In November 2007, 25 million child benefit records were lost in
transit, provoking widespread media coverage of data breaches.
Since then, 711 organisations have reported security breaches to
the ICO, including 200 private sector firms and 209 NHS bodies,
according to the UK regulator.
Of the total breaches reported, 231 involved theft. The ICO
reported that it has taken action against 54 organisations for the
most reckless breaches. Several organisations have signed formal
undertakings to improve security.
Speaking at the annual conference of the National Association of
Data Protection Officers today, Deputy Information Commissioner
David Smith said: "Some of these breaches would trigger a
significant fine for organisations were they to occur after the
introduction of monetary penalties in 2010."
"We are keen to encourage organisations to achieve better data
protection compliance and we expect that the prospect of a
significant fine for reckless or deliberate data breaches will
focus minds at Board level," he said.
The ICO has limited powers. It can serve organisations with
Enforcement Notices and get chief executives to sign formal
Undertakings pledging future security improvements. To breach an
Enforcement Notice is a criminal offence, but the maximum fine at
present is £5,000.
New powers scheduled to come into force in 2010 will enable the
ICO to impose substantial monetary penalties on organisations where
there is evidence of a reckless or deliberate data protection
breach. The Ministry of Justice published a consultation this week
that proposes a maximum penalty of £500,000.
"The majority of organisations get data protection right, but
regrettably a significant minority of management teams are failing
to take data protection seriously enough," said Smith.
"Unacceptable amounts of data are being stolen, lost in transit or
mislaid by staff. Far too much personal data is still being
unnecessarily downloaded from secure servers on to unencrypted
laptops, USB sticks, and other portable media."
The ICO said in a statement today that it is also increasing its
auditing role to ensure greater compliance with the Data Protection
Act and new powers contained in the Coroners and Justice Bill would
give the ICO formal inspection powers across government.
The Department of Business, Innovation and Skills (BIS)
published a review (43-page PDF) of the ICO's activities last week.
It concluded that the "relationship between the ICO and the
Ministry of Justice (MOJ) appears to be less effective than it
could be."
BIS also said that the ICO's audit and inspection function lacks
documented or systematic processes. It added: "In addition to the
imminent new power to impose financial sanctions, the ICO could
give greater consideration to making use of other elements of the
expanded range of sanctioning options that will be available under
the Regulatory Enforcement and Sanctions Act 2008."
The ICO expects to gain the power to fine in early 2010.