Infosec 2012: Information commissioner Christopher Graham lashes out at critics

Information commissioner Christopher Graham has lashed out at critics in his keynote speech at Infosec Europe 2012 taking place in London

Information Commissioner Christopher Graham has lashed out at critics in his keynote speech at Infosec Europe 2012 taking place in London.

He faced a barrage of questions from attendees around monetary penalties, in what he admitted was his first visit to the annual information security event.

"The ICO has got teeth and they are sharp, but they are aimed at specific offences," he said, explaining that monetary penalties can be imposed only under certain conditions.

First, there has to be a serious contravention of the data protection principles that is likely to cause substantial damage or distress.

But then the contravention must also be either deliberate or it must be shown that the data controller ought to have foreseen the risk, but failed to take steps to mitigate that risk.

Only if these conditions are met, can a monetary penalty be imposed, said Graham, noting that in most cases the organisation concerned signs an undertaking to improve data protection practices.

The information commissioner also denied that he "had it in for the public service," but said the reason the most penalties had been levied on locals councils was the fact that they dealt with the most sensitive kinds of personal information.

"I would prefer the power to audit rather than rely on the power to fine," he said. To that end the ICO is seeking to extend its powers of compulsory audit in the public sector to the NHS and local government.

Asked about the £500,000 limit to monetary penalties, the information commissioner said the upper limit would be reserved for the most extreme cases.

"If we ever get to the point where we are imposing £500,000 penalties, but it is having no effect, the ICO will have to ask Parliament to review the maximum penalty," he said.

However, Graham insisted that the 14 monetary penalties imposed so far – with the highest being £140,000 – were having a positive effect in raising awareness of the need to protect personal data.

Graham responded very carefully to questions about government plans to allow law enforcement agencies to intercept electronic communications.

"If government is going to justify invasion of privacy, they will have to make a good case for it; they will have to show what limitations and safeguards they will place on such powers," he said.

However, Graham said that, without seeing the bill, it was impossible to comment further. "It is for Parliament to decide what to do and for the ICO to kick the tyres," he said.

The information commissioner also took the opportunity to emphasise the point the ICO is not only about imposing sanctions. "We are not all stick and no carrot," he said.

"There is a lot we can do to help in terms of advice and guidance; we have a very successful good practice audit scheme that is attracting a lot of interest from data controllers," he said.

Any organisation can apply to the ICO for a free audit to check compliance with the Data Protection Act. "This is the only free consultancy you can get," he said.

Graham said the ICO is a modern and proportionate regulator that is very considered in the use of its powers, with the emphasis being on helping organisations to get data protection right.

The ICO believes the role of a regulator is to be supportive, consistent and to ensure better regulation, which is part of better information security.

 "To be effective, we need to be selective," said Graham and vowed to continue to pursue this approach under the proposed new European data protection framework.

Read more on Hackers and cybercrime prevention