Effectiveness of CMPs (Prepared for: ICO, Ref: jn1666/BW)


SLIDE 1

Effectiveness of CMPs

Prepared for: ICO Ref: jn1666/BW Date: April/2014

UK | FRANCE | ITALY

SLIDE 2

Contents

  • Background & Objectives
  • Approach/ notes about qualitative research
  • Key findings
  • Detailed Findings
    • Study among organisations fined
    • Wider impact study
  • Recommendations

SLIDE 3

Background & objectives

Since April 2010 the ICO has had the power to issue Civil Monetary Penalties (CMPs) of up to £500,000 for serious breaches of the Data Protection Act or the Privacy and Electronic Communications Regulations.

The ICO wishes to find out how effective the CMPs have been in improving data protection practice, not just in the organisations on which it has imposed penalties but also more generally.

Specifically, the research explores the triggers for CMPs, the impact of the amount of the CMP and the compliance issues covered by the CMPs, and whether the organisations felt they had been dealt with fairly, reasonably and courteously.

The findings are intended to inform regulatory policy on the use of the powers, e.g. when and how to use them to best effect, and on how their impact on promoting compliance across the board can be maximised.

Additionally, the ICO wishes to understand how ‘news spreads’ and whether the serving of a CMP on a particular organisation influences corporate behaviour more widely.

SLIDE 4

Approach

Letters were sent to 42 individuals (SIROs/ Directors of Information Governance) within organisations that had received a CMP. The letters, sent by the ICO, explained the purpose of the research and gave people the option to opt out of the study.

  • 14 contacted the ICO wishing to take part.
  • In-depth discussions were completed with these 14 by telephone, using a topic guide, during March 2014 (7 local authorities, 3 private companies, 1 local health authority, 1 police force, 1 central government agency and 1 regulator).
  • Interviews were transcribed and fully analysed to draw out themes and interesting viewpoints.

85 online surveys were conducted with a wider group of organisations, mainly in the public sector, to measure how far news of CMPs travels and what impact this has on the behaviour of other organisations:

  • Local authorities: 28
  • Local health authorities: 26
  • Private companies: 14
  • Not for profit organisations: 13
  • Police forces: 3
  • Central government: 1

SLIDE 5

Notes about qualitative research

Qualitative research is ideal for exploring complex issues and to elicit a full range of possible answers. It is designed to be illustrative and does not look to produce statistics, but to identify the range of views.

Throughout this presentation we have made use of verbatim comments to illustrate a particular viewpoint. It is important to be aware that these views do not necessarily represent the views of all individuals.

Respondents were assured of their anonymity in the covering letter, so none of the comments are attributed to any organisation and, where necessary, some quotes have been slightly amended to avoid the risk of them being attributable.

SLIDE 6

Key Findings

SLIDE 7

Key Findings

Organisations receiving CMPs believe that the three conditions needed to trigger a fine are correct; however, quite a few felt they are a bit ‘woolly’ and open to interpretation. 8 of the 14 interviewed agreed in principle that fines should be levied against organisations which are seriously in breach of the Data Protection Act.

11 out of 14 agreed that the ICO is right to make public the actions taken against organisations that have been in breach of the Act.

Asked what positive impact the penalty had on the way they manage their data protection responsibilities, almost all mentioned training, re-training and the introduction of compulsory training. This includes messaging and reminders using internal communications such as email notices, posters and screensavers.

  • Two stated that there was a need for a complete culture shift in the way staff approach data security. “People lose sight of the fact that the smallest mistake can cause a major incident further down the line”.
  • Some used the fine itself as a reminder to staff of the consequences of not handling data securely.

SLIDE 8

Key Findings

All the fined organisations, and six in ten of those hearing about CMPs in the ‘wider impact’ online survey, claim that there is greater management buy-in now. Four of the fined organisations had a complete overhaul of their information security regime. Systematic processes including asset registering, encryption, secure email, mobile phone lock-down and CCTV have been introduced by several. While the headcount of those working in information security was boosted in only two organisations, three more re-structured their departments to make them more effective.

Similar levels of impact are observed in the wider impact study among those hearing about CMPs. The level of activity provoked by CMPs contrasts with the fined organisations’ views about the fairness of the penalties:

  • 5 were surprised to receive the Notice of Intent.
  • 6 challenged it.
  • 9 didn’t think the level of the fine was fair.

SLIDE 9

Key Findings

In the wider impact study, opinion is split evenly between those who consider the ICO’s fines to be fair and proportionate and those who don’t. The main criticisms relating to the level of fines are:

  • The magnitude of them.
  • Lack of transparency on how the figure was reached.
  • Perceived mismatch between the levels of fines for what appear to be breaches of similar magnitude, or fines being larger for seemingly less serious breaches.
  • No sign that mitigating factors were taken into account (previous good behaviour, robust action to limit the impact of the breach, diligent and concerted effort to improve practice to ensure breaches do not recur).
  • Difficulty in accepting the case for fining public sector organisations at a time of austerity.

Most considered the time taken to determine the fine to be far too long. Those wanting alternative approaches to fining suggested:

  • Intervention by the ICO to help them improve their data protection practices.
  • Direct approaches to chief executives to get the message across.
  • Some of the money from the fines to be diverted to investment in data protection improvements.

SLIDE 10

Key Findings

10 received bad press as a result of the fine.

  • In most cases they claimed the impact of the bad publicity was limited and/or short-lived.

More claimed that damage to reputation had a greater impact than the fine.

  • With local councils, the political dimension heightened their sensitivity to bad publicity.

Taking everything into account, 7 felt they were treated fairly by the ICO, 4 didn’t think they were treated fairly and 3 didn’t answer.

