Sunday, 8 May 2011

New privacy regulations – enter the moral maze

Three cheers for us Brits! Good Europeans as we are, we will hit the EU’s deadline of 25 May to bring some European legislation into force to provide an even better level of protection to users of communications services. I’m not too sure how many other EU member states will also hit the deadline, but I doubt that many people will care too greatly if they don’t.

Laid before Parliament last Thursday, we can now put some hot towels around our heads to work out just what this stuff actually means. Please don’t think that all you need to do is to read it to be fully apprised of the true meaning of these words. Oh no. As the Statutory Instrument seeks to amend existing regulations, you really need to have a copy of the existing regulations on one side of your desk, and these regulations on the other, and then when you read them both together some interesting things emerge.

Last time the relevant regulations were changed, the old ones were completely replaced by a new text – so there was only one document to refer to. This way of revising the regulations means a bit more work – both for me, to understand what the new regulations actually mean, and for people who want to work out whether any of their rights have been infringed when a Communications Service Provider, or anyone else mentioned in them, for that matter, acts in a way that may be contrary to what is to be prohibited.

What did I think was going to happen? I had expected the Coalition Government to “copy and paste” the terms that appeared in the earlier Directive, as I was not expecting any “gold plating” to emerge. So I was expecting something about communications service providers being required to notify data breaches to the regulators. I wasn’t expecting the SI to require “all” breaches. I had thought that there might have been some threshold below which those chaps in Wilmslow were not to be bothered about. Well, no threshold appears in the SI – just a statement in the explanatory notes to the effect that “Regulation 5 inserts a new provision into the 2003 Regulations which relates to the notification of personal data breaches. In all cases, the Information Commissioner must be notified. In some cases, the subscriber or user must also be notified where there is a risk that the breach would adversely affect the personal data or privacy of that user.”

All cases? Well, to encourage all cases to be notified, the Regulations allow the Information Commissioner to impose a fixed monetary penalty of £1,000 (reduced to £800 if the miscreant pays the fine within 21 days) for cases where an “undue delay” in notifying the Commissioner had occurred. I didn’t see that in the original Directive.

Will this lead to communication service providers adopting the same behaviours as health trusts, where even the most minor of breaches are reported? And will it lead to the Commissioner issuing press releases about these minor breaches and then requiring the heads of these organisations to sign public undertakings to get things corrected? Well, yes it might. At least with NHS trusts, there are rather a lot of them, so I doubt that the heads of these organisations will feel the wrath of the ICO’s Head of Enforcement too often. There are many fewer Communication Service Providers, however. So they could, if the Chief Executive Officers are not careful, be signing more than one public undertaking each. Woe betide the person who has to brief the CEO every time a snafu emerges that requires a breach notification. Sally Anne Poole, the ICO’s acting Head of Enforcement, could well be spending more time than she actually wanted dealing with the perceived failings of the CSPs – despite the fact that they are all relatively well resourced organisations with professional compliance teams who try as hard as they can to get things right.

I do hope that the ICO takes such factors into account when receiving yet another report of a minor breach. Companies with large customer databases are likely to incur a few breaches - but at least they're unlikely to relate to information as sensitive as the health records that can get lost by less well resourced organisations within the NHS.

While the CSPs may not be required to tell customers of trivial breaches, of course individuals will always be able to write to the ICO to make a Freedom of Information request about the volumes of breaches that have been reported to them by particular CSPs. And the ICO will not have to warn the CSP of such an enquiry - so the first time the CSP may know about it is when the media report emerges about the volumes of notices that each CSP had generated.

This “backdoor publicity” about data breach volumes could cause some CSPs to query the necessity of advising the ICO of all breaches. Will the risk of incurring a potential fine of £1,000 (if the breach subsequently becomes public) be worth running if the business fears that the reputational cost of publicising the most minor of breaches is far greater than £1,000? This is surely the sort of issue that listeners of BBC Radio 4’s excellent programme The Moral Maze would want to explore.

What side would I be on? Well, you’ll just have to wait until I’m asked to be a Moral Maze panelist (or witness) – and then you’ll find out!

There’s lots more to mull over in these new Regulations, but they can wait for another blog posting.

Source: (The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011)