How to avoid regulatory action by the ICO

Civil Monetary Penalties imposed by the Information Commissioner's Office (ICO) for data breaches are helping to increase awareness and spur action by UK companies worried about damage to their brand, even if they are able to afford to write off up to £500,000 for being in breach of the Data Protection Act.

But what are the criteria the ICO uses for imposing a penalty and what can UK organisations do to ensure they are not on the ICO's hit-list?

Mick Gorrill, a former ICO enforcement officer, has joined London-based legal firm Field Fisher Waterhouse and was on hand at an information security forum held in partnership with IT security firm Sophos to answer these and other questions.

The penalties were introduced along with other enhanced powers for the ICO from April 2010 after it became clear in 2007 that UK organisations were not taking seriously their obligations under the Data Protection Act (DPA) and that existing powers of enforcement and sanction were inadequate.

The first penalties were issued in November 2010, and although there have been relatively few since, Gorrill expects the ICO to settle into a rhythm of six to 10 a year.

Who is at risk?

The ICO can impose a penalty on any data controller in the private, public and voluntary sectors; the Crown Estate Commissioners are the only exception. This means the ICO can go after any organisation that handles personal data, although the penalties do not apply to data processors. Every organisation remains responsible for its personal data even if it is processed by a third party.

However, before the ICO can impose monetary penalties, two specific requirements must be met.

First, there has to be a serious contravention of one of the eight data protection principles.

Second, the contravention must be likely to cause substantial damage or distress. To satisfy this requirement, the contravention must be either deliberate, or it must be shown that the data controller either knew or ought to have known that there was a risk that the contravention was likely to cause substantial damage or distress, but failed to take steps to prevent it.

The risk element is key, says Gorrill. The ICO will always ask for a risk assessment, so organisations should ensure they have one to hand and can demonstrate that they have given some thought to data protection and have put some policies and processes in place.

Steps to avoiding regulatory action

  • Conduct a data review to establish what personal data is held and where it is
  • Conduct a risk assessment for all personal data
  • Conduct a privacy impact assessment for all new projects
  • Establish policies and procedures on accessing personal data
  • Establish policies for storing personal data on portable media
  • Establish a clear incident management procedure that includes data gathering
  • Draw up guidelines for notifying the ICO in the event of a breach
  • Introduce regular staff awareness programmes on handling personal data
  • Schedule regular data protection compliance audits

These things are essential, says Gorrill, because apart from deliberate or repeated contravention of the DPA, failure to carry out a risk assessment and recognise the risks of handling personal data or failure to take steps through policies and processes to prevent a contravention are the top reasons that will make the ICO more likely to impose a monetary penalty.

If things do go wrong and the ICO decides to impose a monetary penalty, all is not lost because the ICO must serve a data controller with a notice of intent, after which the data controller has 21 days to provide written representations to the ICO.

This presents an opportunity for organisations to point out all they have done around risk assessment, policies and procedures, says Gorrill, which may lead the ICO to opt for an enforcement notice and an audit instead, because the ICO must consider any written representations before making a final decision to issue a monetary penalty notice.

Carefully worded representations can save many thousands of pounds or stand as a foundation for an appeal against a monetary penalty, he says.

Have any organisations appealed against a penalty?

No appeals have been made so far, says Gorrill, but organisations that find themselves in this position should look to the requirement that a contravention must be likely to cause substantial damage or distress before a penalty can be imposed. A challenge to this requirement is one of the most likely bases for an appeal, he says.

If a breach occurs, what should organisations do?

After containing the breach, Gorrill advises that organisations should gather as much information as possible and compile a comprehensive report about what went wrong to help put together a strategy to prevent similar breaches in the future.

Should organisations always notify the ICO?

If an organisation decides not to inform the ICO of a breach, it should carefully consider the risk, says Gorrill, because not reporting it will be viewed as an aggravating factor that will not only increase the likelihood of a penalty, but could also increase the penalty.

It is always best to notify the ICO, and the comprehensive breach report can be used as a basis for this, but Gorrill warns against rushing to the ICO before there is a good understanding of what went wrong. Tell the ICO early, he says, but if necessary, issue a holding statement to buy some time to investigate, seek advice, put systems in place to prevent further data losses, and compose a carefully considered report that details all the mitigating factors that will make the imposition of a monetary penalty less likely.

How long can an organisation wait?

Realistically, says Gorrill, there is a 7- to 10-day window before informing the ICO in which to get up to speed and put measures in place to help anyone affected by the breach, such as providing credit reference checks or compensation.

But it is important not to wait too long because while the ICO considers early reporting a factor that mitigates the level of the penalty, waiting too long may increase the penalty. "If you keep it secret and also don't tell the data subjects, subsequent discovery [by the ICO] will lead to an enhanced penalty," he warns.

Where there are no grounds for a monetary penalty, organisations must remember that the ICO will continue to issue enforcement notices when a data controller contravenes any of the DPA principles and has caused or is likely to cause any person damage or distress.

Security experts agree that it is impossible to guarantee the safety of data 100%, so given that breaches will continue to happen, organisations can significantly reduce the likelihood of regulatory action in the UK by following the steps outlined by Gorrill.