Has the ICO finally found its teeth with £150,000 fine?
By Nicole Kobie
Posted on 5 Jul 2012 at 14:17
A loans firm has been fined £150,000 by the Information Commissioner's Office - one of very few private companies to be targeted by the data watchdog, despite a significant increase in the number of penalties doled out.
The £150,000 fine against Welcome Financial Services for losing a pair of backup disks is only the third instance of a private organisation being fined since the ICO was given the power in 2010.
The previous two fines against non-public bodies were a £1,000 penalty against an individual - Andrew Crossley of ACS Law - and £60,000 in 2010 against government-funded employment body A4E.
The fine comes as the ICO has significantly increased the number of financial penalties it hands out. The ICO has already issued almost twice as many fines so far in 2012 as in all of 2011.
In the first six months of 2012, the data watchdog has issued 12 fines. In all of 2011, it issued seven. The ICO said that may partly be because it wouldn't have been able to take action on any breaches that happened before April 2010. "This would have discounted some of the breaches reported to our office in 2011," a spokesman said.
The size of the fines has also increased. In 2011, the total value of fines was £541,000, an average of £90,000, not including Crossley's £1,000 fine, which was an anomaly. In the first half of 2012, the ICO has already hit £1,490,000 - an average of £124,166 per fine.
The leap in the number and size of the fines comes despite the number of breaches of the Data Protection Act staying flat from one annual report to the next - although the ICO's reporting year runs to the end of March, not by calendar year. "Each case is looked at on a case-by-case basis and we will consider issuing a monetary penalty where the criteria are met," the ICO said.
Cases that have attracted fines have ranged from sensitive documents faxed to the wrong number to the half a million loan customer details leaked by Welcome Financial Services.
"Over the past year, the ICO has bared its teeth and has taken effective action to punish organisations, many of which have shown a cavalier attitude to looking after people's personal information," said Information Commissioner Christopher Graham. "It's a case of wake up and smell the CMP [civil monetary penalty]," he added.
Welcome Financial Services was given the ground-breaking fine after its Shopacheck loan business lost a pair of backup tapes holding names, addresses and phone numbers of customers in November. The tapes have yet to be found.
While the Shopacheck website continues to operate, Welcome Financial Services stopped offering loans in 2009. It defaulted in 2011, declaring it couldn't offer PPI refunds, which are now being paid by the Financial Services Compensation Scheme.
Despite the financial difficulties, the ICO said it wouldn't have any trouble collecting the fine. “We are aware of Welcome Financial Services Limited’s current financial situation and are satisfied that the company has the ability to pay the penalty amount, without impacting on their outstanding financial commitments,” an ICO spokesman said.
The ICO infamously cut Crossley's fine from £200,000 to £1,000 after the solicitor declared he was unable to pay the larger amount, and takes into consideration an organisation's ability to pay when coming up with the penalty amount.
While the number of complaints about data protection issues was the same year on year, the watchdog reported a 43% jump in the number of complaints about unsolicited marketing calls and text messages, with more than 12,000 received over the past 12 months.
The ICO was handed the ability to issue £500,000 fines last year to battle marketing calls and SMS spam, but has yet to dole out a penalty.
The watchdog has set up a dedicated team to target the issue, and is "working to identify the operators responsible," it said. "The ICO has executed search warrants at a number of sites across the UK linked to companies we believe are breaking the law."
Although certain powers may have only recently come in, personally I think ICO are lazy and incompetent.
99.9% of the fines have been for public bodies who, when they discover a data protection breach, basically prosecute themselves. And meekly accept the fines. As they follow the spirit as well as the letter of the Law.
Whereas ICO know they'd actually have to do some work to get private firms. Hence only 3 private organisations/individuals being fined. And only after other bodies had done all the legwork for them.
Also remember their complete failure to scrutinise the data obtained by Google StreetView. I seem to remember it was US and German regulators that picked up they were collecting data they had no real need for. And had not disclosed they collected.
ICO just accepted Google's word they were playing nice. And when Google were caught out by other people, blandly accepted Google's assurances the collection was accidental, and that they'd deleted the data.
By Penfolduk01 on 6 Jul 2012
One of the principles of the Data Protection Act 1998 is "Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes." Note the "longer than necessary" part.
I have complained to the ICO about recruitment agencies holding my CV for over five years and still sending me job offers. Action taken - none. Reason? I have to make a complaint about specific instances when there is clearly a generic problem of recruitment agencies refusing to abide by the principle of data retention.
Useless and a waste of our (taxpayer) money.
By jontym123 on 6 Jul 2012
Where is the Justice?
A loans firm has been given a fine.
Do we think that they may not simply increase their clients' repayments in order to offset the loss?
The ICO has no credibility because the end result of intended justice is unbalanced.
By lenmontieth on 6 Jul 2012
To be fair, the ICO's response seems quite reasonable. I should imagine that their procedures involve investigating specific complaints. If a pattern emerges that suggests a wider problem, I'm sure they could target a sector to ensure better compliance.
You're being unreasonable expecting them to attempt some compliance action across a whole sector off the back of one complaint. Provide them with specific examples, you'll get it sorted. Not rocket science.
By GillsMan7 on 6 Jul 2012
Have to disagree about my being unreasonable.
On many occasions I have sent to the ICO copious examples of generic failure to apply the data retention principle. The ICO are just not interested.
I have been retired from IT for five years so any CV of mine that is "out there" has to be at least that old yet I still receive contacts from dozens of recruitment agencies.
Quite simple, the ICO doesn't appear to be interested in generic failure, just specific cases in point.
By jontym123 on 8 Jul 2012