The Information Commissioner's Office (ICO) published - on 4 July 2012 - its 2011 Annual Report outlining, among other things, the civil monetary penalties (CMPs) it has imposed since it received those powers in 2010. The launch of the Report coincided with the ICO imposing its highest fine to date in the private sector - £150,000 on consumer lender Welcome Financial Services Limited (WFSL) for losing two million records containing employee and customer data.
According to the Report, lenders were the sector that generated the most data protection complaints last year. 'Over the past year, the ICO has bared its teeth and taken effective action to punish organisations, many of which have shown a cavalier attitude to looking after people's personal information', read the Report. 'We hope these penalties send a clear message to both the public and private sectors that they cannot afford to fail when it comes to handling people's data correctly.'
© 2013 Cecile Park Publishing Ltd. All rights reserved
WFSL lost two backup tapes in November 2011 that held the personal data of 20,000 current and former employees and 8,000 agents, including bank account details, dates of birth, CV information and National Insurance numbers. 1.94 million customer records were also lost, consisting of names, addresses, telephone numbers, dates of birth and loan accounts. "As ever, the key issue is the human element", said Hazel Grant, Partner at Bristows. "No doubt the organisational and technical measures were there to ensure security of the backup tapes, but the one missing link was the human element of following the procedure. This is a challenge for all businesses: to ensure that their staff are educated and trained to recognise the importance of protecting personal data."
"This is only the third penalty issued against a private sector entity", said Kate Brimsted, Head of Global Information Governance at Herbert Smith LLP. "The vast majority of fines issued to date have been against the public sector and the ICO has received a fair amount of criticism for this. Undertakings have tended to be more prevalent against the private sector, but we could be seeing signs that the ICO is becoming more willing to fine companies in the private sector."
In an exclusive interview with DataGuidance on 13 July 2012, David Smith, Deputy Commissioner at the ICO, said: "The ICO does not target particular sectors; we assess whether a breach merits a monetary penalty based on our criteria. So long as those criteria are met, we will look at all cases equally. There have been more penalties issued to the public sector and this could be due to various factors. For example, the public sector may be more inclined to report due to internal organisational requirements, private companies might be better at keeping data secure and there is also a difference in the type of data held; public organisations often hold much more sensitive data than private companies. Although our criteria have never changed, we have certainly seen more cases qualifying for civil monetary penalties."
The ICO Report stated that it had issued ten CMPs totalling £1,171,000 in 2011, as well as two enforcement notices and 76 undertakings. Concerning future enforcement, Smith stated: "I think the reason why it seems we are increasing enforcement is there is a time lag between the breach coming to our attention, for us to investigate it, and then to decide on appropriate action. In the rest of 2012, you will see the ICO taking a tougher stance under the e-Privacy Directive; we have some upcoming civil monetary penalties as a result of our investigations."
The statistics in the Report show a 43.2% increase in the number of complaints under the Privacy and Electronic Communications Directive, with almost half of those complaints concerning unsolicited phone calls or text messages in the direct marketing sector, in addition to a 7.7% increase in Freedom of Information complaints. The number of data protection audits carried out by the ICO increased by 60%, which it called 'an encouraging increase in the recognition of the benefits of this work'. Brimsted said: "Data protection is steadily getting more attention within organisations at a senior level, particularly for those with direct consumer relationships whose business models tend to be particularly vulnerable to adverse consequences such as loss of trust and poor PR which routinely accompany data breaches."
Grant told DataGuidance: "Larger fines have been levied where sensitive personal data (especially medical data) has been lost, but [those] fines have been in the health or care sectors. This [WFSL penalty] is the largest fine outside those sectors and therefore will be of interest to commercial organisations. As the level of fines increases then businesses do pay more attention to the need to implement good data handling policies and ensure all members of staff are trained in them."