When I started this blog I had no idea what direction it would take me in, but I held a desire to be able to speak freely about my opinion of DPA and FOI – a freedom that my previous role within the institutionally conservative ICO did not afford me. I’m an opinionated and perhaps contrary character so much of what I write will probably reflect those traits and follow a pattern of challenging those whose positions I disagree with. With all that in mind, I offer no apology for a strong focus and reaction to the latest offerings of those who have again rallied against the ICO’s criticism of the Local Government and/or wider public sector.
Much of the excitement came from Chris Graham's reported remark that the Local Government sector was "hopeless" at DP. Unfortunately no context for the remark was given, although with predictable relish some chose to take it as an attack on the DP officers themselves, whilst another anonymous public sector employee barked their laughable belief that Chris Graham should resign and again took the statement to be aimed at "all" Councils.
Before that comment, Tim Turner recently wrote about his "belief in the ICO's anti-public sector bias", and anyone who had a different view was "weirdly biased". He further argued that the ICO was "arbitrarily going after the whole local government sector", so some of my analysis will look at these bold assertions.
As a starting proposition, I certainly agree that the public sector reports more security incidents to the ICO, undoubtedly partly due to certain mandatory reporting in the NHS and possibly more generally due to a sense of civic duty.
I don't have (the energy to find) more up to date figures, but of 730 self-reported incidents from 2012-2013, 263 were from the private sector, yet only 1 private sector fine was issued during that period. So, is the alleged anti local government and public sector bias proven by these figures showing that the ICO takes more action against the public sector? Well, that's certainly one conclusion, but a more logical one is that the Public Sector, and specifically the Health and Local Government sectors, processes more data of a kind likely to cause damage/distress, and thus it is more likely that they will be the recipients of civil monetary penalties (CMPs).
This reasoning is backed up by the following comments from the ICO's Simon Rice, who argued that
by its very nature, the public sector processes more sensitive data than the majority of the private sector, and our framework says that the penalty must be for the most serious cases – that you can only fine in the most serious cases
He went on to speculate elsewhere that
the failings in public and private sector organisations may be as great, but the impact of breaches by public sector organisations tends to be much greater
Generalisations can be dangerous, but they can also be applicable, and in this case it appears a reasonable statement, not least because it's a position even the public sector bias critics subscribe to: note Tim Turner's Local Government observation that "the likelihood of their data going missing is considerably greater than any other sector".
Further evidence comes from Jonathan Baines, who notes "Local authorities, by their nature, handle large amounts of particularly sensitive data, but so do most, if not all, NHS bodies", along with further comments on the risk of accidentally releasing data, that "councils and NHS bodies …are probably the highest risk ones".
So, all the analysis of the numbers of breaches is built on the shaky foundation that it's a level playing field, when we all appear to agree that it's anything but. The public sector, and particularly local government and health, is processing more sensitive data and is more likely to face problems, so it's a logical conclusion that they will be more likely to have serious breaches of a kind likely to cause damage etc. There is a slightly different debate we could have about the underlying purpose of a CMP and indeed its wider effectiveness, but that's for another day.
A bias, to me, would be evident if the ICO looked at the same issue in different ways on the basis of the sector involved. There is no evidence the ICO does this, although there is evidence that Tim does treat different sectors differently, as he told us so in a footnote to his own blog: he "would prefer to see more CMPs levied on the private sector, whose attention is more focussed on the bottom line".
The public sector generally is certainly very under-resourced and I'm not immune to that, but Data Controllers processing the most sensitive data in the most complex ways are the very first people one would expect to have basic measures in place, like home working policies and mandatory staff training. Nobody is asking a small local authority to have the same measures to protect their website as Sony, but surely they have the capacity, and certainly a duty, to do the very basics? And yes, incidents would still happen, but you must do your best to prevent them. That's the fundamental point of the 7th principle: your measures must essentially be proportionate to the risk (and your resources).
The public authorities who have been fined have, on the whole, shown a significant shortfall in meeting their responsibilities; in many cases "hopeless" seems entirely apt. However, calling a sector "hopeless" might well be an over-generalisation, and I agree the lack of context makes it a clumsy and unhelpful comment. That said, I don't think that by focusing a press statement, or indeed CMPs, on the public sector the private sector will become complacent, not least because there is evidence that the publicity surrounding the fines to public authorities for their data handling practices has led to an increasing number of private companies seeking independent assurance of their internal data protection standards.
If it were the case that the ICO did indeed believe the public sector should be held to higher standards, then that would be evidence of bias, and totally perverse. I do struggle to accept the unsupported assertion that market forces will lead to higher standards. If I were going out of my way to defend the statement, I would assume it is a nod towards the fact that you have no choice about much of the processing carried out by the public sector, whereas if RBS routinely lose my data I can up sticks to Barclays. As an amusing aside, the former lost a copy of my passport when opening an account, although creatively told me they hadn't lost it, and the reason they needed another copy was because they must have sent it to the wrong processing centre, and anything sent to the wrong place gets securely shredded. They didn't lose my custom, merely £60 in compensation, but that choice was mine, a luxury I don't enjoy with my Doctor, Social Worker or Teacher.
