The information commissioner will announce the first organisations to be fined for failing to protect data later this month. Christopher Graham said that the fines of up to £500,000 "give the ICO the teeth that many people in the past said it lacked". The ICO gained the ability to issue such penalties on 6 April, along with …
Let's start with ACS Law
Go-on maximum fine - they deserve it
ACS:Law is small fry
Graham is saving the maximum fine for big breaches, he said so. It's all about posturing. ACS:Law only made a little mistake affecting a few thousand people. The ICO's big day will be when it claws 500K off an NHS budget somewhere, forcing ward closures and making Christopher Graham the Civil Servant of the Year.
Talk a good game, don't they?
I suspect the collective response will be to keep ignoring the ICO, since that's what everyone's got used to by now.
At most, there might be a terse "Yeah, see you in court - you've got the budget for that, right? No? Oh dear, what a terrible shame."
At this point, public pike-polishing is about the last thing the ICO should be doing. Until there are heads on those pikes, the ICO will continue to be a joke with no punchline.
Fining who?
When will the regulatory bodies realise that NO public bodies, whether they are government, local authorities, councils, NGOs etc, have any money of their own?
It used to belong to the long suffering "general public" you and me, before it was taken as taxes and tribute.
Fining public bodies is indirectly fining the general public, 'cause next year the offenders are going to put up their taxes, fees or whatever to recover the fines.
The only way to hurt these offenders is to SACK them without compensation!
Bring on the tea party!
Would there be any point in the ICO fining public sector organisations? It's not like the money will be coming from their profits like it would a private company, instead it will come from our pockets the next year in the form of increased tax. Maybe instead they should be given the power to fire the useless numpties responsible and change the procedures, like disallowing sensitive information to be taken outside the secured offices via laptop/memory stick.
Justice: by the powerful, for the powerful
Police: You knowingly and illegally intercepted data with Phorm
BT: Oh, but we had no criminal intent
Police: Well that's all right then, sorry to have bothered you, carry on
ICO: You illegally gathered personal data from UK citizens
Google: Oh, but we will delete the data and won't do it again
ICO: Well that's all right then, sorry to have bothered you, carry on
Council: Your car was photographed in a bus line, that will be £30
Ordinary citizen: But I only crossed the lane to park
Council: That'll be £30 please, and more if you don't hurry
I wonder if they are in the first batch?
*cough* Andrew Crossley *cough*
how about the names?
I'd like to short their stock.
I'll Believe It
When I see it. Are you going to bite, little doggie?
Fining public bodies just takes money from the tax payer. I suggest the ICO should instead take the 500k from the bonuses of the top 100 earners in the organisation - that would help them to focus on data security.
Alternatively, make it punishable by jail, and apply it to public and private organisations evenly.
I'm sorry let me take you to a free lunch in 'The Ivy' then I can give you all the reassurances you need to prove that this will never happen again.
Sorry I've been a very naughty boy.
What is cheaper? A £500,000 fine or enforcing proper data protection?
Answers on a postcard?
Heaven help the ICO's first victims
To prove his office isn't a wuss <http://www.urbandictionary.com/define.php?term=wuss>, this guy is really going to hit a few targets hard.
Then he will shut all his critics up and he can go back to sleep
he would apply "the max" penalty, describing it as "the horror benchmark"
He would fine the incompetent vermin £500,000 for compromising the identities of 25,000,000 people? A fine of £0.02 per person impacted?
Oooooh, quaking in my boots over data protection, the ICO has a new name "growling hamster".
Who pays the fines?
What's the point in fining public bodies such as Customs and Revenue or NHS? All you're doing is shovelling money from one government department to another. If you want to penalise public bodies then the only solution is start firing people.
Not an incentive for public offices to get it right
So, if HMRC screws up again, they get fined and pay the fine out of the tax-payers' coffer. The money goes into the tax-payers' coffer. Next year, HMRC ask for more money from the tax payer to fill the hole caused by the fine. They get more money, screw up again, get fined, cough up, ad nauseam...
Where's the punishment?
No, not fines...
... Jail the responsible directors/chief executives (and use proceeds of crime legislation to recover the cost of incarceration from them personally) because I don't want to pay (usually as a reluctant customer) for the illegal activities of the public or commercial body...
What about crossley?
So if they drop the fine on a smaller organisation
What about crossley @ acs law???
"if HM Revenue and Customs committed a data breach similar to its loss of 25 million people's details in 2007, he would apply 'the max' penalty, describing it as 'the horror benchmark'."
£500,000 for losing data on 25 million people is 2p each. The fines should start at £1 per individual with bigger fines for exceptional negligence.
fine google the maximum...
...and then what?
Essentially they've paid 1/2 million sheets to get away with nationwide data rape.
Yeah, that'll stop them dead in their tracks.
Obviously, they won't be allowed to keep the data, but will they be allowed to keep their analysis of the data? Seems more than likely, right?
Firing them is one thing, how about also barring them from holding any position where they have responsibility for / access to private data.. and before anyone starts whining about unfair restrictions on employment.. if you lose your driving licence.. you lose the ability to hold a driving job.. this is no different.
I'm sure the friendly people at the job centre will be able to harass them into some lowly paid menial task...or is that a fate reserved for the lesser proles in our society? Perhaps while they are doing a less demanding job they will have time to reflect on their attitude to other people's security and privacy.
Bark or whimper?
While the loss of £500,000 might bother a small firm, it won't even scratch the paint on the large organisations who do the worst damage, they'll just view it as another unfortunate cost of doing business, like paying the minimum wage.
Why have a limit at all? Far better to have a formula that relates to turnover/profits and delivers a predetermined amount of punch at every level from the smallest to the largest, the level set according to the severity of the offence - perhaps no accident that they don't. And why stop at fines? Until the worst offences result in negligent individuals doing a stint in chokey, it's still "someone else's money" - ours in the case of public bodies. Those involved with serious losses should also be subject to much, much closer, more regular and more invasive scrutiny of their data handling processes - ultimately banned from handling personal data at all if they adhere to standards.
Illegal commercial exploitation of personal data, such as Phorm/BT and Google, is another game again, and really requires very severe punitive measures to act as any form of worthwhile deterrent; getting caught needs to hurt rather than irritate.
None of this will happen, and I really can't see why the ICO even bothers trying to persuade us they are serious about data protection when virtually every statement from them proves otherwise.
Do no stupid
Fuck fines, a criminal record for the data controller would focus the mind wonderfully. No more civil service arse covering. If you're the controller and the breach happened on your watch, your ass is going to be in front of a judge. And fuck letting people off, breach should be a strict liability offence, no more of this cosy old uncle ICO having a quiet chat bullshit.
And if one of those fines isn't for ACS Law, then ICO might as well put its offices up for sale. I mean FFS, who else could have the option to fine Google 500,000 quid for criminal acts and not take it? Surely "we're tough on data protection and will bring the full weight of the law down onto offenders, whoever they are" would have been a better message to send out than "We'll probably still let you off in any case"
Penalties are only one part of the problem.
Lack of independence is another (according to EU Fundamental Rights Agency).
Lack of competence is another (according to the ICO themselves).
Until the ICO are comprehensively reformed, and particularly the existing ICO management ejected onto the street, it's hard to have any confidence in these corrupt handwringing muppets.