Information commissioner Christopher Graham has said he is not afraid to punish private sector organisations, rebuffing claims that the ICO is not heavy handed enough on corporations.
A Freedom of Information (FoI) request from security company ViaSat discovered that despite being responsible for 263 out of 730 self-reported data breaches between 22 March 2011 and 17 February 2012, the private sector has only received one financial penalty.
Yet Graham, pointing directly to the FoI in his keynote at InfoSecurity 2012 today, said he was aware of the problem in the private sector. “Every year, there’s a press release that goes around saying ‘the information commissioner doesn’t know what he is doing, he hasn’t noticed what is going on in the private sector’. Well, guess what? I have noticed.”
Talking to TechWeekEurope before the keynote, Graham said it was the second year running such a “stunt” had been pulled by ViaSat. An FoI from the company at InfoSec last year appeared to show the ICO had fined less than one percent of companies who had confessed to data breaches.
Graham said there was no bias when it came to public and private sector breaches of the Data Protection Act.
“The civil monetary regime is very specific and we look at every breach that comes our way. But we have to assess whether it’s a substantial and serious breach that’s causing distress and so on. It is all about whether the data controller knew or ought to have known what the effect was going to be,” Graham said.
He claimed companies in the private sector would get in much more trouble if their customers caught them out. In those cases, fines would be higher than if firms had been more honest.
Yesterday, minister for science David Willetts urged businesses to be more forthcoming with information if they are hit by a breach.
“There are more civil monetary penalties coming,” Graham added. “The key driver for the private sector is that you maintain consumer confidence and we’ve got to the tipping point where consumers are increasingly aware and are very, very concerned about protecting their privacy.
“If companies don’t respect that, they are going to lose business to companies that do.”
As for whether the EU Data Protection Framework would make an impact on the way the ICO handles penalties, the commissioner said there was “a long way to go” on the proposed laws.
“There are a lot of negotiations to take place. I hope very much that we’ll get to something that is more doable, that’s less over-engineered and over-prescribed to enable regulators to do their job,” Graham added.
Fascinated by IT security? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…