And what is the remedy for this?
Today’s announcement regarding a data breach at the Identity and Passport Office, and Friday’s announcement about a breach at Anglesey Council, hot on the heels of the two most recent fines, feel like a increase in velocity by the ICO. However, neither of the latest breaches resulted in a fine and neither breach was major. So what next?
The conference season is almost upon us, and it seems likely that we will arrive at IA11 with a litany of breach undertakings and a bunch of fines still fresh in people’s minds. There are three questions that all this activity throws up:
1. Who is next?
2. When and where will this cycle end up?
3. What comes after that?
The answer to the ‘who is next?’ question is currently sat on the desks of someone at the ICO and the perpetrator of the breach. The less sensitive among you may even wish to place bets.
The key questions are 2 and 3. It is reasonable to assume that, although right now the ICO appears to be doing his best to keep is powder dry for the bigger breaches, at some point he will reach his glass ceiling and issue the maximum fine of £500k. At some point, there will be a breach of substantial proportions that it merits a different magnitude of undertaking and fine. This will in turn force the ICO to turn back to its political masters and request a bigger stick. This then hits the realm of a ‘political decision’, since he will be asking for the opportunity to levy a substantial fine on a public body, with all that entails. Do we believe there is an appetite for this? Will a coalition Government, unpopular because of the spending cuts, allow an NHS organisation or a Local Authority to be fined (say) £1million?
I believe that consideration needs to be given right now to how this pans out. In conjunction with the CSR Cyber defence war chest, it is time for detailed scrutiny of what is likely to come over the next few years and how government in its widest sense manages its data. The growing momentum of undertakings and fines will inevitably lead to ‘breach fatigue’ in the public eye, and pressure needs to be maintained lest its importance becomes diluted. Similarly, the momentum building around Cyber defence and spending on it needs to be maintained, to enable the increasing volumes of data held by Government to be adequately protected.