34. The ICO has a number of tools and powers at its disposal to support data protection and enforce the laws and regulations that underpin it. Given the importance of the digital economy and the increasing amount of personal data held online, as the ICO said in written evidence, cyber security is “integral” to the protection of personal data. Apart from any tension between informing the authorities and informing those affected, there may also be an incentive to cover up cyber-attacks or data breaches, because of the potential damage to corporate reputation they may cause. The ICO should introduce an incentive structure that inhibits delays, for example escalating fines for delays in reporting a breach. At present the ICO can only issue a fixed fine of £1,000 for failure to report a data breach. There should also be scope to levy higher fines if the organisation has not already provided guidance to all customers on how to verify communications.
35. We note that the maximum fine that can be imposed by the ICO is currently £500,000, which may not be a significant deterrent for a large company. The forthcoming EU GDPR strengthens consumer rights and extends the requirement to report data breaches to all entities that handle personal data. All companies and organisations will be required to inform national data protection authorities within 72 hours of a breach, and if there is a high risk to individuals/consumers, those people must also be informed. The EU GDPR also significantly increases the fines available to the ICO, from the present maximum of £500,000 to a maximum of 4% of global turnover or €20 million. In oral evidence, the Information Commissioner said:
In the GDPR that is coming down the track, the potential fines are much bigger … the figures are eye-watering and will make the big players sit up and take notice … a fine of £500,000 when deployed against a really big player, like Sony for example, does not amount to very much whereas a percentage of global turnover becomes very serious.
36. The ICO has begun producing guidance to help UK data controllers to prepare for the Regulation’s entry into force. However, the attention of individuals within an organisation may be better engaged by the threat of a custodial sentence than by a fine for their employer. As the ICO said in its written evidence:
At present there is no option for a court to impose a custodial sentence for someone who contravenes section 55 of the DPA. Previous parliamentary evidence which we have submitted has called for more effective deterrent sentences, including the threat of prison in the most serious cases, to be available to the courts to stop the unlawful use of personal information.
37. The Direct Marketing Association also agreed that the use of criminal sanctions would be a greater deterrent, as did Big Brother Watch. We concur with the ICO that, whilst the implementation of the EU GDPR will help focus attention on data protection, it would be useful to have a full range of sanctions, including custodial sentences. We therefore support the ICO’s call to bring into force Sections 77 and 78 of the Criminal Justice and Immigration Act 2008, which would allow a maximum custodial sentence of two years for those convicted of unlawfully obtaining and selling personal data.
38. The digital economy is an increasingly important part of the UK economy. The 2015 UK Digital Strategy said that the UK economy is boosted by around £145 billion a year from digital technology. In written evidence, Fujitsu said that the UK has the largest internet economy in the G20. However, as TechUK underlined, as the digital economy grows, the opportunity for cyber-crime increases, and the challenge of making the UK a safe place to do business becomes ever more important. TechUK estimates that cyber-crime costs the UK economy £34bn a year, having increased from £27bn in 2010. The ‘digital by default’ agenda also means that public services are increasingly provided digitally, resulting in significant volumes of personal data being held online. Increased use of cloud computing also means that more personal data is held online. Given the importance of e-commerce to the British economy and the prevalence of e-services, coupled with the mounting threat of cyber-attacks, we consider that companies need to invest continually in cyber-defences and ensure that they are keeping ahead of criminals and hackers. NCC Group highlighted a widespread diversity in cyber awareness at Board level, expressed through a variable level of committed investment. Companies and other organisations need to demonstrate not just how much they are spending to improve their security but that they are spending it effectively. We therefore recommend that organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the ICO on:
Such reporting should be designed to help ensure more proactive monitoring of security processes (both people and cyber) at Board level, rather than reporting breaches after they have happened. Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place.
39. Consumers are increasingly concerned about data protection and cyber-security. In written evidence, the Institute of Customer Service said that 43% of consumers are concerned that cyber-attacks might compromise their personal information, and that financial loss is the principal concern. Consumers need to be able to identify which suppliers and retailers are implementing effective data protection and security (personnel and cyber) defences. There is an urgent need for a mechanism that is easily understood by consumers in order to maintain consumer confidence and inform consumer choices. We therefore support the ICO’s plan to create a privacy seal, to be launched later this year, which would be awarded to entities that demonstrate good privacy practice and high data protection compliance standards. It would be useful if the privacy seal could also incorporate a traffic light system to help consumers understand which companies are compliant, which are making progress, and which have yet to take the issue seriously.
40. At present, the ICO has limited powers of non-consensual audit. Such audits cannot provide complete assurance: as noted above, the ICO had undertaken a consensual audit of TalkTalk in September 2015. Nevertheless, the ICO should have additional powers of non-consensual audit, notably for health, local government and potentially for other sectors.
17 June 2016