The Information Commissioner’s Office has made the first use of new powers to fine organisations for data breaches. Two organisations – Hertfordshire County Council, and employment services firm A4e – were fined £100,000 and £60,000 respectively for failures to comply with the Data Protection Act.
There is little doubt that the offences were, in each case, serious: Hertfordshire Council twice faxed information about a child sex abuse case to the wrong recipient, and an A4e employee was burgled, losing a laptop containing the unencrypted sensitive personal information of approximately 24,000 individuals. The Hertfordshire case is particularly inexcusable, since the two incidents were two weeks apart, during which remedial actions could have been taken to prevent a recurrence.
On the face of it, this looks like a win for the Data Protection Act and a welcome return to form for the Information Commissioner’s Office. However, I personally think that these fines are ill-judged and inappropriate, and that the consequence is equally likely to be a degradation in Data Protection practices in other organisations.
Firstly, both organisations voluntarily notified the Commissioner and the affected data subjects of the breaches. Serious corporate governance mistakes were made, but once these became apparent, the organisations took remedial action. What message does this send to other organisations that have yet to put their Data Protection processes in order? Yes, it will make it clear that Data Protection has to be taken seriously. But it will also encourage organisations and individuals to try to cover up data breaches – after all, why bother notifying the ICO if his response will be a fine? Why not just try to cover it up, since if the breach subsequently becomes apparent then the fines will kick in anyway? Remember that even if the organisation has a culture of integrity, an employee who has made a silly mistake and lost some data (in the case of A4e, the laptop concerned was scheduled for encryption under a rolling programme of security upgrades, although that doesn’t excuse putting 24,000 records on it) would be highly incentivised to protect his/her job by trying to hush up the incident.
And that brings me on to the second problem: what is the point of fining public authorities for data breaches? At an organisational level, the only consequence is that Hertfordshire County Council now has £100,000 less to spend on legal services for child protection (I’ll bet nobody at an executive level has lost their job or suffered some other penalty). How does that help anyone? A far more appropriate solution would be to identify the culpable individual – even if that is the Chief Executive – and take action against them. That would focus their attention without the effect of penalising service recipients.
All this is in an environment where the ICO is facing widespread criticism for failing to tackle technically complicated cases, or those involving major organisations. The ongoing sense of “kick ’em while they’re down” that arises from the ICO’s taste for penalising small enterprises and public bodies, whilst – in the eyes of privacy activists – failing to deal with the local consequences of global breaches such as those committed by Google, demonstrates a continued lack of appetite within the Commissioner’s office to face down a data controller who might actually win a case, and an inability to take on technically complicated cases.
What the ICO does next is critical for the credibility of these new powers. It’s time to pick on a hard target, one which has the appetite and resources to fight back against a penalty in a situation that is technically complicated. Doing that will silence many of the critics. Picking on a ‘soft’ victim will only make things worse for all of us.