ICO admits it's hard to punish public data offenders

The Information Commissioner's Office (ICO) promises to use its tougher new powers to protect private data, but admits it's hard to punish public bodies.

Speaking at a Westminster eForum event about online privacy, assistant commissioner Jonathan Bamford said the ICO prefers to encourage compliance rather than punish those who don't comply.

"We prefer carrot to sticks, but our powers have been increasing in strength," Bamford said.

But he added: "I have to admit, the stick we've had for many years is a very small stick."

Bamford said it's now possible to file criminal charges following data breaches, and said later this year the ICO will be able to dole out fines, in the same way the Financial Services Authority (FSA) can. The FSA famously fined Nationwide nearly £1 million after it lost a laptop.

"The Information Commissioner will have those powers and we will use them," Bamford said.

That said, he noted that it's hard to unleash severe punishments on public bodies, especially when they've admitted their mistakes. "We're a prosecuting authority, but we have to act fairly," he explained, adding: "Do you punish them by going for legal action when they've put their hands up?"

Keeping up with tech

The punishments need to be strong because technology's increasing ability to share information is leading to bigger risks and regulation isn't keeping up. Referencing HMRC's massive data breach in 2007, he said: "Try losing 25 million paper records."

Bamford laid out other problems his office now faces. The internet means information spreads more easily, but at the same time it also ensures it sticks around for longer. "Are you forever Google-able?" he pondered.

He also noted that data doesn't stop at borders anymore, adding that the move to cloud computing will only exacerbate the problem of which country has jurisdiction.

Another problem Bamford sees is social networking. "Now we have a generation of people who are quite careless with information, who don't take care of it the way previous generations had," he said, although it's certainly hard to agree after HMRC that the current generation is caring for data particularly well.

Government databases

While he called out the government for responding to every problem by creating a database, he said that the government doesn't really have much more data on us than it used to. It may seem that way, but it's only on a superficial level.

"We've got too much of it [data], it's poor quality," he said, adding that making bigger databases won't help anyone. "If you're looking for a needle in a haystack, it's a bit daft to keep building a bigger haystack."