SLIDE 11

Study among organisations fined

SLIDE 12

Organisations’ perception of the fairness of the fine

All the organisations taking part in this research self-reported the data protection breach. 5 were surprised to receive the Notice of Intent, 8 were not and 1 half expected to receive one. Fines were mainly in the band £80,000 - £120,000. Most received a reduced fine for paying promptly. 6 challenged the Notice of Intent. The majority did not feel that the level of the fine was fair and proportionate in terms of the breach that occurred.

  • 2 thought it was fair
  • 9 didn’t think it was fair
  • 3 wouldn’t comment on this

8 agreed in principle that fines should be levied against organisations which are seriously in breach of the Data Protection Act.

SLIDE 13

Organisations’ perception of the fairness of the fine

Some made comparisons with other similar cases they read up on or knew about and were unhappy that their fine was greater.

When I did the representations I did compare our incident to other incidents that had happened previously with other organisations, one of them being a Police force. It was a similar incident although there was no theft involved with the Police force, but the loss of data whilst they were out in the Police car. The ICO decided to fine us an equivalent amount which was £70,000, I was disappointed with that because I felt it should have been slightly lower, because we had noticed a gap in process, whereas the Police actually had no training involved, no policies in place, they had absolutely no guidance whatsoever. And I thought it was a little bit harsh that we were fined exactly the same as them despite the nature of the information being quite similar. The ICO band into 3 categories. We thought it would be the lowest category. And recently there was a fine that came out for someone publishing information on a website, which we felt was far worse than us and they came in with a fine nearly half of ours.

SLIDE 14

Organisations’ perception of the fairness of the fine

There were three or four who were unhappy about the lack of transparency around how fines are calculated.

I think there’s a lack of transparency in how the fine was calculated in terms of why did we get a fine of £XXK compared to other organisations that had different amounts. There’s no explanation to the council and to our taxpayers who ultimately had to pay the fine as to what the rationale for the amount is. I think to me there seems to be an inconsistency in the level of fines from one data breach to another between different organisations. I think the sanction should be naming and shaming and ensuring that there is a proper undertaking and rigour in terms of organisations demonstrating that they’ve learnt from what’s gone wrong, that they have an open culture. What’s the point of reporting? It probably leaves people hiding things. That’s really in nobody’s interest.

It seemed quite arbitrary in terms of, when you're on the end of it and you weigh that up against the scale, but also how it's pitched against other offences if you like. And you're very much just on the receiving end of that, and you have nothing to sort of weigh it against. I think that we remain unclear about the parameters which lead to a fine and about how the level of penalty was arrived at in our case and how a decision was taken that we would be the only party to be subject to any action that was arrived at. It felt more than we expected. To be honest, I’d asked my information security officer to give us some sort of view and he found it quite difficult looking at other examples of these sorts of things to come up with a number that it might be.

SLIDE 15

Organisations’ perception of the fairness of the fine

One didn’t feel that mitigating circumstances were taken into account when the fine was calculated. Another was surprised at the level of the fine.

The level of the fine as I recall was one that raised eyebrows. We took massive steps to get the information back and we did get all the information back. The Police went round and retrieved the information. We got the individuals to sign to say that they would not share it with anybody else and none of that seemed to have been recognised by the ICO. I found it difficult going through the process with the ICO expecting us to change our whole IT system. Well, we’re a public sector organisation, we don’t have the funds to be able to do that and again that didn’t seem to have been taken into account.

SLIDE 16

Organisations’ perception of the fairness of the fine

A recurring objection among the public sector organisations is that it is money taken out of the public purse, which reduces funds available for front line services.

One had the suspicion that private companies are less inclined to report breaches and that the ICO could be seen to be picking the ‘low hanging fruit’ when it fines public sector bodies.

In our case that's £120,000. That is directly diverted from our core businesses, public protection. And at the moment we're investing heavily in information security and continue to do so, and the fine hasn't prevented that, but as an example, after the annual budget, information security improvements is around about £120,000, so paying an extra £120,000 to the Information Commissioner is at best robbing Peter to pay Paul, it doesn't have a positive impact on behaviours or on the rest of our business. I don’t know whether fining is the right way to go because I think certainly from a public sector perspective, when you start to take money out of a health service budget, that just doesn’t feel right. We absolutely don’t think there should have been a fine. We don’t think it changed any behaviours. It certainly hasn’t acted as a deterrent for us. We just think, we think this really passionately, the ICO is not doing themselves any favours by issuing fines because the public perception is they’re doing it to generate income. They’re not operating in the public interest because that fine is money that comes out of policing or whatever business you’re in. Where does it go? Nobody knows. What public benefit are we achieving by fining a public body? Nothing. There are a lot of private companies who aren't self reporting where they should be, because the chance of them becoming public are pretty much null and void. I've attended training courses where people have been very open about incidents that have happened to them in their organisation which are far worse than our breach and they've never reported it. I would arguably say that the ICO could be seen to be picking the low hanging fruit.

SLIDE 17

Organisations’ perception of the fairness of the fine

A couple accepted the fine, knowing that its purpose was to send a message.

I think a lot of it is to make an example of people and then hopefully changing culture across other organisations. We took it on the chin.

The question is what is sufficient to make you do something different and yes it was. I think people became very concerned about the issue. There’s always this argument that that money would have been better off spent on public services or improving what we do so I don’t know whether we’d ever get a good answer to that question.

SLIDE 18

Triggers for CMPs

Only four could state the three conditions which must be met to trigger a CMP. All thought that the three conditions are reasonable; however, quite a few felt they are a bit ‘woolly’ and open to interpretation.

