UK public sector accounts for bulk of data breach fines

  • Published
Eye and data graphic
Image caption,

Viasat believes there may be further breaches unreported by private sector organisations

The UK's private sector accounted for more than a third of all reported data breaches over 11 months, but less than 1% of the resulting fines, according to a Freedom of Information request.

The data was issued by the Information Commissioner's Office after a request by satellite system-maker Viasat.

It shows five fines totalling £790,000 were imposed on the public sector and one £1,000 penalty on a private firm.

The ICO said that it could only impose fines if strict criteria had been met.

Expensive accidents

The release covered self-reported personal data security breaches between 22 March 2011 and 17 February 2012.

Over this period the ICO said 730 events had been flagged up as being potentially liable to a penalty or other action.

The private sector reported 263 cases, while 467 were reported by government and other public sector bodies.

These included:

  • 281 incidents when information had been mistakenly sent via email, documents had been sent to the wrong address, or other similar accidents

  • 170 incidents caused by the theft of data or hardware

  • 108 events involving the loss of data or hardware, of which the NHS was responsible for just over a third of cases.

  • 17 instances in which materials had not been disposed of properly

Of the 433 breaches resolved over the period, six resulted in local councils being fined. The biggest penalty was a <link> <caption>£140,000 charge imposed on Midlothian Council</caption> <url href="http://www.ico.gov.uk/news/latest_news/2012/midlothian-council-handed-penalty-five-serious-data-breaches-30012012.aspx" platform="highweb"/> </link> after it repeatedly disclosed personal data about children and their carers to the wrong recipients.

The private sector company singled out was ACS: Law. Its data controller was fined £1,000 after a hack attack and subsequent security breach resulted in sensitive details about 6,000 people being published on a third-party website.

Some of the emails stolen included references to people's sex lives, health and financial status.

The ICO said at the time that it would have imposed a larger £200,000 fine had the firm not ceased trading and its owner not been of limited means.

Unknown breaches

The chief executive of Viasat's UK division praised the ICO's efforts to police the public sector, but claimed the private sector "still has a relatively free rein".

"While the ICO offers free training and auditing to organisations to help address these issues, so far the private sector in particular has been slow to take them up meaning that further incidents may be waiting to be discovered," said Chris McIntosh.

Public sector organisations might be more susceptible to the ICO's toughest penalties because they handle sensitive data on a day-to-day basis.

But commisioner's office told the BBC it would impose financial penalties whenever its criteria were met "regardless of the sector the organisation falls into".

"The course we choose will always depend on the circumstances of the individual case," an ICO spokesman added.

Since the period detailed in the release, data breaches have continued to occur.

Recent examples include the accidental publication of the home and email addresses of 38,000 people who applied to run the London Marathon; loans company Student Finance England sending an email to 8,000 customers which included other recipients' email addresses; and Scotland Yard sharing email addresses of more than 1,000 victims of crime with other victims.

Related internet links

The BBC is not responsible for the content of external sites.