Deputy Information Commissioner David Smith has told Computing that, while he does not dispute the accuracy of figures to suggest a 1,000 per cent rise in UK public and private sector data breaches in the past five years, he is unsure they "reflect the position" of serious data leaks.
Commenting on figures unearthed through an FOI request that 207 serious NHS breaches were reported to the Information Commissioner's Office (ICO) in 2011, Smith said: "It's not that those figures aren't reliable, but I'm not sure they really reflect the position. I don't think you can necessarily say that the fact we've got more reports means there are more breaches. It's just that awareness of the need to report it [has increased]."
Smith, who was speaking at Gartner's 13th Security and Risk Management Summit in London yesterday, said that the power granted to the ICO in 2010 to impose fines on organisations that allowed data to be leaked provided "more of an incentive to report now than there was".
Computing challenged Smith on the question of fines back in January 2012, when Brighton and Sussex General Hospital was hit with a £375,000 fine for allowing hard drives containing highly confidential patient sexual health data to end up on eBay. We pointed out to him that the hospital felt that paying the fine would reduce its ability to provide adequate patient health care. Smith, however, remains adamant that fines have a role to play in ensuring organisations take their data security obligations seriously.
"[Fines] are a good idea," said Smith. "If you look back at where this all came from, it came from government data breaches – public sector data breaches were the reason we were given these powers. The idea we shouldn't impose these fines on public sector bodies is just going against the whole intention of the legislation."
Smith added: "It's up to organisations how they find the money – Brighton and Sussex did pay the fine, despite all these protestations, and it's a tiny fraction of a percentage of their total money, and they have all sorts of ways to pay.
"You could argue that paying the chief executive a bonus every year detracts from patient care, because they could have spent that on patients. It's for them to balance their business. And it does send a message about accountability; someone there is responsible for this – not just for the loss of data, but also the loss of money to this organisation. There's no other effective mechanism."
In his speech to the summit, Smith revealed that the ICO "has been pushing for custodial sentences for some time now, but the government is resisting"; however, he conceded that incarceration would be difficult to implement in many data breach cases.
"You can't jail an organisation," said Smith. "And when these are organisational failures, it's very hard to say that one person in the organisation was so responsible for this failure that they're criminally liable. [A custodial sentence requires] proof beyond all reasonable doubt, whereas here we're talking about balance of probabilities."