There was news this week that the UK Information Commissioner’s Office (ICO) exercised for the first time its powers to fine organisations for breaching the Data Protection Act. Those powers were first put into law back in May 2008 in the Criminal Justice and Immigration Act, and they came into force in April of this year – so the first enforcement notices have been subject to detailed hepatomancy as organisations and pundits try to divine what the ICO’s future strategy might be.
Thus, for instance, it’s noted that the organisations fined come from both the public and the commercial sector (one a County Council, and the other an employment services company); also, that the fines in question (£100,000 and £60,000 respectively) fell short of the £500,000 ‘top tariff’. In each case, there was something characteristic about the kind of data compromised: not just personally identifiable information, but in one instance, data about a child sex abuse case which was before the courts, and in the other instance, data about alleged criminal activities of the individuals concerned.
There’s always the argument, of course, that fining a public sector body not only costs the tax-payer, it also potentially takes away funds which the organisation might otherwise have been able to apply to fixing the problem. I talked to the former Commissioner, Richard Thomas, about that once; not surprisingly, his preferred solution was that any fines levied (on public sector bodies in particular) should be ploughed back into the ICO itself. However, I don’t think he got his way, and as far as I know the funds go into the central government pot managed by the Treasury.
There are clearly some delicate balancing acts to be done here – for instance, should public sector offenders be fined less than commercial organisations (for the reasons above), or should they be fined more, to make up for the fact that they have less to lose from damage to their reputation? (After all, I can’t take my tax “business” to HMRC’s competitors, because they don’t have any…).
There’s also the question of what scale of fine is high enough to be punitive, but not so high that it encourages organisations to hide the truth about data breaches. In that respect, the £60,000 fine is interesting, because the company concerned actually made a voluntary report notifying the ICO of the breach. They still got fined.
Despite how tempting it is to squeeze every last inference out of these two cases, I think one has to see this in the longer perspective. Sure, these don’t, at first glance, look like high-profile cases – but they get their impact from their novelty, not from being about Google, or the HMRC. They were also probably picked in order to give the ICO a predictable “win” with minimal chance of an objection or an appeal; after all, what organisation is likely to try and quibble about the disclosure of material relating to a child sex abuse court case…?
And as for the risk that companies will clam up about data loss; well, the evidence to date (including these fines) is that the ICO is a very pragmatic organisation. Organisations who behave like grown-ups, who act on best practice recommendations and who report such breaches as they incur, get treated like grown-ups. Sometimes that won’t earn you an exemption from a fine, it seems – but my prediction is that the higher fines will be reserved for those organisations who don’t seem to learn from previous mistakes.