ICO insists its policy on fines is not biased against public sector

'I certainly wouldn't suggest people have been let off' says ICO tech group manager Rice

The Information Commissioner's Office (ICO) insists it does not discriminate between private and public sector firms when deciding on data breach fines, and says that nobody has been "let off" fines since it was given the power to sting culprits for up to £500,000 in late 2010.

"I think there's certainly no discrepancy on our part, favouritism or thoughts like that in any way; I certainly wouldn't suggest people have been ‘let off'," the ICO's group manager of technology, Simon Rice, told Computing.

Speaking at a Westminster eForum on mobile and remote working this week, Rice also commented specifically on Google, who the ICO decided not to fine after it was caught gathering personal data during its street mapping projects.

"They were found out to have broken the Data Protection Act," admitted Rice, but stated as a comparison that "by its very nature, the public sector processes more sensitive data than the majority of the private sector, and our framework says that the penalty must be for the most serious cases - that you can only fine in the most serious cases."

Rice insisted that Google had not been "let off", but implied that though the company was guilty of a breach, the seriousness did not compare to many public sector breaches.

"It's unfortunate that the private sector aren't very open about notifying about breaches in a voluntary process," said Rice.

"It's a factor of a number of things, but certainly not favouritism. But having said that, we now publish a summary [of companies fined], which is showing the private sector is coming out better in protecting against breaches."

However, Rice said all organisations needed to do more to protect data held on mobile devices, including greater use of encryption.

Paul Graham, a partner at law firm Field Fisher Waterhouse, said informing the ICO of a breach should not be the victim's first priority.

"The first thing you should be doing is making sure you contain that breach and remedy it," said Graham.

"So if you're looking at these issues purely on the basis of ‘will I get a penalty notice against me' your first instinct might be to notify the ICO of the breach. That might not be the right thing to do.

"The first course of action is to try and remedy the breach and contain it, and then look at your obligations."