Wednesday 26 June 2013

Should there be a “right to forget” about old ICO enforcement actions?
How should a data controller respond to the question “Has the organisation ever been subject to action by the Information Commissioner regarding complaints and or enforcement notices?”

Should a “Rehabilitation of ICO Offenders Act” be created, to set the expectations of people who ask such questions? After all, if an ex-offender can’t be questioned about their criminal convictions after a certain period, perhaps similar standards ought to apply to those who have fallen foul of the folk in Wilmslow.

A quick glance at the ICO enforcement site provides some clues to the answer. If you want to learn who’s been told to stand on the ICO’s naughty step, then this is a good place to start. The good news is that it lists no details of ICO prosecutions before June 2011, Enforcement Notices before December 2011, or Undertakings before May 2011. But it does list all Decision Notices since February 2005, all Monetary Penalty Notices (ie those awarded since it was given powers in February 2011) and all PECR breaches (ie those awarded since it was given powers in July 2011).

However, even though the old prosecutions, Enforcement Notices and Undertakings no longer appear on the ICO’s Enforcement Pages, details can still be found if you’ve a rough idea of what you’re looking for. Thanks to the mighty internet search engines (and the sterling efforts of a number of journalists and firms of solicitors), details and occasionally comments about old enforcement actions can readily be found all over cyberspace.

Should a responsible data controller take the ICO’s lead, and assume that it is obliged to reveal details of enforcement actions while they are also available on the ICO enforcement site, but that once they have been removed it can forget about having been on the ICO’s naughty step?

Some would suggest that it’s unfair to expect an ex-offender to be required to reveal information that the Regulator has decided is no longer worthy of mention on the Regulator’s own website.

I’ve had a look at the ICO’s own policy on “Communicating Enforcement Activities” to see if that provided any useful guidance. A policy document was published in January 2010 and contained a commitment that the policy would be reviewed in 2011. However, it’s not clear if the review took place, and if it did, whether anything changed.

On the assumption that it has not changed, then (a slightly condensed version of) the ICO’s policy for communicating enforcement and regulatory activities is as follows:

“The default assumption is that we are likely to publicise enforcement and regulatory activities:

  • If it’s already a news story. We would probably also publicise the fact we’re investigating in these circumstances.
  • Where there’s an opportunity for education/prevention.
  • If it’s new, extreme, a first etc (standard news criteria).
  • If it meets a communications, corporate or information rights objective.
  • If it would help an investigation to publicise it.
  • If there are aggregate stories showing trends etc.
  • Where publicity is likely to deter others.
  • Where publicity would be in the public interest.

We are not likely to publicise enforcement and regulatory activities:

  • When releasing information could prejudice a trial.
  • When an investigation is underway (and it could be hindered by publicity, or the investigation may come to nothing).
  • When we have several similar cases and time or news constraints mean we have to choose.
  • If it is too dull or technical to make the news.
  • Where we would breach S59 of the Data Protection Act.

Preliminary notices
  • More suited to aggregate story, unless there is an overriding public interest to publicise it, all parties agree, if it was already in public domain, or if there is a regulatory need.

Undertakings
  • We will publicise undertakings depending on news value and/or if there is a need to address public concerns.
  • Where they relate to section 55 and are given by individuals in lieu of possible prosecution they will normally be put on our website in an anonymised form.
  • Undertakings will normally be kept on our website for two years.

Prosecutions
  • We may inform journalists in advance.
  • We will adhere to contemporaneous reporting rules.
  • We may issue a news release.
  • In some cases we’ll provide the case summary to a journalist.
  • We will report on prosecutions in our Annual Report to Parliament. This also goes on our website and will normally be kept on our website for three to four years.

Cautions
  • We may publicise cautions depending on news value.
  • More suited to aggregate story.

Enforcement Notices
  • We will publicise these depending on news value.
  • Enforcement notices will be put on our website and reviewed after two years.

Injunction application
  • More suited to an aggregate story.

Application for Enforcement order
  • We may publicise these depending on news value.

Inspection
  • If publicity is desired, we will work with the relevant authority on communicating international inspections.

Information Notice
  • We are likely to publicise if it’s in the public domain.
  • We may publicise if it helps the investigation.
  • We are likely to publicise if there’s an expectation of an update or we need to show we have taken action.

Search warrant
  • We will publicise these in aggregate (eg in the annual report).
  • We may publicise if it helps the investigation.
  • We are likely to publicise if it’s in the public domain.
  • We are likely to publicise if there’s an expectation of an update or we need to show we have taken action.

Penalties
  • We will not normally publicise the notice of intent to serve a monetary penalty. This is more suited to aggregate story, unless there is an overriding public interest to publicise it, all parties agree, if it was already in public domain, or if there is a regulatory need.
  • We will publicise the serving of a monetary penalty.”

Given that the internet hardly ever forgets, I think it’s safe to assume that once a data controller finds itself on the ICO’s naughty step, people aren’t going to forget about it for a very long time. So it might as well come clean about all of its past misdeeds, just in case someone carries out an internet search and unearths material that leads them to suspect that there has been a cover-up.

There certainly ought to be a right to forgive. I’m just not sure how we can actually enforce a right to forget.
Image credit:
http://static.guim.co.uk/sys-images/Guardian/Pix/pictures/2009/5/5/1241516425432/The-Scales-of-Justice-Old-001.jpg