Legal sanctions should be applied to companies and individuals who design flawed data systems, according to the Chartered Institute for IT, BCS.
BCS called on the government to make the reckless disclosure of data an offence under the Investigatory Powers Bill, which is being considered in draft by a joint select committee of the Commons and the Lords.
In research undertaken by the organisation, 85% of IT professionals said it should be a criminal offence if a professional designs and implements a system to store website history and fails to appropriately protect access to that data through the use of good practice in information security.
Such a law would probably also affect IT service providers and integrators who supply IT services to local authorities and public sector bodies.
David Evans, director of policy at the Institute, said: “The criminal offence around misuse of data outlined in the Bill is welcome, however we can and we must create systems which by default protect against misuse.
“In an area of critical national importance, it would be reckless and inexcusable for individuals to design data systems which created unnecessary risks to the public, where those risks could have been prevented through known techniques.”
“We believe a double lock to protect against misuse of data would provide greater assurance for the public in how their information is managed in the process of protecting against serious crime,” he added.
The research also found that 76% of IT professionals “disagreed” or “disagreed strongly” that in order to protect national security, companies should weaken or defeat their own security measures to provide authorities with access to content that has been encrypted.
“Whilst government access to services is a useful tool, it is vital that citizens are able to protect themselves from both criminal and foreign state activity. Clarification within the Bill and a clear expression of principle that the security of communications for individuals collectively will not be compromised, is required,” said Evans.