380 likes | 615 Views
ICO: new powers and penalties. Mick Gorrill Assistant Commissioner Sally Anne Poole Head of Enforcement and Investigations. New powers and penalties. Presentation: New structure Powers and Penalties What this means to Data Controllers?
E N D
ICO: new powers and penalties Mick Gorrill Assistant Commissioner Sally Anne Poole Head of Enforcement and Investigations
New powers and penalties • Presentation: • New structure • Powers and Penalties • What this means to Data Controllers? • What is an appropriate penalty? Your views on the scale of the monetary penalty.
New structure • The Regulatory Action Division (RAD) will become the Enforcement division • currently RAD • Data protection enforcement • Audit and investigations (S55 Data Protection Act, S77 Freedom of Information Act)
New structure • Enforcement Division • Responsibility for Data Protection Act and Freedom of Information Act • Bigger enforcement teams • Concentration on serious breaches of the DPA and FOIA • Audit will become a separate division
Powers and penalties • Cover the new monetary penalty in the main • Also, our current investigation into self reported security breaches • Still problems with unencrypted portable media devices and poor governance, risk assessment.
Background • Significant losses of personal data in 2007 • Existing powers deemed inadequate • Public calls for criminal offence • Preferred option was power to impose a Monetary Penalty – civil sanction • New power inserted into section 55 of Data Protection Act 1998 by section 144 of the Criminal Justice and Immigration Act 2008 (CJIA)
Policy objectives • Enhanced power for ICO to impose monetary penalties • Sanction and a deterrent to data controllers who may otherwise ignore their responsibilities under the Data Protection Act • Encourage data controllers to approach ICO and promote compliance • Improve public confidence
Legislative framework • Section 144 CJIA inserted section 55A-E into DPA 1998 – In force on 6 April 2010 • The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 • The Data Protection (Monetary Penalties) Order 2010 • Statutory guidance about the issue of Monetary Penalties – section 55C
Main features • ICO may serve a Monetary Penalty Notice on a data controller requiring payment of a Monetary Penalty which must not exceed £500,000 • Applies to all data controllers in the private, public and voluntary sectors except Crown Estate Commissioners or a person who is a data controller by virtue of section 63(3) DPA 1998-Royal Household
Specific requirements • Before the ICO can impose a Monetary Penalty it has to be satisfied under section 55A DPA 1998 that: • There has been a serious contravention of data protection principles by the data controller, • The contravention was of a kind likely to cause substantial damage or substantial distress and either…
Specific requirements (contd.) • The contravention was deliberate or, • The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention
General approach • Only applies to serious contraventions of data protection principles • May be wide variations depending on the circumstances of each case • Financial resources will be a factor • New territory for the ICO and further guidance will be produced based on actual precedents • ICO may still serve an Enforcement Notice
Enforcement Notice • S40 DPA 1998 • If the Commissioner is satisfied that a data controller has contravened or is contravening any of the DP principles the Commissioner may serve him a notice requiring him to…. • to take ..or refrain from taking …such steps
Enforcement Notice • to refrain from processing any personal data….purpose or manner…time so specified… • In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress.
Factors making imposition of a Monetary Penalty more likely • Seriousness of contravention • Nature of personal data involved • Duration and extent of contravention • Number of individuals actually or potentially affected by the contravention • Matter of public importance • Example – security breach
Factors making imposition of a Monetary Penalty more likely • Contravention was of a kind more likely than not to cause substantial damage or distress to one or more individual • Considerable in importance, value, degree, amount or extent • Not perceived but of real substance • Damage is financially quantifiable • Injury to feelings, harm or anxiety suffered by one or more individual
Factors making imposition of a Monetary Penalty more likely • Contravention was deliberate • The contravention was deliberate or premeditated • Data controller was aware of and did not follow relevant advice published by ICO and others • Series of similar contraventions and no action taken by data controller to rectify cause of original contraventions
Factors making imposition of a Monetary Penalty more likely • Knew or ought to have known • Contravention was or should have been apparent to a reasonably prudent data controller • Failure to carry out any risk assessment • No evidence that data controller recognised risks of handling personal data • Cavalier approach to compliance
Factors making imposition of a Monetary Penalty more likely • Failed to take reasonable steps to prevent the contravention • Inadequate procedures, policies, processes and practices in place • No clear lines of accountability • Failure to implement guidance or codes of practice published by ICO or others • Not exhaustive
Factors making imposition of a Monetary Penalty less likely • Contravention was caused or exacerbated by circumstances outside direct control of data controller • Data controller has already complied with requirements of another regulatory body • There was genuine doubt or uncertainty that any relevant conduct, activity or omission was a contravention
Next steps – Notice of Intent • ICO must serve a data controller with a Notice of Intent setting out the proposed amount • Notice of Intent must contain prescribed information and provide the data controller with at least 21 days to provide written representations to the ICO beginning with the first day after date of service
Next steps – Monetary Penalty Notice • ICO must consider any written representations before deciding whether to issue a Monetary Penalty Notice • ICO may decide to issue a Monetary Penalty Notice requiring a data controller to pay the amount specified • Alternatively ICO will inform data controller that no further action will be taken
What does this mean for data controllers? • ICO not seeking to impose many monetary penalties • However, there is still some concern • Self reported security breaches for example • Unencrypted portable devices • Serious breach?
What does this mean for data controllers? • In most cases where there is poor security there is also excessive information and poor retention • In the security breaches reported to the ICO there is still little evidence of privacy impact assessments and or risk assessment.
What does this mean for data controllers? • Undertaking – not always appropriate • alternative to an enforcement notice? • serious principle breach • good new procedures in place? • prevention of a reoccurrence? • if serious breach – monetary penalty • still use enforcement notices
What is an appropriate penalty? Sally Anne Poole Head of Enforcement and Investigations
What is an appropriate penalty? • Following seven cases are in our view • serious contravention of data protection principles by the data controller • the contravention was of a kind likely to cause substantial damage or substantial distress and either… • …deliberate or data controller knew or ought to have known that there was a risk..
What is an appropriate penalty? • Case 1 • Encrypted and password protected USB stick lost • Contained data for 6,300 prisoners – medical condition and treatment • HIV, hepatitis B and C, mental health conditions drug or alcohol addictions • Encryption pass key attached to device by post it note • Poor security • Excessive information • Poor governance
What is an appropriate penalty? • Case 2 • Unencrypted USB stick found by car wash attendant • details of 741 patients • Name, date of operation, treatment, clinic list, X rays • Breach of Trust policies • Poor governance
What is an appropriate penalty? • Case 3 • Unencrypted DVD containing database of 20,000 patients • Name, DOB, gender, cardiology test dates and results • details of clinician • Not clear why data had been put on disc • Five month delay in reporting • Poor governance • Lack of risk assessment
What is an appropriate penalty? • Case 4 • File containing personal data relating to 60 people found in a skip • Office refurbishment • Details of job applicants with PSNI • Name, address, place and date of birth • Security vetting documents • Poor governance
What is an appropriate penalty? • Case 5 • Data relating to 15,333 individuals emailed to member of public in error • Names, addresses and mortgage accounts details • Re possession proceedings • Arrears information • No risk assessment • Poor security
What is an appropriate penalty? • Case 6 • Theft of unencrypted laptop • Details of 110,000 individuals • Name, address. DOB, NINO • Employer, salary, bank details • Breach of policy
What is an appropriate penalty? • Case 7 • Theft of unencrypted laptop • 36,800 data subjects • 1,900 motoring convictions • Name, address, telephone number • Registration, make and model of vehicle • Poor governance
So, what is an appropriate penalty? • Discussion