ICO says it doesn't need to use its 'big stick'

Fewer than one in 500 breaches result in fines

Despite increased powers to levy fines for breaches of UK data protection rules, the Information Commissioner's Office (ICO) is only using these powers in a tiny fraction of cases.

A Freedom of Information request from encryption specialist ViaSat, made public on Wednesday, revealed that 2,565 data breaches had been reported to the government watchdog in the year since a tougher enforcement regime was introduced in April 2010. Just 36 of these cases have resulted in any form of action by the ICO to date. Only four have resulted in civil penalties.

These four cases produced fines that peaked at £100,000, well below the £500,000 maximum, and added up to a collective total of £310,000. Hertfordshire County Council received the £100,000 penalty, the toughest to date, after it accidentally faxed details of a child sex abuse case to a member of the public instead of to lawyers.

Nearly one in five of the reported breaches of the Data Protection Act over the last year came from the financial sector, but none has resulted in a fine, at least up until now. Santander and Yorkshire Building Society have each been reprimanded for minor breaches of data protection rules since the tougher regime came into play last year and the maximum fine was raised from £50,000 to £500,000.

"The ICO has stated that the embarrassment and poor image of a fine will act as a deterrent and an incentive to improve an organisation's grasp of the Data Protection Act," said Chris McIntosh, chief exec of ViaSat UK. "However, if fines are rare and well below the maximum allowed limit, their value as a deterrent drops."

McIntosh continued: "Organisations will view the rarity of a fine and the associated negative publicity the same way they have viewed the threat of a data breach itself: an event that only happens to other people."

ViaSat also criticised the ICO for seemingly targeting public sector organisations for tougher enforcement. The ICO has taken action against only seven private sector organisations, penalising one, compared to acting against 29 public sector organisations, and wielding the naughty stick against three.

The only private sector firm to have fallen foul of the tougher enforcement regime thus far is A4e, which was fined £60,000 last November after losing an unencrypted laptop containing the details of 24,000 people attending the League of Gentlemen-style job clubs it runs for the Department of Work and Pensions.

"The ICO has stated that the private sector has a worse grasp of the Data Protection Act than the public," continued McIntosh. "However, the ICO's actions so far do not seem to encourage any improvement."

McIntosh added that the public sector dutifully reports its failures under the Data Protection Act and receives more, and larger, penalties as a result. Hard-pressed taxpayers ultimately cope with this bill. Meanwhile private-sector firms might be tempted to think that the worst that will happen to them is a small fine, in comparison to the size of their business, and a "slap on the wrists", according to McIntosh.

While acknowledging that the ICO has a tough job, McIntosh said it ought to be doing more than "handing out minor fines to local government". He suggested the organisation might need "greater leeway" to impose heavier penalties, as well as more resources for stronger monitoring.

In a statement, the ICO explained that its main aim was getting organisations to abide by data protection rules and that this "isn't always best achieved by issuing organisations or businesses with monetary penalties". It said that the proverbial carrot often worked better than a "big stick".

The data privacy watchdog continued: "Our focus as a regulator is on getting bodies to comply with the Data Protection Act. This isn't always best achieved by issuing organisations or businesses with monetary penalties. The action we will take depends entirely on the details of each individual case.

"The existence of civil monetary penalties has had a markedly beneficial effect on compliance generally. The big stick is there, but doesn't need to be deployed all the time to have an effect.

"Good regulation is about getting the best result in the public interest. For a monetary penalty to be served the Information Commissioner has to satisfy a strict set of criteria including that the breach could have caused substantial damage or substantial distress to individuals and that the organisation knew, or ought to have known, that there was a risk that a breach may occur. We will always consider the imposition of a monetary penalty where these criteria are met."

ICO guidelines on how it decides whether or not a fine is appropriate can be found here (32-page/264KB PDF). ®

Bootnote

In related news, the ICO received enhanced powers on Wednesday to fine firms up to £500,000 if they are caught making unwanted marketing phone calls or sending unwanted marketing emails to consumers.