It boils down to risk assessment again and obviously the risk assessment on what is serious isn't defined. When you're issued with a monetary penalty notice or an undertaking, it's your assessment of the breach against the ICO's and determining what is and isn't serious can boil down to an opinion. So it's vague and it's a bit grey but a lot of the Data Protection Act is. I believe the conditions are fair in terms of determining a fine but obviously the nature in which they're written can be a little bit confusing and obviously the risk assessment isn't as clear cut as it can be. They've actually asked us to come up with a way of assessing our breaches better in terms of what is and isn't serious. And we had to go back to them and say, well we can't define what is and isn't serious because it depends on the breach, the circumstances, the outcome of the breach. Our own audit team are a little bit confused by that but we don't have a better definition. Having some clarity around what is and isn't serious would benefit us.

I don’t think the considerations are unreasonable but I think when the Commissioner assesses whether these conditions have happened or not, that it’s not as black and white. I think you get a bit of subjectivity in there and I think that’s where the greyness arises. I think they’re a bit woolly in terms of what does ‘substantial’ mean. That’s a subjective analysis or judgement isn’t it? So one person’s significant might not be somebody else’s. I do slightly disagree with the potential for harm condition because I think every breach has got a potential for harm. The substantial damage or distress I think could be qualified a bit more with examples.

SLIDE 19

Triggers for CMPs

Some questioned whether their breach really did meet some of the conditions, especially the second and third conditions.

I think that it comes down to the interpretation again doesn’t it? There was absolutely no proof in any way that these few misdirected faxes caused any harm to the individuals whose data it was. So, whilst I think those are good conditions for a fine, I don’t think they were interpreted properly in our particular situation. We had received no complaints from our staff at all about it. Once we informed our staff about the incident and the information had been published, we never received one complaint, one raised concern or one issue from any member of staff in connection with it. From the analysis we did we felt that the maximum number of people that could have actually accessed that spreadsheet would have been under 30. I think there should be a distinction between a breach that gets out into the public domain and everybody knows about it and there is huge embarrassment and huge distress and our case where the breach was controlled, the data was brought back and 2 years later we know that no harm has come from it. We were a little bit disappointed with that and we were also a little bit perplexed about how any of this had caused any harm or distress to individuals because we’d had no instances where we could identify that any fraud or distress had been caused to the customers. There was no evidence that that had caused any problems for them. We felt that it was more unfair that we'd been fined due to a theft. And there hadn't been a penalty for paper records lost before. At the time the ICO itself didn't issue guidance on paper records handling because we had approached the ICO prior to this incident happening to ask for guidance from them, and they had provided very little and nothing in an official guidance note.

SLIDE 20

Clarity of Notice of Intent

Half felt the ICO explained well enough in the Notice of Intent why it intended to levy a fine.

Those who didn’t think it was clear enough thought, on the whole, that it was rather perfunctory, lacking a clear explanation of the rationale for the fine in their particular circumstances. One claimed that the Notice of Intent contained inaccuracies.

All were aware of their right to contest the notice and six did so. The rest felt that the notice was fair, or didn’t think their challenge would be successful.

The notice of intent in a sense simply reiterated what was in the policy and the guidance that they’ve issued and then related it to the facts and then said we’re therefore going to give you a fine. I don’t think it really analysed the third element of it in terms of what precautions we’d put in place. It was almost a case of you lost the data and therefore whatever precautions you put in place were insufficient, so that part of it I don’t think they analysed particularly well. To be honest with you there wasn't really much explanation. It was just the notice of intention that they sent us. So that followed the normal standard monetary penalty notice where it lists the aggravating circumstances and behavioural competencies of the organisation, that type of thing but there was no additional conversation. When they wrote their Notice of Intent to us, a lot of it was factually incorrect so even though we’d supplied them with information, they’d actually not correctly reported that in their Notice of Intent. I don’t think they respond to anyone’s objections. I would be intrigued to know if they do actually reduce anyone’s fine. If you look on their website, all of the case notes say ‘This was challenged and the ICO stuck with their original decision’. It didn't really explain or justify the level of the penalty. It's very legalistic. The mitigating features that they've taken into account and other considerations are less than one page of an eleven page document.

SLIDE 21

Impact of the CMP on organisation’s corporate behaviour and data protection practices

The one thing that the incident and the fine have had most impact on is training and getting a stronger message out to staff about data protection. The majority of organisations in the survey either improved data protection training, introduced training for all staff, retrained, or began putting out much stronger messages to staff.

First of all we’re working out what’s the best way to get messages out as constant reminders. Everybody has the same screensaver at work, so we can use the message box on that to give people reminders. We have something called SID which is an internal news broadcasting system so it keeps people focused but I should think by a regular messaging campaign, we will be able to keep people reasonably focused, well we’ll certainly get significant improvement in people’s behaviour in the way they handle data and information. Our information governance team leader has done a lot of face-to-face training with people who are dealing with particularly sensitive information. We also had a review generally across the board. We also have compulsory information security training that every employee has to undertake. We’ve had information campaigns, posters in council buildings and so on to drive the message home. It’s a cultural shift but we always knew it would take some time to address. What we try to do, without being too heavy-handed about it, is to ensure that people understand the implication of getting it wrong and that may sound terribly self-evident, but people lose sight of the fact that the smallest mistake can cause a major incident further down the line.

SLIDE 22

Impact of the CMP on organisation’s corporate behaviour and data protection practices

Four said that the fine itself had been used in training and staff messages to help ‘focus the mind’.

I think to be honest the council is at a reasonably high level in its data protection practices, and was at the time. As we said, we had ourselves identified a policy gap in this area and had already been working on it at the time that this incident occurred. It’s quite difficult to describe this as a positive impact. It did allow us to use the fine as a stick to remind staff to do this properly day to day. It certainly gives us something to talk about when you’re doing presentations to people about why this is important. We start it off by saying we just got fined £150K because someone didn’t follow the rules.

