Your browser is no longer supported

For the best possible experience using our website we recommend you upgrade to a newer version or another browser.

Your browser appears to have cookies disabled. For the best experience of this website, please enable cookies in your browser

We'll assume we have your consent to use cookies, for example so you won't need to log in each time you visit our site.
Learn more

Data protection penalties on local authorities rob Peter to pay Paul

  • Comment

Data security is clearly important but evidence is mounting that local authorities and the wider public sector are paying out too much in fines.

Since 2010 the Information Commissioner’s Office has had the power to issue fines of up to £500,000 for serious contravention of the Data Protection Act.

From June 2013 to April 2015, 28 penalties were issued by the ICO. Of these, 14 were against publicly funded organisations. Local councils received five out of the 28 penalties.

The average fine against public bodies was £122,000; the average penalty against private companies significantly less. To take just one example, in June 2013 Glasgow City Council received a penalty of £150,000 following the theft of unencrypted laptops during an office refurbishment.

Doubtless, the ICO has its reasons for imposing every one of its fines but are the levels of these fines truly just and in the public interest?

Remember that these are not compensation payments. The money goes to HM Treasury. The people whose information was lost get nothing. Comparing the data protection regime to other regulatory penalties, we see that the amounts involved are significantly higher. For example, the sentencing guidance for health and safety offences gave a guideline of £100,000 as a penalty for offences involving a death. Is it worse to fail to encrypt a laptop or lose a DVD than to kill somebody?

There is the practical aspect too. Voluntary notification is the most common way that the ICO learns of breaches. Councils and other public bodies are more likely to self-report, so is the ICO just going after low-hanging fruit?

Do the fines actually help with the one thing they were intended for: lowering the number of data protection failures? If the ICO wants to see real investment in information security, surely the money paid out in fines might be better spent on improving system and procedures to prevent future problems. Simple adjustments could make the system much fairer. For example, a significant reduction in penalties could be contingent upon demonstrating that processes for handling data had been improved.

In the meantime, the fines may just get higher given proposals for a new EU Data Protection Regulation. These could raise fines of up to 2% of turnover or €1m, or even higher if the European Parliament gets its way. But at present we seem to be robbing Peter to pay Paul, taking money away from one cash-strapped government department and giving it back to the Treasury rather than adopting a smarter system of data protection controls.

Andrew Katzen, partner, Ruth Barber, solicitor; both at Hickman & Rose



  • Comment

Have your say

You must sign in to make a comment

Please remember that the submission of any material is governed by our Terms and Conditions and by submitting material you confirm your agreement to these Terms and Conditions.

Links may be included in your comments but HTML is not permitted.