ICO criticised over fining policy

The privacy watchdog has received more than 600 reports of data breaches since it gained the power to fine companies up to £500,000, but it has levied only four fines

The Information Commissioner's Office has used its powers to impose fines in less than one percent of reported data breaches, according to the UK privacy authority's own figures.

The Information Commissioner's Office, which dropped an investigation into data-handling at BT, has been criticised for the way it has used its powers to impose fines. Photo credit: ell brown/Flickr

There were 603 breaches of the Data Protection Act (DPA) between April 2010 and March 2011, according to Information Commissioner's Office (ICO) numbers. Of those incidents, 36 resulted in enforcement action, with four fines imposed.

Encryption company ViaSat criticised the privacy authority in a statement on Wednesday.

"Despite increased powers to issue civil penalties for breaches of the Data Protection Act, the Information Commissioner's Office is still only using these powers in a tiny fraction, fewer than one in 500, or less than one percent, of all reported data breaches," said the company.

In April 2010, the ICO was granted powers to fine organisations up to £500,000. In November, it put those powers into play for the first time, imposing a penalty of £100,000 on Hertfordshire County Council and £60,000 on employment agency A4e. In February, it fined Ealing Council £80,000 and Hounslow Council £70,000 over the loss of unencrypted laptops with sensitive data.

ViaSat also criticised the ICO for fining a greater number of public-sector organisations than private-sector companies.

"The ICO has taken action against only seven private-sector organisations, penalising one, compared to acting against 29 public-sector organisations, penalising three," said the company.

Although the ICO found that Google broke the law when it gathered personal details from unsecured Wi-Fi networks, it did not levy a financial penalty on the company. In addition, the watchdog dropped an investigation into inadequate data protection by BT, leading privacy campaigners to complain that the telecoms company had been let off the hook.

Time lapse in fines

Deputy information commissioner David Smith said that the ICO is happy with the number of enforcement actions. He noted that while there have been only four fines since the new powers were granted, there are more fines under active consideration.

"Even if there were 600 breaches in the year and four monetary penalties, there's always a time lapse," Smith told ZDNet UK at the Infosecurity Europe conference on Wednesday. "We do have reports from the last financial year that are under consideration for monetary penalties."

Smith said that 20 or so breaches are under active consideration for financial penalties, but declined to say the proportion of public- to private-sector organisations.

The ICO said that the private sector had reported 186 breaches in that time period, while the NHS had 165 and local government, 146.

"There is a worry that it is the public sector that is the bigger problem," said Smith, although he conceded that some public-sector organisations like the NHS are legally obliged to report data breaches, whereas the private sector is not.

"There's undeniably a significant problem in the public sector," said Smith. "It's less clear how big the problem is in the private sector."

The ICO announced on Wednesday that it has gained powers to fine spammers and companies making unwanted marketing calls up to £500,000. In addition, the ICO now has powers to force telcos and ISPs to report data breaches in certain circumstances.