UK BYOD Protection: Information Commissioner’s Office Seeking Custodial Sentences, Clarifies Monetary Penalty Not About Data Breaches.

The Deputy Information Commissioner David Smith, from the UK’s Information Commissioner’s Office (ICO), made an appearance at the 13th Gartner Security and Risk Management Summit in London.  Among other things, he noted that the ICO is still actively seeking custodial sentences — another way of saying jail time — for data breaches, and has noted that the enormous monetary fines are not actually about data breaches.

Long story short: if you’re dealing with personal data, as defined under the Data Protection Act, it’s a wise thought to engage the use of mobile security software like AlertBoot to protect the loss or theft of a device from burgeoning into a malfeasance. 

Custodial Sentences: Even Worse than Fines is a Little Cell

During the summit, Smith admitted that the ICO was “‘pressing for’ custodial sentences for malicious data loss,” according to  The technology-geared site noted that Smith also said,

…it [the ICO] had powers of criminal prosecution, but they were not its ‘primary way of enforcing the law’ as its only power was to fine.

I’ve actually covered this before.  In a previous blog post I noted that, regarding penalties for DPA violations,

The Information Commissioner’s Office has been seeking custodial sentences for people who endanger personal data since 2006, and the recent and past trends seem to further strengthen the ICO’s position.

And in a separate post more focused on the lack of prison sentences for those who breach the UK’s DPA,

In October 2011, British politicos openly supported giving the ICO the ability to hand out prison terms to those who break the DPA.  This Information Commissioner had been very publicly asking for such powers since at least early 2010.

However, a little-known fact is that Parliament has already voted on this issue and approved the matter: the Secretary of State was given the power to introduce custodial sentences in the Criminal Justice and Immigration Act 2008.  This has yet to be implemented, however.

When can the ICO expect to see the implementation of a power that’s been waning, sidelined for whatever reason?  According to Smith, “the government will have to introduce legislation, but I don’t think it will be less than 18 months” (my emphasis).

Smith added the observation that it would be hard to hand out such a sanction:

“You can’t jail an organisation,” said Smith. “And when these are organisational failures, it’s very hard to say that one person in the organisation was so responsible for this failure that they’re criminally liable. [A custodial sentence requires] proof beyond all reasonable doubt, whereas here we’re talking about balance of probabilities.” []

Data Breach Fines are not About Data Breaches

Regarding some of the more aggressive monetary punishments that were handed out by the ICO over the past 18 months, Smith noted that

It is not the breach itself that is attracting monetary penalties, but the lack of security behind it, what training staff have had and the way systems have been setup. []

This might explain why the figures for the ICO’s fines are all over the place: Brighton and Sussex General was fined £375,000 for having 232 hard drives stolen, but other public sector bodies were also fined hundreds of thousands of pounds where the data was breach involved less than a handful of people.

If the focus lies on what an organization is (or is not) doing regarding the security of their data, however, it makes sense: the more egregious the lack of security, the higher the penalties, regardless of how many were affected by the latest incident.

Regarding criticism that the fines may be too much and could affect patient health care, Smith noted that “It’s up to organisations how they find the money – Brighton and Sussex did pay the fine, despite all these protestations, and it’s a tiny fraction of a percentage of their total money, and they have all sorts of ways to pay,” according to, and that one “could [counter] argue that paying the chief executive a bonus every year detracts from patient care, because they could have spent that on patients. It’s for them to balance their business.”

Data protection is not, as Americans say, “small potatoes.”  A company doing business in the UK might feel that data protection is not as important as their core business operations, the “meat” in a main dish.  The ICO appears to be bent on proving that that’s not necessarily the case.

Related Articles and Sites:

Comments (0)

Let us know what you think