The Information Commissioner's Office said more companies should offer themselves up for voluntary audits. According to the quango's annual report, a third of organisations offered the chance to be audited by the ICO accepted. Of the 603 breaches last year, 186 came from private companies. But only 19 per cent of these firms …
"look at Sony – no one can blame them for getting hacked"
Whose fault was it? This is why you should employ security specialists to manage your security, not lawyers....
Sony – no one can blame them
Is this a sense of humour or legal amorality? I can't tell.
I can blame Sony for keeping customer information on an Internet-connected server, for being incompetent at basic security, for grossly immoral behaviour that created enemies, for deliberately and illegally infecting their customers' computers with that root-kit, for breaking their contract with their customers by removing functionality post-purchase, ... The list is endless.
Sending demands for payment to Councils? Why not just send the taxpayers a bill directly? It works out to the same thing.
The ICO should bring cases against individuals, go after commercial targets, or sod off and get proper jobs.
Last I checked, a "fine" can only be imposed by a court, not some pathetic quango.
Councils need to be held to account for not looking after personal data properly. How should that be done?
In some ways fining a council isn't that different to fining a corporate - it doesn't come out of the pocket of the person responsible, ultimately the public pay. For a council it comes out of taxes, for a corporate it is passed on as price rises and lower dividends (= smaller pension).
What it achieves in a small way is to weaken the position of the council leaders/board of directors. In an ideal world that would affect their salary or even cost them their job. In the real world perhaps not.
"no one can blame them [Sony] for getting hacked"
There are no* 'unhackable' systems, but if putting unencrypted text files of passwords onto an insecure public server isn't a cause for blame, I'd like to know what is.
* The only 100% secure computer system is one that’s not connected to a network … and switched off … and encased in concrete … at the bottom of the ocean.
>The only 100% secure computer system...
Davy Jones just made off wi' yer so-called secure undersea computer! Yarrrrrrr!
"at the bottom of the ocean."
With a sign saying beware of the leopard shark.
They should automatically audit
I try my best to support the ICO but when every complaint to their office gets the obligatory "we're sorry for the time it has taken to respond", I find it a bit annoying that they're not devoting resources to speeding up the complaints process.
The ICO should carry out audits whenever they receive a complaint. When you bear in mind that the majority of organisations in the UK use standard form civil contracts in an attempt to "customise" the DPA98 to suit their own needs, and when you bear in mind that no term in a standard form civil contract can deny a consumer of a statutory right, why aren't the ICO auditing the terms and conditions of companies?
"* The only 100% secure computer system is one that's not connected to a network … and switched off … and encased in concrete … at the bottom of the ocean."
You have no clue what you are talking about, as evidenced by the fact you used the phrase "the only 100% secure". NOTHING is "100% secure" when applied to a broad threat model. If you think that your definition of 100% secure is in some way actually useful, you truly are naive.
You have only implemented prevention systems in that model - no detection of attacks or response for when they are in process (or afterwards - when they are successful). In theory only the cost of getting the thing off the ocean bed (and a hammer and chisel to get past the concrete) is needed to gain access to your "100% secure computer system".
Security is fundamentally an economics problem - you make trade-offs in resources or functionality to gain security (or not). Your above model is not only insecure by any sane reason for why you would use that approach, but for all intents and purposes utterly useless and impractical - what's the point of a computer that cannot be used?
I really hope you have no responsibility for anything where security actually matters.
FFS - it's a JOKE!
Full security is only possible by disconnecting the machine and preventing any physical access by anyone.
That makes the machine utterly useless of course, so nobody does that - that's the point!
The Data Protection Racket
"Pay the boss, or something nasty might happen to your windows. Capiche?"
The ICO Data Protection Racket; cough up the dough, give the Godfather 'respect', and they won't prosecute you... regardless of the way you abuse personal information.
ICO; lazy, corrupt, and completely incompetent.
is it just me?
Or are they trying to put data protection consultants out of business? If they start auditing volunteers, how are we supposed to know which companies have caused themselves to be audited for cause?
The ICO now has delegated statutory powers to levy fines for DP failures just as the FSA does for failures by financial institutions (but let's not go there), so au contraire my friend, it's not just the courts that can levy fines.