More than eight out of ten fines issued by the Information Commissioner's Office for data security breaches were for self-reported incidents, analysis by law firm Field Fisher Waterhouse has found.
It was the ICO's "most prolific year" yet in terms of enforcement actions, the firm found. The watchdog issued 25 fines, up from seven in 2011. It served three enforcement notices, ordering organisations to take specified action in order to comply with the law, up from one in 2011. And it initiated six criminal cases, up from five in 2011.
Field Fisher Waterhouse found that 84% of fines were for incidents that the organisations themselves had reported, demonstrating that self-reporters "are not given immunity from enforcement", the firm noted.
In an email to Information Age, technology partner Stewart Room commented that this may deter organisations from owning up to data breaches. "The likelihood is that many controllers will be deterred from coming forward due to fear of fines and the absence of positive incentives," he wrote.
"My personal view is that organisations who come forward should be treated similarly to those who undergo audit," he added. "They should receive an immunity from fines, provided that they comply with reasonable requests from ICO for remedial actions and they act in continued good faith in the relationship with ICO, being cooperative and transparent at all times."
Public sector organisations received 80% of the fines, with local authorities accounting for 60%, Field Fisher Waterhouse noted.
Room believes this reflects the fact that businesses do not feel obliged to report incidents themselves. "Most [private sector organisations] do not perceive that they should be voluntarily reporting incidents, whereas the public sector is working (quite properly in my view) to heightened levels of transparency," he commented.
"However, it's clear that ICO enforcement is not a one way street and that the private sector is being more caught up within financial penalties."
Last week, the House of Commons justice committee warned that if the European Commission's proposed data protection reforms are ratified, the ICO may face a £43 million budget shortfall.
The data watchdog receives most of its funding from notification fees, which businesses pay to register under the Data Protection Act, but these are to be scrapped under the proposed reforms.
Meanwhile, the new data laws would lead to more investigations and data controllers would require more support from the ICO.
The committee's report was a "worst case scenario", information commissioner Christopher Graham wrote in response.