Dealing with data protection related complaints
Laura Booth, Pam Clements, Rachael Cragg, Jonathan Langley, Dan Snowden
Complaints Resolution
#dpoc2012
Who deals with the cases?
• The First Contact teams deal with 60% of complaints related casework, usually within 30 days of receipt
• These are usually cases where there is limited need for further investigation with the data controller
• This can include where there has been no response to subject access requests
• The Complaints Resolution department deals with cases where more in depth consideration may be required
Complaints handling structure
• Helpline
• Website
• Mail
• Customer Contact Department
• Complaints Resolution Department
• Policy advice
• Legal advice
• Enforcement Department
• Good Practice Department
Complaints Resolution structure
• Five separate Groups dealing with information rights related complaints
• Multi-skilled teams handling both data protection and freedom of information related disputes
• Three broad areas covering public and private sector
  • Central government, police and society
  • Business, finance, health and education
  • Local government, housing and telecoms
• Regional staff in Wales and Northern Ireland utilising local knowledge of issues and context
Complaints Resolution volumes
• We dealt with around 5200 complaints cases during the last financial year
• We currently have 21 staff dealing with data protection casework
• Equates to roughly 245 cases per case officer per year
• To deal effectively with these volumes we have to be proportionate with our case handling activity
Our complaints handling obligations
• When complaints are raised with us we have an obligation under section 42 of the Data Protection Act to make an assessment
• Our assessment is whether the processing in an individual case is likely or unlikely to have breached the principles of the Data Protection Act
• Assessments can help us to decide whether we should take any further regulatory action against a particular organisation
• If an organisation refuses to take their responsibilities under the Data Protection Act seriously then we may consider formal action to ensure they comply with the law
We also…
• Consider individual complaints but have choices as to how far to investigate
• Concentrate on identifying and addressing areas of significant non compliance
• Extract information from complaints to better understand public concerns and the impact of our actions
Managing complainant expectations
• Complainants’ issues are important as they help us decide if the Data Controller is complying with its obligations under the law
• We will make an assessment in each case; where that assessment indicates a breach of the Data Protection Act we will inform the Data Controller and expect that they take action to put things right
• Compliance unlikely assessments will not usually result in further action and we will consider whether or not further action is appropriate
• We use the information from complaints to help build intelligence about particular organisations
Our expectations of Data Controllers
• Responsibility to resolve the complaint is with the Data Controller
• Data Controller to explain circumstances of the complaint
• Data Controller to consider if there is any further action that might resolve the case
• Data Controller to share any corrective or remedial action taken with us and the complainant
• Data Controller to provide evidence of ongoing compliance with the relevant principle or principles
Managing Data Controller expectations
• Our role is to ensure that Data Controllers take their obligations under the law seriously, not to act on behalf of the complainant
• We use the evidence that you provide to decide if we should take further action
• We can take action where obligations are ignored; however, we will not resort to regulatory action where we are satisfied risks are being adequately addressed
Decision making
• We make an assessment in each particular case
• We consider any other relevant information that we currently hold
• We decide whether further action is appropriate taking into account the evidence provided and the Data Controller’s response
• We also consider informal monitoring arrangements of organisations within groups
• We notify both parties of the assessment decision
Risks and priority considerations
• Where help is requested there may be an opportunity for focussed audit
• Certain responses from the Data Controller will prompt us to consider further action. These may include:
  • A deliberate, wilfully negligent approach to future compliance
  • Evidence that many will be impacted by an uncorrected breach
  • Inappropriate processing of sensitive personal data
  • Triggers for enforcement action (in line with regulatory action policy) have been reached
Examples of poor responses
• “We have provided a response to the complainant on xx date.”
• “I know our data protection policies are in line with requirements as I wrote them.”
• “The college is able to apply an exemption…we will supply the information requested if required by a court order.”
Characteristics of good responses
• Chronology of complaint (and any relevant history)
• Evidence of attempted resolution - remedy or apology
• Answers all the questions
• Admit to mistakes, where applicable, and ask for help
• Provide full details – and copies of – relevant safeguards
• Explanations of action taken (or timescales for the work)
• Clear explanation – no need to quote large sections of the DPA or use overly ‘legalistic’ language
Outcomes of casework finished in complaints resolution April-Jan’12
Conclusions
• As the regulator it is our decision whether to take further action against an organisation
• Complaints raised with us help us make those decisions but individual breaches of the Data Protection Act may not result in automatic enforcement activity
• We will try to help individuals by our involvement but the responsibility to resolve disputes is with the data controller
• We want organisations to learn from the concerns that are shared with them and us so they can fully comply with their information rights, and information handling, obligations
Useful links
• Helpline – 0303 123 1113
• www.ico.gov.uk
• Guide to Data Protection
• Regulatory Action Policy
• Data Protection Casework Procedures
Case studies – questions to consider
• Based on what you have heard in our presentation what do you think we did?
• Do you think the data controller handled this correctly?
• If you were the regulator what do you think you would have done?
• If appropriate what steps do you think the Data Controller should take in this situation?
Keep in touch
Subscribe to our e-newsletter at www.ico.gov.uk or find us on…
• www.twitter.com/iconews