Breach of the data protection peace

Features
By Adrian Bridgwater
published

With the ICO rarely fining for breaches of the Data Protection Act, are businesses breaking rules as they can get away with it or is the ICO bringing about some other type of corporate telling off?

So the ICO's figures look worrying and the industry is talking up' a data compliance tsunami, but have we overlooked any fundamental facts? Yes, the number of companies handed monetary fines is low, but we must remember a financial penalty is not the only regulatory power at the ICO's disposal to bring about compliance.

"Our focus as a regulator is on getting bodies to comply with the Data Protection Act," said an ICO spokesperson. "This isn't always best achieved by issuing organisations or businesses with monetary penalties."

"The action we will take depends entirely on the details of each individual case. The existence of civil monetary penalties has had a markedly beneficial effect on compliance generally."

Speaking to the organisation's press office, it appears the ICO has been in direct contact with most, if not all firms, that have acted improperly. Carrying out what it calls "informal resolutions," the ICO seems to have established its own subjectively calibrated barometer for determining which cases impinge upon data rulings enough to support the case for action.

Is it time for a re-calibration of its definition of serious?

But the ICO says it only penalises what it calls serious breaches,' so is it time for a re-calibration of its definition of serious?

"Good regulation is about getting the best result in the public interest," said the ICO. "For a monetary penalty to be served, the Information Commissioner has to satisfy a strict set of criteria, which is set out in the Statutory Guidance."

"This guidance has been approved by the Secretary of State and laid before Parliament. It makes it clear that the Information Commissioner may impose a monetary penalty notice if a data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress."

The ICO has further clarified, in addition, the contravention must either have been deliberate or the data controller must have known or ought to have known there was a risk it would occur and failed to take reasonable steps to prevent it.

"We will always consider the imposition of a monetary penalty where these criteria are met," said the ICO.

Adrian Bridgwater