Deputy ICO says big rise in reported breaches is no cause for alarm

Fining NHS trusts still 'good idea' says David Smith

Deputy Information Commissioner David Smith has told Computing that, while he does not dispute the accuracy of figures to suggest a 1,000 per cent rise in UK public and private sector data breaches in the past five years, he is unsure they "reflect the position" of serious data leaks.

Commenting on figures unearthed through an FOI request that 207 serious NHS breaches were reported to the Information Commissioner's Office (ICO) in 2011, Smith said: "It's not that those figures aren't reliable, but I'm not sure they really reflect the position. I don't think you can necessarily say that the fact we've got more reports means there are more breaches. It's just that awareness of the need to report it [has increased]."

Smith, who was speaking at Gartner's 13th Security and Risk Management Summit in London yesterday, said that the power granted to the ICO in 2010 to impose fines on organisations that allowed data to be leaked provided "more of an incentive to report now than there was".

Computing challenged Smith on the question of fines back in January 2012, when Brighton and Sussex General Hospital was hit with a £375,000 fine for allowing hard drives containing highly confidential patient sexual health data to end up on eBay. We pointed out to him that the hospital felt that paying the fine would reduce its ability to provide adequate patient health care. Smith, however, remains adamant that fines have a role to play in ensuring organisations take their data security obligations seriously.

"[Fines] are a good idea," said Smith. "If you look back at where this all came from, it came from government data breaches – public sector data breaches were the reason we were given these powers. The idea we shouldn't impose these fines on public sector bodies is just going against the whole intention of the legislation."

Smith added: "It's up to organisations how they find the money – Brighton and Sussex did pay the fine, despite all these protestations, and it's a tiny fraction of a percentage of their total money, and they have all sorts of ways to pay.

"You could argue that paying the chief executive a bonus every year detracts from patient care, because they could have spent that on patients. It's for them to balance their business. And it does send a message about accountability; someone there is responsible for this – not just for the loss of data, but also the loss of money to this organisation. There's no other effective mechanism."

In his speech to the summit, Smith revealed that the ICO "has been pushing for custodial sentences for some time now, but the government is resisting"; however, he conceded that incarceration would be difficult to implement in many data breach cases.

"You can't jail an organisation," said Smith. "And when these are organisational failures, it's very hard to say that one person in the organisation was so responsible for this failure that they're criminally liable. [A custodial sentence requires] proof beyond all reasonable doubt, whereas here we're talking about balance of probabilities."

On the issue of the EU's cookie regulation, and the ICO's apparent reluctance to punish noncompliance by imposing fines, Smith said the watchdog was "monitoring it very closely" and inviting people to "register their concerns about cookies". He said the ICO had written to 75 infringing organisations, but was unlikely to issue financial penalties.

"It's unlikely we will fine anybody," said Smith, "because the fines have to be for breaches which are likely to cause serious damage or serious distress to individuals, and it's hard to see how not getting consent for cookies meets those criteria."

If the ICO does anything at all, said Smith, "it's more likely to be enforcement notice power, which is a power that requires you to remove certain cookies from your website or make sure you get consent to them. We're not there yet, but it's our intention to use those powers against those who have ignored that responsibility and are using cookies in a way that does have a significant effect on individuals. So [examples such as] third party cookies and behavioural advertising, where [organisations] have done nothing to meet the requirements."