Locations
The number of organisations who have been fined by the Information Commissioner's Office (ICO) for data security breaches has dramatically increased in 2012 according to research from European Law firm Fieldfisher.
Research showed that 2012 was the most prolific year yet for serious ICO enforcement action, with 25 fines, three enforcement notices, six criminal prosecutions and 31 undertakings (through which organisations undertake to improve their data protection practices). In comparison to 2011 with only seven fines, one enforcement notice, five criminal prosecutions and 69 undertakings. These findings demonstrate that the ICO is increasingly turning to fines to regulate data security failures and other serious breaches of data protection law.
The latest research from Fieldfisher analysed ICO's enforcement actions in 2012 and found that:
- Data security breaches remain the most regulated type of failure, accounting for 88% of all fines
- 80% of ICO imposed fines were issued to the public sector
- 60% of ICO imposed fines within the public sector were issued to a local authority
- Data controllers who voluntarily self report an incident to ICO are not given immunity from enforcement, 84% of fines were self reported
Technology partner at Fieldfisher Stewart Room said:
"This analysis provides valuable insights into ICO’s enforcement strategy and how it translates into action. The ICO does not hesitate to take serious enforcement action for failures to comply with data protection law, and is becoming a real force to be reckoned with and a driver for change.
"Looking at the year ahead, we can expect ICO’s enforcement activity to continue at this pace or even intensify, focusing in the areas that ICO has prioritised as posing a higher data protection risk, namely health, internet and mobile, financial services, security and criminal justice.
"Although the public sector will remain firmly on ICO’s radar, we can expect the regulator to turn more of its attention to the private sector. This is likely to mean more serious enforcement action but we also expect a greater appetite to challenge enforcement actions."
Further findings from the research include:
- There was no enforcement action for use of cookies or international data transfers
- In the private sector, enforcement is more fragmented, with suppliers of health services just in the lead, followed by financial institutions, telecoms, and providers of property and real estate services.
In light of this analysis, Fieldfisher encourages data controllers to take the following practical steps:
- Familiarise themselves with ICO's enforcement strategy and monitor ICO enforcement cases.
- Risk assess their data security system and policy framework, and take action if there are concerns.
- Look closely at their mechanisms for engaging and contracting with third parties who process data on their behalf.
- Provide adequate and up-to-date data protection training to staff.
- Take practical steps to mitigate the risk of misdirected communications, including faxes, emails and letters.
- Implement a data security incident response plan.
For further information, please contact:
Ibrahim Kamara, PR Manager, Field Fisher Waterhouse LLP on 020 7861 4120