We use the penalty now as an example in training. So I suppose that adds a certain reality to our training sessions. In my role as a SIRO, it is helpful for me to say ‘You’re going to have to do that I’m sorry because the ICO could levy a fine of up to £500K’.

SLIDE 23

Impact of the CMP on organisation’s corporate behaviour and data protection practices

Many say that data protection has more buy-in from senior management now as a result of the incident and the fine.

I am very much pro education of staff, personal responsibility but also corporate responsibility so it’s all well and good my team writing the best policy in the World but if the Chief Exec and Heads of Service don’t endorse it and don’t instil it amongst their staff then it’s not going to work but now the importance of data protection has 100% buy-in right at the top.

Yeah. I would say there's been more engagement at all levels. We now report all incidents to both our executive board and the audit committee as well, so there's clear visibility through the organisation on information security issues, a clear route for escalation and monitoring and so on.

SLIDE 24

Impact of the CMP on organisation’s corporate behaviour and data protection practices

Some of the organisations had a ‘root and branch’ overhaul of the whole information security system, tightening up on everything.

We've had a number of restructures since the incident and since the fine. We have an overarching information management policy that covers a lot of work that we're doing in terms of training, data accuracy and data quality. I feel reasonably confident that the council is to a great extent doing its best. I would say that when we invited the ICO in in 2009 to do a voluntary audit, that probably gave more of an impetus to do stuff than the monetary fine did. Just going back to what we were saying about the policies, having a policy in place won't ever stop a data breach from happening, it'll just obviously limit the effects of it. We've looked at every possible angle, it's made people much more conscious of data protection issues, and therefore I think our data, physical and otherwise, is much, much more secure. We focused on making sure that all of our controls were fully documented and regularly tested. We put together a working group that's still in place, an information security group, which meets on a regular basis, to talk through all aspects of the data protection policy, any issues that we know we've got, any best practice, any controls that we could tighten. That's still working now and will continue to do so for the lifetime of the business. I think it sort of shocked the organisation a little bit. I think we became more proactive in our relationships with subcontractors and people who work with our data. We’re using our ICO audit by invitation as a catalyst for change really. We’ve had a few fining events so it’s obviously a bit of a sharp focus for us. We don’t like the risk associated with children’s and adult’s data irrespective of the fines. But we have got this impetus and I lead the IMG group now as the SIRO and we’ve got a number of things we’ve got to do immediately like handling portable data, USBs and that sort of thing. All of our machines have got software encryption. We’ve got an audit trail on waste paper and a clear desk policy which we’re constantly pursuing and then the other thing we’ve got to focus on is privacy impact assessments which is something that perhaps we were a bit behind the curve on but it’s coming up. We’re going to have to move quickly on that to get up to the standards required by the ICO.

SLIDE 25

Impact of the CMP on organisation’s corporate behaviour and data protection practices

Systematic processes including asset registering, encryption, secure email and other technologies, such as the ability to lock down mobile phones if lost, are being utilised by several organisations in their drive to tighten up on information security.

We rechecked all our laptops to make sure that they were encrypted and any that weren't were set up to be encrypted. The most important thing was dealing with the issue, actually the second most important thing after those laptops was making sure that the individuals working on that contract had a secure place to store their data and access it remotely. We reiterated and reissued an awful lot of the policies and procedures that we already had in place. We double-emphasised to our IT contractor that they were not to issue anything unencrypted without express instructions from myself and we massively accelerated our process for making sure that any legacy kit was encrypted. That exercise discovered the fact that our asset registers were woefully inaccurate. So certainly we massively increased the effort that we were putting into that side of things and have continued to do so. Since then we have been pushing asset management for IT and to be honest, I don’t know if I would have put quite as much emphasis into it without the fine. We’ve got a number of programmes looking at things like data loss prevention and that’s very much looking at identifying emails that may contain information that shouldn’t be going outside the Group. We also have a records management improvement programme that’s been going now for a couple of years and that’s really about looking at both electronic and paper records in terms of do we need them? This year we are rolling out a tool which will actually enable more of the businesses to scan and then shred the paper rather than having to keep the paper records. The numbers remain fairly constant but the level of worry has gone down because typically it consists of someone losing a Blackberry. The Blackberries are encrypted and can be remotely killed. So we still have people lose things and social workers seem incapable of not losing Blackberries but because of technical measures we’ve taken around that, the human error doesn’t actually impact on us as much or indeed at all.

SLIDE 26

Impact of the CMP on organisation’s corporate behaviour and data protection practices

Those whose breach was clearly caused by a procedural flaw have corrected this. One or two boosted the headcount in information security and three restructured the information security department, giving it more clout, more visibility and more formal link-ups with other groups across the organisation. Three arranged a good practice audit and two more are considering one. One has set up a series of workshops in conjunction with the ICO across ten of its sites. Nobody lost their job after the incident, although several faced disciplinary action.

Making sure that papers aren't kept with laptops and away from valuable items, not in handbags, that kind of thing. So a theft that happens is generally going to be after some sort of electronic equipment or money or things like that, not generally after paper. We immediately changed our operating procedures for people that handle evidence to make it clear that even though we receive evidence from third parties like the Police, we need to make sure that it’s encrypted when it goes out. We've started the journey towards ISO 27001 accreditation which is all part of this.

SLIDE 27

Impact of the CMP on organisation’s corporate behaviour and data protection practices

Half claim they feel more confident about their data security, but none could say that there will never be another breach. They put this down to the chance of human error, which can never be ruled out. At best their systems can minimise the fallout from human error.

Given the volume of transactions that the council deals with, I think there will inevitably be some breaches occasionally. All we can do I think is absolutely minimise those as much as possible but I do think that when you’ve got people dealing with information, some people will occasionally, very occasionally, make mistakes. I can’t say that I’m confident that we’ll never have another data breach.

