Data security is clearly important, but evidence is mounting that local authorities and the wider public sector are paying out too much in fines.
Since April 2010 the Information Commissioner's Office (ICO) has had the power to impose monetary penalties of up to £500,000 for serious contraventions of the Data Protection Act 1998.
From June 2013 to April 2015, 28 penalties were issued by the ICO. Of these, 14 were against publicly funded organisations. Local councils received five out of the 28 penalties.
The average fine against public bodies was £122,000; the average penalty against private companies was significantly less. To take just one example, in June 2013 Glasgow City Council received a penalty of £150,000 after unencrypted laptops were stolen during an office refurbishment.
Doubtless, the ICO has its reasons for imposing every one of its fines but are the levels of these fines truly just and in the public interest?
Remember that these are not compensation payments: the money goes to HM Treasury, and the people whose information was lost get nothing. Compared with other regulatory penalties, the amounts involved are significantly higher. For example, the sentencing guideline for health and safety offences causing a death said that the fine should seldom be less than £100,000. Is it worse to fail to encrypt a laptop or lose a DVD than to kill somebody?
There is a practical aspect too. Voluntary notification is the most common way the ICO learns of breaches, and councils and other public bodies are more likely to self-report. Is the ICO simply going after low-hanging fruit?
Do the fines actually help with the one thing they were intended for: lowering the number of data protection failures? If the ICO wants to see real investment in information security, the money paid out in fines might be better spent on improving the systems and procedures that prevent future problems. Simple adjustments could make the system much fairer. For example, a significant reduction in the penalty could be made contingent on demonstrating that data-handling processes had been improved, such as encrypting every portable device that holds personal data.
In the meantime, the fines may only get higher under the proposed new EU Data Protection Regulation, which would allow fines of up to 2% of annual worldwide turnover or €1m, and higher still if the European Parliament gets its way. But at present we seem to be robbing Peter to pay Paul, taking money from one cash-strapped public body and handing it to the Treasury rather than adopting a smarter system of data protection controls.
Andrew Katzen, partner, Ruth Barber, solicitor; both at Hickman & Rose