Most data breaches escape privacy watchdog fines

ICO keeps its big stick under wraps as not even one per cent of breaches attracts fine...


UK privacy watchdog ICO has issued few fines

New figures reveal that the Information Commissioner's Office has fined just four organisations since April last year.

The UK's privacy watchdog has fined fewer than one per cent of organisations reported for breaching the Data Protection Act (DPA) since it gained new powers in April last year.

The Information Commissioner's Office (ICO) issued fines in relation to just four of the 2,565 suspected data breaches reported to the watchdog between 6 April 2010 and 22 March 2011.

In April 2010, the ICO gained the power to issue civil penalties of up to £500,000 to organisations found to have seriously breached the DPA in a way that is likely to "cause substantial damage or substantial distress".

Despite the ICO being able to issue penalties of up to £500,000, none of the fines issued have been more than £100,000, with the total penalties issued to date standing at £310,000.

The figures were revealed by an FOI request submitted by encryption specialist ViaSat.

The small number of fines issued and the low value of those penalties raise a question over the deterrent value of a financial penalty in reducing future data-protection breaches, ViaSat CEO Chris McIntosh said.

"If fines are rare and well below the maximum allowed limit, their value as a deterrent drops," McIntosh said in a statement.

McIntosh argued the ICO's actions will not deter future breaches of the DPA in the private sector. He pointed out that the £60,000 fine issued to A4e was only a fraction of the company's "£145m turnover" and that Google was given only a "slap on the wrist" after its Street View cars accidentally collected data on people's wi-fi use.

The ICO says it would be inappropriate and counterproductive to be too heavy-handed when issuing fines.

"The existence of civil monetary penalties has had a markedly beneficial effect on compliance generally," a spokesman said in a statement.

"The big stick is there, but doesn't need to be deployed all the time to have an effect."

An ICO spokeswoman said that while there were 2,565 suspected DPA breaches during the period, the number of self-reported security breaches - breaches where information was disclosed or lost - was far lower, adding that there were 603 security breaches during the last financial year.

During the period from April 2010 to March 2011, the ICO took formal action in relation to 41 of the 2,565 data breaches reported to it.

This formal action involved issuing 40 undertakings, where an organisation signs up to an agreement to comply with the DPA in future, and one enforcement notice, where an organisation is legally bound to stop the activity that put them in breach of the act.

The rest of the possible breaches reported to the ICO were either found not to be breaches or resulted in informal action, where the ICO contacts the organisation concerned and explains what action they need to take to better comply with the DPA, an ICO spokesman said.

From 25 May, the ICO will also gain new powers, including the ability to fine organisations up to £500,000 for the most serious breaches of the Privacy and Electronic Communications Regulations, which cover organisations sending unwanted marketing emails and texts, as well as those making live and automated marketing phone calls.

From this date, telecoms companies and ISPs will also be required to notify their customers and the ICO in certain circumstances when a personal data breach occurs. The ICO will also gain responsibility for regulating compliance with rules on how websites should use cookies.