Let's start with ACS Law
Go on, maximum fine - they deserve it
The information commissioner will announce the first organisations to be fined for failing to protect data later this month. Christopher Graham said that the fines of up to £500,000 "give the ICO the teeth that many people in the past said it lacked". The ICO gained the ability to issue such penalties on 6 April, along with …
Graham is saving the maximum fine for big breaches, he said so. It's all about posturing. ACS:Law only made a little mistake affecting a few thousand people. The ICO's big day will be when it claws 500K off an NHS budget somewhere, forcing ward closures and making Christopher Graham the Civil Servant of the Year.
I suspect the collective response will be to keep ignoring the ICO, since that's what everyone's got used to by now.
At most, there might be a terse "Yeah, see you in court - you've got the budget for that, right? No? Oh dear, what a terrible shame."
At this point, public pike-polishing is about the last thing the ICO should be doing. Until there are heads on those pikes, the ICO will continue to be a joke with no punchline.
When will the regulatory bodies realise that NO public bodies, whether they are government, local authorities, councils, NGOs etc., have any money of their own?
It used to belong to the long-suffering "general public", you and me, before it was taken as taxes and tribute.
Fining public bodies is indirectly fining the general public, 'cause next year the offenders are going to put up their taxes, fees or whatever to recover the fines.
The only way to hurt these offenders is to SACK them without compensation!
Bring on the tea party!
Would there be any point in the ICO fining public sector organisations? It's not like the money will be coming from their profits like it would a private company, instead it will come from our pockets the next year in the form of increased tax. Maybe instead they should be given the power to fire the useless numpties responsible and change the procedures, like disallowing sensitive information to be taken outside the secured offices via laptop/memory stick.
Police: You knowingly and illegally intercepted data with Phorm
BT: Oh, but we had no criminal intent
Police: Well that's all right then, sorry to have bothered you, carry on
ICO: You illegally gathered personal data from UK citizens
Google: Oh, but we will delete the data and won't do it again
ICO: Well that's all right then, sorry to have bothered you, carry on
Council: Your car was photographed in a bus lane, that will be £30
Ordinary citizen: But I only crossed the lane to park
Council: That'll be £30 please, and more if you don't hurry
Fining public bodies just takes money from the tax payer. I suggest the ICO should instead take the 500k from the bonuses of the top 100 earners in the organisation - that would help them to focus on data security.
Alternatively, make it punishable by jail, and apply it to public and private organisations evenly.
He would fine the incompetent vermin £500,000 for compromising the identities of 25,000,000 people? A fine of £0.02 per person impacted?
Oooooh, quaking in my boots over data protection, the ICO has a new name "growling hamster".
So, if HMRC screws up again, they get fined and pay the fine out of the taxpayers' coffer. The money goes into the taxpayers' coffer. Next year, HMRC ask for more money from the taxpayer to fill the hole caused by the fine. They get more money, screw up again, get fined, cough up, ad nauseam...
Where's the punishment?
"if HM Revenue and Customs committed a data breach similar to its loss of 25 million people's details in 2007, he would apply 'the max' penalty, describing it as 'the horror benchmark'."
£500,000 for losing data on 25 million people is 2p each. The fines should start at £1 per individual with bigger fines for exceptional negligence.
...and then what?
Essentially they've paid 1/2 million sheets to get away with nationwide data rape.
Yeah, that'll stop them dead in their tracks.
Obviously, they won't be allowed to keep the data, but will they be allowed to keep their analysis of the data? Seems more than likely, right.
Firing them is one thing, how about also barring them from holding any position where they have responsibility for / access to private data.. and before anyone starts whining about unfair restrictions on employment.. if you lose your driving licence.. you lose the ability to hold a driving job.. this is no different.
I'm sure the friendly people at the job centre will be able to harass them into some lowly paid menial task... or is that a fate reserved for the lesser proles in our society? Perhaps while they are doing a less demanding job they will have time to reflect on their attitude to other people's security and privacy.
While the loss of £500,000 might bother a small firm, it won't even scratch the paint on the large organisations who do the worst damage, they'll just view it as another unfortunate cost of doing business, like paying the minimum wage.
Why have a limit at all? Far better to have a formula that relates to turnover/profits and delivers a predetermined amount of punch at every level from the smallest to the largest, the level set according to the severity of the offence - perhaps no accident that they don't. And why stop at fines? Until the worst offences result in negligent individuals doing a stint in chokey, it's still "someone else's money" - ours in the case of public bodies. Those involved with serious losses should also be subject to much, much closer, more regular and more invasive scrutiny of their data handling processes - ultimately banned from handling personal data at all if they adhere to standards.
Illegal commercial exploitation of personal data, such as Phorm/BT and Google, is another game again, and really requires very severe punitive measures to act as any form of worthwhile deterrent; getting caught needs to hurt rather than irritate.
None of this will happen, and I really can't see why the ICO even bothers trying to persuade us they are serious about data protection when virtually every statement from them proves otherwise.
Fuck fines, a criminal record for the data controller would focus the mind wonderfully. No more civil service arse covering. If you're the controller and the breach happened on your watch, your ass is going to be in front of a judge. And fuck letting people off, breach should be a strict liability offence, no more of this cosy old uncle ICO having a quiet chat bullshit.
And if one of those fines isn't for ACS Law, then the ICO might as well put its offices up for sale. I mean FFS, who else could have the option to fine Google 500,000 quid for criminal acts and not take it? Surely "we're tough on data protection and will bring the full weight of the law down onto offenders, whoever they are" would have been a better message to send out than "We'll probably still let you off in any case".
Lack of independence is another (according to EU Fundamental Rights Agency).
Lack of competence is another (according to the ICO themselves).
Until the ICO are comprehensively reformed, and particularly the existing ICO management ejected onto the street, it's hard to have any confidence in these corrupt handwringing muppets.