The Information Commissioner’s Office (ICO) has only imposed financial penalties on four of the data breaches that occurred over the last year, a Freedom of Information (FOI) request has revealed.
The figures, uncovered by encryption company ViaSat, show that despite having the power to fine organisations since 6 April 2010, the information watchdog only took action against 36 of the more than 2,500 possible Data Protection Act (DPA) breaches reported to it, and fined only four organisations.
The figures were released as the ICO revealed that NHS Birmingham East and North breached the DPA by not having adequate measures in place to secure confidential files stored on a shared IT network.
Despite having the power to enforce a maximum penalty of £500,000 for a single breach, the ICO has so far fined only four organisations, a total of £310,000.
Hertfordshire County Council received the heaviest penalty of £100,000 in November 2010, after it faxed details of a child abuse case to a member of the public. It had won an IT excellence award just the previous month.
Chris McIntosh, ViaSat’s chief executive, said: “The ICO has stated that the embarrassment and poor image of a fine will act as a deterrent and an incentive to improve an organisation’s grasp of the Data Protection Act. However, if fines are rare and well below the maximum allowed limit, their value as a deterrent drops.”
However, a spokesperson for the ICO said that getting organisations to comply with the DPA was not always best achieved through financial penalties.
“The action we will take depends entirely on the details of each individual case. The existence of civil monetary penalties has had a markedly beneficial effect on compliance generally. The big stick is there, but doesn’t need to be deployed all the time to have an effect.
“Good regulation is about getting the best result in the public interest. For a monetary penalty to be served the Information Commissioner has to satisfy a strict set of criteria including that the breach could have caused substantial damage or substantial distress to individuals and that the organisation knew, or ought to have known, that there was a risk that a breach may occur. We will always consider the imposition of a monetary penalty where these criteria are met,” the ICO said.