According to figures supplied to ViaSat UK by the ICO in a freedom of information request, there were 730 self-reported data breaches between 22 March 2011 and 17 February 2012 with the private sector accounting for 263 of them (or 36%). Yet, according to the figures, only one of those breaches resulted in a financial penalty (and even that was a pretty insignificant £1,000).
Contrast this with the £790,000 in fines meted out to eight councils. The majority of breaches concerned information being mistakenly disclosed in emails or documents being sent to the wrong addresses and 88 cases of human error accounted for half of all the self-reported breaches in the public sector.
Just who is the ICO penalising with fines for data breaches?
This state of affairs led ViaSat's UK CEO Chris McIntosh to suggest that the private sector was still being given "a relatively free rein" over data security practices. It certainly looks that way.
Now we might feel that data breaches deserve to be punished in order to act as a deterrent, but if we do, that policy needs to be applied equally across the public and private sectors. It may well be that the data held by public sector organisations is more sensitive than the data held by private sector businesses, but is the ICO really suggesting most data breaches at private organisations are of information that is relatively worthless? Because that seems to be the message.
There may be an element of treading with caution as regards private sector organisations because hefty fines could well cause fatal damage to their financial well-being, but by the same token, the fines being levied on public sector organisations are being taken out of the pockets of the UK's citizens.
In these touch times, it would surely be better to spend time training people and helping them to adopt best practice than seeking to change behaviour through financial penalties. Especially as the cost of those financial penalties is being shouldered by the taxpayers and council taxpayers in the UK.