Home » Topics » Data Protection & Privacy » Eight out of ten ICO fines in 2012 were for self-reported incidents

Eight out of ten ICO fines in 2012 were for self-reported incidents

Pete Swabeyby Pete Swabey

More than eight out of ten fines issued by the Information Commissioner's Office for data security breaches were for self-reported incidents, analysis by law firm Field Fisher Waterhouse has found. 

It was the ICO's "most prolific year" yet in terms of enforcement actions, the firm found. The watchdog issued 25 fines, up from seven in 2011. It sent three enforcement notes, ordering organisations to take some action in order to comply with the law, up from one in 2011. And it initiated six criminal cases, up from five in 2011.

Field Fisher Waterhouse found that 84% of fines were for incidents that the organisations themselves had reported, demonstrating that self-reporters "are not given immunity from enforcement", the firm noted.

In an email to Information Age, technology partner Stewart Room commented that this may deter organisations from owning up to data breaches. "The likelihood is that many controllers will be deterred from coming forward due to fear of fines and the absence of positive incentives," he wrote.

"My personal view is that organisations who come forward should be treated similarly to those who undergo audit," he added. "They should receive an immunity from fines, provided that they comply with reasonable requests from ICO for remedial actions and they act in continued good faith in the relationship with ICO, being cooperative and transparent at all times."

Public sector organisations received 80% of the fines, with local authorities accounting for 60%, Field Fisher Waterhouse noted. 

Room believes this reflects the fact that businesses to not feel obliged to report incidents themselves. "Most [private sector organisations] do not perceive that they should be voluntarily reporting incidents, whereas the public sector is working (quite properly in my view) to heightened levels of transparency," he commented.  

"However, its clear that ICO enforcement is not a one way street and that the private sector is being more caught up within financial penalties."

Last week, the House of Commons justice committee warned if the European Commission's proposed data protection reforms are ratified, the ICO may face a £43 million budget shortfall. 

The data watchdog receives most of its funding from notification fees, which businesses pay to register under the Data Protection Act, but these are to be scrapped under the proposed reforms. 

Meanwhile, the new data laws would lead to more investigations and data controllers would require more support from the ICO. 

The committee's report was a "worst case scenario", information commissioner Christopher Graham wrote in response. 

Pete Swabey

Pete Swabey

Pete was Editor of Information Age and head of technology research for Vitesse Media plc from 2005 to 2013, before moving on to be Senior Editor and then Editorial Director at The Economist Intelligence...

Related Topics

Data Breach

Related Stories

Data Protection & Privacy

The future of private AI: open source vs closed source

As regulation of artificial intelligence evolves, the future of AI could be private in nature - here's how adoption of open and close source capabilities would compare

Blockchain

How fully homomorphic encryption can solve blockchain’s privacy problem

Jason Delabays explains how fully homomorphic encryption can help businesses innovating with blockchain ensure privacy long-term.

Data Protection & Privacy

Combining Qumulo integration with open source backup software

Software development automation platform Yuzuy has been looking to drive value from integration with Qumulo and customer partnerships

Data Protection & Privacy

Class action lawsuit filed against OpenAI over “stolen private information”

OpenAI, developer of ChatGPT, has been hit with a class action lawsuit alleging misappropriation of personal data scraped from the web