Re: Interesting disincentive to whistleblowers
Speaking as a data protection officer in a hospital who has come across data protection breaches, I can speak for myself when I say I always report them.
Why not just keep schtum, I hear you ask? Well, for several reasons.
1. If the breach isn't actioned then there's a risk it can happen again and again. If it's identified and actions taken accordingly to mitigate, then less risk of it recurring.
2. It's my job to identify these breaches, report them to various bodies (not just the ICO) and try my best to ensure they don't happen again. If I let each breach slide then I should seriously consider looking for another job. No point in being hired to do a job and then doing the complete opposite.
3. If we don't report a breach and it comes to light during another breach later on then it just looks bad and adds to the ICO incentive to fine us for being 'sneaky'.
4. The ICO don't fine organisations willy-nilly. It's not like one breach and you're fined. Of course it's possible to be fined after one breach depending on the severity of the incident, but it's very, very rare. All the NHS organisations fined since April 2012 have had more than one breach and have failed on the 'lessons learned' of previous incidents, and that's why they eventually got fined.
5. The risk of the ICO fining us for breaches is the motivation we need to get every single element of data protection and information security (ISO 27001) implemented. Sad, but true. We all need motivation for the things we do.