Today marks five years since the UK data protection regulator went from being the toothless tiger to having the power to issue a financial penalty against those responsible for data loss.
According to its guidance, the Commissioner may impose a monetary penalty notice if a data controller has seriously contravened the Data Protection Act, or if any person has seriously contravened the 2003 Regulations and if, in both cases, the contravention was of a kind likely to cause substantial damage or substantial distress.
In addition, the contravention must either have been deliberate or the data controller or person must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.
According to this list, 66 fines have been issued by the Information Commissioner’s Office (ICO) to healthcare trusts, firms in the public and private sectors, and Government agencies. These include a fine of £180,000 against its own parent department, the Ministry of Justice, for the “loss of hard drives containing sensitive and confidential information at prisons” last year. By my calculations the fines collected total £7,158,500; a lot of money that could have gone into the pockets of senior management, or could have been spent on security solutions.
In reviewing the past five years, I got the opportunity to speak to Stephen Eckersley, head of enforcement at the ICO, and asked him whether the purpose of such enforcement was to help companies get things right. He said that is the overarching theme, and the ICO’s approach.
“If you look at our strategy, it is linked to organisations to make sure that they know of the ICO’s enforcement powers, and making sure that we are deploying our enforcement tools and that it is proportionate for organisations to incentivise them to get it right first time,” he said.
He acknowledged the deterrent and punishment aspects, but said that headlines about a fine usually do not take into account the previous engagement the ICO has had with the organisation involved. “So in some cases where it had issued fines, that same organisation had reported a breach or a similar incident 12-18 months earlier, and said that they would introduce remedial measures, and it was clear that they had not or it didn’t work and you got a repeat situation,” he said. “I think the key message is that we like to think that our regulatory action is proportionate.”
He was keen to stress that enforcement is only one strand of what the ICO does. With strategic liaison to promote good practice, and now with compulsory audit powers within healthcare, enforcement is something it is looking to use more regularly. He said that the fine is often seen as a last resort, and in some cases it may well be, but in other cases it is a first resort if there is clear potential for detriment to consumers or the data subject.
“We are keen to stress it is not ‘one size fits all’ here as every organisation is different and the trusts operate differently, but with healthcare and the public protection arena, where they handle personally sensitive data, we would expect that those measures are tight and mitigate risk effectively,” he said.
If there is one thing that the ICO has been criticised for with the monetary penalty process, it is a perceived heavy hand on the public sector, with Google the most notable escaper of a fine over the Street View wifi capture incident.
Eckersley said that he was convinced that there is a lot of under-reporting going on in the private sector and though it is not mandatory in the public sector, the organisations do apply that approach in their reporting. Asked if mandatory breach reporting could really happen, he said that organisations in the private sector are gearing themselves for this and it looks like things are moving quickly.
I wanted to know whether he thought the UK was a more secure place five years after the Toothless Tiger got its powers. He said that his obvious answer is yes, and that he can qualify that for a number of reasons, as the ICO had definitely seen an improvement in compliance.
“What I do know is that we have influenced compliance significantly in how we raise the profile of data protection,” he said. “Quite often the data protection officer is a lone voice in the wilderness, and suddenly becomes the executive team’s best friend when there is an incident!
“So if there is a near miss, enforcement, undertaking or fine, then maybe once you get buy-in at executive team level and you get that governance and oversight, and it makes a big change to that company’s compliance. Otherwise, you cannot get decision makers to invest and get the communication to change.”
Is it the case that as well as being more secure, the UK is more aware of data protection compliance five years on? He boldly said yes, particularly as the ICO’s profile is far higher than it was a few years ago with issues around phone hacking, data being sold and what happens to the companies tasked with holding it. “I think we are holding them to account to make sure that they are looking after their information,” he said.
Eckersley said that the new EU rules on data protection will likely appear in either 2016 or 2017, almost five years after they were first announced. The new rules, which could carry fines of €1 million or five per cent of global turnover, will create a substantial fear factor, he said.
In a research effort, the ICO contacted some companies who had been fined, and found positive movements and collaboration with their peers, who were thinking “that could have been us”.
Five years ago the ICO was a toothless tiger, with the power to name and shame but all too easily ignored. Whilst the first fines took seven months to be served, from the 6th April 2010 we had a data protection regulator who meant business and now the UK’s PLC, healthcare, public sector and Government are well aware of who wears the stripes.
Stephen Eckersley, head of enforcement at the ICO, was talking to Dan Raywood