/v3-uk/news/2044963/privacy-watchdog-dishes-breach-fines
20 Apr 2011, Miya Knights , V3
The Information Commissioner’s Office (ICO) has issued just four civil penalties since obtaining powers to issue fines for Data Protection Act (DPA) breaches.
The fines, which account for just one per cent of all reported data breaches since the ICO powers were extended to include monetary penalties just over a year ago, total £310,000. The maximum fine that can be imposed for a single offence is £500,000.
The figures, supplied in response to a Freedom of Information request from encryption firm ViaSat, also revealed that during the period the privacy watchdog had only penalised seven private sector organisations, compared to 29 in the public sector. Of the four fines issued, only one was to a private firm.
An ICO spokesman defended the seemingly meagre use of its powers to hit organisations where it hurts – their bank balance – saying the penalties were a big stick that it did not always have to use.
“Our focus as a regulator is on getting bodies to comply with the DPA. This isn’t always best achieved by issuing organisations or businesses with monetary penalties,” he said.
"[However] the existence of civil monetary penalties has had a markedly beneficial effect on compliance generally.”
Presumably, new powers welcomed by the ICO today will be used in a similar way. The privacy watchdog can now issue fines for the most serious incidents of firms making unwanted marketing calls or sending unsolicited marketing emails to consumers.
This change – along with other powers granted to the ICO – will come into force as part of an amendment to the UK’s Privacy and Electronic Communications Regulations on 25 May.
The ICO spokesman told V3.co.uk that the action taken depends on the details of each individual case.
Monetary penalties are served only once the Information Commissioner has satisfied a strict set of criteria. This includes evidence that the breach could have caused substantial damage or distress to individuals and that the organisation knew, or ought to have known, that there was a risk that a breach may occur.
“We will always consider the imposition of a monetary penalty where these criteria are met,” he stated.
However, Chris McIntosh, chief executive of ViaSat UK, countered: “The Information Commissioner has stated that ‘you have to be selective to be effective’. However, the ICO has a tremendous amount of leeway in the penalties it levies and so far doesn’t seem to be applying this in either direction.”
McIntosh argued that, if fines are rare and well below the maximum allowed limit, their value as a deterrent would drop.
“Organisations will view the rarity of a fine and the associated negative publicity the same way they have viewed the threat of a data breach itself: an event that only happens to other people,” he added.
The biggest ICO fine so far of £100,000 was given to Hertfordshire County Council late last year. It was found in breach of the DPA after twice accidentally faxing sensitive information about child sex abuse and care cases to the wrong recipients in the space of two weeks in June 2010.
A couple of months ago, the ICO fined Ealing Council £80,000 and Hounslow Council £70,000 after two laptops containing details of some 1,700 Ealing clients and Hounslow employees were stolen from the home of an employee of an out-of-hours service working on behalf of both councils.
Employment services company A4e was fined £60,000 in November 2010 after a laptop containing personal information of about 24,000 people who had used community legal advice centres in Hull and Leicester in June was stolen.
The latest ICO victim is the NHS Birmingham East and North Trust, which has been implicated in yet another public sector data breach.
The ICO said today that the organisation failed to restrict access to files on its IT network, allowing some NHS staff at its own Trust and two other NHS Trusts nearby to potentially access restricted information.
As a result, the Trust’s chief executive has signed an undertaking with the ICO to ensure that adequate technical security and staff training measures are in place to prevent unauthorised access to personal data.
More penalties needed to increase compliance
Perhaps if the ICO started fining more often they could really make companies that are taking a lax view of data security sit up and pay attention. If they saw other orgs getting made an example of then I think they would start taking preventative measures, such as enforcing the use of a laptop lock by employees at all times. Which? are calling for tougher penalties for data breaches http://bit.ly/ksEz92
Posted by Mari Saona, 22 Sep 2011