Saturday, 19 May 2012

When will the ICO fine itself following a data breach?

In this regulatory bear market, we’ve been marvelling at the increasing use of civil monetary penalties by the Information Commissioner's Office to take action against organisations whose data handling systems are sufficiently shoddy to cause harm or distress to people.

Taking the ICO’s powers to extremes, I wonder when we’ll be reading an ICO News Release like this:


The Information Commissioner’s Office has issued itself a penalty of £20,000 for losing paper records containing personal information, including the names, job titles, beverage preferences, tastes and dietary habits of the ICO’s Executive Team.

The loss occurred when an administrator took some paper records to Wilmslow’s Sainsbury’s to buy the Executive Team sandwiches and snacks for a working lunch. The administrator’s car was broken into while they had popped to the Wilmslow public library to return some DVDs, and a bag, containing the records and an encrypted data stick, was stolen. This meant that the Executive Team had to eat what they were given, rather than what they had asked for.

The ICO’s investigation found that it had failed to take appropriate organisational measures against the accidental loss of personal data held on paper records. Although the ICO had an information security policy and some guidance for staff on handling important papers, the measures failed to explain how the information should be kept secure when being transported in a private vehicle.

Today’s penalty comes after the ICO had required many public authorities to sign undertakings following earlier incidents, during which personal data, both in an encrypted and an unencrypted form, had been stolen from an employee’s home and/or vehicle. While many authorities later introduced a paper handling policy following the undertaking, this policy was not in place at the time of the ICO’s loss, nor had all staff been fully trained on the policy.

Simon Entwisle, the ICO’s Director of Operations, said:

“The potential for distress in this case is obvious. No-one wanted the Commissioner to eat egg and cress sandwiches, when his favourite cheese and ham bap could have been provided. It is therefore extremely disappointing, and embarrassing, that I had not put in place sufficient measures in time to avoid this mishap.

While I am pleased that I have now taken action to keep the personal data we use secure, it is vitally important that all organisations have the correct guidance in place to keep paper records taken outside of the office safe. This includes storing papers containing personal information separately from data sticks.

The effect of the penalty is that we will no longer be able to subsidise our annual ICO Data Protection Officer’s conference for everyone, so from now on all delegates from the private sector will be required to pay a £100 attendance fee.

We are aware that if an ICO administrator loses any more personal information, the effect is likely to be a much larger fine, which will probably mean that we would be required to charge everyone to attend our annual ICO Data Protection Officer’s conference. Given pressures on the public purse, we do appreciate, and greatly regret, that this will probably prevent public sector DPOs from ever being allowed to attend this event again.

But, if we are big enough to hand out the fines, then we ought to be big enough to accept a fine when we get things wrong, too.”

Actually, I’m not making all of this up. Section 107 of the Protection of Freedoms Act 2012 does give the ICO the right to charge delegates to attend ICO training events or conferences. They've got to recover their costs somehow, you know. And I’ve already seen one ICO consultation exercise commence on the extent to which private sector companies ought to pay to attend the ICO’s Data Protection Officer’s Conference. For my part, I’m very happy to pay a fee that represents the costs of staging the event. In my opinion, they represent brilliant value for money, and they give us all an opportunity to catch up with old friends. And have a laugh, or two.

Finally, for the anoraks among us, Section 105 of the Protection of Freedoms Act 2012 also changes the period for which the Information Commissioner is appointed. In future, rather than a (renewable) term of 5 years, the Commissioner will be appointed for a single period of 7 years.
