The ICO: New Powers and Penalties

Presentation transcript:

The ICO: New Powers and Penalties
Ken Macdonald, Assistant Commissioner (Scotland)

Contents
- Background
- The Criminal Justice & Immigration Act 2008
- The Coroners & Justice Act 2009
- What it means for you…

Background

Background
- NHS Lanarkshire/Tayside, July 2008
- Glasgow City Council, Jan 2009
- HMRC, November 2007
- NHS NES, December 2008
- Dept of Health, May 2007

Background - Current Powers & Penalties
Breaches:
- Formal Undertakings
- Enforcement Notices
- Audits only with consent

Background - Current Powers & Penalties
Offences:
- Sec 55 offence
- Failure to Notify
- Failure to follow Notice
- Max £5k in Sheriff Court
- Unlimited fine in High Court

Background - ICO Strategy
- Focus on what will cause detriment
- Real likelihood of serious harm
- Prevention better than cure
- Working in partnership

Background – Regulatory Action
- Aimed at changing practice
- Enforcement Notices to bring about changes, e.g. encryption of personal data
- Enforcement Notices and Formal Undertakings published
- ‘Spot checks’ on government departments and agencies, e.g. DWP and DVLA

Background – Regulatory Action (slide diagram labelling each case as an enforcement notice or an undertaking; the labels did not survive extraction):
- NHS Lanarkshire/Tayside, July 2008
- NHS NES, December 2008
- HMRC, November 2007
- Glasgow City Council, Jan 2009
- Dept of Health, May 2007

Criminal Justice & Immigration Act 2008

Criminal Justice & Immigration Act 2008
Provisions:
- s77 Power to alter penalty for unlawfully obtaining etc. personal data
- s78 New defence for purposes of journalism and other special purposes
- s144 Power to require data controllers to pay monetary penalty

Criminal Justice & Immigration Act 2008
SI 2010/31, The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010:
- Maximum penalty of £500k
- Content of Notices of Intent
- Content of Monetary Penalty Notice

Monetary Penalties – ICO Guidelines
- Most serious situations only
- Sector, size and resources of the DC (data controller)
- Not intended to impose serious financial hardship

Monetary Penalties – ICO Guidelines
The Commissioner has to be satisfied that:
a) There has been a serious contravention of section 4(4) of the Act by the data controller,
b) The contravention was of a kind likely to cause substantial damage or substantial distress, and either
c) The contravention was deliberate or,
d) The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

Monetary Penalties – ICO Guidelines
Seriousness of contravention:
- The contravention is or was particularly serious because of the nature of the personal data concerned;
- The duration and extent of the contravention;
- The number of individuals actually or potentially affected by the contravention;
- The fact that it related to an issue of public importance, for example, unauthorised access to NHS Emergency Care Summaries;
- The contravention was due to either deliberate or negligent behaviour on the part of the data controller.

Monetary Penalties – ICO Guidelines
Likelihood of substantial damage or substantial distress:
- The contravention was of a kind more likely than not to cause substantial damage or substantial distress to one or more individuals.

Monetary Penalties – ICO Guidelines
Deliberate contravention:
- The contravention by the data controller was deliberate or premeditated;
- The data controller was aware of and did not follow specific advice published by the Commissioner or others and relevant to the contravention; or
- The contravention followed a series of similar contraventions by the data controller.

Monetary Penalties – ICO Guidelines
Reckless contravention:
- The likelihood of the contravention should have been apparent to a reasonably diligent data controller;
- The data controller had adopted a cavalier approach to compliance and failed to take reasonable steps to prevent the contravention, for example, not putting basic security provisions in place;
- The data controller had failed to carry out any sort of risk assessment and there is no evidence, whether verbally or in writing, that the data controller had recognised the risks of handling personal data and taken reasonable steps to address them;

Monetary Penalties – ICO Guidelines
Reckless contravention (cont’d):
- The data controller did not have good corporate governance and/or audit arrangements in place to establish clear lines of responsibility for preventing contraventions of this type;
- The data controller had no specific procedures or processes in place which may have prevented the contravention (e.g. a robust compliance regime or other monitoring mechanisms);
- Guidance or codes of practice published by the ICO or others and relevant to the contravention were available to the data controller and ignored or not given appropriate weight.

Coroners & Justice Act 2009

Coroners & Justice Act 2009
Provisions:
- s173 Assessment notices
- s174 Data-sharing code of practice

Assessment Notices – Coroners and Justice Act 2009
- Power of audit in the absence of consent
- Government Departments – but could be extended to other public bodies and the private sector
- Statutory Code of Practice to follow

Assessment Notices
- ICO will aim for co-operation
- Recommendations aimed at helping
- Developing capability – staff and audit practice
- Question of publication to be addressed
- Spot Checks involve publication – but only after a department’s response to our recommendations

Information Sharing Code of Practice
The Commissioner must prepare a code of practice which contains:
(a) practical guidance in relation to the sharing of personal data in accordance with the requirements of the DPA, and
(b) such other guidance as the Commissioner considers appropriate to promote good practice in the sharing of personal data.

Information Sharing Code of Practice
- No statutory requirement to follow the code, but
- The code will be admissible evidence in court proceedings, and
- Failure to abide by it will be taken into account

Information Sharing Code of Practice
- Currently being drafted
- Consultation required by statute
- Expected publication late summer

Proposed penalties – Section 55 “blagging”
- MoJ consultation closed 7 January 2010
- Maximum 12 months on summary conviction (and/or max fine of £5k)
- Maximum 24 months on indictment (and/or unlimited fine)

The ICO approach
- Focus on what will cause detriment
- Real likelihood of serious harm
- Extent of harm – level vs volume
- Prevention better than cure
- Working in partnership
- Foresee problems and identify solutions
- Create privacy friendly culture
- Introduce Privacy Impact Assessments

Expanded on the slide:
- DETRIMENT: REAL and SERIOUS harm
- EXTENT: one person with serious detriment or many with small detriment
- PREVENTION
- PARTNERSHIP with ICO: engender public trust and confidence; reduction of potential harm
- PIA: identify potential for harm before it happens; benefits of efficiency, effectiveness and economy.

www.ico.gov.uk
scotland@ico.gsi.gov.uk
0131 301 5071
93-95 Hanover Street, Edinburgh EH2 1DJ