ICO blasts businesses for data breach record
The private sector needs to be more open to audits, the ICO says, after businesses are found to have a comparatively poor data breach record.
Private companies reported more data breaches in 2010/11 than any other sector, according to the Information Commissioner's Office (ICO).
Of the 603 data breaches reported to the ICO in 2010/11, 186 were from the private sector, the watchdog's annual report showed.
Information commissioner Christopher Graham called on more businesses to offer themselves up for data protection audits. Only 19 per cent of private firms contacted the ICO for an audit in the last year.
"Lenders, general businesses and direct marketing companies account for almost a third of total complaints to the ICO, and businesses were the top sector for reporting data security breaches to us last year," Graham said.
"Despite this, many of them are still resisting our offer to undergo audits. We've written to organisations we consider to be high risk but the response has been disappointing."
Where are the fines?
Talking of disappointment, some have questioned the ICO's response to private sector data security practices.
Last year, the ICO was lambasted for not taking stronger action against Google, although the regulator said it was powerless to act on the search giant due to timing issues.
The ICO was only handed the power to fine companies up to £500,000 in April 2010, after Google had already collected the data during its Street View rounds in the UK.
Stewart Room, partner in Field Fisher Waterhouse's Privacy and Information Law Group, said the annual report raised "some very interesting questions."
In particular, Room wondered why almost a third of security breaches reported to ICO occurred in the private sector, yet only a quarter of all financial penalties were imposed on businesses.
"The impression is being given that ICO will take tough action against relatively weak opposition, but may not be willing to fight tougher battles," Room told IT Pro.
"Another interesting question is why only four fines, when there have been over 600 reported incidents?"
The ICO said it only handed out fines where necessary, regardless of whether the firm was public or private.
"The ICO applies the same published criteria to all cases where we believe that a monetary penalty might be appropriate," a spokesperson said.
"We do not distinguish between the public and private sectors when following this guidance."
Earlier this month, the ICO found five NHS bodies in breach of the Data Protection Act. The NHS has repeatedly been found to have breached the Act, yet no fines have been handed out.
The ICO spokesperson said the body was not afraid of hitting the NHS with a fine, if it were deemed suitable.
"The ICO is currently investigating a number of data breaches that involve organisations within the NHS," the spokesperson added.
"If the situation merits it, we will not hesitate to issue a civil monetary penalty against an organisation within the NHS."
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.