ICO confirms another data breach fine in the offing

Information commissioner Christopher Graham has revealed that the watchdog is to fine a fifth organisation for breaching the Data Protection Act.

Graham said at a Westminster Forum event on Tuesday that the issuing of another fine will remind data controllers that the Information Commissioner's Office (ICO) is not a toothless regulator.

"This fifth fine coming down the track shows that the ICO is not an organisation with small fangs, but that data controllers should realise that, if they let consumers down, a fine from the ICO will be the Mark of Cain," he said.

Graham did not reveal any further details about the fine, but expressed  his view that the market itself could drive better privacy controls by punishing businesses that abuse customer trust.

"Some are not convinced that market forces will help improve privacy, but I disagree. Consumers are frequently asking questions of businesses around data use, and the companies that treat consumers as adults will be the ones that succeed," he said.

Graham also reminded businesses that they have 40 working days to prepare for changes to electronic communications regulations which will include mandatory breach notifications for telecoms firms and changes to cookie laws.

He added that the ICO will have to wait and see exactly how the changes will need to be enforced, but said that firms should be aware that new laws will mean changes to working practices. He also noted that the ICO recognises that a one-size-fits-all approach is not applicable.

"We need to see the wording of the UK regulations at end of the month to be clear [on how it will need to be enforced], but we understand that the EU institutions expect a change in the law to mean a change in behaviour," he said.

"The ICO will be realistic as we recognise there are various ways to give individuals a degree of transparency through enhanced privacy features on browsers and different types of cookies."

Despite revealing the forthcoming fifth fine, Graham said that he would prefer not to have to resort to these measures to encourage improved data protection, but did say he was hoping to have the ICO's auditing powers extended.

The fine follows two issued in November totalling £160,000 and two issued in February to two London councils that reached £150,000.