ICO fines – the disparity of fines between private and public sector data breaches

A BBC report, based on a freedom of information request by satellite-system maker Viasat, has highlighted the types of data breach reported in the UK over the last year by both private and public sector organisations, and the apparent disparity in the level of fines levied on each.

The UK’s private sector accounted for more than a third of all reported data breaches over 11 months, but less than 1% of the resulting fines, according to a Freedom of Information request.

Five fines totalling £790,000 were imposed on the public sector and one £1,000 penalty on a private firm.

During the period March 2011 to February 2012, the ICO said 730 incidents had been flagged as potentially liable to a penalty or other action.

The private sector reported 263 cases, while 467 were reported by government and other public sector bodies.

These included:
• 281 incidents when information had been mistakenly sent via email, documents had been sent to the wrong address, or other similar accidents;
• 170 incidents caused by the theft of data or hardware;
• 108 events involving the loss of data or hardware, of which the NHS was responsible for just over a third of cases;
• 17 instances in which materials had not been disposed of properly.

Of the 433 breaches resolved over the period, six resulted in local councils being fined. The biggest penalty was a £140,000 charge imposed on Midlothian Council after it repeatedly disclosed personal data about children and their carers to the wrong recipients.

The one private sector company fined was ACS:Law. Its data controller was fined £1,000 after an attack on its systems and the resulting security breach led to sensitive details about 6,000 people being published on a third-party website.

The ICO said at the time that it would have imposed a larger £200,000 fine had the firm not ceased trading and its owner not been of limited means.

Recent data breaches that have come to light include:
• The accidental publication of the home and email addresses of 38,000 people who applied to run the London Marathon
• Loans company Student Finance England sending an email to 8,000 customers, which included other recipients’ email addresses
• Scotland Yard sharing email addresses of more than 1,000 victims of crime with other victims.