Infosec 2012 The UK's Information Commissioner's Office is looking to spend around £3m on its IT, with an invitation for tenders expected at the end of next month.

Information commissioner Christopher Graham told vendors at Infosec during his keynote speech that the ICO hoped to publish its procurement notice in the Official Journal of the European Union, seeking a vendor to provide his office with IT services.

Graham said the office would be spending about 20 per cent of its £15m budget on IT.

The commissioner also said that the ICO had handed out 14 civil monetary penalties (CMPs) for data protection breaches in the 18 months since he was given the power to do so.

Graham was keen to prove that the ICO wasn't just a toothless watchdog, but the fact that the majority of the penalties had gone to local authorities and other public bodies raised questions about the office's authority in the private sector.

However, Graham said that public bodies simply had more personal data than businesses so their breaches were often more serious. The penalties were only meant to be used when there had been a serious breach and if the offenders quickly fixed the problem and put in policies to make sure it would never happen again, they may not be fined, he said.

Data protection breaches were also taken more seriously by the ICO when the data controller wasn't up to scratch or the business hadn't taken steps to ensure their staff handled private information carefully.

He cited the example of one local authority where child protection papers were faxed off to the wrong place.

"[The authority] said that all the policies were in place, everybody was trained, it was all fine, nothing to see here," he said.

"But my people said, "Certainly not, this could happen again tomorrow".

"It happened that afternoon, exactly the same stupid faxing error and that's one of the reasons why a CMP was appropriate."

The commissioner was also asked by an Infosec attendee what he thought of the proposed web-snoop law and how that fit in with his mandate to protect people's privacy .

"You're referring to something that's called the Communications Capability Directive. We believe there's going to be something in the Queen's speech, whether it's going to be a bill or a draft, I don't know," he said.

"I would prefer to wait and see what's in the bill, but... I think if you're going to justify this invasion of privacy, you've got to make your case for it and you've got to mitigate any threats by showing that you've got limitations in place... and safeguards to make sure this honey-pot is not accessed by just anyone." ®

Related stories

• Welsh NHS fined £70k for patient psych file leak blunder (30 April 2012)

  https://www.theregister.com/2012/04/30/health_board_data_breach_fine/

• Theresa May: No emails sniffed in web super-snoop law (24 April 2012)

  https://www.theregister.com/2012/04/24/theresa_may_denies_real_time_emails/

• Home Office 'technologically clueless' on web super-snoop law (20 April 2012)

  https://www.theregister.com/2012/04/20/panel_of_experts_attack_net_snooping_plan/

• Tosh UK rewards competition hopefuls by exposing their privates (18 April 2012)

  https://www.theregister.com/2012/04/18/toshiba_slapped_by_ico/

• NHS trust loses personal data of 600 maternity patients, kids (16 April 2012)

  https://www.theregister.com/2012/04/16/south_london_healthcare_trust_loses_memory_sticks/