UK Information Commissioner publishes review of impact of Civil Monetary Penalties

July 31, 2014

The UK Information Commissioner has published a review of the impact of the Civil Monetary Penalties.

Under the Data Protection Act 1984 the ICO can issue Civil Monetary Penalties (CMPs) to the maximum of £500,000 for serious breaches of the Data Protection Act (the DPA) and serious breaches of the Privacy and Electronic Communications Regulations (PECR). The criteria for serving a CMP under section 55A(1) of the DPA are:

  1. there has been a serious contravention of a data protection principle and
  2. “the contravention was of a kind likely to cause substantial damage or substantial distress” and
  3. the data controller:
     (a) knew or ought to have known—
         (i) that there was a risk that the contravention would occur, and
         (ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
     (b) failed to take reasonable steps to prevent the contravention”.

The listed key findings are:

  • The research findings indicate that CMPs are effective at improving data protection compliance. This was particularly clear for organisations that had been issued with a CMP; the research showed a clear impact on how those organisations managed their data protection responsibilities:
    • Organisations took their data protection obligations seriously, with revised practices and policies, and increased staff training.
    • Data protection was given a higher profile, with greater senior management buy-in.
    • Staff awareness was raised through targeted campaigns, with the importance of handling data properly made more prominent.


  • The research confirmed that this positive impact was extended to ‘peer’ organisations, where CMPs had a wider impact as a useful deterrent and an incentive to ‘get it right first time’. A substantial proportion of this sample said that they had reviewed or changed their data protection practices and policies as a result of hearing about CMPs being issued to other organisations. This indicates that CMPs effectively contribute to achieving specific outcomes in the ICO’s Information Rights Strategy:
    – to ensure organisations are aware of the ICO’s enforcement powers; and
    – the ICO deploys its enforcement tools in a way that provides an incentive for organisations to ‘get it right’ first time.

  • The findings indicate that organisations engage with the ICO and its support in complying with their information rights obligations. Four out of 14 respondents in the telephone interview sample proactively engaged with the ICO subsequent to the CMP process, with three undergoing a good practice audit, and one organisation setting up a series of workshops in conjunction with the ICO across ten of its sites. Two more respondents confirmed that at the time of the interview, their organisation was considering a good practice audit.
  • Evidence suggests a lack of understanding of the interpretation of the conditions in Section 55A of the DPA, particularly around the meaning of ‘serious’ and ‘substantial damage and distress’ in relation to a contravention.
  • Some respondents felt that there was a lack of transparency about how CMPs were calculated. This could be linked to some organisations expressing discontent about the clarity of the Notice of Intent.

Some interesting observations by the ICO on the impact of CMPs are:

Security was the main area that received attention following the receipt of a CMP. This reflects that CMPs have been predominantly issued for data breaches related to principle 7 of the DPA, which requires that ‘appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.

…for organisations who had not received a CMP:

  • 58 per cent said that senior management had taken a greater interest in data protection because of CMPs.
  • 47 per cent reviewed their data protection practices and policies.
  • 47 per cent introduced more data protection training.
  • Over a quarter (28 per cent) carried out some form of internal audit.
  • Others introduced new systems (18 per cent); appointed new staff or added new responsibilities to existing roles (15 per cent).

Eleven out of the 14 respondents who had received a CMP agreed that it is appropriate for the ICO to publish actions taken against organisations that breach information rights law. Ten respondents reported that their organisation received bad press as a result of the CMP, with most reporting that the negative publicity was short-lived. More respondents claimed that the damage to reputation had a greater impact than the CMP. For local authorities, the political dimension heightened their sensitivity to bad publicity. Almost 70 per cent of the wider sample agreed that the ICO should do more to publicise CMPs it issues for breaches of the DPA.

The conclusions the ICO reached are:

The findings show that CMPs are effective in achieving the overarching objective of improving data protection compliance. This was particularly clear for organisations which had been issued with a CMP; the research showed a clear impact on how those organisations managed their data protection responsibilities:

  • Organisations took their data protection obligations seriously, with revised practices and policies, and increased staff training.
  • Data protection was given a higher profile, with greater senior management buy-in.
  • Staff awareness was raised, with the importance of handling data properly made more prominent.

The wider sample study shows that there was a high level of awareness amongst peer organisations about the use of CMPs as a sanction for organisations in breach of the DPA/PECR. The findings indicate that the positive impact on data protection compliance was extended to peer organisations, where CMPs were viewed as an incentive for them to get it right first time. The majority reported that there was greater senior management buy-in; just under half said they had reviewed or changed their data protection practices and policies as a result of hearing about CMPs, and some increased training and initiated internal audits.

These findings indicate that CMPs effectively contribute to achieving specific outcomes in the ICO’s Information Rights Strategy:

  – to ensure organisations are aware of the ICO’s enforcement powers;
  – good information rights practice embedded into culture and day-to-day processes of organisations; and
  – the ICO deploys its enforcement tools in a way that provides an incentive for organisations to ‘get it right’ first time.

The findings should not come as any great surprise. Effective regulation requires consultation, education and, where necessary, effective sanction with the consequential deterrence. With the amendments to the Privacy Act 1988 the Privacy Commissioner can now effect sanctions by commencing civil penalty proceedings in the Federal Magistrates/Federal Court. The issue is whether he will do so.
