The Information Commissioner’s Office (ICO) has slashed fines for businesses which have breached data laws in half of the cases in which it has slapped a monetary penalty, according to a Freedom for Information request.
Since April 2010 the ICO has had the power to fine firms £500,000 for serious data breaches, and has issued 14 such notices with the highest fine to-date, including a record £140,000 fine on Midlothian Council.
In a response to an FOI request by Pinsent Masons relating to the first 10 of those cases the ICO said that on five occasions it had issued final penalties lower than it had originally proposed.
One fine for £200,000 – for controversial law firm ACS Law – was slashed to just £1,000 after the organisation claimed bankruptcy. But the average reduction in the other four – for North Somerset Council, Powys Council, Midlothian Council and A4e Limited – was 20%.
Pinsent Masons asked the ICO to disclose details of the representations all 10 organisations may have made to the watchdog in response to the proposed fines, but the ICO refused, claiming that the information was exempt from disclosure under the terms of the Freedom of Information Act.
This was because the ICO considers that disclosing the information “would, or would be likely to, prejudice the exercise by any public authority of its functions”. The watchdog said it had assessed whether there was an overriding public interest in disclosing the information anyway and that it had reviewed the “prejudice or harm that disclosure may cause, and its likelihood”.
