Home : Public Sector : News

InfoSec 2011: ICO wants larger fining powers

UPDATED: Deputy commissioner David Smith says, ideally, the ICO would like bigger fining powers.

By Tom Brewster, 20 Apr 2011 at 11:30

The Information Commissioner’s Office (ICO) would like fining powers above its £500,000 cap, a senior figure from the privacy watchdog has admitted today.

Deputy commissioner David Smith said if the need to fine companies over £500,000 arises, the ICO will ask the Government for the ability to issue higher monetary penalties.

“Ideally, we would like a higher level of penalties,” Smith told IT PRO at the InfoSecurity 2011 conference, taking place in London today.

“We think what we’ve got has met the needs of the cases we’ve had so far and if it fails to deliver a drive to the protection of personal information then we’ll go to the Government to ask for it to be increased."

He admitted a £500,000 fine on a large company such as Google, which the ICO investigated for the Street View breach of the Data Protection Act, would not damage its finances.

“For big, multinational businesses, it’s not necessarily going to have a huge financial impact on that business,” Smith said.

He claimed reputation was the key driver for businesses when it came to data protection.

A false report?

Earlier today it emerged the ICO had fined less than one per cent of all cases since 6 April 2010. The report came from a freedom of information (FoI) request put forward by encryption firm ViaSat.

Just 36 out of 2,565 data breaches were acted on by the ICO and only four cases resulted in monetary fines, the report claimed.

However, Smith told delegates at InfoSecurity 2011 the figures from the report were false, claiming there had not been so many breaches reported to the ICO.

Around 1,500 cases had been explored since November 2007 and this year 600 had been reported, Smith said, adding the ICO was “disappointed” by the reports.

“We’re happy with the number of enforcement actions we have taken,” he added.

UPDATED: An ICO spokesperson has sought to clear up the confusion surrounding the above figures.

“While it is true that since 6 April 2010 the ICO has concluded that in 2,565 cases compliance with the Data Protection Act was unlikely, the figure for self reported security breaches – where information has been disclosed or lost – is far lower," the spokesperson said.

"During the last financial year, the ICO received some 603 self reported security breaches. These vary from minor administrative errors where enforcement action would not be appropriate to serious data losses which led to the ICO imposing a monetary penalty."