ICO issues first fines - but how does this help anyone?

The Information Commissioner’s Office has made the first use of its new powers to fine organisations for data breaches. Two organisations – Hertfordshire County Council, and employment services firm A4e – were fined £100,000 and £60,000 respectively for failures to comply with the Data Protection Act.

There is little doubt that the offences were, in each case, serious: Hertfordshire Council twice faxed information about a child sex abuse case to the wrong recipient, and an A4e employee was burgled, losing a laptop containing the unencrypted sensitive personal information of approximately 24,000 individuals. The Hertfordshire case is particularly inexcusable, since the two incidents were two weeks apart, during which remedial actions could have been taken to prevent a recurrence.

On the face of it, this looks like a win for the Data Protection Act and a welcome return to form for the Information Commissioner’s Office. However, I personally think that these fines are ill-judged and inappropriate, and that the consequence is equally likely to be a degradation in Data Protection practices in other organisations.

Firstly, both organisations voluntarily notified the Commissioner and the affected data subjects of the breaches. Serious corporate governance mistakes were made, but once these became apparent, the organisations took remedial action. What message does this send to other organisations that have yet to put their Data Protection processes in order? Yes, it will make it clear that Data Protection has to be taken seriously. But it will also encourage organisations and individuals to try to cover up data breaches – after all, why bother notifying the ICO if his response will be a fine? Why not just try to cover it up, since if the breach subsequently becomes apparent then the fines will kick in anyway? Remember that even if the organisation has a culture of integrity, an employee who has made a silly mistake and lost some data (in the case of A4e, the laptop concerned was scheduled for encryption under a rolling programme of security upgrades, although that doesn’t excuse putting 24,000 records on it) would be highly incentivised to protect his/her job by trying to hush up the incident.

And that brings me on to the second problem: what is the point of fining public authorities for data breaches? At an organisational level, the only consequence is that Hertfordshire County Council now has £100,000 less to spend on legal services for child protection (I’ll bet nobody at an executive level has lost their job or suffered some other penalty). How does that help anyone? A far more appropriate solution would be to identify the culpable individual – even if that is the Chief Executive – and take action against them. That would focus their attention without the effect of penalising service recipients.

All this is in an environment where the ICO is facing widespread criticism for failing to tackle technically complicated cases, or those involving major organisations. The ongoing sense of “kick ’em while they’re down” that arises from the ICO’s taste for penalising small enterprises and public bodies, whilst – in the eyes of privacy activists – failing to deal with the local consequences of global breaches such as those committed by Google, demonstrates a continued lack of appetite within the Commissioner’s office to face down a data controller who might actually win a case, and an inability to take on technically complicated cases.

What the ICO does next is critical for the credibility of these new powers. It’s time to pick on a hard target, one which has the appetite and resources to fight back against a penalty in a situation that is technically complicated. Doing that will silence many of the critics. Picking on a ‘soft’ victim will only make things worse for all of us.

You make it sound like the council acted honourably and reasonably once it found out its mistake ... are you quite sure about that?
As the ICO finally seems to be toughening up https://bit.ly/bQY4UJ it raises questions about how the fines are applied. Whilst it is disappointing that Google could not be fined as the offence occurred before the ICO could implement stronger penalties, to hear of local councils receiving large fines is also concerning for the public. A balance surely needs to be met, potentially basing the fine not only on the size of the breach, but also on the size of the organisation at fault. It remains to be seen how much these fines will act as a deterrent.
I wouldn't go so far as to say 'honourably,' but they did follow the correct path of notifying the ICO after the second incident (it may be that the ICO had already become aware of the incident as a result of a complaint). Their punishment is largely as a result of their failure to take action after the first incident.
It should be a good deterrent - I understand that the private individual was fed up with receiving faxes from the council and the council did nothing about it. The actions that they subsequently took were more of a backside-covering exercise than a proper addressing of the issues. Let's hope the whole story comes out soon.
Get protection – before it’s too late

It was announced earlier this month that the ICO would issue its first fine in November. Since then, a number of companies have fallen victim to large fines. A question that springs to mind is whether or not these companies are actually the worst offenders or were just in the wrong place at the wrong time. Although the companies mentioned in the article did in fact breach the Data Protection Act and were right to be fined, other firms have been let off with warnings this year for much worse – is this just the ICO flexing its muscles and scaremongering? It seems very convenient that a public and a private sector firm were fined at the same time just before the end of the month. Who will be next? It could be anyone, and companies, both public and private, need to make sure their data is protected. Sensitive information is often stored on the hard drives of endpoint systems and on removable media. Organisations need to ensure that this data is persistently protected, and one way of doing this is via encryption. The loss of one of those systems or media could expose corporate information, personnel records, government secrets, or intellectual property, producing disastrous effects for organisations. Encryption is transparent and there is no disruption to business operations, performance, or the end user experience. When sensitive data on endpoints is secured, organisations can focus on other areas. Data needs to be fully protected or the next example made by the ICO could be for the full £500,000.