1 / 29

The ICO: New Powers and Penalties

Learn about the new powers and penalties of the ICO under the Criminal Justice & Immigration Act 2008 and the Coroners & Justice Act 2009, and what they mean for you.

kinslow
Download Presentation

The ICO: New Powers and Penalties

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The ICO:New Powers and Penalties Ken Macdonald Assistant Commissioner (Scotland)

  2. Contents • Background • The Criminal Justice & Immigration Act 2008 • The Coroners & Justice Act 2009 • What it means for you…

  3. Background

  4. NHS Lanarkshire/Tayside July 2008 NHS NES December 2008 Glasgow City Council Jan 2009 Background HMRC November 2007 Dept of Health May 2007

  5. Background - Current Powers & Penalties • Breaches • Formal Undertakings • Enforcement Notices • Audits only with consent

  6. Background - Current Powers & Penalties • Offences • Sec 55 offence • Failure to Notify • Failure to follow Notice • Max £5k in Sheriff Court • Unlimited fine in High Court

  7. Background - ICO Strategy • Focus on what will cause detriment • Real likelihood of serious harm • Prevention better than cure • Working in partnership

  8. Background – Regulatory Action • Aimed at changing practice • Enforcement Notices to bring about changes, e.g. encryption of personal data • Enforcement Notices and Formal Undertakings published • ‘Spot checks’ on government departments and agencies, e.g. DWP and DVLA

  9. undertaking NHS Lanarkshire/Tayside July 2008 undertaking enforcement NHS NES December 2008 Background – Regulatory Action enforcement HMRC November 2007 Glasgow City Council Jan 2009 undertaking Dept of Health May 2007

  10. Criminal Justice & Immigration Act 2008

  11. Criminal Justice & Immigration Act 2008 • Provisions: • s77 Power to alter penalty for unlawfully obtaining etc. personal data • s78 New defence for purposes of journalism and other special purposes • s144 Power to require data controllers to pay monetary penalty

  12. Criminal Justice & Immigration Act 2008 • SI 2010/31 The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 • Maximum Penalty of £500k • Content of Notices of Intent • Content of Monetary Penalty Notice

  13. Monetary Penalties ICO Guidelines • Most serious situations only • Sector, size and resources of the DC • Not intention to impose serious financial hardship

  14. Monetary Penalties ICO Guidelines • The Commissioner has to be satisfied that: • There has been a serious contravention of section 4(4) of the Act by the data controller, • b) The contravention was of a kind likely to cause substantial damage or substantial distress and either, • c) The contravention was deliberate or, • d) The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

  15. Monetary Penalties ICO Guidelines • Seriousness of contravention • The contravention is or was particularly serious because of the nature of the personal data concerned; • The duration and extent of the contravention; • The number of individuals actually or potentially affected by the contravention; • The fact that it related to an issue of public importance, for example, unauthorised access to NHS Emergency Care Summaries • The contravention was due to either deliberate or negligent behaviour on the part of the data controller

  16. Monetary Penalties ICO Guidelines • Likelihood of substantial damage or substantial distress • The contravention was of a kind more likely than not to cause substantial damage or substantial distress to one or more individual.

  17. Monetary Penalties ICO Guidelines • Deliberate contravention • The contravention by the data controller was deliberate or premeditated; • The data controller was aware of and did not follow specific advice published by the Commissioner or others and relevant to the contravention; or • The contravention followed a series of similar contraventions by the data controller.

  18. Monetary Penalties ICO Guidelines • Reckless contravention • The likelihood of the contravention should have been apparent to a reasonably diligent data controller; • The data controller had adopted a cavalier approach to compliance and failed to take reasonable steps to prevent the contravention, for example, not putting basic security provisions in place; • The data controller had failed to carry out any sort of risk assessment and there is no evidence, whether verbally or in writing, that the data controller had recognised the risks of handling personal data and taken reasonable steps to address them;

  19. Monetary Penalties ICO Guidelines • Reckless contravention (con’t) • The data controller did not have good corporate governance and/or audit arrangements in place to establish clear lines of responsibility for preventing contraventions of this type; • The data controller had no specific procedures or processes in place which may have prevented the contravention (eg, a robust compliance regime or other monitoring mechanisms) • Guidance or codes of practice published by the ICO or others and relevant to the contravention were available to the data controller and ignored or not given appropriate weight.

  20. Coroners & Justice Act 2009

  21. Coroners & Justice Act 2009 • Provisions: • s173 Assessment notices • s174 Data-sharing code of practice

  22. Assessment Notices • Coroners and Justice Act 2009 • Power of audit in the absence of consent • Government Departments – but could be extended to other public bodies and private sector • Statutory Code of Practice to follow

  23. Assessment Notices • ICO will aim for co-operation • Recommendations aimed at helping • Developing capability – staff and audit practice • Question of publication to be addressed • Spot Checks involve publication – but only after a department’s response to our recommendations

  24. Information Sharing Code of Practice • The Commissioner must prepare a code of practice which contains— • practical guidance in relation to the sharing of personal data in accordance with the requirements of the DPA • and • (b) such other guidance as the Commissioner considers appropriate to promote good practice in the sharing of personal data.

  25. Information Sharing Code of Practice • No statutory requirement to follow the code • but • The code will be admissible evidence in court proceedings • and • Failure to abide by it will be taken in account

  26. Information Sharing Code of Practice • Currently being drafted • Consultation required by statute • Expected publication late summer

  27. Proposed penalties • Section 55 “blagging” • MoJ consultation closed 7 January 2010 • Maximum 12 months on summary conviction (and/or max fine of £5k) • Maximum 24 months on indictment (and/or unlimited fine)

  28. The ICO approach • Focus on what will cause detriment • Real likelihood of serious harm • Extent of harm – level vs volume • Prevention better than cure • Working in partnership • Foresee problems and identify solutions • Create privacy friendly culture • Introduce Privacy Impacts Assessments

  29. www.ico.gov.uk 93-95 Hanover Street Edinburgh EH2 1DJ scotland@ico.gsi.gov.uk 0131 301 5071

More Related