I see dead people

Before 2010, the ICO operated a brisk production line of undertakings to tackle the self-reported security breaches that came in the wake of the HMRC lost discs fiasco. Now that they have the power to issue civil monetary penalties, the production line keeps humming. The obsession with security is such that even CMPs like the ones aimed at Belfast Health and Social Care Trust (which is as much about retention as security) or St Georges Healthcare Trust and Stoke on Trent Council (both exclusively about accuracy) are branded as security breaches, as if only one DP principle exists. Enforcement shouldn’t be solely about public sector security, and a few CCTV and private sector wildcards do not change the overall picture.

A glance at their annual report explains why: the ICO has a fixation with figures, statistics, numbers, numbers, numbers, all the livelong day. Self-reported security breaches feed the numbers monster much more efficiently than complex decisions about fairness or adequacy, which have to be sought out before they are even made. All of the principles are breached by all sorts of organisations every day of the week, but because they don’t tell anyone or the ICO doesn’t notice, nothing happens. But wait for people to confess their security SNAFUs, and it’s like shooting fish in a barrel.

This tactic has now tipped into self-parody, with the ICO ensuring that the fish are dead first. In June 2013, Stockport Primary Care Trust was fined £100,000 (£80,000 if paid on time) for leaving patient records in a vacated building, and NHS Surrey was fined £200,000 (£160,000 if paid on time) for not controlling their IT contractor. Both organisations were wound up in April 2013, which means that the CMPs were served on successor bodies.

I don’t know why different organisations have inherited responsibility for PCTs, and the ICO doesn’t appear certain, claiming to have fined NHS England for NHS Surrey’s breach in the press release, and the Department of Health in the notice itself. NHS England told me in an FOI response that they asked the ICO to change this, but there is no evidence the ICO wanted to correct their mistake. The confusion is nevertheless irrelevant – neither DoH nor NHS England played any part in the breaches. They are not even real local successors like the Clinical Commissioning Groups where the PCT managers might now be plying their trade. They’re bystanders.

I’d have more respect for the ICO if they enforced the first or sixth DP principles, or didn’t rely almost entirely on the confessional / masochistic tendency in public sector Data Controllers to identify DPA breaches. Nevertheless, if the two former PCTs were open for business, I could not fault the ICO for taking action. But I can only see two main reasons to issue a CMP. The first reason is to educate everyone else. However, the ICO has already issued bigger CMPs for the same issues (£325,000 for Brighton NHS Trust for non-recycled hard drives, £225,000 for Belfast Health and Social Care Trust’s documents in an abandoned building).

The key reason for a CMP is to punish the organisation and in particular, the senior managers who allowed the breach to happen. The CMP recipient in NHS Surrey’s case is the ‘Department of Health Regional Legacy Management Team’ who presumably hold a budget to clean up after the dissolution of the PCTs. But the chief effect of the ICO’s intervention is to recycle some money back to the Treasury – that’s all. No awkward decisions for the PCT board, no hand-wringing in front of the local media – outcomes that concentrate the mind of even the most recalcitrant of managers. NHS Surrey is gone. DoH can legitimately say it’s nothing to do with them, so beyond a few headlines and extra figures for the 2013-14 annual report, what’s the point? It’s probably frustrating to have done the work only to drop the case, but as soon as you know you’re flogging a dead horse, is the effort of finishing the job really worth it? Wouldn’t the ICO staff be better employed going after organisations that are still processing personal data?

Well, funny I should mention that. Perhaps the only valid reason to inject Frankensteinian life into these cadavers can be found when you look at NHS Surrey’s case. According to the ICO,

the Head of the data controller’s IT team was contacted by the Director of a company (the “company”) who was looking for new business

and

The IT team explained that the hard drives would have to be physically destroyed because they may store confidential medical information. The company’s Director provided an assurance to the IT team that the hard drives would be crushed by an industrial guillotine.

I want one of those. Having guillotined the hard drives, “the company” would then sell off the other components. On this basis, they did the work for NHS Surrey for free. The Trust’s Information Governance Head was – you’ll be surprised to learn – not involved in the decision. “The company” then received as many as 1500 PCs between 2010 and 2012 before third parties buying hard drives on auction sites revealed that the hard drives were in fact being sold on. Those of you with good memories will remember that another hard-drives-on-auction-sites case involved a contractor who was also not paid.

If NHS Surrey still existed, the clowns who agreed to this without a formal contract would deserve a hard time. Even now, the ICO presumably knows who they are, and could name them. Given Christopher Graham’s determination that the CQC three should be outed, one can only wonder that his views on transparency are not more widely understood within Wycliffe House.

Of course, the recycling company would be an appropriate target itself, but as a data processor it is out of the ICO’s enforcement reach. However, if this outfit is still trading and actively touting for business, every actual and potential customer needs to know about their role in this sorry business. Whether the failure to protect the hard drives was a mistake or a deliberate act, the company’s customers need to know whom they are dealing with. If the ICO had picked the NHS Surrey case as a vehicle to name and shame the errant processor, I would have cheered them on. Instead, they go after a dead organisation and give “the company” anonymity.

I asked both the Department of Health and ICO for the names of the company and the director and both refused. The Department of Health refused, citing (perhaps satirically) concerns about the data protection rights of the Director. The ICO relied on Section 44 of the FOI Act, which prevents organisations from breaching existing legal barriers on disclosure. If the law says you can’t disclose, Section 44 kicks in. But the ICO has a problem. The specific legal barrier in their case – Section 59 of the Data Protection Act – does indeed prevent the disclosure of information about any organisation or business obtained as part of an investigation but not if the ICO has ‘lawful authority’ to give it out. So is it all over? Quite simply, no, and I’m challenging both decisions.

Section 59(2)(e) states that, having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest. Without the information being in the public domain, it is impossible for data controllers to comply with the Seventh Data Protection principle, in that they need to find data processors that can give sufficient guarantees of security. It is absolutely necessary and the ICO’s hands are not tied.

In my experience, the ICO treats Section 59 as a no-questions-asked absolute exemption, ignoring the public interest element. Of course, they exercise their own judgement about what to disclose all the time – if Section 59 were an absolute ban, they couldn’t have published much of what went into the CMP notice that kicked this blog off in the first place. But the ICO cannot hide behind Section 59. The Supreme Court has recently had the opportunity to consider the meaning of the word ‘necessary’ in the DPA. In the case of South Lanarkshire Council v Scottish IC [2013] UKSC 55, the Court confirmed that ‘necessary’ need only mean ‘reasonably necessary’ and does not have to be ‘absolutely or strictly necessary’. On this basis, how can anyone say that, having regard to the legitimate interests of Data Controllers in the South East and beyond, there is not an overwhelming public interest in making public who the data processor is?

Admittedly, there will be consequences for the company if they are known. Without a credible explanation of what went on, their business would suffer. Even with one, they would be at a great disadvantage when compared to all the disposal companies who had not sold hundreds of their customers’ hard drives on the internet without permission. But the ICO should not tiptoe around this. The company probably could not offer its attractive “free” service if it properly disposed of the drives. But even if disclosure puts them out of business, that’s nobody’s problem but theirs. If processors know that they act with total impunity, what is to stop this organisation or another from making the same mistake again?

The ICO should not lightly divulge information it receives from the organisations it is investigating. There is much that they find out in the course of their enquiries that should legitimately remain secret. But Section 59 is not intended to prevent legitimate disclosures. It does not stop the dissemination of important information that needs airing in the public interest – it is specifically written to allow this. It is, therefore, remarkable that the ICO believes that it is more important for it to issue penalties to phantoms.

Comments

  1. As you rightly point out, there has been confusion about who the CMP for Surrey is aimed at. Although it is being aimed at NHS England, which is clearly not the organisation that made the errors, this is because NHS England inherited the financial and legal liabilities of all PCTs. Lansley and Hunt (mostly the former, as the latter doesn’t do detail) were clear that CCGs are not the successors to PCTs as they wanted them to start with a clean slate (not that they have, in some instances).

    A lot of the PCT staff have moved to CCGs, but a lot of them have moved to things called clinical support units (CSUs), which are part of NHS England (for another 13 months, when the fear is that their work will be privatised, but that is another story). Often (but not always) the IG staff are in the CSUs, and so there is a logic (not that I am claiming that logic had much part in this decision – it is more an accident), in making NHS England pay the fine as it has ended up employing a lot of the PCT staff in CSUs.

    And whoever pays the fine, the fact remains that such CMPs are closely read by IG people and even if you work in a neighbouring organisation, or at the other end of the country, the fact that this can happen to someone (imagine what this has done to individuals’ reputations, no matter what any internal report might say about the blame) will strike fear into public sector staff, who know that while £90k or even £200k is a drop in the ocean compared to local budgets, that they do not want to be involved or responsible for such a loss.

    Obviously, I am only talking about the ones that are awake. If they are asleep, you could fine them their small fingers and they still wouldn’t get it.

    • I think that’s a bit tenuous. NHS England and the DoH have been fined for breaches of the Data Protection Act they played no part in. How compelling is it for the IG professionals to read a notice that says ‘if you get this wrong, the organisation that takes over after you have been disbanded will be fined’? The prospect of someone else who has to clean up after me getting a fine isn’t a big motivator.

      Besides, the live problem is now the contractor, and the ICO wants to protect them.

  2. The cock up didn’t happen with a view to the organisation being abolished and someone else paying the fine. That was an accident of timing.

    Everyone knows what a cock up this was. The individuals involved will be tarnished for a long time.

    • That might be true, but that doesn’t make the CMP any more necessary. A lot of ICO resources will have gone into enforcement action that cannot possibly make any difference to the organisation itself, pulling out one of the major purposes of a CMP in the first place. They could have done a press release setting out what the PCTs had done, and pointing out that they could have taken enforcement action if the organisations were still live. I know George Osborne is the ICO’s local MP, but they shouldn’t be so keen to hand money over to the Treasury.

      • Sorry, old bean, I just don’t agree – press releases are just not taken that seriously – we remember it better and a more powerful message is sent with a monetary fine. The stigma of that is so much more severe.

        It makes my teeth hurt that the ICO, who is under-funded, hands the loot over to HMT. But I struggle to see how it can maintain impartiality (or, more importantly, be seen to maintain it) if it gets the cash from the fines – that is the problem with parking fines – part of the reason they are badly enforced and cause so many complaints, is that the council takes the cash.

        And the fine problem is no different to the other ludicrous endless loops of money – HMT gives DH money. DH gives it to the NHS. The NHS pays VAT and its staff pay income tax. The tax goes to HMT and is then used to repeat… which I don’t mind, as it is more equitable if everyone pays tax, but the fact that it needs people and systems to make it happen is a really annoying waste.

        I think this is my way of trying to change the subject because I don’t think that I will ever win an argument with you.

      • What did DoH do wrong?

  3. Health and Social Care Act 2012?

  4. The HSCA says that DH/NHSE inherits liabilities.

  5. Exactly: DoH / NHSE did not breach the DPA, they just inherited liabilities. Clearly individuals and businesses with a legitimate claim against the PCTs should have somewhere to go, but the ICO is issuing CMPs against – effectively punishing – organisations that did not breach DPA. Which is pointless.
