Analysis: Should the ICO wield the carrot or the stick?

Fines have been levied on councils that are already strapped for cash - but is fining the right approach?

In 2008, the Criminal Justice and Immigration Act gave the privacy watchdog, the Information Commissioner's Office (ICO), the power to fine organisations for breaches of the Data Protection Act.

These powers were enacted in April 2010, but the ICO didn't actually flex its new muscles until November 2010 when it fined employment services company A4e £60,000 for the loss of an unencrypted laptop containing the personal details of 24,000 people (this effectively values each individual's privacy at £2.50).

In the same month, the watchdog fined Hertfordshire County Council £100,000 after staff faxed confidential information to the wrong recipients.

In total, the ICO has issued just six fines, totalling £431,000. It is allowed by law to fine organisations up to £500,000 for each breach.

But of those fines issued, four have gone to local councils, all of which are struggling to make ends meet following budget cuts. The ICO's fines have therefore caused consternation in some quarters.

The need to incentivise organisations to be careful with private data is clear, but is removing cash from already overstretched budgets the best way to do it?

Surrey County Council received the ICO's largest fine to date in June this year (£120,000), for incorrectly addressing sensitive emails. Paul Brocklehurst, head of IT at the council, believes that the fine was unnecessary and unhelpful.

"Training and education is the best way to prevent data breaches," said Brocklehurst. "And we could have funded more of both if we hadn't been fined. We take data protection incredibly seriously and the fine hasn't really helped."

But the ICO believes that Surrey County Council has only itself to blame. A spokesperson for the ICO said: "The best way a public authority can protect taxpayers' money is by not being lax in the way it looks after personal information."

Other than fines, the ICO is able to issue undertakings, where an organisation commits to a course of action to improve its compliance, and enforcement notices, which can compel organisations to immediately stop actions leading to legal infringement.

Both of these require the ICO to work with the organisation concerned, helping it to improve its procedures. Brocklehurst believes this is preferable to a fine, and states that his staff do want to comply with the law.

"I'd rather the ICO had worked with us in a more intelligent way. They don't need to use this stick; people are responsible enough, and they understand how important that data is."

Despite this, he explains that Surrey County Council has made several changes to its staff education programme since the fine.

"We've looked at strengthening our working practices. The policy was correct in our case; it was getting everybody to follow the policy that was the challenge. We have about 8,000 staff here, and they don't always understand the full ramifications of IT security."

The council has begun a series of computer-based training courses and online quizzes to ensure staff understand the importance of data security, and included assessments of that understanding in regular appraisals by line managers.

It already had technology in place to support the data protection strategy, but the information it provides is now audited more regularly.

"We've increased the auditing and tracking checks on what emails are sent by staff," says Brocklehurst. "The technology was already in place, but we're reviewing the audit logs more often now, and targeting training where it's most needed."

Although he believes that the fine has impeded his efforts to ensure the organisation protects its data, Brocklehurst does concede that it works as a deterrent.

"There's never been a better time to avoid a fine. Our savings target is £270m over the next four years, so a fine of £120,000 was exactly what we didn't need."

The council is unlikely to make the same mistakes again.

Besides councils, NHS bodies have fallen foul of the ICO on numerous occasions, signing 22 undertakings since 2010. No NHS organisation has yet been fined by the ICO.

In fact, the ICO was so concerned about the frequency of data breaches across the NHS that in July this year Information Commissioner Christopher Graham announced that he was working with Connecting for Health to help health organisations comply with the Data Protection Act.

So why hasn't the NHS been fined in the way that several councils have?

A spokesperson from the ICO said: "A monetary penalty is only appropriate in the most serious situations.

"In order to impose a monetary penalty, the Commissioner must ensure the contravention meets the legal threshold as stated in the ICO's statutory guidance. At this stage no NHS organisations have fulfilled these criteria."

However, despite the lack of a financial penalty, the NHS appears to be taking the situation seriously. A spokesperson for the NHS said: "We fully support the Information Commissioner's call for improvements in local NHS practice in relation to preserving patient confidentiality. There is absolutely no excuse for breaches leading to the loss of sensitive and personal data."

The spokesperson added that further guidance will be provided to NHS bodies.

"We will shortly be providing NHS organisations with further guidance around their responsibilities in looking after and protecting information."

But considering the understandable unpopularity of fines, are there any other methods the ICO can use to deter breaches?

Information Commissioner Graham has asked for custodial sentencing to be added to his arsenal for enforcing privacy laws. An ICO spokesperson said: "The unlawful trade in personal information is not a victimless crime and the Information Commissioner has already called for the introduction of a custodial sentence for section 55 breaches of the Data Protection Act concerning the illicit obtaining and sale of personal information."