ICO confirms imminent data breach fines

The Information Commissioner's Office (ICO) has confirmed that it is in the process of imposing fines against two organisations that have breached the Data Protection Act.

Deputy information commissioner David Smith told V3.co.uk at an Internet Society event in London that the regulator hopes that the fines will make a significant statement about data protection.

"This will be a landmark moment in ensuring that firms take [data protection] seriously," he said.

"There have been a lot of questions asked of us about whether we are actually going to fine firms, and I can assure people that we will be actively using this power."

Smith declined to reveal any details of the companies involved, but said that information will be posted online "in the near future".

The ICO has been criticised in the past for failing to use its powers, and legal experts have argued that the fines it is able to levy are not a sufficient enough deterrent to make organisations behave in a responsible way with personal data.

Smith reiterated earlier statements that the ICO is investigating the leak of personal information by ACS:Law, but declined to comment further on the incident.

The deputy information commissioner also said that companies need to be accountable for the security of the data they hold, and that it is important to exercise self-denial and not just hold data because it is possible to do so. He also made a veiled reference to TalkTalk.

"There should be no exemption from these principles just because you are trialling a new service," he said.

TalkTalk was recently reprimanded for failing to inform its customers or the ICO of a trial of technology that monitored the web sites visited by customers in order to direct them away from malware infected pages.

Smith also said that the ICO wants businesses to provide users with settings so that "without reading the small print they know they will get a minimal level of protection".

Finally, Smith added that location-based services will raise issues around data protection as the collection of information that details where someone was at a particular time of day goes "a long way towards identifying someone".