The Information Commissioner’s Office has defended statistics released under FOI showing that private companies were fined on fewer occasions than public sector organisations over an eleven-month period. Within that time, one fine of £1000 was issued to a private firm, whereas eight local councils were fined a total of £790,000 over data protection breaches. In response, the ICO said fines would be imposed only where a data breach caused substantial damage or distress, or where it had the potential to do so, and where the organisation was or should have been aware of a risk of a breach and failed to take reasonable steps to prevent it. The guidance issued by the ICO on potential fines also states that any penalty must be ‘appropriate’ and at a ‘reasonable and proportionate’ level, taking into account the relevant facts of the case and the ‘objective in imposing the penalty’. According to the statistics released, final penalties imposed were lower than originally sought in five cases, and the most common data breach was disclosure of personal information in error. The Out-Law article provides institutions with a helpful reminder of what is required to meet data protection obligations and thus prevent monetary penalties being imposed. For more information on data protection law, please visit the JISC Legal website.