25 November 2010

Small fines for a big problem

With identity theft the UK's fastest growing crime, the ICO needs to take a firmer stand against dat

By Jason Stamper

The Information Commissioner has handed out its first fines to organisations for data breaches, fining Hertfordshire County Council £100,000 and Sheffield-based employment services company A4e £60,000.

The Information Commissioner's Office came under fire recently for seemingly failing to quickly establish that Google had breached privacy rules in the Street View car wireless ‘snooping’ fiasco, and when it did, doing little about it.

When the ICO finally decided that Google had conducted a “significant breach” of the Data Protection Act, it failed to levy a fine, saying that the breach of privacy had happened before its new powers to impose hefty fines came in, in April. And besides, Google had promised not to do it again.

But this week the ICO finally showed at least a little muscle, fining Hertfordshire County Council £100,000 for sending two faxes containing the confidential details of a child abuse case: one went to a member of the public, another to a legal firm not involved in the case.

The ICO also fined employment services company A4e £60,000 for a laptop which was stolen, containing the unencrypted details of over 20,000 people.

But anyone hoping that the ICO was going to come down hard on such breaches will be dismayed. Since the ICO now has the power to levy fines of up to £500,000, £60,000 seems relatively small beer for the loss of a sensitive laptop.

When the Nationwide admitted to the loss of an unencrypted laptop in November 2006, the Financial Services Authority (FSA) punished it with a fine of £980,000. That despite the Nationwide insisting that the data could not have been used for identity fraud because there were no PIN numbers, passwords or account balances on it.

But the Information Commissioner Christopher Graham said the fines he’s imposed on Hertfordshire County Council and A4e will send a “strong message” to any firm handling personal or sensitive data in the UK.

Either way, none of this will stop privacy campaigners arguing that it should be a legal requirement for organisations to disclose data breaches to the Information Commissioner. It’s currently voluntary except for Whitehall departments and some NHS organisations, though the ICO has warned organisations they face stricter penalties if it finds out about breaches that are not disclosed.

The ICO said it had been alerted to 1,000 data breaches by May this year, but how many more go unreported? Figures for 2009 showed that identity theft was the UK’s fastest growing crime. Go figure.

Jason Stamper is NS technology correspondent and editor of Computer Business Review.