ICO blasts businesses for data breach record

Sensitive data

Private companies reported more data breaches in 2010/11 than any other sector, according to the Information Commissioner's Office (ICO).

Of the 603 data breaches reported to the ICO in 2010/11, 186 were from the private sector, the watchdog's annual report showed.

Information commissioner Christopher Graham called on more businesses to offer themselves up for data protection audits. Only 19 per cent of private firms contacted the ICO for an audit in the last year.

"Lenders, general businesses and direct marketing companies account for almost a third of total complaints to the ICO, and businesses were the top sector for reporting data security breaches to us last year," Graham said.

"Despite this, many of them are still resisting our offer to undergo audits. We've written to organisations we consider to be high risk but the response has been disappointing."

Where are the fines?

Talking of disappointment, some have questioned the ICO's response to private sector data security practices.

Last year, the ICO was lambasted for not taking stronger action against Google, although the regulator said it was powerless to act on the search giant due to timing issues.

The ICO was handed the ability to fine companies up to 500,000 in April 2010 after Google collected data during its Street View rounds in the UK.

Stewart Room, partner in Field Fisher Waterhouse's Privacy and Information Law Group, said the annual report raised "some very interesting questions."

In particular, Room wondered why almost a third of security breaches reported to ICO occurred in the private sector, yet only a quarter of all financial penalties were imposed on businesses.

"The impression is being given that ICO will take tough action against relatively weak opposition, but may not be willing to fight tougher battles," Room told IT Pro.

"Another interesting question is why only four fines, when there have been over 600 reported incidents?"

The ICO said it only handed out fines where necessary, regardless of whether the firm was public or private.

"The ICO applies the same published criteria to all cases where we believe that a monetary penalty might be appropriate," a spokesperson said.

"We do not distinguish between the public and private sectors when following this guidance."

Earlier this month, the ICO found five NHS bodies in breach of the Data Protection Act. The public body has been repeatedly caught out in breaking the Act, yet no fines have been handed out.

The ICO spokesperson said the body was not afraid of hitting the NHS with a fine, if it were deemed suitable.

"The ICO is currently investigating a number of data breaches that involve organisations within the NHS," the spokesperson added.

"If the situation merits it, we will not hesitate to issue a civil monetary penalty against an organisation within the NHS."

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.