Underwhelming

The Information Commissioner has published the latest in a long line of undertakings, this time involving Northumbria NHS Trust. As always, the ICO’s press release is very misleading about what has really happened. This time, the notice has been ‘issued’, a word clearly intended to imply that the Trust had no choice in the matter. Recent undertakings have also purported to be “rulings”. However, the Information Commissioner has two powers to enforce the Data Protection Act, and the undertaking isn’t one of them.

Where the ICO identifies a serious breach of the DPA that was likely to lead to serious harm, and which the organisation could have prevented, they can issue a civil monetary penalty – it’s not technically a fine, although that’s the shorthand that most people use. In security cases, the breach is often the lack of training, the lack of management supervision, the lack of procedures or checks. It’s entirely possible for the ICO to issue a CMP without an incident (a loss or a theft of data), but they currently seem to lack the imagination to accomplish this. The CMP is a punishment – even if everything that was wrong has been put right, the ICO can still issue the penalty.

The other power that the ICO has is the Enforcement Notice. Here, there is no direct punishment, only the threat of prosecution if the notice is not complied with. The crucial difference between a CMP and an enforcement notice is that with the latter, the breach must be ongoing. The staff have not been trained, the laptops remain unencrypted, crucial and risky procedures are undocumented and unchecked. If an organisation refuses to undertake the steps required to put things right, an Enforcement Notice is plainly the tool to use. It’s possible – and logical – for the ICO to use either or both, depending upon the problem. They did both with Powys Council in 2011, for example. There could be a particularly heinous breach (CMP) which the organisation still hasn’t rectified (EN).

Neither of these problems is solved by an undertaking, a measure that is not even mentioned in the Data Protection Act. Put simply, an undertaking is the ICO asking the organisation to make a public promise that they will put things right and do better next time. If an organisation does not do what it has promised to do, there are no immediate consequences. If the ICO found an undertaking that had been ignored, they could do nothing other than issue an Enforcement Notice. Nothing is triggered by the failed undertaking in itself, whereas failure to comply with an Enforcement Notice leads to prosecution. There are people who think that the undertaking is a bargain to be snapped up – if you refuse to sign, an enforcement notice or CMP will be winging its way from Wilmslow. But think about what that means: the ICO thinks they could make the case for a CMP, but is letting the organisation off the hook. Do you believe that? Alternatively, the ICO thinks that there is a significant ongoing breach (an Enforcement Notice cannot be issued if the identified breach has already been dealt with), but is choosing to trust an organisation that has already cocked it up to sort it out because they’ve been asked to. Which is nice.

I can see what’s in it for the ICO. Their investigations advance at a glacial speed (I have spoken to data controllers who have dealt with enforcement for years on a single case), and the ICO’s reputation for being risk averse and indecisive is richly deserved. Going for an undertaking closes the case. Asking the organisation to sign an undertaking does not require the ICO to identify a breach that is sufficiently serious to survive scrutiny by the Tribunal, should the data controller decide to appeal, so rather than making a firm decision, the undertaking allows for woolly compromise. Crucially, the ICO can still announce the undertaking as if they have actually made a decision – DP people will tweet and comment, there will be some stories in the IT and local press, and overall, the impression of action will have been created.

However, I don’t understand how the undertaking is anything but a kick in the teeth for the cooperative organisation: they don’t need to be cajoled with an enforcement notice and don’t deserve a CMP. If the ICO thinks the organisation will do it without being forced to do it, would they really risk a tribunal appeal on an Enforcement Notice that the data controller might already have complied with? And on the other side, would they really risk letting a recalcitrant or unwilling data controller off with a glorified press release instead of a CMP or an enforcement notice? If an unsigned undertaking might result in a CMP, is there any evidence that any of those that have actually received an undertaking were first offered a CMP and refused it? And if not, why not? Why were they immediately punished, but all the undertaking recipients not?

I can see only two possibilities – the ICO lacks the confidence to enforce when they should be doing so (which is possible), or the ICO does not want to admit that it has spent months on a hiding-to-nothing case where the incident is more eye-catching than the breach. Wilmslow’s senior staff still have a real problem telling incidents and breaches apart, and the undertaking allows them to make a move without ever really deciding. If they offer your organisation an undertaking, they’ve already decided that they don’t have the evidence or the serious breach for a genuine exercise of their powers.

Don’t get me wrong, I have no problem with those that breach the DPA receiving CMPs and Enforcement Notices: I’m all for it. The absence of enforcement on fairness, dodgy re-use and selling of data, inaccuracy and failed subject access is a scandal. But for an organisation that hasn’t breached the DPA sufficiently badly to warrant a CMP, and who has put the problems right (or is clearly willing to do so), the undertaking is a PR exercise for the ICO. It is not an order, it is not a requirement, it is a request. You can say no.

Comments

  1. Who says the ICO must do better if they themselves are found wanting / not training their staff correctly?

    https://wirralinittogether.wordpress.com/2014/09/04/ico-news-have-you-ever-seen-a-fire-station-on-fire-or-a-snow-plough-stuck-in-the-snow-read-on/

    Imagine the upset caused if say, the expenses claims of top level ICO executives were sent to my house?

    I sincerely hope that happens one day because I would not hold back.

    • So you’re sitting around, hoping that somebody else will make a mistake so that you have an excuse to make a fuss about it? Has it occurred to you that Data Protection is actually a serious business, with serious consequences for real people, not an opportunity for attention-seekers to fill their daily quota of manufactured outrage?

  2. 1. I don’t ‘sit around’.
    2. I take up public bodies’ earnest appeals that members of the public engage with them.
    3. The fact that I’m invariably met by a phalanx of lawyers and intransigent naysayers such as yourself is neither here nor there.
    4. I’ll carry on engaging with disingenuous bureaucrats regardless of the fact that I’m unlikely to get the steam off their shit.
    5. If the ICO top team ever DO send me their expenses in error, I’ll make them regret it to their dying day, because they fully deserve what’s coming to them.
    6. Thanks for your time.

    • I suspect that most senior public sector people have broad enough shoulders to cope with a few long-winded FOI requests and some sanctimonious website comments, which seem to be the extent of your arsenal. As far as I know, your ‘campaigning’ has resulted in no resignations, no investigations, and no prosecutions, just a few FOI cases, some of which have gone in your favour, and your name occasionally in the headlines, which is what it’s all about.

      Of course, I have fallen entirely into the trap of Talking About Paul Cardin, which is the only thing you are interested in doing (all the other stuff is just a cover), so having made that mistake, let me be clear. There are people (a small number) who find your posturing persuasive, and this LOOK AT ME, I’M ANGRY schtick goes down well with them. But you don’t convince me; you’re interested in the sound of your own voice and nothing else. Any comment you make here will just be about you and how marvellous you are. So feel free to keep pontificating about what a big man you are, and how angry you will be if certain things happen, and how crap everybody else is. The world will keep spinning, entirely unaffected by all your guff.

      • Actually, you’re mixing up ‘broad shoulders’ with ‘bottomless pockets’. Despite the claims to ‘no money’, there’s always lots of ready cash for mounting hideous, doomed at the outset legal campaigns, or to pay subscriptions to the LGA in return for bogus ‘awards’. (See Rotherham Children’s Services 2008 and the hideous bestowing of an LGC award at the height of unchecked grooming and the sexual exploitation and abuse of children by paedophiles, evidence of which was later seen to have been concealed, possibly destroyed.)

        The people you refer to at public bodies who respond so badly to genuine requests for openness from the sidelined public are largely cowards at heart. They’re the kind of person who on a battlefield would shoot their oppo in the back, kick the body over and rifle their pockets before deserting to the enemy. If you want to defend that type of character, go ahead. That’s up to you.

        I know you’re constantly chasing public sector cash from these people to prop your organisation up, and that, as opposed to the free flow of information, is your true motivation in life, but posting opinions like the above is unlikely to win you any slap up training days, even from those power abusers who hold the purse strings.

      • I don’t have an organisation to prop up. It’s just me. I’m not defending anybody else, I’m criticising the angry, self-righteous attention-seeker for setting himself up as judge and jury for everyone else. Even where you do talk about real wrong-doing (after *someone else* has done the difficult job of whistleblowing), you won’t make a difference, because it’s so easy for those in power not to take you seriously. Those guilty of wrong-doing probably love you.

  3. I bring in serious issues of abuse at Rotherham and you lurch straight back to talking about me again.

    I suggest you use your undoubted expertise to go and do something worthwhile to help the increasingly powerless in society, rather than cultivating this worthless obsession that appears to be getting the better of you.

    • I am not obsessed with you, Paul. You turned up here, on my blog (which was not about you) and talked about yourself. You bring up irrelevant issues like Rotherham because you have no answer to legitimate criticisms I have made of you and your approach, criticisms I made only because you turned up here to publicise yourself and your blog.

      I do not want your approval for what I do; I just don’t pretend to be something that I am not. However, I should make the same suggestion to you about helping the powerless – because if you think that commenting on websites, tweeting at people who aren’t listening to you and making FOI requests about your personal obsessions improves the life of a single powerless person, you are even more deluded than I take you to be. The average care worker, social worker, or nurse does more for the powerless in a week than all of your sanctimonious bluster will do in a lifetime.

  4. Got as far as “irrelevant issues like Rotherham” and went no further.

    This kind of unaddressed horror show underlies everything you’re defending and promoting. Including the encroaching concealment your organisation is welcoming in on a daily basis as the Conservative party / gets active watering down our human rights and the ICO / judiciary our precious FOI Act.

    I’d say it’s high time you focussed on the real battleground, rather than positioning yourself for monetary gain at everybody else’s expense.

    • Of course you got no further. How could you expose yourself to the truth about the pointlessness of what you’re doing, compared to the hard work of thousands of public sector employees that you routinely disparage, which actually does make a difference? You’re not on a battleground, you’re sitting behind a keyboard, shouting at the wind. I’m not defending or promoting anything. I’m calling out a hypocrite who pretends to care about others. You can and will keep lying about what I’m saying, which is fine, because I’m not important and I don’t mind if an angry man with time on his hands misrepresents my views. However, I do object to the idea that you’re helping anyone. It’s the army of decent, hard-working people (people you insult and demean because they have the temerity to earn a living in organisations you disapprove of) who make a difference to the powerless and keep what remains of society going. Web comments like the drivel you keep dishing up here feed no-one, clothe no-one, empower no-one. They just give you something to do. If you cared about others, you’d be out there doing something, not trying to score points off someone like me.