Some information has emerged on the ICO's penalising policy, with the body apparently only fining self-reported data breach offenders in 2 per cent of cases.
The Information Commissioner had something of a reputation for being rather toothless, when upon first being given the power to fine up to £500,000 for data spills, he took a long time in levying the first financial penalty. High profile cases such as the Google Wi-Fi data slurping "accident" also saw the ICO fail to take action, in terms of levying a fine.
And this latest fact, revealed via a Freedom of Information request lodged by security outfit ViaSat UK, is unlikely to change the ICO's velvet, rather than an iron glove image.
In the year running up to February 2012, there were 730 self-reported breaches. Over half of those are still pending a result, but of the 297 resolved cases, only 6 organisations found themselves hit with a fine. 32 were made to sign undertakings, to hone data protection policies, but the vast majority saw no action taken against them.
Speaking to PC Pro, ViaSat's UK CEO Chris McIntosh said: "If we are going to simply accept that human error or adopting the wrong types of protection - or no protection at all - is acceptable, and fines are not given, then that means people will ignore it and carry on."
The ICO defended itself by stating that the majority of cases brought to its attention didn't actually violate the Data Protection Act, and that in some cases, informal undertakings were made to resolve the situation.
McIntosh further noted: "I really do not know why they find it easier to fine the public sector; it might be because they don't want to scare the private sector into a situation where they do not report breaches."
That's a good point: businesses can be reticent and attempt to cover up data spillages, rather than being open about them, the fear being that a leak shows them in a bad light and it may damage investor confidence.
Source: PC Pro