Sunday, 9 March 2014
ICO in tricky predicament with £200,000 fine for pregnancy charity
For years data protection watchdog the Information Commissioner’s Office (ICO) was regarded as a toothless tiger.
It sounded big and scary and delivered stern warnings about the importance of data protection, but it could do very little about any data breaches, except perhaps wag its finger.
Then in 2010 everything changed. It was given fining powers to the tune of £500,000 and since then it has levied over £4m against organisations. But some may now consider it something of a heartless hound.
The latest to fall foul of the ICO’s desire for justice is the British Pregnancy Advisory Service (BPAS). The charity provides help and guidance for women with an unplanned pregnancy, from abortions to counselling and more besides.
For some its work is contentious and in March 2012 an anti-abortion hacker used his computing skills to wreak havoc on its website, defacing it and stealing details about those who had contacted the charity for help.
The hacker – James Jeffrey – got almost three years in prison as a result of the incident.
As the hack affected personal details of members of the public, the ICO got involved and its investigation found several technical lapses at the BPAS that made the incident worse than it should have been.
The long and short of it is that the BPAS now faces a fine of £200,000 for an incident which, as its CEO Ann Furedi understandably points out, was caused by a hacker who is now almost seeing his actions rewarded.
“We accept that no hacker should have been able to steal our data, but we are horrified by the scale of the fine, which does not reflect the fact that BPAS was a victim of a serious crime by someone opposed to what we do,” she said.
“It is appalling that a hacker who acted on the basis of his opposition to abortion should see his actions rewarded in this way.”
Furedi also said the fine was “out of proportion” when compared with others the ICO has handed out, especially when those organisations’ breaches were not caused by criminal behaviour.
A trawl back through recent fines suggests this claim is not without merit:
- Glasgow City Council fined £150,000 after losing 74 unencrypted laptops, including one containing more than 6,000 people's bank records.
- Aberdeen City Council fined £100,000 after a member of staff inadvertently posted data relating to the care of vulnerable children online.
- Islington Council fined £70,000 after details of over 2,000 residents were released online due to a basic misuse of Excel by a staff member.
Even if the BPAS pays its fine early – by the end of March – it still faces paying £160,000, more than any of those listed above.
None of this is to say the ICO has acted unreasonably, though: it has to enforce the law, and if it encounters instances of poor data protection – as in this case – it must take a stand so that others sit up and take notice. If other firms and charities up their game after seeing a fine being levied, the public are better protected.
Conversely, if it does not issue a fine, it will be seen as weak and unwilling to take a stand, while any organisation that is fined can claim to have been harmed. A council delivers vital frontline services, it could be argued, and a fine will hamper its efforts to do so.
Clearly, this is a controversial case, driven by the scale of the fine. The fact this money will end up in government coffers – having been given to charity – is also questionable, as noted by Stewart Room, partner at law firm Field Fisher Waterhouse.
“The users of the BPAS charity services have high expectations of privacy and any security weakness that could expose them is bound to trouble the regulator,” he said.
“But the financial penalty regime here is moving money from the collection jar direct to The Treasury. Perhaps the cash could be better spent on improving security and data protection at the charity?”
The BPAS is now appealing the fine in what could prove a fascinating case to see if the ICO's desire to fine can be tamed.