ICO Slaps Oldham School, But Suffers Fresh Criticism

The Information Commissioner has reprimanded a school and a hospital for data breaches, but is still facing criticism for going too easy on organisations failing to protect their data.

Freehold Community School in Oldham may have exposed 90 pupils’ personal information when an unencrypted laptop was stolen from a teacher’s car, while NHS Birmingham East and North breached the Data Protection Act by failing to restrict access to files on its IT network, the Information Commissioner’s Office (ICO) has said.

The announcements came while the ICO was slated for acting on data breaches so rarely that its fines are “a risk organisations are prepared to take,” according to critics.

Public sector still unfairly targeted?

The ICO has only fined four organisations for data breaches, despite having 2565 incidents reported to it in the year since it gained the right to fine offenders, according to a Freedom of Information request made by security firm ViaSat.

ICO deputy director David Smith attacked the figures when they were released, calling them “inaccurate”, and suggested a revision downward to around 600 reported breaches. ViaSat stood by the figures, pointing out that the data came from the ICO in response to a specific request about data breaches.

“Our request was clear in that we wanted information on the number of data breaches,” said ViaSat chief executive Chris McIntosh. “Even if you look at the revised figures the ICO has released it is still clear that monetary penalties have been enforced in less than one percent of the data losses it has dealt with.”

The new reprimands did not include fines, and do nothing to counter McIntosh’s other criticism, that the ICO hits the public sector unfairly. “The public sector… dutifully reports its failures under the data protection act and receives more, and larger, penalties as a result,” said McIntosh in a statement.

Promise to do better

Joyce Willetts, the head of Freehold Community School, has promised that laptops will not be stored in cars in future, all data taken off site will be encrypted, and staff will be trained.

Meanwhile in Birmingham, Denise McLellan, chief executive of the NHS Birmingham East and North trust, has promised to increase security, after the personal records of thousands of members of staff were potentially exposed to staff at three NHS trusts.

“Our focus as a regulator is on getting bodies to comply with the Data Protection Act,” said an ICO statement. “This isn’t always best achieved by issuing organisations or businesses with monetary penalties. The big stick is there, but doesn’t need to be deployed all the time to have an effect.”

The ICO’s guidance on the use of its powers to issue a monetary penalty is here (PDF).

This statement did little to placate McIntosh, who reiterated his criticism of ICO inaction: “The ICO is fond of saying that ‘you have to be selective to be effective’ but by being too selective all that happens is that organisations, especially in the private sector, can begin to view the threat of a penalty or an undertaking as something that is so unlikely as to be beneath notice,” he said. “For example, organisations could easily look at the £60,000 penalty meted out to A4e, its size compared to the company’s £145m turnover, its rarity and the fact that A4e is still receiving plenty of business, from the Government no less, and feel that the risk of ICO action is one they are prepared to take.”

McIntosh and the ICO agree on one thing, however. At Infosec, Smith is reported as asking for more powers to deal with those who breach the Data Protection Act.

McIntosh agrees: “The ICO is right to push for more powers, and we fervently hope it can get them,” he said. “However, it would be nice to see those it has exercised a little more.”

The ICO has indeed been given more powers in another area related to data breaches. It can fine companies up to £500,000 for sending unwanted spam.

Peter Judge

Peter Judge has been involved with tech B2B publishing in the UK for many years, working at Ziff-Davis, ZDNet, IDG and Reed. His main interests are networking security, mobility and cloud.
