18 Mar 2010, Martin Courtney, Computing
http://www.computing.co.uk/ctg/analysis/1835680/is-watchdog-pounce
The UK’s privacy watchdog is likely to use the full force of its new powers to penalise organisations for data loss in the next few months to set an example to others, according to compliance experts.
Alan Calder, director at data security consultancy ITgovernance, expects the Information Commissioner’s Office (ICO) to pursue a small number of high-profile cases concerning breaches of the Data Protection Act (DPA) in the spring and summer, and issue fines of up to £500,000 where appropriate.
“The new legislation gives the ICO the power to issue about 25 fines a year. Our sense is that it is looking forward to the first three or four, because it wants to make the point that [organisations found in breach of the legislation] will be penalised for losing laptops or USB sticks or having their networks hacked,” he said.
The power to issue those fines, to be levied where a serious breach of the DPA is judged to be either deliberate or the result of a failure to take reasonable steps to stop a foreseeable breach, does not come into force until 6 April.
Nobody from the ICO was available for comment, but a spokesman said he doubted that Information Commissioner Christopher Graham would go out of his way to deliberately target any organisation.
“The ICO would not make an example of an organisation for the sake of making an example, it would be done on a case-by-case basis,” he said.
While there is still no legal obligation for company data controllers themselves to report breaches to the ICO, third parties can appeal to the Information Commissioner when they feel data loss has occurred.
But whereas public sector organisations came under real pressure to disclose data losses following the high-profile HMRC breach in 2007, which saw 25 million Child Benefit records lost, the same is not true for organisations in the private sector.
“The greater percentage of breaches reported have been in the public, rather than the private, sector, which on balance probably continues to brush things under the carpet,” said Calder.
Mike Jones, principal security product marketing manager at security software vendor Symantec, said even now many IT managers simply inform senior management of the potential consequences associated with data loss, rather than take concrete steps to satisfy ICO requirements.
“Data loss prevention technology is no longer a ‘nice to have’ but a requirement,” he said. “The government has been most affected by breaches to date but experience has shown that commercial organisations of all sizes have suffered losses.”
Some view the prospect of one government department fining another honest enough to admit to its mistake as risible. Regardless, the ICO has intimated that financial penalties will be more severe where an organisation has been investigated and found to be in breach of the DPA, rather than admitted to data loss in the first place.
Calder said the maximum £500,000 penalty may not be big enough to force organisations to tighten up their data management, especially those in the financial sector. But he also pointed out that a resultant loss of customer and business partner trust in a company found to be in breach might tip the balance.
“Banks can afford to pay the fine and have a cynical attitude to regulation, meaning few have any real concerns about looking after personal data consistently,” Calder said.
“But every breach makes it onto the ICO web site and ordinary people do care, so companies with a reputation for looking after personal data will be recognised as better companies to do business with,” he added.
Reader comments
© Incisive Media Investments Limited 2012, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093
Quick path for compliance with Prevensys
Why take risks, when achieving compliance with Data Loss Prevention requirements is so simple now?
Posted by: DLP Guru 19 Mar 2010