Out-Law News 4 min. read

Watchdog defends apparent discrepancies in fines for private and public sector data breaches


The UK's data protection watchdog has defended its policy of issuing fines after newly released figures suggested private sector organisations are issued with disproportionately fewer fines than local Government ones.

Statistics provided by the Information Commissioner's Office (ICO) to security and communications firm ViaSat under UK freedom of information (FOI) laws show that private companies were fined fewer times during a near-11 month period than public sector organisations.

The figures, seen by Out-Law.com, show that between 22 March 2011 and 17 February 2012 private sector businesses reported 263 cases of personal data breaches to the ICO out of a total of 730 reported to the watchdog during this time. NHS bodies reported 178 cases with local Government organisations owning up to 166 personal data breaches throughout the period.

However, during those months the ICO issued just a single fine totalling £1,000 to a firm in the private sector. In the same period the ICO fined eight local councils a total of £790,000 over breaches of personal data.

In a widely-reported case last year the ICO fined lawyer Andrew Crossley after he had failed to keep sensitive personal information relating to around 6,000 people secure. The ICO had originally proposed serving Crossley, trading as ACS Law, with a £200,000 penalty after hackers exposed emails containing names and other personal details of individuals accused of illegally copying pornographic material. However, the finalised monetary penalty levied on Crossley was just £1,000 after he claimed bankruptcy.

The ICO handed its heaviest ever fine of £140,000 to Midlothian Council for sending sensitive personal data about children and their carers to the wrong addresses on five occasions during the period that the figures disclosed by the ICO stem from.

The ICO said it could only issue civil monetary penalties (CMPs) in accordance with certain conditions.

"Civil monetary penalties are part of a range of options that we use to protect the privacy rights of individuals, and ensure that organisations comply with the Data Protection Act (DPA)," the watchdog said in a statement.

“We can only issue CMPs where strict criteria are met - where the breach has caused substantial damage or distress to individuals or has the potential to do so, and in instances where the organisation was, or should have been, aware of the risk of a breach and failed to take reasonable steps to prevent it. We will always consider a CMP whenever these criteria are met, regardless of the sector the organisation falls into."

"Effective regulation is about getting the best result in the public interest. There are several types of enforcement action we can take, all of which help drive compliance with the DPA. The course we choose will always depend on the circumstances of the individual case,” it said.

ViaSat has urged the watchdog to place greater scrutiny on the measures private sector businesses deploy to secure individuals' personal data.

"The ICO is definitely making a welcome effort to use its stick to enforce the law,” Chris McIntosh, chief executive of ViaSat UK, said in a statement. "However, since it can only act against self-reported breaches undoubtedly we are not seeing the full picture."

"While the ICO has shown great progress in ensuring the public sector regains control over data security practices, the private sector still has a relatively free rein," he said. "As the public increasingly trusts the private sector with its information we need to ensure this information is managed responsibly, especially as the private sector reported the most thefts of data or hardware in the past year. Nobody wants to deal with the consequences of further breaches like Sony’s loss of 77 million PlayStation Network customer account records."

The figures disclosed by the ICO reveal that data breaches in the NHS as a result of "no secure disposal" accounted for more than half the total number of breaches reported for the same reason.

More breaches of personal information as a result of lost data or hardware was reported to the ICO by NHS bodies than the entire private sector during the near-11 month period, according to the statistics disclosed to ViaSat.

Instances of personal data being disclosed in error were the most frequent form of data breach recorded with the ICO, with local Government bodies responsible for 88 cases out of a total of 281 during the period. Private firms reported 86 similar breaches.

Principles of the Data Protection Act (DPA) require, among other things, that organisations processing personal data do so fairly and lawfully and that they take "appropriate technical and organisational measures" to protect against "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

Since April 2010 the ICO has had the power to issue monetary notice penalties of up to £500,000 for serious data breaches of the DPA.

The ICO has levied 10 fines in since then and the watchdog said that on five occasions it had issued final penalties lower than those it had originally proposed. It revealed that information in response to a freedom of information (FOI) request by Out-Law.com.

In addition to the reduced fine issued in the ACS Law case, North Somerset Council was served with a £60,000 monetary penalty notice after the ICO had detailed its intent to fine the authority £100,000. The ICO originally proposed fining Powys and Midlothian Councils £150,000 but scaled the eventual punishments back to £130,000 and £140,000 respectively.

Employment services company A4e was also fined £60,000 - 20% less than the ICO had originally proposed.

The ICO has issued guidance on the procedures it follows when determining whether and how much to fine organisations. The guidance states that the watchdog will only impose a monetary penalty if it is "appropriate" to do so and at a level that is "reasonable and proportionate, given the particular facts of the case and the underlying objective in imposing the penalty".

Whether a penalty is reasonable and proportionate or even appropriate at all depends on "the particular facts and circumstances" of individual cases and the "representations" that organisations are permitted to make to explain the incident.

The ICO is obliged to write a notice of intent detailing the amount it proposes to fine organisations or individuals for serious breaches of the DPA and the reasons why. The notice must also set out the right of the body or person to make their representations in response. The ICO's guidance states that the representations can include "comment on the facts and views" of the Commissioner, "general remarks on the case" or details of their financial situation. The ability to pay is one of several factors that the ICO has said it considers when evaluating the level of penalty organisations should have to pay for breaching the DPA.

Following this stage the ICO reassesses the individual cases and serves a finalised monetary penalty notice, if it chooses to issue one, on the organisation or individual.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.