Data watchdog the Information Commissioner’s Office is to begin aggregating complaints about private sector organisations in an effort to bring more fines against companies for breaches of UK data law.
The ICO has imposed 14 civil monetary penalties against organisations since November 2010, with 12 being against public sector organisations, and one against a public sector service provider. Much of the public sector, such as the NHS, has a requirement to notify the Information Commissioner’s Office (ICO) about data breaches, whereas the private sector does not.
To try to redress the balance of fines, the ICO will start to aggregate complaints from people about potential breaches of the Data Protection Act, Information Commissioner Christopher Graham told ZDNet UK on Wednesday.
“The next phase for us is to make more sophisticated use of all the information we get in from consumer complaints, to analyse [it],” said Graham. “Not just to decide whether a breach is likely or unlikely under the Data Protection Act, but to aggregate some of the information we’re getting to spot who are the serial offenders, which would build a case for action on more occasions in the private sector.”
Around half of businesses regularly breach the Data Protection Act, according to a report published by auditing company PwC on Tuesday. Graham said that companies would be ‘stupid’ to ignore the risks to reputation.
“For the companies of course, it’s a much bigger deal than it is for a local authority or a health service organisation, because they lose consumer confidence — there’s a real hit to the bottom line,” said Graham. “If people are being blasé about [data breaches] then that’s very stupid. Their reputation is a key asset.”
Within four years, UK companies may be compelled to notify the ICO of breaches, due to tough European Commission proposals to update the Data Protection Directive.
Should the draft update be passed as it currently stands, the ICO could become swamped by notifications, said Graham.
“If [the law] remains as is in the draft directive, we would simply become paper pushers,” said Graham. “And because that is clearly not a good use of our time, I don’t think it will happen.”
It is likely that companies will have some discretion about reporting breaches consistent with the severity of the breach, said Graham.