Information Commissioner turns up the heat on data breach culprits

Richard Thomas, the Information Commissioner, spoke at the RSA conference in London to repeat his call for more powers and resources to address data breaches and poor security practices.

New powers being sought by the Information Commissioner will allow his office to make unannounced swoops on companies it suspects of wrongdoing, and in the worst cases, to impose fines of up to 10 per cent of the culprit's annual turnover.

Richard Thomas, the Information Commissioner, used a speech at the RSA conference in London to repeat his call for more powers and resources to enforce good data protection throughout government and the private sector.

To support his claims, he noted that 277 data breaches had been reported to his office since HMRC lost 25 million child benefit records nearly a year ago.

Parliament has already granted powers to the Information Commissioner's Office (ICO) to impose fines against organisations that wilfully breach data protection principles, but the levels have not yet been set by the Home Office. Thomas said that he expected a maximum fine to be set in line with the Financial Services Authority, which can fine a financial services company up to 10 per cent of turnover.

Thomas said he also expects the current rules, which prevent him from inspecting a system without the owner's permission, to be changed. He said he preferred to work with companies' co-operation, but that in some cases new powers would be required.

He said he also expects the current flat £35 annual registration fee that all data controllers pay to be increased for larger organisations. The ICO currently has 300,000 data controllers registered, providing it with an annual budget of £10.5 million. By raising fees for bigger organisations, he said he planned to raise this to around £17 million. Thomas reminded the audience that the Health & Safety Executive has a budget of £890 million.

On the question of mandatory disclosure of breaches, which has operated in most states of the US for the last five years, Thomas said he was against adopting a similar approach in the UK or Europe. "Each breach carries different levels of risk and, consequently, requires a different response," he said. "Unless written and interpreted with very great care, a mandatory notification requirement would add a significant extra burden for organisations and, more worryingly, could produce breach fatigue if it were to result in frequent and unnecessary notifications of minor incidents. This carries the very real danger that people will ultimately ignore notifications when there is, in fact, significant risk of harm."

Thomas, who will step down from his job next June, also called for a review of the EU directive on privacy, which he described as "too prescriptive and burdensome." The ICO has commissioned its own research into what kind of laws would work better and will publish a final report of its findings next June, Thomas said.

Of the 277 reported data breaches in the last year, 28 were in central government, 75 in the NHS and other health bodies, and 80 in the private sector. The ICO is investigating 30 of the most serious cases, and has taken enforcement action against HMRC, the Ministry of Defence, the Department of Health, the Foreign and Commonwealth Office, Virgin Media Ltd, Skipton Financial Services, Carphone Warehouse, Talk Talk, and Orange Personal Communications Services Ltd.