For some time, the Information Commissioner’s Office has advised organisations of all shapes and sizes to indulge in the masochistic activity of ‘breach notification’. Though taken to absurd levels of hair-shirtery in the NHS and some councils, the belief that any attention-grabbing data-related cock-up must automatically be reported to the ICO is widely held. I offer a modest prize for anyone can find me the interview in which Christopher Graham – earlier in his tenure – mistakenly claimed that breach notification was mandatory. I sometimes cause a frisson in training sessions when I quietly suggest that there is no such obligation, and on one memorable occasion, I was even shouted at by an angry Data Protection Officer who had just told his employer that they were obliged to report. My advice, gentle reader, is that if you think that reporting an incident to the ICO will improve your compliance with the Data Protection Act, do it at once. If you want to report it because someone else will, that’s as good a reason as any. But don’t do it because you have to. Because you don’t.
Everyone who has been on one of my training courses on Data Protection in the past few years has heard me make the same point – an incident and a breach are not the same thing. Sometimes a breach leads to an incident, but it’s perfectly possible to have one without the other. This shouldn’t be a revelation to anyone who has read the Civil Monetary Penalties Code, but the recent First Tier Tribunal decision on Scottish Borders Council’s appeal against a £250,000 CMP suggests that some people in a certain Cheshire village may have got some things jumbled up.
The thing that makes self-reporting really stupid is also the answer to why Scottish Borders succeeded. According to the Tribunal, there was a serious breach of the DPA principles, in that Borders did not have a contract that was fully compliant with principle 7. This is a breach of the DPA that hundreds, if not thousands of Data Controllers are guilty of (tell me that your employer isn’t). Many of these contracts cover information more sensitive and more potentially damaging than the Borders data.
The ‘trigger incident’ is intriguingly described at the outset of the decision:
“Outside Tesco in South Queensferry there are some bins for recycling waste paper. They are of the “post box” type. On 10 September 2011, a member of the public found that one of the bins was overflowing.”
In the bins were pension records that should have been shredded by Borders’ contractor, but were not. The Council had a decades-long relationship with the contractor, and so perhaps could be forgiven for thinking that all was well. In any case, pension records in an overflowing recycling bin is not a breach of the Data Protection Act: the breach is not having the correct contract. I don’t think that the ICO fully appreciates this distinction, but more importantly, the Tribunal doesn’t think so either. Paragraph 45 of the decision quotes the ICO CMP notice on the contravention, and then says that it “is not particularly easy to follow and seems to be focussed on the trigger incident rather than the contravention”. The Deputy Information Commissioner, David Smith, is also described several times as being focussed on the papers in the bins, rather than the breach that led to this happening. Distracted by records somewhere they shouldn’t be, the ICO failed to make the link between breach and harm. Conjecture about the local press printing extracts of the pension records and scaremongering about the risk of identity theft cuts no ice – the Tribunal identifies a breach that should be put right, but not the likelihood of harm that justifies a CMP.
If the Tribunal decision is correct, where is the logic in incident reporting? If the Tribunal is correct that Borders had not complied with Principle 7, that would be true if there had been no incident. The breach would still have occurred, even if Tesco had emptied that recycling bin more often, or if the contractor had chosen an emptier recycling bin. The incident is a MacGuffin. Hitting Borders with a CMP was incorrect because the breach itself did not warrant it. There will be many other contracts out there with the same problems, but with substantial damage or distress much more likely to occur e.g. those covering the handling of credit card details or witness protection (damage) or sexual health information or gender reassignment (distress). Equally, a CMP is only appropriate for egregious breaches. Some organisations can be pushed onto the right course via an Enforcement Notice and some will willingly sort themselves out as soon as they realise what they’re doing wrong with no further action. The ICO shouldn’t back away from enforcement – I still think there should be more of it. But it should get the balance right between these three approaches, and it should not enforce against what it seems to perceive as softer targets like councils in the hope that bigger and more powerful Data Controllers in Government and the private sector will fall into line. It would make more sense to target a few whales rather than constantly netting the minnows.
The current guidance on the ICO website is entitled ‘Notification of data security breaches to the Information Commissioner’s Office’. For reasons best known to its author, it begins “The Data Protection Act 1998 (the DPA) is based around eight principles of ‘good information handling’.” I don’t know why ‘good information handling’ is in quotation marks (who originally said it?), and I don’t know what the ICO wants to make the Act’s legal obligations sound like nice things it would be nice if nice people could do. But the guidance is not about breaches. It is about the reporting of incidents – the ICO wants to know about incidents involving
“exposure to identity theft through the release of non-public identifiers, eg passport number”
“information about the private aspects of a person’s life becoming known to others, eg financial circumstances.”
These are terrible examples – a passport number isn’t enough to commit identity ‘theft’ (I’m using quotation marks because you can’t steal a person’s identity, although you can commit fraud using someone else’s identity). Meanwhile, your financial circumstances being known to others is a remarkably trivial example of what might be considered to cause “detriment”. It doesn’t take a genius to work out why the ICO lost their case if this nonsense is what they’re working to. The document contains no rationale for why the ICO should be told about random incidents, nor any explanation of why they want to be told only about issues (tangentially) related to Principle 7. This focus on incidents is an ineffective way to encourage compliance anyway, as it hoodwinks organisations that haven’t had an incident into thinking that they are compliant. I don’t doubt that an incident often provokes an organisation into taking action but the message that incidents = non-compliance (and the reverse) is nonsense. Data Controllers should be complying in the first place, not waiting for the other shoe to drop.
If the ICO wants to operate a system of ‘security breach’ notification, this guidance (and the wider strategy) has to change. The emphasis on incidents and losses and thefts must go. Instead, the ICO should demand to be informed whenever Data Controllers find a contract that does not put the processor under an obligation to act only on their instructions. They should expect to be told about every delayed or non-existent programme to encrypt mobile devices that store potentially damaging data. Shoddy business continuity plans, non-functioning back-ups, fly-by-night contractors, unlocked doors, untrained staff, everything that is actually a contravention of the Seventh Principle should be reported.
And while we’re at it, let’s remember my new initiative: “PEOPLE OF THE INFORMATION COMMISSIONER’S OFFICE, CAN I INTEREST YOU IN THE OTHER PRINCIPLES?’ What is so special about the seventh principle? Why is lost data so much more unforgivable than old information or inaccurate information. The ICO should be asking Data Controllers to tell it about the databases that cannot delete records and throw up old data unbidden, the ignored retention policies that result in inappropriate information forming part of decisions, the inaccuracies that lead to financial loss and disadvantage, the CCTV in toilets, the unjustified secret use of information, the processing of data without a condition, and the sharing of personal data with non-EEA contractors without adequate protections. In the past few days, the Telegraph has reported a potentially massive breach of the fourth DP principle, with apparently widespread, damaging effects. But despite doubtless real distress experienced by many people (as opposed to the entirely imaginary damage attributed to Borders), the ICO will almost certainly not take action against the BBC over TV Licensing. They definitely do not publish guidance demanding that damaging inaccuracies are dutifully self-reported.
I have no doubt that quite a few of the Data Controllers impaled on the business end of an ICO CMP were guilty of a serious breach of one of the principles that was likely to cause substantial damage. Especially after the Borders decision, I am equally convinced that some of them were not – it is not only Borders who have been unfairly treated. But in any case, the CMP list is not the roll-call of the biggest, most damaging DPA breaches in the UK. It represents a haphazard collection of Data Controllers unlucky enough to experience a trigger incident and – in many cases – naïve enough to report it to the ICO. More serious breaches, likely to or actually resulting in real harm, have gone unpunished and will continue to do so until the incident obsession is set aside.
After this decision, the ICO can no longer simply grab headlines by punishing the hair shirt / bad luck brigade. It must find some more rigorous, equitable way to enforce the DPA, or go back to farting out undertakings and wringing its hands. If it continues to focus on incidents, Borders’ success will not be the last.