The New Statesman’s rolling politics blog


Small fines for a big problem

With identity theft the UK's fastest growing crime, the ICO needs to take a firmer stand against dat

The Information Commissioner has handed out its first fines to organisations for data breaches, fining Hertfordshire County Council £100,000 and Sheffield-based employment services company A4e £60,000.

The Information Commissioner's Office came under fire recently for seemingly failing to quickly establish that Google had breached privacy rules in the Street View car wireless 'snooping' fiasco, and, when it did, for doing little about it.

When the ICO finally decided that Google had conducted a "significant breach" of the Data Protection Act, it failed to levy a fine, saying that the breach of privacy had happened before its new powers to impose hefty fines came in, in April. And besides, Google had promised not to do it again.

But this week the ICO finally showed at least a little muscle, fining Hertfordshire County Council £100,000 for sending two faxes containing the confidential details of a child abuse case: one went to a member of the public, another to a legal firm not involved in the case.

The ICO also fined employment services company A4e £60,000 for a laptop which was stolen, containing the unencrypted details of over 20,000 people.

But anyone hoping that the ICO was going to come down hard on such breaches will be dismayed. Since the ICO now has the power to levy fines of up to £500,000, £60,000 seems relatively small beer for the loss of a sensitive laptop.

When the Nationwide admitted to the loss of an unencrypted laptop in November 2006, the Financial Services Authority (FSA) punished it with a fine of £980,000. That despite the Nationwide insisting that the data could not have been used for identity fraud because there were no PIN numbers, passwords or account balances on it.

But the Information Commissioner Christopher Graham said the fines he's imposed on Hertfordshire County Council and A4e will send a "strong message" to any firm handling personal or sensitive data in the UK.

Either way, none of this will stop privacy campaigners arguing that it should be a legal requirement for organisations to disclose data breaches to the Information Commissioner. It's currently voluntary except for Whitehall departments and some NHS organisations, though the ICO has warned organisations they face stricter penalties if it finds out about breaches that are not disclosed.

The ICO said it had been alerted to 1,000 data breaches by May this year, but how many more go unreported? Figures for 2009 showed that identity theft was the UK's fastest growing crime. Go figure.

Jason Stamper is NS technology correspondent and editor of Computer Business Review.