Where does the money from ICO fines go?

These are some staggering figures, and it may cause some of us to wonder: where does all of this money go?

By Eleanor Blackwood

    Wed 15 Jul 2020



    What is the Information Commissioner's Office (ICO)?

    The Information Commissioner's Office (ICO) is the UK's independent regulatory office in charge of upholding information rights, in the interest of the public.

In essence, the ICO makes sure that your personal data rights are protected and that companies act within the law. To see how the law might change after Brexit, read here.

    ⚠️ Personal data = any information that can be used to directly or indirectly identify you. Think your postal address, ID or political beliefs.

    What do they fine companies for?

The ICO fines companies for breaching data protection law, namely the GDPR and the Data Protection Act 2018.

UK law requires anyone who handles personal data, companies included, to do so according to a set of data protection principles. These include keeping personal data secure so that it isn't accidentally lost, damaged or stolen (the integrity and confidentiality principle) and not collecting or keeping more data than is strictly necessary (data minimisation).

It's important to note that the size of a fine also depends on how many people were affected and whether special category data, such as health, ethnicity or political opinions, was also exposed.

    How much can the ICO fine companies?

The fine in any individual case depends on the factors mentioned above, but there are two tiers when it comes to the maximum the ICO can charge. Which tier applies depends on which provisions were breached: infringements of the core data protection principles and of individuals' rights attract the higher maximum.

    As the ICO notes:

The standard maximum fine is 10 million euros (or equivalent in sterling), or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

The higher maximum amount is 20 million euros (or equivalent in sterling), or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

Bear in mind that a fine from the ICO can be compounded by private legal action against the company. A good example in the UK is the relatively new phenomenon of data breach class actions, where groups of consumers who have been negatively affected collectively sue a company for mishandling their personal data.

    Some examples of ICO fines

Recently, the ICO has handed out fines that many would view as astonishing figures. Here are some examples:

    Cathay Pacific

In March 2020 the ICO fined the airline Cathay Pacific £500,000 for failing to protect the personal data of 9.4 million customers worldwide.

    Hackers got hold of information like:

    • customer names
    • phone numbers
    • addresses
    • travel history

The airline's data protection procedures fell far short of what British law required at the time. Some backup files were stored without password protection, an internet-facing server was left unpatched, an operating system was still in use after it had gone out of support, and anti-virus protection was inadequate. £500,000 was the maximum fine possible because the breach took place between 2014 and 2018, under the Data Protection Act 1998 and before the GDPR came into force.

    Marriott hotel group

In July 2019, the ICO announced its intention to fine the Marriott hotel group £99.2 million.

This is because:

• Of the 339 million guest records exposed in the breach, around 30 million related to residents of 31 countries in the European Economic Area.
• Seven million of these related to UK residents.

The breach originated in the reservation database of Starwood, which Marriott acquired in 2016. The ICO said the systems had been compromised since 2014 and that Marriott had not carried out sufficient due diligence when it bought Starwood.

Marriott said it would appeal against the proposed fine.


    British Airways

You may remember that in July 2019 the ICO announced its intention to issue its biggest data breach penalty yet: £183 million against British Airways.

    What happened:

• The ICO said the incident took place after traffic to the British Airways website was diverted to a fraudulent site.
• Through this false site, the personal data of about 500,000 customers, including log-in, payment card and travel booking details as well as names and addresses, was harvested by the attackers.

    Speaking about the incident, Information Commissioner Elizabeth Denham said:

    'People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.

    That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.'

So far, the ICO has collected over £39 million in fees and expects this figure to keep growing rapidly.

    So, where does the ICO fine money go?

These are staggering figures, and they prompt the obvious question: where does all of this money go?

The ICO's website is clear: the money it collects from a fine is paid directly into the Government's Consolidated Fund, the Treasury's central account. The ICO does not keep it, and fine income does not fund its work.

Instead, around 85%-90% of the ICO's annual budget comes from the data protection fees that organisations processing personal data must pay it, with the remainder made up of grant-in-aid from the government to fund the ICO's regulation of various other laws, such as freedom of information.

However, this may change. The ICO has been looking at arrangements that would let it retain part of the penalty income to cover the cost of defending its decisions in court. You can find out more about this in the ICO's annual report.

    Before you go

If you're concerned about your own data, you can now easily find out where it is and tell companies what to do with it through Rightly. Let us know how it goes!
