Information Commissioner Christopher Graham bares his teeth

The ICO has two primary functions: to enforce the Data Protection Act and to enforce the Freedom of Information Act; and, said Graham, “we are right in the middle of some pretty hot debates... Luckily, as I think we can demonstrate,” he added, “the ICO is well up to the task.”

He was certainly upbeat. Commenting on his ability and practice to apply fines (technically known as ‘civil monetary penalties’), he said, “It’s a case of ‘wake up and smell the CMP!’” This “regulator is getting results.” In his foreword to the Annual Report itself, he concludes, “The next 42 pages tell the story of an organisation that, I believe, is performing effectively – ready to do more and better in the year ahead.” So far the ICO has levied fines totaling £2,000,000.

But not everybody agrees with this viewpoint. Critics point to unabated data loss, particularly by local councils and the NHS, despite the number of CMPs levied. The latest fine, of £150,000 on Welcome Financial Services Limited (WFSL), also announced yesterday, is one of just three CMPs, from a total of more than 20, that have not been levied against a public body. (WFSL’s Shopacheck business lost two backup tapes containing the names, addresses and telephone numbers of its customers in November last year. The tapes have never been recovered.)

Mark Dunleavy, the managing director of Informatica, sees the problem lying in business culture, and the solution in a change to that culture. “The ICO is just scratching the surface with data breaches at the moment because traditionally there hasn’t been a culture of securing [customer] data.” Dunleavy doesn’t see a quick fix, nor does he believe the fear of a CMP should be seen as the greatest threat. “This process takes time and those who have not started down this road are putting their client relationships at serious risk. £2 million isn’t reflective of the much bigger issue that’s at play here.”

Informatica has just published a YouGov survey on user trust in the use of their personal data. Doctors and banks are most trusted, with estate agents and Facebook the least trusted. But in general, only 35 per cent of UK adults trust businesses to use their personal data as directed by them.

“It’s not just about avoiding a fine,” says Dunleavy, “but maintaining and developing trust with your customer base. We’re in a society that is very wary of the organizations that it hands its data over to. In order to rectify this, organizations need to take responsibility, not only for protecting their own data, but their customers' too.”
