18 May 2011
The former head of enforcement at the Information Commissioner's Office (ICO) has said that businesses should appoint dedicated staff to keep up to date with data security issues and guidance to avoid investigation by the watchdog.
Mick Gorrill, now a consultant in the security and information law group at Field Fisher Waterhouse, said that this would provide the best chance of avoiding data losses and monetary penalties.
"Organisations should have someone nominated for data security. It's a big help as once you have that accountability and that reasonability they start listening to what the ICO is saying and put policies and procedures in place and staff training," he said at a press event today.
"If businesses show they have done everything they could reasonably be expected to do - had a privacy impact assessment, put processes in place to prevent breaches and so forth - they would be looked at favourably."
Gorrill, who left the ICO at the end of March, said that the ICO had increased in stature since being given the ability to levy fines, and that the fine limit could be increased in the future.
"To some organisations £500,000 is nothing, but the reputation damage is more important, and if you get a civil penalty it leads to a lot of publicity," he said.
"There was talk of 10 per cent of turnover which seemed to me a good idea, but if there is a view in the future that £500,000 is not enough that could be pretty easily changed."
Giving more insight into the workings of the ICO, Gorrill explained that fines are considered or issued, or other enforcement action taken, when data controllers show a clear lack of responsibility.
"Where they go spectacularly wrong is when they are cavalier with data security, and [data breaches] could have been avoided with a little thought. That's where we got tough," he said.
Gorrill added that the public sector has a poor record on data breaches, but that local authorities, rather than the NHS, are a greater cause for concern.
"Local authorities are very disappointing. They will tell you it's because money is being taken from them and they need to keep frontline services going and the Data Protection Act does not fall into this, but we would argue it does," he said.
"The NHS has improved pretty dramatically. Before the monetary penalty became law I would have put money that the first fine would be the NHS, but it wasn't and within the NHS it's a lot better understood now. It's definitely got better."
The ICO has issued five monetary penalties, covering the private and public sector, as issues around data security continue to grow.