ICO targets lost laptop breaches under tougher fine regime

The deputy commissioner of the Information Commissioner's Office said that it is no longer a "toothless tiger" and has the resources and resolve to apply enhanced powers to data protection miscreants. David Smith said increased fines of £500K, introduced in April, for the worst cases of privacy breaches would "concentrate minds …

COMMENTS

This topic is closed for new posts.
  1. frank ly
    Stop

    Legal Beagles

    "Smith wants to see mandatory notification in cases where personal data might have been exposed but not in situations where an encrypted laptop was lost, for example. He also wants to see private investigators who used trickery to obtain confidential records jailed. "

    "MIGHT have been exposed" who will decide if it 'might have'?

    "ENCRYPTED laptop" what is the definition of 'encrypted'? (I use ROT-13 so it's ok to lose the laptop and not report it)

    "used TRICKERY to obtain.." what is 'trickery'? how is it legally defined?

    If you thought the situation was bad right now, wait until these ideas get written up as law.

    1. Anonymous Coward
      Headmaster

      Mr Pedant here

      ROT-13 is not encryption, it's encoding - there is a difference (albeit subtle). I thank you. :-)

      But I agree totally with your sentiment

      1. The Other Steve
        FAIL

        Crypto fail

        ROT-13 is a cipher, it's an instance of the class of ciphers commonly known as a 'Caesar' or 'Caesar shift' cipher.

        Encryption is the process of applying a cipher.

        If you're going to chime in and claim to be a pedant, at least get your fucking facts right.

        1. frank ly
          Happy

          Peace Little Fishes!

          Let's not fight among ourselves when there are bigger and nastier fish out there trying to bite us :)
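The ROT-13 dispute above, as an added example that is not part of the thread: ROT-13 is the Caesar shift with the fixed key 13, so it is its own inverse, and like any single-shift cipher it yields to trying all 26 shifts with no key at all, which is why "encrypted laptop" needs a real definition. The letter-frequency scoring and the sample sentence are constructed here for illustration.

```python
import string

ALPHABET = string.ascii_lowercase


def caesar(text: str, shift: int) -> str:
    """Caesar shift: rotate every letter by `shift` places, leave other characters as they are."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT-13 is the Caesar cipher with the fixed, public shift 13.

    Because 13 + 13 = 26, applying it twice restores the plaintext: there is no
    secret key, so it hides nothing from anyone who recognises the scheme.
    """
    return caesar(text, 13)


# Constructed heuristic: count letters that are common in English text.
COMMON = "etaoinshr"


def english_score(text: str) -> int:
    return sum(1 for ch in text.lower() if ch in COMMON)


def break_caesar(ciphertext: str) -> tuple[int, str]:
    """Recover the plaintext of any Caesar shift without the key.

    The key space is 26, so exhaustively undo every shift and keep the result
    that looks most like English. Returns (shift, plaintext).
    """
    best = max(range(26), key=lambda s: english_score(caesar(ciphertext, -s)))
    return best, caesar(ciphertext, -best)


if __name__ == "__main__":
    # Constructed sample "laptop" contents.
    note = "the notes are in the tent"
    print(rot13(note))                   # ROT-13 output
    print(rot13(rot13(note)) == note)    # self-inverse: True
    print(break_caesar(caesar(note, 7))) # (7, 'the notes are in the tent')
```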

  2. Mike 137
    WTF?

    Enforcement?

    Quote: "the watchdog would far rather work with organisations towards this than resort to enforcement"

    Surely, working with organisations to get things right _is_ enforcement?

    Enforcement is taking steps to make something happen - in this case, to prevent data breaches. The alternative (fines) discussed here is not enforcement - it's punishment. They are not the same thing. However, the distinction seems to be lost on almost everyone these days. Real enforcement reduces the need for punishment, but punishment does not serve effectively as enforcement - we have centuries of evidence for this. Extreme punishments have never deterred people in general from offending. And it's a matter of externalities in this case. A person who loses a laptop may get their employer fined, and that might lead to their own dismissal, but the next person in line will not be permanently scared by that into being more careful.

    1. The Other Steve
      FAIL

      Really?

      "A person who loses a laptop may get their employer fined, and that might lead to their own dismissal, but the next person in line will not be permanently scared by that into being more careful."

      Seriously? You don't think that being told on day one that your predecessor was sacked for being careless with data would make you even a little bit more careful?

  3. The Other Steve

    Beat me with a marshmallow and call me Sally

    "He stressed that the watchdog would far rather work with organisations towards this than resort to enforcement."

    So in fact what will happen is that - in the unlikely event of ICO stirring from its sleepy Cheshire lair and actually going out to see someone who has breached the DPA - the offender will still be able to look forward to nothing more than a quick chat and a "bad show, chaps".

    What would actually concentrate minds would be a preference toward enforcement, and a preference toward the top end of the fine scale.

    For a long time we did all decry ICO as toothless, and they knew it was so and asked for more powers. Recently it seems that every time they get a new one they make a public statement to the effect that they'd, y'know, rather not use it actually.

    Disband ICO, hand DPA enforcement responsibility over to the rozzers (where it properly belongs anyway), where the perverse incentive of 'detection' targets would ensure that an open and shut case like a laptop left in a car-park with a couple of cheeldren's addys on it would be prosecuted with the sort of enthusiasm one might expect of a murder case. Problem solved.
