Data protection breaches – time for a rethink on the ICO’s right to fine?

The news last week that the Information Commissioner’s Office has served Brighton and Sussex University Hospitals NHS Trust with a notice of intention to impose a monetary penalty notice for a whopping £350,000 got me thinking about the rationale underlying the ICO’s fine regime.

The ICO’s guidance on the exercise of his power to fine
In his guidance on how he will exercise his power to fine, the Commissioner explicitly recognises that in determining the appropriate level of any fine he must consider the impact that any fine would have on the controller. In particular, the Commissioner’s guidance states that:

  • The Commissioner will take into account the sector, for example, whether the data controller is a voluntary organisation and also the size, financial and other resources of the data controller.
  • The Commissioner will consider the likely impact of the penalty on the data controller, in particular financial and reputational impact.
  • The Commissioner will take into account any proof of genuine financial hardship which may be supplied. The purpose of a monetary penalty notice is not to impose undue financial hardship on an otherwise responsible data controller.

Many of the monetary penalties issued by the Commissioner to date have been imposed on public sector bodies, such as NHS trusts (and councils for that matter). Levying fines on the public sector raises tricky issues, particularly in this financial climate. When budgets are already stretched, there is a real risk that large fines will hit front line services and that, of course, would ultimately hit the public – the very people the Commissioner is trying to protect.

It’ll be very interesting to hear what level of fine is ultimately imposed on the NHS Trust in question. From the press reports, it does seem that the contravention of the DPA was particularly serious and so a substantial fine is inevitable. No doubt, in its representations to the ICO, the Trust will address the issue of the financial impact any fine of this scale will have on its operations.

Time for an alternative approach?
If the idea behind monetary penalty notices is really to change the culture within organisations and move away from the attitude that data loss incidents are “inevitable” (c.f. “preventable”), maybe it’s time to start thinking about whether the ICO should have the power to fine the individuals within those organisations whom he finds to be culpable.

Yes, the organisations themselves should be responsible, but perhaps it is also time to recognise that individuals whose conduct is deliberate or reckless, and below the standard of someone who is reasonably competent, should also be at risk of being fined personally.

Just a thought…

5 Responses to “Data protection breaches – time for a rethink on the ICO’s right to fine?”

  1. Malcolm Charnock February 21, 2012 at 12:38 pm

    Bit of a late response to this post…. I don’t see any other way to ensure organisations take their responsibilities seriously when it comes to data security. I work for a leading UK ITAD who provide secure auditable methods of eradicating all data on redundant IT equipment prior to resale or recycling. Many companies (a huge percentage) will use the cheapest solution, who we know do not employ approved practices or technology (or even know how to destroy data), and as a result the data of individuals, government bodies, banks, health trusts etc makes its way into the hands of a potentially hostile party.
    As an example, if we erase all data from mobile phones and then sell these items, they are worth half as much as if we sell without erasing data. With this sort of financial incentive offered for failing to handle data responsibly, I fail to see what options are available to the ICO.

  2. Ellie Hurst January 17, 2012 at 12:51 pm

    Definitely time for a re-think. I see DP in the same space H&S was in a few years ago. There is a laissez faire (apologies if I have misspelt) attitude and it seems to be viewed as optional in too many places.
    Education on security is lacking, and making everyone in an organisation responsible and part of security is key. It’s not easy and that is the problem, so organisations are learning the hard way.
    I think your comment on personal responsibility feeds into this mindset. I understand exactly where you are coming from when you talk about making people responsible; it’s harsh, but I feel a certain level of frustration at every article I read about data breaches…
    People see data security and think firewalls, encryption, virus scanning software etc, when in actual fact that’s just one aspect and normally works well. It’s the humans that cause the most problems, through basic daftness, lack of responsibility and education on policy, lack of policy, the list goes on. A genuinely hostile individual in an organisation exists of course, but normally it’s something much more mundane and silly that causes the problem.

  3. ICO issues largest fine to date « Brodies TechBlog Trackback on June 6, 2012 at 3:02 pm
  4. First appeal against a fine issued by the ICO for breach of the Data Protection Act? « Brodies TechBlog Trackback on May 21, 2012 at 6:20 pm
  5. New ICO guidance on monetary penalties « Brodies TechBlog Trackback on February 3, 2012 at 12:37 pm
