Think of a number

On Friday, DataGuidance (“the global data protection and privacy compliance solution”) published research headlined ‘Total fines imposed on private sector outstrip public sector‘. They also claimed that the level of fines against private sector organisations has increased year on year: the private sector CMPs amounted to 50.7% of the total, compared to 20.5% in 2012 and only 0.2% in 2011.

A few people – presumably those who didn’t actually read the article – were impressed by the findings. A former ICO employee accused me of making illogical claims because I did not think my belief in the ICO’s anti-public sector bias had finally been refuted. However, DataGuidance’s methodology and conclusions are eccentric and potentially unhelpful. The figures were broken down at the bottom of the article, but the headlines and the colourful bar charts conflate enforcement on both Data Protection and the Privacy and Electronic Communications Regulations. They also looked only at the total amounts, rather than the number of enforcement actions.

The law on PECR enforcement was changed in 2011; before that, it was impossible for the ICO to issue CMPs for PECR breaches at all, and even after that, until the statutory guidance was published, the ICO’s hands were still tied. The guidance was published in 2012. The ICO served their first PECR CMPs in November 2012. DataGuidance don’t acknowledge the fact that one of these PECR CMPs was overturned (admittedly, the ICO says they’re appealing), but much more importantly, the report does not register that the increase in private sector CMPs is almost entirely down to PECR and to this change in the law.

Data Protection and PECR are two completely different types of legislation and thus, two completely different strands of enforcement. Obviously, the public sector does some electronic direct marketing  and is no better at complying with PECR than the private sector in my experience. However, it’s equally obvious that the vast majority of direct marketing in the UK is carried out by the private sector. Therefore, the vast majority of complaints received by the ICO about PECR breaches will be about private sector organisations. If you’re trying to assess whether the ICO has a bias against the public sector in enforcement, it’s illogical to use legislation focussed on the private sector as evidence. It’s like trying to draw conclusions about the ICO’s attitude towards the private sector by looking at FOI. Any FOI enforcement would be against the public sector. Virtually all PECR enforcement will be against the private sector. There are interesting conclusions to be drawn here – whoever makes decisions about enforcing FOI clearly doesn’t have the bottle to do so, whereas whoever makes decisions about PECR clearly does. But the issue that really interests me is whether the ICO is generally biased against one sector versus another, and it’s Data Protection where I think this can best be examined.

Unlike FOI or PECR, there can be no argument about scope with DP. Some parts of public and private sector are at greater risk because of the nature of their work. For example, local government is more at risk because they share so much data, and the financial services sector is more at risk because of the effect of inaccuracies and losses on people’s finances.  However, in general, DP applies equally to all sides. DataGuidance clearly feel that the ICO’s attitude to the sectors is the crucial issue; their headline refers to it, and they quizzed the ICO on that topic, obtaining this unconvincing response ”We don’t consider whether a data controller is public or private sector when deciding whether to pursue enforcement. We judge everything on a case-by-case basis. It all comes down to the nature of the breach. It’s difficult to say how many public or private enforcement actions we will take in 2014.”

To get to the bottom of whether there is bias, let’s consider the evidence for each of the four years in which the ICO has been issuing Data Protection CMPs:

  • 2010: 1 public (£100,000), 1 private (£60,000)
  • 2011: 6 public (£540,000 in total), 1 private (£1000)
  • 2012: 20 public (£2,385,000 in total), 2 private (£200,000 in total), 1 charity (£70,000)
  • 2013: 10 public (£1,115,000 in total), 3 private (£330,000 in total)
  • TOTALS: 37 public (£4,140,000 in total), 7 private (£591,000 in total), 1 charity (£70,000)

There is no doubt that the private sector figure has gone up each year, but the Sony CMP in 2013 has a distorting effect. The private sector numbers are so low that Sony’s £250,000 CMP accounts for nearly 50% of the private sector total across all four years. Equally, the number of public sector CMPs are markedly down in 2013, but they still dwarf the private sector, and in any case, the drop in public sector enforcement is probably accounted for by the fact that a public sector organisation successfully overturned their CMP (Scottish Borders Council), showing up significant flaws in the ICO’s approach as they did so.

