InfoSec 2011: ICO hits back at critical report

Watchdog says low number of fines does not mean offenders are getting off lightly

The Information Commissioner's Office (ICO) has defended itself against a report released today criticising it for issuing fines for less than one per cent of 2,565 reported data breaches.

The ICO was given powers to enforce financial penalties in April 2010.

David Smith, deputy commissioner and director of data protection at the ICO, who was talking at security tradeshow Infosec, said he was very unhappy with the report.

"The figures quoted are quite inaccurate," said Smith.

It appears that the information presented by security and communications company ViaSat, which released the report, has been misinterpreted, with the 2,565 figure actually referring to data compliance issues, which can include information being stored incorrectly. The ICO has actually only looked into 603 data breaches in the past 12 months, four of which led to a fine.

The data was provided by the ICO as a result of a freedom of information request.

Smith also insisted that he was satisfied with the number of penalties that had been enforced, and indicated that "there will be more" but that other enforcement measures have been sufficient.

"This year we have had 603 breaches reported to us, which so far have resulted in four monetary penalties," he said.

"Many of the reported breaches have resulted in undertakings being made.

"In addition, many of them have resulted in the organisation taking measures to comply with the law, which we deemed satisfactory, and don't warrant an undertaking or any publicity."

Smith went on to reveal that there are currently 20 cases under investigation for possible penalties, which are likely to be resolved this year.