Note that there are now three data losses. The Information Commissioner held that the MoD was not in compliance with the Data Protection Act (third and seventh principles) and issued an enforcement notice, with the requirement for 3 monthly monitoring reports. MoD issued a response to this, detailing how the 51 recommendations of the Burton report (response to data loss 1) would be addressed. Information Commissioner also took account of Article 8 of ECHR.
The issue of compliance and non-compliance is not in doubt: MoD was not compliant with the DPA when these losses occurred. A key issue is how the implementation of the Burton recommendations was being carried through. Was anything kicked into the long grass due to costs? Was there an immediate tightening of procedures, or did they sit with the proverbial thumb inserted over the summer? Do these data losses even precede data loss 1 ie. not picked up until now - what is the chronology?
It is clear that MoD are liable for compensation claims for damages arising from data loss 1 and will probably be liable to claims arising from these second losses. The Information Commissioner found that distress had occured, but compensation is normally only payable for distress when damage has occured as well. I do wonder how restrictive the "normally" caveat is...perhaps it needs tested in court!
http://www.ico.gov.uk/upload/documen...d_en_final.pdf
http://www.mod.uk/NR/rdonlyres/F0437...an20080625.pdf
http://www.ico.gov.uk/upload/documen...sation_2.0.pdf