Effectiveness of CMPs Prepared for: ICO Ref: jn1666/BW Date: April/2014 1 UK I FRANCE I ITALY
Contents Background & Objectives Approach/ notes about qualitative research Key findings Detailed Findings • Study among organisations fined • Wider impact study Recommendations 2
Background & objectives Since April 2010 the ICO has had the power to issue Civil Monetary Penalties (CMPs) of up to £500,000 for serious breaches of the Data Protection Act or the Privacy and Electronic Communications Regulations The ICO wishes to find out how effective the CMPs have been in improving data protection practice not just in the organisations that they have imposed penalties on but also more generally Specifically, the research explores the triggers for CMPs, the impact of the amount of the CMP and the compliance issues covered by the CMPs and whether the organisations felt they had been dealt with fairly, reasonably and courteously. The findings are intended to inform regulatory policy on the use of the powers e.g. when and how to use them to best effect and on how their impact on promoting compliance across the board can be maximised Additionally, the ICO wishes to understand how ‘news spreads’ and whether the serving of a CMP on a particular organisation influences corporate behaviour more widely 3
Approach Letters sent to 42 individuals within organisations receiving a CMP • SIROs/ Directors of Information Governance Letters sent by the ICO explained the purpose of the research and gave people the option to opt out of the study • 14 contacted the ICO wishing to take part • In-depth discussions where completed with these 14 by telephone using a topic guide during March 2014 (7 local authorities, 3 private companies, 1 local health authority, 1 police force , 1 central government agency and 1 regulator) • Interviews were transcribed and fully analysed to draw out themes and interesting viewpoints 85 online surveys were conducted with a wider group of organisations mainly in the public sector to measure how far news of CMPs travels and what impact this has on the behaviour of other organisations Local authorities 28 Local health authorities 26 Private companies 14 Not for profit organisations 13 Police forces 3 Central government 1 4
Notes about qualitative research Qualitative research is ideal for exploring complex issues and to elicit a full range of possible answers It is designed to be illustrative and does not look to produce statistics, but to identify the range of views Throughout this presentation we have made use of verbatim comments to illustrate a particular viewpoint. It is important to be aware that these views do not necessarily represent the views of all individuals Respondents were assured of their anonymity in the covering letter and so none of the comments are attributed to any organisation and where necessary some quotes have been slightly amended to avoid the risk of them being attributable 5
Key Findings 6
Key Findings Organisations receiving CMPs believe that the three conditions needed to trigger a fine are correct, however there were quite a few who felt they are a bit ‘woolly’ and open to interpretation. 8 of the 14 interviewed agreed in principle that fines should be levied against organisations which are seriously in breach of the Data Protection Act. 11 out of 14 agreed that the ICO are right to make public the actions taken against organisations that have been in breach of the Act. Asked what positive impact the penalty had on the way they manage their data protection responsibilities, training, re-training and the introduction of compulsory training was mentioned by almost all. This includes messaging and reminders using internal communications such as email notices, posters and screensavers • Two stated that there was a need for a complete culture shift in the way staff approach data security. “People lose sight of the fact that the smallest mistake can cause a major incident further down the line”. • Some used the fine itself as a reminder to staff of the consequences of not handling data securely. 7
Key Findings All the fined organisations and six in ten of those hearing about CMPs in the ‘wider impact’ online survey claim that there is greater management buy-in now. Four of the fined organisations had a complete overhaul of their information security regime. Systematic processes including asset registering, encryption, secure email, mobile phone lock down and CCTV have been introduced by several. While the headcount of those working in information security was boosted in only two organisations, three more re-structured their departments to make them more effective. Similar levels of impact are observed in the wider impact study among those hearing about CMPs. The level of activity provoked by CMPs belies views about the fairness of them:- • 5 were surprised to receive the Notice of Intent. • 6 challenged it. • 9 didn’t think the level of the fine was fair. 8
Key Findings In the wider impact study, opinion is split evenly between those who consider ICO’s fines to be fair and proportionate and those who don't. The main criticisms relating to the level of fines are:- • The magnitude of them. • Lack of transparency on how the figure was reached. • Perceived mismatch between levels of fines for what appear to be similar magnitude breaches or fines being larger for seemly less serious breaches. • No sign that mitigating factors were taken into account (previous good behaviour, robust action to limit the impact of the breach, diligent and concerted effort to improve practice to ensure breaches do not reoccur). • Difficulty in accepting the case for fining public sector organisations at a time of austerity. Most considered the time taken to determine the fine to be far too long. Those wanting alternative approaches to fining suggested:- • Intervention by the ICO to help them improve their data protection practices. • Direct approaches to chief executives to get the message across. • Some reimbursement from the fines to be diverted to investment in data protection improvements. 9
Key Findings 10 received bad press as a result of the fine. • In most cases they claimed the impact of the bad publicity was limited and/ or short lived. More claimed that damage to reputation had a greater impact than the fine. • With local councils, the political dimension heightened their sensitivity to bad publicity. Taking everything into account, 7 felt they were treated fairly by the ICO, 4 didn’t think they were treated fairly and 3 didn’t answer. 10
Study among organisations fined 11
Organisations’ perception of the fairness of the fine All the organisations taking part in this research self reported the data protection beach. 5 were surprised to receive the Notice of Intent, 8 were not and 1 half expected to receive one. Fines were mainly in the band £80,000 - £120,000. Most received a reduced fine for paying promptly. 6 challenged the Notice of Intent. The majority did not feel that the level of the fine was fair and proportionate in terms of the breach that occurred. • 2 thought it was fair • 9 didn’t think it was fair • 3 wouldn’t comment on this 8 agreed in principle that fines should be levied against organisations which are seriously in breach of the Data Protection Act. 12
Organisations’ perception of the fairness of the fine Some made comparisons with other similar cases they read up on or knew about and were unhappy that their fine was greater. When I did the representations I did compare our incident to other incidents that had happened previously with other organisations, one of them being a Police force. It was a similar incident although there was no theft involved with the Police force, but the loss of data whilst they were out in the Police car. The ICO decided to fine us an equivalent amount which was £70,000, I was disappointed with that because I felt it should have been slightly lower, because we had noticed a gap in process, whereas the Police actually had no training involved, no policies in place, they had absolutely no guidance whatsoever. And I thought it was a little bit harsh that we were fined exactly the same as them despite the nature of the information being quite similar. The ICO band into 3 categories. We thought it would be the lowest category. And recently there was a fine that came out for someone publishing information on a website, which we felt was far worse than us and they came in with a fine nearly half of ours. 13
Recommend
More recommend
