Only 1% of data losses punished

Information Commissioner Christopher Graham’s claim that a fine from his office will be the “Mark of Cain” has been exposed as a hollow threat after it was revealed that just 1 per cent of all data breaches have been punished since the regulator was given greater powers last year.
The ICO was given the right to fine companies up to £500,000 in January 2010, and a wider remit in April 2010.
But according to figures released under the Freedom of Information Act (FOI), of the 2,565 data breaches recorded since April 2010, only 36 have resulted in a punishment, with just four resulting in a fine.
About 80 per cent of punishments have gone to public sector bodies, although the majority of actual breaches (59 per cent) were from the private sector, according to the findings of an FOI application submitted by data encryption company ViaSat.
Chris McIntosh, the chief executive of ViaSat UK, said: “The ICO has stated that the private sector has a worse grasp of the Data Protection Act than the public. However, the ICO’s actions so far do not seem to encourage any improvement.
“For example, other organisations can easily look at the £60,000 penalty meted out to employment services firm A4e, its size compared to the company’s £145m turnover, its rarity and the fact that A4e is still receiving plenty of business, from the Government no less, and feel that the risk of ICO action is one they are prepared to take.”
The ICO was given the power to fine companies in breach of the Data Protection Act up to £500,000 in January 2010.
But the first fines were not handed down until November, when Hertfordshire County Council and A4e were ordered to pay £100,000 and £60,000 respectively. In February, Ealing Council and Hounslow Council were also fined £80,000 and £70,000 respectively.