I think all companies which handle the level of data that we have, have some instances which could be in breach of the Act, so what I think we've done is reduced our risk as low as we can, but I don't think we should ever exclude it. I'm not going to say we're never going to lose any data ever again. I don’t think you can ever say that we will never have a breach. It’s more about how you put controls in place to try and mitigate the chances of that happening and then what controls you have in place to act and react to any issues that occur so I think we’ve got a very strong controlled environment. We have a number of risk teams and controls and we have to have the right framework in place and so on. Ultimately most of our issues that occur are colleague error and so it comes down to the training of colleagues.

A large organisation is only as good as every individual in it. I think that's where our concern would be. We can do as much training as we like and have as good processes as we possibly can, but people will always be able to make a mistake. Data protection has definitely come up the risk agenda of all local authorities.

SLIDE 28

Impact of the CMP on organisation’s corporate behaviour and data protection practices

Several say that the incidence of reported breaches of data security has increased since the event which triggered the fine. They put this down to tighter controls and better reporting of incidents.

We’re seeing possibly a 500% or 600% increase in reported incidents. So we’re treating it as very positive because staff now know who we are, they know how to recognise an incident. There is greater learning within those teams following the incident. I think it will plateau in a few years because we’re in a process of changing people’s culture, changing processes and improving things, and so it’s likely to plateau in another 3 years I think, and then you’ll actually get a real picture of how many security incidents you’re having as an organisation.

I think we’re running at a constant level because I think whatever we resolve, people become more aware of issues, so the tide’s moving against us in the sense that there’s a great level of awareness of what people’s rights are and so on and so forth, so probably we might improve our hygiene but relatively the level of complaints might go up, so we stay about the same. That’s my feeling.

SLIDE 29

Burden of compliance

For the majority, tightening up on data security has not stopped them doing other things. One is having to stall their accreditation for ISO 27001 as it takes a lot of work and they consider that the organisation is not quite ready for it, but they are using a lot of the procedures laid out in the standard anyway. Whilst not identified as a burden, two say that the demands of data protection and freedom of information sometimes compete with one another. One suggested there needs to be a lot of work done now around improving electronic data security.

We've recognised that reaching ISO 27001 quickly would have imposed a disproportionate burden, so whilst we're still using the framework and using that to risk assess, using that to develop policies and so on, actually going for accreditation at the point we are in our journey, it's not appropriate.

You get a very curious interrelationship between the Freedom of Information Act and the Data Protection Act in which you've got competing privacy rights. It's part of being in business and running the business. We have a series of risks that we have to manage. We can get a conflict in requirement, so you require us to be fleet of foot in providing access to internet driven services, but the cost from our perspective in making sure that that's available within a Data Protection Act environment, at times it's prohibitive.

I think people don’t appreciate the risks associated with electronic information and so, if anything, the pendulum needs to be pulled over quite hard in the draconian direction to get people to wake up to this issue before it finds its actual resting place. Eventually people will get used to this.

SLIDE 30

Impact on reputation

10 received bad press as a result of the fine. In most cases, they claimed the impact of the bad press was limited and/or short-lived. 11 agreed that the ICO are right to make public the actions taken against organisations that have breached the Data Protection Act, although one was upset that they didn’t have the chance to discuss with the ICO what was to be published about their case. One local council faced up to the bad publicity head on, as they felt they had a duty to inform citizens of what had happened.

We put it in the public domain ourselves by having our Head of PR offer himself up to go on the local radio station for a phone-in. We in a sense chose to put it in the public domain because we’d made a mistake; people needed to know about it so that they could protect themselves.

Personally I find it very helpful to see decision notices, to see types of incident. And I think it's a common approach in judicial process in this country and I think that's right, to be transparent.

My personal view is that the whole reason they exist is to make sure that people’s data is secure and that companies have the appropriate controls in place. I think it's absolutely right that companies take the security of data seriously and, when they are proven to have been negligent, that it is declared. It's just when you're looking at it commercially it's far reaching.

The issue I’ve got is that, having been at the receiving end, it’s about whether the wording in the notice properly reflects everything that’s taken place, and I think that because there is that inability to have proper dialogue, because it was just emails flying back and forth, I think that was a little bit unfair. You should have the ability to perhaps have better discussions as to what actually gets published.

SLIDE 31

Impact on reputation

The damage to reputation, although short-lived, had a greater impact than the fine, especially in the case of local councils – the political dimension heightens their sensitivity to bad publicity.

We’re a big county council, so I think we get a couple of £billion budget, so that’s not significant, but we are a social care organisation. We deal with social services, so it is how it’s going to affect our relationship with our clients, and if they lose respect and they’re not confident in us, then actually we could be failing those services. I think the money, yes, that hurts, but it doesn’t really hurt a lot and in the big scheme of things it is more about the ramifications on the reputation. The budget is sufficiently large to be able to deal with those issues, or we hold reserves, so if we got a big hit we would end up dipping into that or try and manage it.

As I say, it’s a very hard thing. I talk to people about this and the level of fine in local authority terms is kind of meaningless because it’s almost like a fine on a tax. It’s got this circularity about it. The real issue for us is reputational.

I suppose in the public sector, the thing that most motivates us is reputational damage. The politicians will be very motivated by things that damage the reputation of the council during their period of administration. The reputational bit would be self-correcting in the sense that an administration, a political administration that saw a threat to reputation, would ensure that sufficient resource was diverted to the problem to make sure it didn’t happen again.

SLIDE 32

Overall verdict

Taking everything into account, 7 felt they were treated fairly by the ICO, 4 didn’t think they were treated fairly and 3 didn’t answer this question.

