ICO FoI response reveals massive rise in data breach fines


The Information Commissioner's Office (ICO) has stepped up its enforcement activities, by issuing double the number of data breach fines in 2012-2013 as it did in the previous 12 months.

This is according to data obtained via a Freedom of Information (FoI) request by digital comms vendor ViaSat.

The ICO issued 20 monetary penalties in 2012-2013 totalling £2.6 million, according to the figures. During the previous year, the organisation fined just nine organisations, generating £791,000 in the process.

During the past 12 months the ICO issued a record fine of £325,000 against an NHS Trust in Brighton for a data protection failure that allowed hard drives containing patient details to be sold on an internet auction site.

The apparent rise in the number of fines issued should go some way to appeasing data protection campaigners who have previously criticised the ICO for being too soft on those who breach the Data Protection Act.


The figures also revealed a year-on-year uptick in the number of self-reported breaches made to the ICO, which may partly explain why the organisation has issued more fines this year.

Between March 2012 and March 2013, 1,150 breaches were self-reported to the ICO, compared with only 730 between 22 March 2011 and 17 February 2012.

Chris McIntosh, chief executive of ViaSat UK, said it's pleasing to see the ICO make good on its promise to use both the "carrot and the stick" when enforcing the Data Protection Act.

"Not only has the number of monetary penalties increased year-on-year, but they have grown in size and been implemented across both the public and private sectors," he added.

ViaSat submitted a similar FoI request last year, prompting the firm to hit out at the ICO for being too lenient on private sector firms, after it emerged that nearly every fine handed out between March 2011 and February 2012 was levied against a public sector organisation.

However, this year's results revealed that four of the 20 fines the ICO doled out in 2012-2013 involved data protection lapses in the private sector, while the remainder were handed to local councils (eight fines) and NHS organisations (six fines).

Even so, McIntosh said the response to his firm's FoI request suggests more work needs to be done to educate users about data protection best practice.

"What is clear from these findings is that the human factor is still the primary cause behind data breaches...while the ICO can keep issuing undertakings and penalties, it is only widespread change in public awareness and expectations that will truly drive organisations to change," he added.

In a statement to IT Pro, the ICO said penalties and enforcement action are not all it does to safeguard the data of UK citizens.

"The guidance and support we offer, including the free audits and advisory visits we provide to organisations of all sectors and sizes, is designed to make sure that organisations avoid problems further down the line," the organisation said.

"This is why it is important that organisations don't bury their head in the sand but visit our website, read our guidance and ask for our help where required, to make sure they are on the right side of the law."

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.