For the life of me I can't understand why the ICO would be biased against the public sector. Their wider enforcement is pitiful on FOIA (which deals solely with the public sector) yet plentiful for PECR (which is almost entirely applicable only to the private sector), so the idea that they are routinely scared of the private sector doesn't appear well founded or consistent across their other functions. The closest I can get to a reason why the ICO might hesitate against the private sector is a fear of taking on a sector which might initially be considered more likely to contest the ICO's findings through costly and potentially embarrassing Appeals. However, both of the Appeals against DP CMPs have come from public sector bodies. It's thus an incredibly self-serving argument to highlight that "The only CMP successfully overturned was on a public sector organisation (£250,000 on Scottish Borders Council)", because the only CMPs challenged were from public sector organisations. That particular analysis also neglects to mention that the CMPs served on Sony, Welcome Finance and the Bank of Scotland were served on a similar (apparently flawed) reliance on the compromised data putting the data subjects at risk of identity fraud/financial loss. In hindsight, they look like very dubious CMPs against the private sector.
Further, if the ICO really were into going after perceived soft targets, then surely they wouldn't be looking at a sector such as the NHS, with all of the emotive arguments that can be made about the money coming at the expense of patient care.
In fact, from working in the office at the time of the first wave of CMPs, there was actually something of a relief when the first appeal was made, because it offered a broad reassurance that the ICO approach was reasonable. I can also assure those who suspect otherwise that when fining under-resourced schools, hospitals and police forces, it isn't done with any relish. Likewise, a CMP of £200,000 for a Charity doesn't feel great, but the idea is surely to protect the data of the individuals more than to make moral judgements about the raison d'être of the Data Controller. I therefore cannot agree that Charities should be subject to lower penalties, as I feel it carries an implication that they should be allowed to have lower standards because they are pursuing altruistic goals, and in this case even that statement assumes you support the work of the BPAS.
I worked at the ICO and now I work in the private sector, and I have straddled the sectoral divide with complete indifference. I didn't regard myself as a beleaguered public sector worker any more than I now think I'm on the other side of the coin, lying awake at night wondering how to exploit consumers. I'm paid to do a similar job, and it just so happens that my employer is in the business of making money for providing a service, not taking it to provide a service. If the ICO criticised the financial sector for poor compliance I certainly wouldn't take offence; personally I'd probably enjoy the fact that competitors were not hitting high standards. I acknowledge those within Local Government may regard themselves a little differently and more collectively than that, but the spikiness of a sector to criticism of the sector seems disproportionate, and I do wonder whether it's linked to the increasingly polarised political sphere.
Nevertheless, it was with considerable astonishment that I read these reported comments from public sector governance officers. Seemingly, on the back of some mildly unflattering press releases from the ICO about public sector audit results, they would no longer volunteer for a free audit. Simultaneously making arguments about budgetary constraints whilst turning down a free audit, on the basis that the results might be used to make generalisations about one's sector, seems perverse. Surely the loyalty should be to your employers (and customers), not to safeguarding the reputation of your wider sector?
David Smith recently answered a question at the ICO conference by giving his opinion that the private sector is better than the public sector at DPA. His thought process (11m 55s) was that as customer data is a key asset of a business, businesses will take the security of that data more seriously.
I doubt there will be any specific information held in the form requested to prove this point, but I think it's a reasonable and well placed opinion, based on the anecdotal experience of a Deputy Commissioner for Data Protection who signs off the Civil Monetary Penalties and who has access to the full details of the self-reported breaches. There are only 4 honest answers you can give to who you think is better: private, public, the same or don't know. Whether you agree or disagree, was his answer a reasonable one, especially when again considering the under-resourced and under-supported nature of the public sector?
The caveat I would add, which I think the Deputy Commissioner would have been wise to include, is that his comments were in the context of keeping data secure. I think it would be fascinating to know which sector he believes processes data more fairly, because personally I think this is an area where the private sector will be more inclined to push the boundaries, spurred by the same commercial interests that motivate them to keep the data secure.
Whilst critics should acknowledge that processing the most sensitive data in the most complex way means the public sector is naturally more likely to end up involved in breaches of a kind likely to cause damage, equally the ICO should recognise that its compliance might not be comparatively worse. Indeed, I note from a recent ICO statement on their new approach to handling casework that
With any report we publish summarising the number of concerns raised with us we will always include a statement to explain that organisations processing high volumes of personal information are likely to generate a proportionate number of concerns to the regulator.
Personally, I don't actually think the ICO needs to go overboard in contextualising every set of figures it releases to pander to the sensitivities of certain sectors, but if they believe in the above statement, then surely they should apply similar reasoning to all areas of their work?
I've not given huge thought to which sector is better, as despite my 2500 words here, I don't actually think it's especially important. However, if we are looking at private sector compliance bias then it's surely pertinent to raise, or at least be aware of, the fact that losses of customer data in financial services will often be looked at by the FCA. For example, Zurich were fined a comparatively eye-watering £2.3 million for losing an unencrypted disc. The date of that fine preceded the ICO's CMP powers, but had it not, it still would have been left to the FCA to handle, because of their greater powers. That raises an interesting point: the FCA has stronger powers for mandatory reporting and stronger fining powers, yet since 2010 there hasn't been a single fine from the FCA for a data loss.
These are interesting political times; the polarisation of debate is quite clear and the divide between the private and public sector is increasingly apparent. Whoever, or whatever, is to blame for that general shift, I don't think we should artificially extend the battleground to the ICO's approach. I think public sector compliance professionals should concentrate on getting their own house in order before they worry about ICO press releases which may (or may not) turn out to be misguided. I'm sure the vast majority already do so, in which case they have little to fear from the ICO.