Presentation is loading. Please wait.

Presentation is loading. Please wait.

Taking Regulatory Action: The Logic Behind our Decisions Maureen H Falconer Senior Policy Officer Scottish Local Authority Computer Audit Group November.

Published byLester Wheeler Modified over 8 years ago

Similar presentations

Presentation on theme: "Taking Regulatory Action: The Logic Behind our Decisions Maureen H Falconer Senior Policy Officer Scottish Local Authority Computer Audit Group November."— Presentation transcript:

1 Taking Regulatory Action: The Logic Behind our Decisions Maureen H Falconer Senior Policy Officer Scottish Local Authority Computer Audit Group November 2014

2 Regulatory Action Guiding Principles The ICO shall: Be open about our approach to regulatory action and open about the action we take and the outcomes we achieve. Submit an annual report to Parliament and make sure that those who are subject to regulatory action are aware of their rights of appeal. Put in place systems to ensure that regulatory action taken is in proportion to the harm or potential harm done. Apply our decision-making criteria consistently in the exercise of our regulatory action powers. Target regulatory action on those areas where it is the most appropriate tool to achieve our goals.

3 Framework for CMPs Step 1 Seriousness of the contravention Step 2 Aggravating and mitigating factors Step 3 Financial impact on the data controller Step 4 Underlying objective Step 5 Final determination

4 Factors for consideration: the nature of the contravention or breach; the scope of the potential harm caused; and consideration of what is reasonable and proportionate. Rating bands: Serious = £40,000 to £100,000; Very serious = more than £100,000 but less than £250,000; Most serious = £250,000 up to the maximum of £500,000. Step 1 Seriousness of the contraventionSeriousness of the contravention

5 Factors for consideration: The behaviour of the data controller following the breach; Whether the data controller had previously declined to submit to an audit; The general record of the data controller; and Any other factors taken into account that were not considered at Step 1. Step 2 Aggravating & Mitigating FactorsAggravating & Mitigating Factors

6 Factors for consideration: Any proof of genuine financial hardship which has been supplied. The Information Commissioner will not impose a CMP that would cause a business to cease trading! Step 3 Financial impact on data controllerFinancial impact on data controller

7 Factors for consideration: Is the level consistent with comparable cases? Is the level sufficient to promote compliance with the Act? It is important that there is consistency in the monetary penalties set by the ICO. Step 4 Underlying objectiveUnderlying objective

8 Factors for consideration: Is the level reasonable and proportionate? Is the level consistent with similar cases? Is the level sufficient to promote compliance with the Act? Final sign-off is undertaken by the Information Commissioner or his Deputy. Step 5 Final determinationFinal determination

9 Monetary Penalties - Triggers Triggers: There has been a serious contravention of section 4(4) of the Data Protection Act by the data controller, (compliance with DPPs) The contravention was of a kind likely to cause substantial damage or substantial distress and either, The contravention was deliberate or, The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

10 Monetary Penalties - Seriousness Seriousness of contravention The contravention is or was particularly serious because of: the nature of the personal data concerned; the duration and extent of the contravention; the number of individuals actually or potentially affected by the contravention; the fact that it related to an issue of public importance, for example, unauthorised access to NHS Emergency Care Summaries; and it was due to either deliberate or negligent behaviour on the part of the data controller.

11 Monetary Penalties – Damage/ Distress Likelihood of substantial damage or substantial distress The contravention was of a kind more likely than not to cause substantial damage or substantial distress to one or more individual.

12 Monetary Penalties - Deliberate Deliberate contravention The contravention by the data controller was deliberate or premeditated; The data controller was aware of and did not follow specific advice published by the Commissioner or others and relevant to the contravention; or The contravention followed a series of similar contraventions by the data controller.

13 Monetary Penalties – Knew/Ought to have known Reckless contravention The likelihood of the contravention should have been apparent to a reasonably diligent data controller; The data controller had adopted a cavalier approach to compliance and failed to take reasonable steps to prevent the contravention, for example, not putting basic security provisions in place; The data controller had failed to carry out any sort of risk assessment and there is no evidence, whether verbally or in writing, that the data controller had recognised the risks of handling personal data and taken reasonable steps to address them;

14 Monetary Penalties – Knew/Ought to have known Reckless contravention (con’t) The data controller did not have good corporate governance and/or audit arrangements in place to establish clear lines of responsibility for preventing contraventions of this type; The data controller had no specific procedures or processes in place which may have prevented the contravention (eg, a robust compliance regime or other monitoring mechanisms) Guidance or codes of practice published by the ICO or others and relevant to the contravention were available to the data controller and ignored or not given appropriate weight.