Impressions of the ICO: overworked, tick-box driven, professional, disjointed, blunt, bureaucratic, non-receptive.

SLIDE 33

What could the ICO have done differently

Asked what they could have done differently, four suggested a different approach to issuing CMPs.

The council has had to cut services, essential frontline services for other residents, in order to pay the fine. To what end? There’s no impact that wouldn’t have been generated by the ICO naming and shaming the council for this error, and the productive bit of this process is the undertaking that we had to give setting out what had gone wrong, why it had gone wrong, what we’re going to do to prevent any kind of similar occurrence in the future. That’s really the productive, valuable thing.

I think what we’re seeing now is a little bit of what we call fines fatigue, that they’re going out and they’re imposing these fines predominantly on the Health Service and local authorities and it’s almost like old news now. So it’s about what can they do differently to raise the awareness, and I think it’s more about how are they engaging with some of the chief execs or the trust directors or whoever it is, chief constables of various police authorities, how are they really engaging with them to get them to accept ownership and responsibility for data privacy. It’s more about the need to do some more top-down type activity rather than just wielding out fines. I think in all fairness monetary penalties are better placed with private companies, because public authorities are struggling already and then you’re taking even more money out of the public sector.

In all seriousness we were very disappointed with the ICO’s attitude. We felt very much that they weren’t working with us. It wasn’t a supportive organisation. It was a punitive organisation. So if anything, our regard for them decreased. I think fundamentally if the ICO’s role is to improve data protection, I think it’s really important that they’ve got a good working relationship with people, and imposing fines only serves to compromise working relationships. They should have offered to re-look at our plans, work with us to make sure that we haven’t missed anything obvious and then offer, say in 12 months’ time, to come in and do a bit of a ‘where are you now’ review.

SLIDE 34

What could the ICO have done differently

A couple suggested that the ICO should take mitigating factors into consideration when determining fines, or make it clear that mitigating factors were taken into account, e.g. general good behaviour, robust damage limitation, action taken to reduce the risk of a repeat incident.

I wonder whether there's a model which would enable the ICO to work with organisations when they report a breach, so in addition to those 3 criteria that you've mentioned for reaching monetary penalty notices, there might be some other criteria which apply when determining the fine, such as how has the organisation engaged with the ICO, what sort of importance do they attach to this, what sort of improvements have they made.

I believe their audits are more of benefit than a monetary fine. And I think possibly, depending on the severity of the fine, perhaps they should incorporate an audit process as part of that investigation to see whether it was just a one-off incident or whether there are continual errors within an organisation, to actually determine the severity of a fine.

SLIDE 35

What could the ICO have done differently

Two suggested that there should be some reimbursement from the fine which could be invested in improving data security.

They might have said ‘This is the level of fine, but if you spend half of this money on improving your resources allocated to this, if you do this and demonstrate to us that you’ve done something to stop this happening again, then the fine will be moderated’ or whatever.

There was a feeling from people saying fair enough to impose a fine, but couldn't some of that come back to the organisation to be spent on improving data protection.

SLIDE 36

What could the ICO have done differently

Several thought the fine should be determined a lot faster.

Now we were given deadlines for when we had to respond, and we were well within those deadlines. We were getting back to them within a couple of weeks, with our representations and with our additional information. They seemed to sit on it, and it could be that they were deliberating, I really don't know, but it was a year until we got the fine after the incident happened.

There seemed to be a very large delay to find what had happened and them coming back and issuing the fine. The only thing I can think of is that they were waiting for the audit reports to be concluded. It was separate obviously, but the report flagging areas of good practice and areas for improvement, I think that probably did inform part of their decision-making, which if true they could probably have communicated that fact to us so it was formally clarified.

We started a conversation with them, I think it was September 2011, and we didn’t get the fine until May 2013, and it’s a long time, particularly with an organisation such as ours. When we have issues like this which receive regulatory attention, these things are taken seriously so they are escalated up to some very senior people in the Group, and then obviously we have a duty to make sure that we are keeping them updated with what’s going on and so on, so you can imagine that if this is dragging out over a lengthy period of time, it’s quite confusing for senior people to understand why it’s taking so long for the regulator to make a decision.

SLIDE 37

What could the ICO have done differently

Many felt the ICO should be more receptive/approachable/supportive.

We didn’t hear anything until they actually made their final decision, and I think that it just would have been useful to have had a bit more engagement at that stage.

I think because we have worked very closely with them and we volunteer a lot of stuff to them as well. We’ve got arrangements set up where we volunteer information that by law we’re not necessarily required to give them, but we’re happy to set up these sorts of arrangements to help them in managing data privacy. So it just felt a little bit disappointing that this was dealt with in almost a very black and white approach without any engagement with us.

We've made phone calls to the ICO over the years and on a number of occasions they’ve told us we have to fill in the complaint form. That causes a problem when it’s only a simple question you want answered.

With respect for the Information Commissioner and the work that his office does, the impression I get as a specialist in this area is that there is a lack of funding that is leading them to have to do a tick-box exercise and forcing you to make your own decisions.

We asked them if they'd like to come in and do a DPA audit and they declined. They said we didn't need one. We asked them what else can we do, and they felt we had everything in place. There's very little learning.

We did want to actually try and arrange a face-to-face or telephone meeting with the solicitor who was employed by the ICO to look at this, but we found that they weren’t interested in having that sort of dialogue; everything had to be done in writing. And again that was a little bit disappointing, because sometimes it’s much easier to explain things in a face-to-face situation and sort of verbalise it better than you can do in either an email or a letter, which can be misinterpreted.

SLIDE 38

What could the ICO have done differently

… and finally, there was also praise for the ICO from some who appreciate what you do.

