It was back in April 2010 that the Information Commissioner’s Office (ICO) powers to impose fines for breaches of the Data Protection Act were increased from £5,000 to £500,000. Perhaps understandably there was no early rush to exploit this new power to its full, but it would appear that any honeymoon period is now well and truly over.
This year has seen a major increase in the fines levied by the ICO for breaches of the Data Protection Act. In the past two months alone, it has handed out fines totalling over £870,000. For example, on 19th June it was announced that the Belfast Health and Social Care Trust was being fined £225,000 as a result of trespassers gaining access to the site of a disused hospital, taking photos of a number of patient records and then posting them online. The Trust failed to report the situation to the ICO, and an investigation found that it had failed to keep the information secure and to securely destroy medical documents which were no longer required.
This comes only a few weeks after it was announced that Brighton and Sussex University Hospitals NHS Trust had been fined £325,000 for a major breach of the Data Protection Act, compromising massive numbers of staff and patient records: the highest fine imposed since the new ICO powers were introduced. In this instance the highly sensitive data (including information on HIV patients) was stored on hard drives which had been sold on an internet auction site.
Interestingly, the BBC reported in April this year that a study suggested the UK’s private sector accounted for more than a third of all reported data breaches, but less than 1% of the resulting fines. However, it is dangerous to assume that the ICO is more likely to impose a fine for a data protection breach if the offender is a public rather than a private body. The clear signal from the ICO is that if the breach is serious you will be fined. The reality is that public sector organisations, especially those in the health sector, are likely to hold larger amounts of sensitive personal data, and therefore failing to secure that data properly will be a more serious data protection breach. A lot of private sector breaches will be at the lower end of the scale, for which a fine may not be appropriate.
It is worth pointing out that although the size of the fines being imposed by the ICO is increasing, the breaches themselves remain just as easy to avoid. The cases mentioned above would not have required particularly complicated or sophisticated security systems to prevent. Most breaches are caused by basic, elementary failures, and it is no doubt this fact which has caused the ICO to start to crank up the fines.
So while public sector breaches may continue to get the headlines, private sector companies need to be sure they are taking appropriate measures to protect personal data, or they may soon be joining them in the news.