Businesses Consider Abusing ICO Data Breach Fine ‘Loophole’

Organisations have considered using a “loophole” to avoid data breach fines – by asking the privacy regulator, the Information Commissioner’s Office (ICO), to audit them when they already know personal data has been lost or stolen.

The UK privacy watchdog has promised not to fine any company for breaches of the Data Protection Act that are discovered during a voluntary audit. It appears that no matter how badly a company has performed, if the poor practice comes to light during an audit, the perpetrator won’t have to pay up.

TechWeekEurope has learnt that some companies are considering keeping quiet about breaches, and deleting data trails suggesting they knew about those breaches, before going to the ICO for an audit. That way, offenders sweep the issue under the rug, so it won’t rear its ugly head at a later date and they will not receive a fine, according to a member of the legal community who wished to remain anonymous.

The source said it would not be too tricky to hide the data trail which could show the audited company knew of the breach before it asked for an audit.

If a company takes a more honest approach, comes clean and reports a specific data breach to the ICO, it is still in line for a fine. This is what happened in the case of Brighton and Sussex University Hospitals NHS Trust, which received the biggest monetary penalty handed out by the regulator, £325,000, earlier this year after it reported a data breach to the regulator.

The Trust was incensed by the ICO’s actions and launched an appeal, claiming the ICO had itself suggested the case was not worthy of a fine.

The ICO believes it will be able to catch those companies who try to trick it by hiding any evidence that they knew of a data breach. The majority of fines handed out by the ICO to date have come after an organisation confessed to a specific breach.

Breaking data breach rules

But members of the security community, as well as lawyers, are deeply concerned about the loophole’s potential impact on compliance, and the negative consequences of the regulator’s promise.

“The move of the ICO to selectively remove fines based on completed audits could lead to more covert reporting of incidents,” warned Carl Blackett, ICT security architect at Norfolk County Council, who said that he was speaking from a personal point of view and that his comments did not reflect the position of his employer.

“Any change which would encourage organisations to ‘hide’ incidents without the risk of a fine being imposed following an audit could lead to an increase in this practice.”

Blackett was concerned that the vital practice of data breach notification, and its deterrent effect, could be undermined as a result of the loophole. “Without this public notification, several bodies could lose valuable advice to prevent data loss.”

He said data breach notification should not solely be about fines, it should point out areas of bad practice that need to be addressed and rectified to prevent re-occurrence both within the offending organisation and amongst others.

“An organisation that the ICO targets for a compulsory assessment or a consensual audit because they are perceived to be a data handling or privacy risk is exposed to a less serious regulatory outcome (no fine) than the one that the ICO aren’t targeting, but that ‘comes clean’ after a problem is discovered,” added Stewart Room, data protection lawyer and partner in Field Fisher Waterhouse’s Privacy and Information Law Group.

“The one who is most transparent is the only one who is subject to fine… it seems to me that there is a genuine issue here.”

Currently, the ICO can only force audits on central government departments, but is hoping to be able to do the same with local councils and NHS bodies. It is not pushing for the same with private businesses.

However, the regulator can and does approach all kinds of organisations to recommend they take part in an audit, especially if the ICO has concerns about their practices.

Them’s fighting words

The potential for abusing the loophole came to light during a Westminster eForum event last week, when information commissioner Christopher Graham and Room took each other to task on the topic.

Graham, who was keen to point out a Freedom of Information (FOI) request that showed Room’s practice was paid £168,259.59 by Brighton and Sussex University Hospitals NHS Trust in its unsuccessful appeal of the fine, said the ICO would come down hard on any companies abusing the audit process to avoid a fine.

“If we discover duplicity, that there was a breach that you knew about and didn’t report then you’re in deep trouble. There are no games to be played,” Graham told TechWeekEurope. He suggested Room only brought up the issues with the process as he “was doing what lawyers do, and he is going to lose”.

A number of notable organisations have been the subject of an ICO audit, including Google, which let the regulator in after the Wi-Spy saga erupted in 2010, when the tech giant collected personal information from unprotected Wi-Fi networks while its Street View cars were gathering image data. A second consensual audit took place in September 2012.


In the Brighton case, the NHS Trust gave up the ghost on its appeal in June, when its fine was reduced to £260,000, and it paid up.

Other bodies remain unhappy at how they have been treated by the ICO, however, and are appealing fines. TechWeekEurope understands the Scottish Borders Council, which was told to pay out £250,000 after an outsourcer left sensitive files in a recycle bank, is appealing.

A separate, as yet unnamed, NHS body is also set for a tribunal next month to fight its monetary penalty. Room will be representing that organisation.


Thomas Brewster

Tom Brewster is TechWeekEurope’s Security Correspondent. He was also named BT Information Security Journalist of the Year in 2012 and 2013.

Comments

  • It's all very well for Christopher Graham to get upset with Stewart Room for being a lawyer, but it doesn't really address the fundamental point that, in this instance, honesty is not the best policy. There is a general feeling in organisations, it seems, that as long as the policies are written and handed down then all is well (http://ow.ly/fhM2j). Whilst I know that the public sector is keenly aware of the need to avoid, and the consequences of, data breach (I've done my time as Information Governance lead for local council, prison and NHS), they are also keenly aware of budget constraints and PR issues. Saving a few hundred thousand with a 'we're unsure we're doing it right, please help us' is better than 'we're not very good and we know we're not' and handing over money which should be used to solve the problem rather than exacerbate it.
