Information Commissioner report reveals need for greater action

News by Tom Reeve

If the Information Commissioner's Office is to be more aggressive regarding data breaches, it will need more investment.

If the Information Commissioner's Office is to be more aggressive regarding data breaches, it will need significantly more investment, said Chris McIntosh, CEO of ViaSat UK.

According to its website, ViaSat design and develop security and communication products and services aimed predominantly at improving government, military and critical infrastructure networks and operational systems.

McIntosh was commenting on the publication of the Information Commissioner's Annual Report and Financial Statements 2014/15 launched today.

The report said that the ICO is completing more cases, more quickly than it did last year, with virtually the same level of overall funding as last year. More than 70 percent of cases were finished within 30 days, with 18 percent finished in 31 to 90 days.

No action was required from the data controller in 35 percent of cases finished, while 22 percent required action from the controller, 17 percent resulted in concerns being raised and 10 percent culminated in compliance advice being given to the data controller.  In one percent of cases, the ICO agreed an improvement action plan with the data controller.

During the year there were 316 appeals to the first-tier tribunal, of which 291 cases were heard. Of those, 56 percent were dismissed, eight percent struck out and 14 percent withdrawn. Of those that went against the ICO, six percent resulted in a consent order or settlement, six percent were part allowed and 10 percent were allowed.

However, McIntosh said he looked at the financial figures and concluded the amount of monetary penalties levied had fallen drastically year-on-year but the amount paid was less affected. The amount of penalties issued in 2014/15 was £1.13 million but none had to be repaid following a successful appeal, which compares to 2013/14 when £1.97 million in fines were levied but £580,000 had to be repaid.

McIntosh suggested this was because the ICO was picking its targets better, but it also suggests that the ICO has reached the limits of its powers.

“While the ICO's net expenditure has fallen by 32 percent, this year's report suggests it is operating against the limits of its financing,” McIntosh told “If we are to ask the ICO to take greater action against those breaking the Data Protection Act, to be able to monitor and audit organisations as it feels necessary and to have greater power to enforce data protection best practice, it is clear that this funding needs to increase.

“For instance, with greater resources the ICO might have been able to perform audits that came to more than 1/40th of the number of data incidents investigated. In an ideal world, we would see the ICO performing more audits and having to investigate fewer incidents, but it seems that is still some way off.”

He pointed to the ICO's consolidated fund, which consists of income from fines and data notification fees. “Of note is the fact that, while the financial penalties levied has almost halved, from £1.97 million to £1.13 million, the final amount paid to the ICO and its consolidated fund after reductions and appeals has not been nearly so greatly affected, dropping by 13 percent from £872,000 to £757,000. After last year, where more than half of the consolidated fund's supposed income was eliminated, this can be seen as a serious improvement. This is mostly down to no appeals to punishments being brought, which could suggest that the ICO is being smarter about how it picks its battles, and not pursuing cases that could result in a costly and ultimately counter-productive appeal.

Christopher Graham 
“For an organisation that needs to consider its budget, this is the wisest course of action – we can only hope that in the future, greater resources will allow the ICO to pursue tougher cases as well.”

We asked the ICO press office for a comment and they pointed us to this quote from the foreword to the report, written by the Information Commissioner, Christopher Graham: “So the evidence is that, when the ICO is given the tools we get on with the job. 

"And we are always seeking ways to make our limited resources go further too. 

"This year's accounts reflect the welcome agreement from the Ministry of Justice allowing us greater flexibility in accounting for non-frontline costs between our data protection income from registration fees and our grant-in-aid which pays for our freedom of information work.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews