The First Tier Tribunal recently upheld the ICO’s Civil Monetary Penalty of CLCH, which I think has generally has been taken as an approval of the ICO’s CMP logic and procedures. I’m not convinced, as I think some pretty important questions remain unanswered about the ICO’s handling and thought process in this area. I should share that I previously sat in on CMP meetings so have a little inside knowledge, although my former employers will no doubt be encouraged that I take enough interest in the legislation to know what Section 59 does (and doesn’t) apply to.
In anycase, if I was going to share my inside line, I rather follow the lead of the former Head of Enforcement, who went to work for FFW who coincidentally have since pocketed a staggering 168k representing a public authority in single case CMP. Moral of the story – that type of knowledge is to be sold, not to be told (feel free to contact me Sony legal department ahead of your forthcoming appeal).
We know from the recent appeal that the ICO divide CMP’s into 3 categories, Serious, Very Serious and Most Serious, with each category having a financial band. Aside from the slightly inelegant language, that seems a broadly sensible approach.
What has become apparent to me, however, is that 1) there is no consideration of where breaches occur without an associated incident and 2) there is no criteria, explanation or perhaps even logic on how breaches are classified into each band.
In making this analysis, I would accept that I may well be wrong here, because I haven’t made an FOI request for any information held in relation to the above. That’s because I wouldn’t wish to needlessly add to the testing workload of my former colleagues, especially because recent events have shown us how much a team of 12 people can struggle to keep on top of things when the majority are women. Only joking sisters, love you really!
Moving on from the satirical sexism, lets address my first contention, essentially that the ICO’s CMPs only react to data incidents, not DPA breaches. I’d begin by noting that at no point does the CMP guidance introduce the concept of punishing for a particular incident – it’s for the breach of the DPA itself. The ICO isn’t there to provide punitive redress to those who may have been wronged in someway – but to punish for a serious breach of the DPA. As I’ll expand upon below, it’s quite possible for a concerning incident involving personal data to occur that perhaps doesn’t even equate to a breach of the DPA.
If the ICO was indeed issuing CMP’s for serious DPA breaches, as opposed to punishing incidents, then if I self reported that my organisation didn’t encrypt laptops containing sensitive personal data (we do), would that not be a serious 7th principle breach and one likely to cause damage and distress in the event they were lost/stolen? It would fit each of the criteria required to impose a fine. Yet the ICO hasn’t fined one organisation for a breach where there wasn’t an incident. Why wait for the incident to occur before taking action against a breach? Furthermore, most of the published discussion around CMP’s focuses on the incident, such as the numbers affected and the type of information lost in that particular case. Admittedly it could be argued that where there is not an incident, it is much harder to demonstrate that breach would be of a kind likely to cause damage/distress, but from my anecdotal experience, I don’t think that is how things are looked at.
Similarly, with reference to the second strand of my perspective, the breach appears to be determined to be serious by the ICO almost entirely because of the specifics of the incident. There is minimal consideration of what the Data Controller did wrong in DPA terms.
Over 90% of the ICO CMP’s have been for breaches of the 7th Principle, so I will focus my analysis around that principle. The gist of the principle is basically the greater the amount information and sensitivity of that information, the more measures should be put into place to protect it – a proportionate approach.
To breach that principle, you would have failed to have put ‘appropriate’ measures in place. So for it to be a ‘serious breach’, the ICO should probably establish the deficit between the measures actually in place and the measures that should have been in place. If the gap is significant, one could then move on to looking at whether the breach was of a sort likely to cause substantial damage/distress.
The CMP for Sony typically sidesteps this issue of ‘seriousness’, instead concluding
“The contravention is serious because the measures taken by the data controller did not ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing and the nature of the data to be protected”.
I find that analysis exceptionally weak. Firstly, where the measures don’t match the risk, it is by definition a breach – where does the increased severity to a serious breach derive from? The ICO’s summary here appears to be saying that because it is a breach, it is a serious breach. I’m not saying it’s not serious, simply highlighting that there is no explanation offered by the ICO. Further, given we know that this case has ended up with a £250k fine, the ICO have in their mind infact held this to be a very serious breach. Shouldn’t the language used be comparable to the conclusion formed?
When considering the aggrevating factors, it does mention that the “contravention was particularly serious because of the nature and amount of personal data”, but that again is weak because of the implication that any breach involving large amounts of data is a serious one. Again,the incident might be serious, but I’m not convinced it makes the breach itself serious, not least because there might be a case where the data controller just made one small mistake and that led to an incident that would be likely to cause damage and distress for a large number of people. Is that more, or less of a serious breach than a data controller being completely reckless with 1 person’s data thus causing huge damage?
The FTT commented in the CHC appeal that they thought the ICO could have classified that case as “very serious” on the basis of the number of organisational failings – essentially judging the seriousness of the breach against the failings against the 7th principle. The ICO has not stated in it’s written guidance that such factors will be considered at all and it’s missing from the CMP’s, again suggesting they are more focussing more on the incident and working backwards from there.
For example, information could be lost or accidentally disclosed as a result of an error by a data processor. Where the data controller is considered to have followed all the appropriate steps for selecting and monitoring the data processor, it might be the case that technically a breach of the DPA at all – or perhaps more accurately not the 7th principle. If you select a specialist data processor, ensure you have a watertight contract and audit them regularly, would you not be well placed to argue you had taken appropriate measures to keep information secure, even where an incident then occured? Or likewise if you train staff regularly and have the best policies in the country but an employee decides to leave sensitive papers stuffed in a hedge?
Had the data controller followed all of the correct steps but not carried out regular audits of the Data Processor, then in my mind that would be a breach of the 7th principle – but not a serious one in the sense the gap between what they should have done and what they did do was relatively small. A serious breach would be just flinging out the outsourcing to the cheapest provider, with no contract and no checks. The reality is that incidents usually occur as a result of a breach, but the extent to which the incident has been caused by technical and organisational failings will of course differ and that’s where I feel the ICO is somewhat blinkered.
To again take the example of Sony, they had online security, it just wasn’t sufficient enough to withstand a targeted and sophisticated criminal attack. It strikes me that the breach itself was at the lower end of the spectrum, in terms of assessing the difference between what they should have done, and what they actually did. What would the fine have been if they had no security at all?
I’m not suggesting that the numbers affected and level the (potential) damage/distress should be ignored, as that would be a bit perverse. Indeed, I would like to see those factors considered in conjunction with the severity of the DPA breach by the data controller (e.g. severity of breach x numbers affected x potential damage/distreess). But above all, I’d like to see those handing out the fines being clear about their reasoning.
On a slightly different note, something also caught my attention about the recent CMP to the Nursing and Midwifery Council. Incidentally, whilst it might be a bit of a pipedream to think I might catch the eye of the Sony Appeal lawyers, it’s more of a lifelong dream to catch the eye of a gaggle of Nurses. They were essentially subject to be a CMP because they didn’t have a policy to encrypt DVD’s containing evidence sent to a fitness to practice hearing. The guidance in such matters is very clear, so in some ways there is no debate, but it did cross my mind that had they sent the very same information (apparently witness interviews) in paper form, then would they have faced similar action? Sending personal information on a disk shouldn’t really be considered more insecure than sending the same information in paper form. If a bundle of papers had vanished having using a courier, would that have seen a 6 figure fine?
I’m not setting out to be a vocal critic of the ICO, as aside from anything else I think that market is saturated, so I should perhaps balance my criticism of the ICO by acknowledging that on the whole the CMP’s seem to be broadly consistent, reflective of a logical precedent based approach. I just feel that it would also be good to take a step back and think about the basis behind some of the fines – admittedly easier said than done when faced with a constant stream of breaches (sorry, incidents) to invesitgate. Hopefully my analysis will therefore help. If so I seek no plaudits – although I wouldn’t mind of those generous free dinners (page 7) the Commissioner manages to get through the expenses policy(page 14), disproving the old adage that there’s no such thing as a free lunch (page 1).