I think they have a very difficult job to do, so that's the first thing. Secondly, we were in breach of the Act, so it was entirely right that we were fined and we dealt with it. Third, I think they should try and distinguish people who are genuinely trying to deal with it and self-report rather than those that don't. I don't know how they'd do that, to be fair.

We found them an extremely reasonable organisation to deal with and we don’t have an issue with them at all.

I've dealt with the ICO for a long time and I think they do a fantastic job. They’ve had operational challenges in terms of volume of case work, backlog of case work, and huge improvements have been made in that area over the last few years under the current Commissioner. I have an enormous amount of respect for what they do. And all of that actually in the face of shrinking budgets, and actually championing rights, which is not always top of people’s agendas or not always terribly popular.

In overall terms I think what the ICO does is excellent. I just think the timing of the fine and how all of that works actually means that the fine is incidental to what you're doing, and therefore only detrimental in a sense.

I think the process was fair. I think they kept us informed. The case officer I had, he was extremely good. He kept me up to date, he answered any queries, any concerns I had. Always called me back, so the communication was great. The review was done thoroughly and the conclusion reached was the right conclusion.

SLIDE 39

Wider impact study

SLIDE 40

Awareness of CMPs levied against other organisations

71% of the public authorities and companies surveyed on the wider impact study have heard about incidents of CMPs being issued to other organisations.

Yes, to another organisation in our sector: 46%
Yes, to a company/organisation in another sector: 25%
No: 29%

Q3. The ICO has issued Civil Monetary Penalties (fines) to Central Government, Local, Health and Police Authorities and companies among other types of organisation in the past three years for breaches of the Data Protection Act. Have you heard about incidents of this happening to other organisations in your sector or to companies/organisations in other sectors?

Base: All (85)

SLIDE 41

Source of awareness of ICO fines

Six in ten find out about fines by looking on the ICO’s website and half from colleagues and associates. Press and TV are also important sources of information.

The ICO's website: 57%
Word of mouth/colleagues/associates: 47%
Newspaper articles: 45%
TV news: 38%
Radio news: 20%
Other: 20%
Don't know: 2%

Q4. How did you become aware of the ICO fining companies/organisations for breaches of the Data Protection Act?

Base: All hearing about organisations receiving CMPs (65)

SLIDE 42

Impact of hearing about fines on the way data protection is managed/importance attached to data protection

Almost six in ten companies and organisations claim that hearing about fines issued by the ICO has had a sizeable impact on the way they manage data protection and the importance they attach to it.

Significant impact (9 to 10): 25%
7 to 8: 33%
Mild impact (5 to 6): 15%
3 to 4: 14%
No/little impact (0 to 2): 13%

Q5. Has hearing about these fines had a direct impact on the way you manage data protection there and the importance you attach to data protection? Please could you give me a score of between 10 and 0, where 10 means it had a very strong impact on the way you manage data protection and the importance you attach to data protection and 0 means it had no impact at all.

Base: All hearing about organisations receiving CMPs (65)

SLIDE 43

Impact of hearing about CMPs

Hearing about CMPs has caused senior management to take a greater interest in DP, prompted a review of DP practices and encouraged more training in half or more of the organisations surveyed.

Senior management have taken more of an interest in Data Protection: 58%
Reviewed/changed our Data Protection policies/practices: 47%
Introduced more Data Protection training: 47%
Carried out internal audits of our Data Protection practices, or more internal audits: 28%
Introduction of new hardware/software/secure locations: 18%
New staff/new responsibilities to boost our Data Protection capability: 15%
Other: 18%
Don't know: 2%

Q6. What, if any, of the following has come about as a result of hearing about fines on other organisations for breaches of the Data Protection Act?

Base: All hearing about organisations receiving CMPs (65)

SLIDE 44

How widely news of fines is believed to travel

There is a belief that news about CMPs travels. 25% believe it travels very widely and everyone in their sector ends up hearing about them, and a further 24% believe many hear about them.

Very widely, everyone in my sector ends up hearing about them: 25%
Many hear about them: 24%
You sometimes hear about them: 18%
Not very widely at all, you hear about them rarely: 22%
Don't know: 12%

Q7. How widely do you believe news of fines imposed by the ICO on companies or organisations in your sector travels?

Base: All (85)

SLIDE 45

Agreement/disagreement that the ICO should do more to publicise the fines it imposes

Almost seven in ten agree that the ICO should do more to publicise the fines it imposes for breaches of the Data Protection Act.

Strongly agree: 42%
Slightly agree: 26%
Neither agree nor disagree: 27%
Disagree slightly: 2%
Disagree strongly: 1%
Don’t know: 1%

Q8. How much do you agree that the ICO should do more to publicise the fines it imposes for breaches of the Data Protection Act?

Base: All (85)

SLIDE 46

Are fines fair and proportionate?

Organisations are divided on whether they believe the fines imposed by the ICO are fair or not, and the majority are unable to say either way.

Yes: 22%
No: 21%
Don't know: 57%

Q9. Do you think the fines the ICO imposes for breaches of the Data Protection Act are fair and proportionate?

Base: All (85)

SLIDE 47

Why do you think fines are not fair and proportionate

Those thinking fines are unfair question the severity of them, the fact that they often hit public sector organisations, which is a drain on the public purse, and that they do not take human error into account.

Q10. Why do you say that?

Base: All saying fines are not fair and proportionate

I believe the offences have sometimes come about because of a simple error rather than a member of staff deliberately contravening data protection.

The greatest fines come from the public purse to the public purse; other more useful sanctions could be taken than simply fining.

Over-zealousness sometimes.

The fines are often issued for instances that occurred many years in the past. They also do not seem to take into account the actual impact of the loss as opposed to the theoretical. Some also seem to fail to take into account that even with policies/procedures in place, criminal activity (such as theft of laptops) will occur. No action is apparently taken against the perpetrators.

Completely out of proportion to the level of harm/damage caused and appear to have no grounding in reality.

Often private organisations committing serious breaches get away with no fine, whereas local authorities under extreme staffing pressure get significant fines, not because they are unaware of the DP Principles but because staffing levels in front line activities have been stretched and councillors are pushing for quick turnaround times. The fines, whilst focusing attention, do not have a significant impact where staffing levels have been shot and morale is already low.

I don’t think that residents and businesses of a local community should be ultimately penalised if the authority has misused or misplaced the data.

SLIDE 48

Why do you think fines are not fair and proportionate

Q10. Why do you say that?

Base: All saying fines are not fair and proportionate

There does not always appear to be a logical connection between the breach and amount of fine.

I believe enforcement notices and undertakings help an organisation to improve, whereas a financial penalty often makes senior management feel that paying the fine sorts the issues. Only if the organisation has blatantly flouted the law should fines be imposed.

The fines can be counterproductive in that they may rob the organisation of the investment they need to improve their position.

Fines on the public sector end up being fines on taxpayers.

Without knowing all the background information, sometimes fines can appear disproportionate and unfair. Does a single letter addressed incorrectly to a neighbouring property require a high 5 figure fine, when some organisations that lose lots of data receive a similar level of fine?

They do emphasise the seriousness of data breaches, but they suggest scapegoats. Would prefer more to be spent on education.

The fines are fact dependent, which allows for proportionality and for a distinction to be made between individual human error and inadequacy of policy or corporate approach; however, compared to a public body budget they are small, which means the imposition of a fine would not trigger drive for improvement. What matters to the authority is publication of a decision which might have an adverse effect on public confidence in its management of personal data. Given constraints on budgets I think it would be more constructive to use means other than fines to ensure compliance, e.g. ICO audits/best practice/guidance/possibly closer working between ICO and public bodies.

The fines imposed on large, multinational, multi-million or multi-billion pound enterprises are so pathetically insignificant as to be meaningless to them compared to the impact their breaches have on us the consumer. Fines are not a good way to penalise these monster corps. Shaming them and imposing limitations on what they can do with data is the way forward. Imagine just how seriously they would take data protection if they were banned from keeping personal data at all?

SLIDE 49

Why do you think fines are fair and proportionate

Supporters of fines argue that the deterrent is necessary in order to make sure organisations take data protection seriously.

Q10. Why do you say that?

Base: All saying fines are fair and proportionate

It emphasises the importance of protecting personal data and the serious implications that may result from a breach in data protection within an organisation.

Important that data protection is of the highest order to avoid fraud and other criminal use of unprotected data.

Should be more.

They have reflected the importance of security of personal data and the seriousness of the breaches by the organisations involved.

They are of extremely high value as deterrents, but probably feel unfair to an organisation which receives one.

Organisations should be aware of their responsibility under the Data Protection Act also to ensure that all personal information that they work with should be protected.

I believe large fines act as a deterrent, especially to public authorities. For private companies who have profited from non-compliance, the fines should be even heavier!

Some fines seem to be a bit low for the types of breaches that are being investigated.

Yes I do believe the fines are fair, although I would like to see larger fines for smaller organisations who deliberately and consistently flout DP legislation.

The fines are high but it is a serious issue.

Having liaised with the ICO following a breach notification, I am aware of the detailed investigation conducted by the ICO. MPNs also contain full rationales, including aggravating and mitigating features, in arriving at the appropriate level of fine.

To ensure organisations look after personal sensitive information appropriately.

SLIDE 50

Why do you think fines are fair and proportionate

Q10. Why do you say that?

Base: All saying fines are fair and proportionate

Public awareness is important. We are guardians of private personal data. The fine should reflect that and be punitive.

It is important that information is protected and the ability to fine organisations will ensure that all organisations improve their processes.

Because the ICO takes into account the nature of the breach and the size of the organisation.

The DPA does not allow truly proportionate civil monetary penalties to be collected from the private sector, which considers fines just a cost of doing business. Also, punitive action is disproportionately aimed at the public sector while many private sector breaches of Principles 1, 2, 3, 4, 5, 6 and 8 go unremarked.

I don’t think it is straightforward. You can’t undo a breach of confidentiality and the potential cost to the person or people whose confidentiality is breached is unquantifiable. The breach of trust is another factor!

Nobody has the right to tell other people private matters. Unless they are talking about themselves.

Because there have to be consequences to actions and it makes people take note and be more careful.

The Act is clear, the expectations of organisations are appropriate, the penalties for breaches are well publicised. Furthermore the penalties are proportionate to the level of breach.

Unless they are published and more substantial then it is no deterrent to people not to breach the rules.

Because the threat of a fine does not impact in the same way as an imposed fine does, both in terms of organisational reputation and financial hardship.

It’s taxpayers’ money and they will ask why we were levied the fine.

SLIDE 51

Recommendations

The study provides strong evidence that CMPs actually work. They have positive impacts on organisations which have received them, and the threat of them motivates the wider community.

The ICO should consider clarifying the three conditions which must be met in order to trigger a fine by giving examples. The ICO might consider providing more detail around how the amount of the fine is calculated.

If fines do take into account general good behaviour, robust response to breaches and genuine effort to improve data protection practices to avoid recurrence of breaches, then this should be made clear so that these behaviours are encouraged.

Channels of communication should be kept open with all organisations seeking help to improve their information security procedures during the interval between the issue of the notice of intent and the fine itself, as at least one complained that it was difficult to communicate at this time.

SLIDE 52

Appendix

SLIDE 53

Topic guide for discussion with organisations receiving a CMP


SLIDE 57

‘Wider impact’ online questionnaire
