ICO hits out at data breach figures

Watchdog claims data loss figures released under the Freedom of Information Act have been misunderstood

The Information Commissioner's Office (ICO) has hit out at encryption vendor ViaSat, claiming the firm misinterpreted data the ICO supplied to it in response to a Freedom of Information (FoI) request.

The data watchdog came under fire last week after it emerged that it has issued only a handful of financial penalties, totalling £310,000, for Data Protection Act (DPA) breaches, despite having acquired the power to impose fines of up to £500,000 a year ago.

The figures were obtained via an FoI request by ViaSat, which said the ICO's inaction was undermining the deterrent value of the fines.

The ICO has since released a statement claiming that one of the statistics supplied to ViaSat, relating to the number of data breaches reported between 6 April 2010 and 22 March 2011, has been misinterpreted. The firm staunchly denies this.

According to ViaSat, 2,565 potential data breaches were reported during that period, while the ICO claims the actual figure is far lower.

A representative from the ICO explained: "While it is true that the ICO has concluded that in 2,565 cases compliance with the DPA was unlikely, the figure for self-reported security breaches - where information has been disclosed or lost - is far lower.

"The 2,565 [figure] covers all types of compliance, including a company sending unwanted postal marketing, incorrect data being held or an organisation not handling a subject access request appropriately."

In total, the ICO said it received 603 self-reported data breaches, 37 of which resulted in action being taken.

The representative continued: "These [self-reported security breaches] vary from minor administrative errors, where enforcement action would not be appropriate, to serious data losses which led to the ICO imposing a monetary penalty."

In a statement to ChannelWeb, Chris McIntosh, chief executive of ViaSat UK, defended his firm's use of the figures, claiming the fault lies in the way the ICO supplied its data.

"The figure of 2,565 was given to us by the ICO in direct response to an FoI request on the number of data breaches reported since 6 April 2010," he said. "Our request was clear in that we wanted information on the number of data breaches.

"Even if you look at the revised figures the ICO has released, it is still clear that monetary penalties have been enforced in less than one per cent of the data losses it has dealt with."

Daniel Hamilton, director of privacy campaign group Big Brother Watch, said the issue is not the number of breaches reported, but the small number the ICO is clamping down on.

"For the ICO to only take enforcement action in such a small number of cases suggests he is little more than a paper tiger," he said. "The ICO has tough and wide-ranging powers and it is time he used them to maximum effect."

This is a view shared by Andy Cordial, managing director of vendor Origin Storage. "We still see a number of high-profile data losses and very little action from the ICO," he said.

"The majority of the 603 cases could have been prevented with a small investment and, until fines become more widespread, confidential data will continue to be compromised," he added.