15 Other Considerations What will make the imposition of a penalty more likely? The need to maximise the deterrent effect of the monetary penalty by setting an example to others so as to counter the prevalence of such contraventions. A data controller had expressly, and without reasonable cause, refused to submit to a voluntary assessment or audit which could reasonably have been expected to reveal a risk of the contravention. What will make the imposition of a monetary penalty less likely? The contravention was caused or exacerbated by circumstances outside the direct control of the person concerned and they had done all that they reasonably could to prevent contraventions of the Act.

16 Lessons Learned

17 Hacking: ACS Law (£1k); BPAS (£200k); Think W3 (£150k) Disclosed on Internet: Torbay Care NHS Trust (£175k); Aberdeen City Council (£100k) Insecure Disposal: NHS Surrey (£200k); DoJ (£185k)

18 Lessons Learned Training!!! Audit!!!

19 The Future EU Regulation on Data Protection: Requires Privacy by Design Fine up to €1,000,000 EUR or up to 2 % of annual worldwide turnover Negotiations continuing Implementation date 2017 ????

20 Case Study A large business with a multi-million pound turnover contracted out the processing of certain aspects to its pension scheme to another company, requiring the personal details of relevant employees to be passed to the data processor. The total number of employees on the database was around 15,500. The Managing Director of the data processing company then downloaded the database on to his unencrypted laptop to assist him in the preparation for a meeting he was to have with the client. On returning from the meeting, he left his laptop on the train. The loss came to the attention of the ICO three weeks later after a report appeared in the local press.

21 Case Study Aggravating factors: Staff of the data processing company only received data protection training on induction An undertaking to encrypt devices had been previously signed by the data processor Mitigating factors: A contract evidenced in writing existed as per Principle 7 A programme of encryption was underway

22 Case Study ……..what level of fine would you set ?

23 Scotland Office: 45 Melville Street Edinburgh EH3 7HL T: 0131 244 9001 E: scotland@ico.org.uk Subscribe to our e-newsletter at www.ico.org.uk or find us on… @iconews Keep in touch /iconews

Download ppt "Taking Regulatory Action: The Logic Behind our Decisions Maureen H Falconer Senior Policy Officer Scottish Local Authority Computer Audit Group November."

Similar presentations

Managing the Health and Safety of Contractors

Managing the Health and Safety of Contractors
Data Security Breach Code of Practice. Data Security Concerns Exponential growth in personal data holdings Increased outsourcing 3 rd countries cloud.

Data Security Breach Code of Practice. Data Security Concerns Exponential growth in personal data holdings Increased outsourcing 3 rd countries cloud.
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
Regulators’ Code July 2014. Regulators’ Code A statutory Code Came into effect in April 2014, replacing the Regulators’ Compliance Code All local authorities.

Regulators’ Code July Regulators’ Code A statutory Code Came into effect in April 2014, replacing the Regulators’ Compliance Code All local authorities.
Auditing, Assurance and Governance in Local Government

Auditing, Assurance and Governance in Local Government
Child Safeguarding Standards

Child Safeguarding Standards
Student Integrity and Misconduct Training and support for decision makers and Academic Integrity Officers.

Student Integrity and Misconduct Training and support for decision makers and Academic Integrity Officers.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Getting data sharing right for every child

Getting data sharing right for every child
PRIVACY COMPLIANCE An Introduction to Privacy Privacy Training.

PRIVACY COMPLIANCE An Introduction to Privacy Privacy Training.
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
ISO General Awareness Training

ISO General Awareness Training
WORK HEALTH AND SAFETY ACT IMPLICATIONS FOR SMALL BUSINESS

WORK HEALTH AND SAFETY ACT IMPLICATIONS FOR SMALL BUSINESS
Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.

Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
An overview of the Data Protection Act 1998. Legal framework The Data Protection Act 1998 came into force in March 2001, replacing the Data Protection.

An overview of the Data Protection Act Legal framework The Data Protection Act 1998 came into force in March 2001, replacing the Data Protection.
How the Information Commissioner’s office operates as a regulator David Smith Deputy Information Commissioner.

How the Information Commissioner’s office operates as a regulator David Smith Deputy Information Commissioner.
Data Sharing and Good Practice Maureen H Falconer Sr Policy Officer Information Commissioner’s Office.

Data Sharing and Good Practice Maureen H Falconer Sr Policy Officer Information Commissioner’s Office.
The Information Commissioner’s Office David Evans.

The Information Commissioner’s Office David Evans.
Working together: Ensuring effective regulation Jonathan Bamford Head of Strategic Liaison.

Working together: Ensuring effective regulation Jonathan Bamford Head of Strategic Liaison.

Similar presentations

Ads by Google