Data breach howlers to get up to £500,000 fine

The Information Commissioner's Office is threatening to slap penalties of up to half a million pounds on data controllers who are found guilty of serious breaches of the Data Protection Act. According to a statement on the Ministry of Justice's website, the government is pushing for Parliamentary approval of its Civil Monetary …

COMMENTS

This topic is closed for new posts.
  1. Jeff Green

    Can the Government afford this?

    Given it is mostly the Home Office that gives data away!

  2. Anonymous Coward
    Grenade

    please please

    let him leave a memory stick on a train with the information...

    1. Fred Flintstone Gold badge

      Pointless

      It would merely result in your tax money being wasted somewhere else, with a lawyer in the middle taking a good slice..

  3. asiaseen

    The problem

    with that idea is that, because the worst offenders are government and public bodies, it's the taxpayer who will be footing the bill.

  4. Anonymous Coward

    Corrupt Law

    If people don't want to give details then they should not be compelled to do so.

    The fine is not for the people, it is for the UK government, their chandeliers, sanitary towels, and moats.

    In instances where the UK government allow for data breaches generally about information no one really wants them to hold in the first place, they are just fining themselves.

  5. LinkOfHyrule
    Coat

    £500,000

    £500,000 is a lot to a small firm or small organisation, but it's peanuts for a bank, supermarket, average large government department (which shouldn't not be fined anyway as it's our money).

    If the personal details of half-a-million people turn up on the 19.35 from Waterloo or in the bins round the back of Lidl then the fine provided it's the maximum works out at £1 a pop! Seems light to me! Surely something like 25% of profits or £500,000 (whichever is greater) would be an actual deterrent for organisations such as banks who have been known to leave all sorts of random data out in the street or send it via email to strangers!

    Mine's the one with your personal data in the pockets!

  6. Martin Gregorie

    Wot abaht the Gummint?

    That's all very well and good if somebody in the private sector drops a bollock. However, what happens when the next civil servant loses an unencrypted disk: Who gets blamed? Who gets fined? Who pays the fine?

    I bet the answers will turn out to be: nobody, the departmental budget, the poor bloody taxpayer.

    Odd, that.

    1. N2

      25 million answers

      On two CDs despatched by TNT mail for next day delivery

  7. Gus McKay
    Flame

    Not effective

    There may be good things in this bill; I don't know. Sadly, all I need to do to consign it to the disappointingly large pile labeled "ineffective legislation for propaganda purposes" is read the max penalty.

    ID theft can cost victims thousands, and relevant failures regularly affect thousands or millions. How about a modest penalty of up to £1000 per victim? £500,000 is so much less than it would cost to fix data security in many organizations, making it too easy to justify paying up, rather than fixing things.

  8. Andy Livingstone

    Going in the wrong direction

    Forget fines.

    Legislation should be for naked photos of all Board Members of the appropriate Organisation to be posted on the web.

    For Government Departments it should apply to all Front Bench Spokesmen for the Department together with their top level Civil Service team.

    Perhaps they might take personal data a little more personally and seriously.

    1. Anonymous Coward
      Stop

      Naked photo of Gormless Brun?

      No thanks!

    2. Fred Flintstone Gold badge

      No can do..

      Just putting them out naked is (a) not good enough (you're only making sure companies will hire exhibitionists for the job) and (b) a potential hazard to children. Put them then at least in stocks, and generate extra revenue (unit price + VAT) on the sale of rotten tomatoes in the vicinity, ripe for deployment.

      I deem it then less likely that they will get many to re-offend.

      What I would really want is 3rd party providers be compulsorily declared. Some companies buy lists, and as they have no duty to tell you who provided the data you can only ask the company to delete you, but the original list is still sold on, leaving you to play a whack-a-mole game with new spammers. This is, incidentally, also a loophole in the DPA - if I ask YOU for data I'll have to jump through all the hoops. If I get your friends to tell me about you, you will not be asked permission, yet the data can still be sold legally (AFAIK).

      I now email every spam from UK companies to the ICO. With a bit of luck they will actually start looking at this (or put me in the junk filter) :-). Feel free to join me.

  9. John Murgatroyd

    Not much at all...

    One presumes that the fine is being increased because of this case:

    http://www.theregister.co.uk/2009/03/06/ico_raids_database/

    In which case the penalty enacted upon the guy running the database will increase from this:

    http://www.out-law.com/page-10178

    1. Mark C 2
      Thumb Down

      10 quid

      ..says all Government departments are exempt from this law.

      Wouldn't want Civil Servants abiding by the same laws as us tax-payers/voters/lowly scum now would you?

      Anyway, the penalty should be applied to the Data Controller that is responsible, not the organisation. A novel idea I know.

    2. Anonymous Coward
      Thumb Down

      10 quid

      ..says all Government departments are exempt from this law.

      Wouldn't want Civil Servants abiding by the same laws as us tax-payers/voters/lowly scum now would you?

      Anyway, the penalty should be applied to the Data Controller that is responsible, not the organisation. A novel idea I know.

  10. Flocke Kroes Silver badge

    Half a solution

    A penalty for failure does by itself not teach people how to succeed.

  11. heyrick Silver badge

    Civil Monetary Penalties

    Civil Monetary Penalties

    ^^^^^

    Would this exempt the government, the prime data-loser in recent times?

  12. dracnoc

    Here's an idea...

    If one of those G'ment lot get let loose with a bunch of data in a public place, then their actions should be classed as treason against the state - life imprisonment without parole. That should get their bloody attention.
