ICO FoI response reveals massive rise in data breach fines

FoI request flags year-on-year rise in ICO data breach fines and reports.


The Information Commissioner's Office (ICO) has stepped up its enforcement activities, issuing twice as many data breach fines in 2012-2013 as it did in the previous 12 months.

This is according to data obtained via a Freedom of Information (FoI) request by digital comms vendor ViaSat.

The ICO issued 20 monetary penalties in 2012-2013 totalling £2.6 million, according to the figures. During the previous year, the organisation fined just nine organisations, generating £791,000 in the process.


During the past 12 months the ICO issued a record fine of £325,000 against an NHS Trust in Brighton for a data protection failure that allowed hard drives containing patient details to be sold on an internet auction site.

The apparent rise in the number of fines issued should go some way to appeasing data protection campaigners who have previously hit out at the ICO for being too soft on people who breach the Data Protection Act.


The figures also revealed a year-on-year uptick in the number of self-reported breaches made to the ICO, which may partly explain why the organisation has issued more fines this year.

Between March 2012 and March 2013, there were 1,150 self-reported breaches made to the ICO, compared with only 730 between 22 March 2011 and 17 February 2012.


Chris McIntosh, chief executive of ViaSat UK, said it's pleasing to see the ICO make good on its promise to use both the "carrot and the stick" when enforcing the Data Protection Act.


"Not only has the number of monetary penalties increased year-on-year, but they have grown in size and been implemented across both the public and private sectors," he added.

ViaSat submitted a similar FoI request last year, prompting the firm to hit out at the ICO for being too lenient on private sector firms, after it emerged that nearly every fine handed out between March 2011 and February 2012 was levied against a public sector organisation.

However, this year's results revealed that four out of the 20 fines the ICO doled out in 2012-2013 involved data protection lapses in the private sector, while the remainder were handed to local councils (eight fines) and NHS organisations (six fines).

Even so, McIntosh said the response to his firm's FoI request suggests more work needs to be done to educate users about data protection best practice.

"What is clear from these findings is that the human factor is still the primary cause behind data breaches... while the ICO can keep issuing undertakings and penalties, it is only widespread change in public awareness and expectations that will truly drive organisations to change," he added.


In a statement to IT Pro, the ICO said penalties and enforcement action are not all it does to safeguard the data of UK citizens.

"The guidance and support we offer, including the free audits and advisory visits we provide to organisations of all sectors and sizes, is designed to make sure that organisations avoid problems further down the line," the organisation said.

"This is why it is important that organisations don't bury their head in the sand but visit our website, read our guidance and ask for our help where required, to make sure they are on the right side of the law."
