Taking Regulatory Action: The Logic Behind our Decisions
Maureen H Falconer, Senior Policy Officer
Scottish Local Authority Computer Audit Group, November 2014
Regulatory Action Guiding Principles
The ICO shall:
- Be open about our approach to regulatory action and open about the action we take and the outcomes we achieve.
- Submit an annual report to Parliament and make sure that those who are subject to regulatory action are aware of their rights of appeal.
- Put in place systems to ensure that regulatory action taken is in proportion to the harm or potential harm done.
- Apply our decision-making criteria consistently in the exercise of our regulatory action powers.
- Target regulatory action on those areas where it is the most appropriate tool to achieve our goals.
Framework for CMPs (civil monetary penalties)
Step 1: Seriousness of the contravention
Step 2: Aggravating and mitigating factors
Step 3: Financial impact on the data controller
Step 4: Underlying objective
Step 5: Final determination
Step 1: Seriousness of the contravention
Factors for consideration:
- the nature of the contravention or breach;
- the scope of the potential harm caused; and
- consideration of what is reasonable and proportionate.
Rating bands:
- Serious = £40,000 to £100,000
- Very serious = more than £100,000 but less than £250,000
- Most serious = £250,000 up to the maximum of £500,000
Step 2: Aggravating and mitigating factors
Factors for consideration:
- The behaviour of the data controller following the breach;
- Whether the data controller had previously declined to submit to an audit;
- The general record of the data controller; and
- Any other factors taken into account that were not considered at Step 1.
Step 3: Financial impact on the data controller
Factors for consideration:
- Any proof of genuine financial hardship which has been supplied.
The Information Commissioner will not impose a CMP that would cause a business to cease trading!
Step 4: Underlying objective
Factors for consideration:
- Is the level consistent with comparable cases?
- Is the level sufficient to promote compliance with the Act?
It is important that there is consistency in the monetary penalties set by the ICO.
Step 5: Final determination
Factors for consideration:
- Is the level reasonable and proportionate?
- Is the level consistent with similar cases?
- Is the level sufficient to promote compliance with the Act?
Final sign-off is undertaken by the Information Commissioner or his Deputy.
Monetary Penalties - Triggers
Triggers:
- There has been a serious contravention of section 4(4) of the Data Protection Act (compliance with the DPPs) by the data controller;
- The contravention was of a kind likely to cause substantial damage or substantial distress; and either
- The contravention was deliberate; or
- The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.
Monetary Penalties - Seriousness of contravention
The contravention is or was particularly serious because of:
- the nature of the personal data concerned;
- the duration and extent of the contravention;
- the number of individuals actually or potentially affected by the contravention;
- the fact that it related to an issue of public importance, for example, unauthorised access to NHS Emergency Care Summaries; and
- it was due to either deliberate or negligent behaviour on the part of the data controller.
Monetary Penalties - Damage/Distress
Likelihood of substantial damage or substantial distress:
The contravention was of a kind more likely than not to cause substantial damage or substantial distress to one or more individuals.
Monetary Penalties - Deliberate contravention
- The contravention by the data controller was deliberate or premeditated;
- The data controller was aware of and did not follow specific advice published by the Commissioner or others and relevant to the contravention; or
- The contravention followed a series of similar contraventions by the data controller.
Monetary Penalties - Knew/Ought to have known (reckless contravention)
- The likelihood of the contravention should have been apparent to a reasonably diligent data controller;
- The data controller had adopted a cavalier approach to compliance and failed to take reasonable steps to prevent the contravention, for example, not putting basic security provisions in place;
- The data controller had failed to carry out any sort of risk assessment and there is no evidence, whether verbally or in writing, that the data controller had recognised the risks of handling personal data and taken reasonable steps to address them;
- The data controller did not have good corporate governance and/or audit arrangements in place to establish clear lines of responsibility for preventing contraventions of this type;
- The data controller had no specific procedures or processes in place which may have prevented the contravention (e.g., a robust compliance regime or other monitoring mechanisms);
- Guidance or codes of practice published by the ICO or others and relevant to the contravention were available to the data controller and ignored or not given appropriate weight.
Other Considerations
What will make the imposition of a penalty more likely?
- The need to maximise the deterrent effect of the monetary penalty by setting an example to others so as to counter the prevalence of such contraventions.
- A data controller had expressly, and without reasonable cause, refused to submit to a voluntary assessment or audit which could reasonably have been expected to reveal a risk of the contravention.
What will make the imposition of a monetary penalty less likely?
- The contravention was caused or exacerbated by circumstances outside the direct control of the person concerned and they had done all that they reasonably could to prevent contraventions of the Act.
Lessons Learned
- Hacking: ACS Law (£1k); BPAS (£200k); Think W3 (£150k)
- Disclosed on Internet: Torbay Care NHS Trust (£175k); Aberdeen City Council (£100k)
- Insecure Disposal: NHS Surrey (£200k); DoJ (£185k)
Lessons Learned
Training!!! Audit!!!
The Future
EU Regulation on Data Protection:
- Requires Privacy by Design
- Fine up to €1,000,000 or up to 2% of annual worldwide turnover
- Negotiations continuing
- Implementation date 2017 ????
Case Study
A large business with a multi-million pound turnover contracted out the processing of certain aspects of its pension scheme to another company, requiring the personal details of relevant employees to be passed to the data processor. The total number of employees on the database was around 15,500. The Managing Director of the data processing company then downloaded the database onto his unencrypted laptop to assist him in preparing for a meeting he was to have with the client. On returning from the meeting, he left his laptop on the train. The loss came to the attention of the ICO three weeks later, after a report appeared in the local press.
Case Study
Aggravating factors:
- Staff of the data processing company only received data protection training on induction
- An undertaking to encrypt devices had previously been signed by the data processor
Mitigating factors:
- A contract evidenced in writing existed, as per Principle 7
- A programme of encryption was underway
Case Study
What level of fine would you set?
Scotland Office: 45 Melville Street, Edinburgh EH3 7HL