The Information Commissioner’s Office (ICO) has issued fines in excess of £5m for data breaches since it was given this power in 2010, with local councils and NHS Trusts being the worst offenders.
The ICO revealed the figure to V3, announcing that a total of £5,391,000 has been issued in penalties. This figure excludes a £250,000 penalty from 2013 that the Scottish Borders Council successfully appealed against.
The table below shows that the worst offenders for this are local government councils, which are frequently fined for all manner of data-loss mishaps. To date these errors have cost taxpayers over £2m.
NHS Trusts have also repeatedly wasted money through data-protection blunders, with £1.3m in fines being handed out.
Recent examples of poor data handling include the Ministry of Justice being hit with a £180,000 fine for failing to educate staff on how to use encryption on hard drives and Kent Police leaving interview tapes in an old office. This led to a fine of £100,000.
While more than £5m in fines has been issued, the overall total paid is £4.25m. This is because many organisations have taken advantage of the ICO's 20 percent early-payment offer.
Even with this reduction the total represents a significant waste of taxpayers' money from public services such as local councils or NHS Trusts because of poor data handling, usually due to incidents that could easily have been avoided.
The fines are paid into the government's Consolidated Fund, which is then used by the government as extra funding during new budgets or spending reviews. While this means the money remains in the public purse, it will be little consolation for those who see their council or health trust services suffer.
ICO head of enforcement Steve Eckersley said that despite the wide range of reasons for fines being issued, the underlying cause was always a lack of appreciation for data-protection requirements.
"Despite the variety, the common thread is organisations not properly looking after people’s personal data. That simply isn’t good enough. Good data handling is not about box-ticking to comply with the law, but about properly handling the often sensitive details of real people," he said.
"That means thinking about where your organisation could be at risk of not handling personal data properly, and then putting the right technical and organisation measures in place to mitigate that risk, particularly around data security."
Eckersley added that he hoped the fines issued and the negative headlines they led to are at least helping some organisations sit up and take notice of their data-protection needs.