ICO slammed for data protection enforcement failures

Figures reveal that data watchdog's enforcement activities resulted in fines for just four firms last year

The Information Commissioner's Office (ICO) has come under fire for issuing only a handful of fines against firms found in breach of the Data Protection Act (DPA).

Last April the ICO was granted the power to issue financial penalties of up to £500,000 against organisations that fail to comply with the DPA.

At the time, the channel welcomed the move, claiming the powers could result in a rush of storage and security sales as end users strived to become compliant.

However, according to figures obtained through a Freedom of Information (FOI) request by data encryption vendor ViaSat, the ICO has used these powers just four times over the last 12 months.

The total value of these penalties was £310,000 and none of them exceeded £100,000.

In total, information concerning 2,565 potential data breaches was passed on to the ICO between 6 April 2010 and 22 March 2011, with action taken in 37 cases.

Chris McIntosh, chief executive of ViaSat, blasted the ICO, claiming that its inaction is doing nothing to encourage end users to tighten up their data protection strategies.

"The ICO has stated that the embarrassment and poor image of the fine will act as a deterrent and an incentive to improve an organisation's grasp of the Data Protection Act," said McIntosh. "However, if fines are rare and well below the maximum allowed limit, their value as a deterrent drops."

The vendor has also taken issue with the discrepancy between the number of breaches reported and acted upon within the private and public sectors.

Further findings from ViaSat's FOI request revealed that the number of reported data breaches involving private sector firms is three times higher than in the public sector.

Despite this, the ICO has taken action against seven private sector firms and 30 public sector bodies, with three of the public sector cases resulting in financial penalties.

McIntosh added: "The ICO has stated that the private sector has a worse grasp of the Data Protection Act than the public, [but] its actions so far do not seem to encourage any improvement.

"The ICO has a tough job. It must encourage better adherence to the Data Protection Act but, at the same time, do it with a set of tools that are woefully inadequate for the task at hand."

According to a report on news site publicservice.co.uk, the ICO has defended its actions by stating that financial penalties are not always the most appropriate way to tackle data breaches.

An ICO representative told the site: "The existence of civil monetary penalties has had a markedly beneficial effect on compliance generally. The big stick is there, but doesn't need to be deployed all the time to have an effect."