And consider these nuggets:

  • The highest CMP served (£325,000) was on a public sector organisation
  • Of the five CMPs that were £200,000 or above, only one (£250,000 on Sony) was served on a private sector organisation
  • Ignoring the two CMPs that were reduced because of the state of the Data Controller’s finances (both private sector), the lowest CMP served was on a private sector organisation (£50,000 on Prudential Insurance)
  • The only CMP successfully overturned was on a public sector organisation (£250,000 on Scottish Borders Council)
  • Of the seven private sector CMPs, only two were over £100,000 (of the 45 CMPs issued overall, 16 were below £100,000, 29 were £100,000 or over)
  • The ICO has served more CMPs on the NHS alone (9) than the whole of the private sector (7)
  • The ICO has served more than three times as many CMPs on local government (24) as it has on the whole of the private sector (7)
  • The ICO has twice served CMPs on public sector organisations that have been wound up and did not exist when the CMP was served (NHS Surrey and Stockport PCT for £200,000 and £100,000 respectively)
  • The first CMP issued against a private sector organisation was against A4e. A4e’s CMP was £60,000, the third lowest CMP if you disregard the two reduced CMPs. In a single year, A4e paid a bonus to its Chief Executive of £8.6million

If you want to believe that the ICO’s DP enforcement is an accurate reflection of Data Protection compliance in the UK, feel free to do so. All of my personal experience, the anecdotes I have heard over the years, and everything I have been told by private sector DP people tells me the opposite. Moreover, the ICO’s Annual Report suggests that something different. In 2012-13, the sector with the highest number of complaints was lenders with 17% of the total (local government, who account for the bulk of the enforcement, came in second with 11%). 47% of the complaints (the largest group) were about subject access, with disclosure coming in second at 19% and inaccuracy coming in third at 16%. There have been no subject access related CMPs, none related to disclosure, and only one about accuracy (needless to say, that was a private sector one). The Annual Report does not break down the complaints in terms of sector outcome, and it also only shows the top eleven most complained about sectors. However, private sector organisations account for at least 37% of the total, while the public sector account for 35%. So if 35% of all complaints result in ‘compliance unlikely’, while only 22% were ‘compliance likely’, unless the ICO can confirm otherwise, it’s reasonable to assume that the private sector have more than their fair share of breaches.

The ICO’s DP enforcement is skewed by an obsession with security, and a reliance on self-reporting above all other things. The private sector does not own up but the public sector does, as the ICO’s own Technology adviser admitted. On page 3 of the Information Commissioner’s ‘Regulatory Action Strategy‘, the following statement can be found: “In selecting areas for attention we will bear in mind the extent to which market forces can themselves act as a regulator”. I asked the ICO under FOI for any evidence that they hold establishing that market forces act as a regulator. They admitted that they had no evidence at all to back up this assertion. It’s an unfounded statement to justify inaction against the private sector under DP.

The ICO’s approach to Data Protection enforcement is biased against the public sector, and public sector bodies have far more to fear from them.

Comments

  1. Andy Walsh says:

    “A former ICO employee accused me of making illogical claims because I did not think my belief in the ICO’s anti-public sector bias had finally been refuted”

    Infact, I commented
    “Interesting figures,especially to those who claim a public sector bias in enforcement”.

    The article was about total fines issued by the ICO. I’m not sure how calculating the total number of fines could therefore equate to a flawed methodology? If the article was around DP enforcement you would be entirely correct to disregard PECR fines, but it wasn’t.

    Whereas you frequently suggest the ICO is afraid of the private sector, and specifically large tech companies, the biggest fine was to Sony and Ruth Boardman, Partner at Bird and Bird LLP, commented, ”The ICO has never hesitated to use whatever enforcement powers are available to it against the private sector as well as the public”. Do you agree with Ruth?

    The lack of logic is by noting, but not addressing, that there is poor FOI enforcement (against the public sector) but extremely robust PECR enforcement – which you rightly state is almost entirely private sector. An organisation biased against the public sector would surely operate in reverse.

    The DP enforcement is largely based around self reported ‘incidents’. We both know that is flawed, but that’s a different story. The public sector are more forthcoming reporting such incidents – I understand that its a requirement for the NHS – so they get more fines. In that sense,there might be said to be a bias in DP enforcement, atlhough personally I think flawed is a better description. On the otherhand, if/when any organisation gets a CMP for something they’ve deliberately not reported they will be hammered for not doing so.

    • Given that challenging illogical statements was your declared mission statement today, I assumed that this applied to me. I see absolutely no logic in trying to draw conclusions about the ICO from two completely different things, especially as the identified rise of private sector enforcement is based solely on new powers.

      On the issue of the comment from Ruth Boardman, no, I don’t agree with her at all. I think the history of the ICO is full with examples of hesitation in the face of the private sector – hiding from the Lindqvist judgement (and thus avoiding confrontation with Facebook et al.), dodging Google enforcement, seeing the press as being “too big for us” and repeatedly trying to view the blacklisting issue (an issue they did once manage to tackle) as something in the past. The idea that one CMP against Sony somehow makes a difference against the relentless focus on local government and the NHS is clutching at straws. It’s one case against dozens, and the biggest fine in 2013, not overall.

      Given that PECR accounts for far more complaints to the ICO than DP and FOI put together, the fact that fewer people work on it than either shows where the ICO’s priority is. There’s nothing wrong with the PECR enforcement, but the fact that the DP enforcement is better resourced and inevitably (given the self-reporting obsession) focussed on the public sector, I think your ‘extremely robust’ claim doesn’t stand up.

      I admit, the bias may be structural rather than conscious but your preference for ‘flawed’ isn’t just semantics. Most of what the ICO does is flawed; their approach to DP enforcement is biased, and lumping it in with PECR is an illogical and unhelpful way to explore it.

  2. Andy Walsh says:

    “declared mission statement” – brilliant line but I’ll be more accurate with my quoting.

    I previously asked you about Ruth’s comments and you stated “Boardman merely commented on the existence of the private sector fines, not the flawed claim that they outweigh public”

    It now appears infact you strongly disagree with her.

    On the subject of alleged bias you said

    “Anyone not weirdly biased in favour of them (the ICO) can see that”.

    So, its a ‘flawed claim’ that private sector fines outweigh public sector fines,and Ruth Boardman is ‘weirdly biased’. Fair enough – but I disagree.

    Re this statement

    “Given that PECR accounts for far more complaints to the ICO than DP and FOI put together, the fact that fewer people work on it than either shows where the ICO’s priority is”.

    Can I just check I’ve understood this correctly – you believe, based on staff employed, that the ICO’s enforcement priority is FOI above PECR?

    I do agree the DPA enforcement strategy is going to mean a disproportionate focus on those who self report – which will be mainly public sector.

    I don’t dispute your experience of private sector piss poor compliance that goes unchecked – but nor do I think that pisspoor public sector organisations should get a pass because of it. The Brighton case was a nailed on CMP and probably the best example of a “serious breach likely to cause…”. It’s the highest fine for good reason.

    My quibble with the ICO would therefore be not with the CMP’s to the publuc sector, but press releases suggesting private sector is operating to much higher standards. To some extent they can only assess what is presented to them, but they need to be much more aware of the structural flaws/bias in that position.

    Finally, thank you – you’ve saved me a post myself.

  3. I think FOI is a complete anomaly based on the approach taken by the current director of FOI. I don’t think any conclusion can be drawn about FOI until that influence is removed, and so it’s pointless to factor it in at all. But I feel the same way about PECR because PECR only really applies to the private sector because of what it applies to.

    We end (hopefully) where I started. DP is common ground. It applies to all. The enforcement outcomes are the only sensible, logical way of identifying whether the ICO is biased.

  4. Comparisons are slightly odious, but (you’ll not be surprised to hear) I largely agree with you. Of course, a) private and public sector data controllers do very different things with very different data, and b) (rather contradicting that) the distinction between private and public is increasingly becoming blurred.

    But something which I think does tend to show possible bias is the public announcements from Chris Graham and colleagues. I blogged last year about what I thought were particularly tendentious conclusions drawn from a sample of audited organisations, and an accompanying press release which I called “irresponsible” http://informationrightsandwrongs.com/2012/10/11/an-irresponsible-press-release/

    Even if the public sector were worse at DP than the private, the simplistic PR bashings which are routinely given to the former by the ICO run the risk of discouraging openness about data protection breaches, which would be contrary to the public interest the ICO should be serving.

%d bloggers like this: