
Is the ICO using its fining powers effectively?

Channelweb.co.uk has today reported on the Information Commissioner’s Office (ICO) response to claims made by encryption vendor ViaSat that the ICO is being ‘inactive’ in handing out fines for Data Protection Act (DPA) breaches.

The ICO was given powers in early 2010 to impose fines of up to £500,000 on firms that breach the DPA, although it has emerged, through ViaSat's claims, that to date only £310,000 in fines has been dished out.

ViaSat requested the information via an FoI request, but the ICO claims that ‘one of the statistics, relating to the number of data breaches reported between 6 April 2010 and 22 March 2011, supplied to ViaSat, has been misinterpreted’.

The statistic in question suggests, according to ViaSat, that 2,565 potential data breaches were reported between 6 April 2010 and 22 March 2011. A representative from the ICO explained:

“While it is true that the ICO has concluded that in 2,565 cases compliance with the DPA was unlikely, the figure for self-reported security breaches – where information has been disclosed or lost – is far lower.

“The 2,565 [figure] cover all types of compliance including a company sending unwanted postal marketing, incorrect data being held or an organisation not handling a subject access request appropriately.”

The representative continued: “These [self-reported security breaches] vary from minor administrative errors, where enforcement action would not be appropriate, to serious data losses which led to the ICO imposing a monetary penalty.”

Chris McIntosh, Chief Executive of ViaSat UK, told ChannelWeb:

“The figure of 2,565 was given to us by the ICO in direct response to an FoI request on the number of data breaches reported since 6 April 2010,” he said. “Our request was clear in that we wanted information on the number of data breaches.

“Even if you look at the revised figures the ICO has released, it is still clear that monetary penalties have been enforced in less than one per cent of the data losses it has dealt with.”

Many people in the data industry seem to be concerned not with the number of breaches reported, but with the number of breaches that the ICO has decided to clamp down on. ChannelWeb asked Daniel Hamilton, director of public privacy campaigners Big Brother Watch, what he thought:

“For the ICO to only take enforcement action in such a small number of cases, suggests he is little more than a paper tiger,” he said. “The ICO has tough and wide-ranging powers and it is time he used them to maximum effect.”