As you will be aware, the ICO fined some councils today. Ealing and Hounslow got nailed for losing data on unencrypted laptops, in breach of the Data Protection rules, their own internal rules and just about every shred of common sense and recommended best practice available.
I’ve tried to be reasonable about this, but I can’t. It’s not good enough for several reasons:
1. The fines are a bit limp. £80k and £70k respectively is hardly punitive, is it? If it costs more than £80k to roll out encryption across a council (and in my experience, it easily can), it’s hardly an incentive for change.
I know that the previous fine handed out to a Local Authority was £100k for a data breach, and the maximum possible fine is £500k, so the ICO is attempting to be proportionate and give himself wiggle-room for the future. So it’s tough to blame the ICO, but it’s not tough to blame those that gave him these powers. Ealing probably spends more on toilet roll than they will on this fine.
2. Given that both Authorities will have had early notice of the fine, I have yet to see any sign of disciplinary action or internal remedy. Where are the procedural changes? Who owns the failure?
3. What exactly is the fine meant to achieve? Is it just shuffling £70k back to the Ministry of Justice? That’s a paper chase. How about spending the fine on a proper remedy: user education, remedial action for those whose privacy has been breached, legal training for people who aren’t lawyers within the Authority as to what the legislation says and is for?
I applaud the fine for its sentiments – it is NOT APPROPRIATE to treat client information in such a slapdash manner. But nor is it appropriate for the fine to be so pathetically small. Three Councils fined in as many months for a sum total less than it costs to put a proportionately secure working environment in place is not a deterrent, it’s a mild rebuke. And if fines are not a deterrent, what’s the point of them in the first place?