Another fine mess

For those working in Data Protection, there are many interesting things to note about the forthcoming General Data Protection Regulation. There is the clarification of consent, which may send tawdry marketers into a spin. There is the tightening of the rules over criminal records. There is the helpful emphasis on risk. My current favourite thing is a sly anti-establishment streak – here and there, the GDPR returns to the theme of the power imbalance between the data subject and the big public institution, and seeks to even up the score.

For some, however, there is only one thing to talk about. All that matters is the fines. Fines fines fines, all day long. A conference held in London last week was Fine City as far as the tweets were concerned. COMPANIES MIGHT GO BUST, apparently. Meanwhile, the Register breathlessly reheated a press release from cyber security outfit NCC Group, featuring a magical GDPR calculator that claims ICO’s 2016 penalties would have been either £59 million or £69 million under GDPR (the figure is different in the Register’s headline and story, and I can’t be bothered to find the original because it’s all bullshit).

This is my prediction. There will never be a maximum GDPR penalty in the UK. Nobody will ever be fined €20 million (however we calculate it in diminishing Brexit Pounds), or 4% of annual turnover. There will be a mild swelling in the amount of fines, but the dizzy heights so beloved of the phalanx of new GDPR experts (TRANSLATION: people in shiny suits who were in sales and IT in 2015) will never be scaled. It’s a nonsense myth from people with kit to sell. I have something to sell, friends, and I’m not going to sell it like this.

I have no quibble with DP officers and IG managers hurling a blood-curdling depiction of the penalties at senior management when they’re trying to get more / some resources to deal with the GDPR onslaught – I would have done it. There is probably a proper term for the mistake NCC made with their calculation, but I’m calling it the Forgetting The ICO Has To Do It Syndrome. NCC say Pharmacy2U’s penalty would inflate from £130,000 to £4.4 million, ignoring the fact that the decision would not be made by a robot. Pharmacy2U flogged the data of elderly and vulnerable people to dodgy health supplement merchants, and ICO *only* fined them £130,000, despite having a maximum of £500,000. Of course, some penalties have caused genuine pain for cash-strapped public authorities, but when NCC say that their adjusted-for-GDPR Pharmacy2U fine represented “a significant proportion of its revenues and potentially enough to put it out of business”, they’re not adjusting their hot air for reality.

Take the example of a monetary penalty issued by the ICO in March against a barrister. The barrister was involved in proceedings at the Family Court and the Court of Protection, so her files contained sensitive information about children and vulnerable adults. Despite guidance issued by the Law Society in 2013, they were stored unencrypted on her home computer. While upgrading the software on the machine, her husband backed up the files to online storage. Some of the files were indexed by search engines, and were subsequently found by a local authority lawyer.

The ICO fined the barrister £1000, reduced to £800 if they paid on time. I don’t think all barristers are loaded, but most could pay a penalty of £800 without going bankrupt. £800 isn’t remotely enough for a breach as basic and avoidable as this. The aggravating factors are everywhere – the Law Society guidance, the lack of encryption, the fact that the husband had access to the data. If the ICO was capable of issuing a £4.4 million penalty, they’d fine a barrister more than £800 for this mess. And what’s worse, they redacted the barrister’s name from the notice. The ICO offered no explanation for this, so I made an FOI request for the barrister’s name and for information about why the name was redacted.

They refused to give me the name, but disclosed internal correspondence about their decision to redact. There is a lot in the response to be concerned about. For one thing, in refusing to give me the name, the ICO contradicts its own penalty notice. The notice describes an ongoing contravention from 2013 (when the Law Society guidance was issued) to 2016 (when the data was discovered). Nevertheless, the FOI response states that “this data breach was considered a one off error”, and a reference to this characterisation is also made in the notes they disclosed to me.

If it was a one-off error, ICO couldn’t have issued the penalty, because they don’t have the power to fine people for incidents, only for breaches (in this case, the absence of appropriate technical and organisational security measures required by the Seventh Data Protection principle). Given that the notice states explicitly that the breach lasted for years, the ICO’s response isn’t true. It’s bad enough that the ICO is still mixing up incidents and breaches four years after this confusion lost them the Scottish Borders Tribunal appeal; it’s even worse that they seem not to understand the point of fining Data Controllers.

In the notes disclosed to me about the decision to redact the notice, ICO officials discuss the “negative impact” of the fine on the barrister, especially as she is a “professional person who is completely reliant on referrals from external clients”. Despite the Head of Enforcement putting a succinct and pragmatic case for disclosure: “it is easier to explain why we did (proportionate, deterrent effect) rather than why we didn’t”, he is unfortunately persuaded that the most important thing is to “avoid any damage to reputation”. Bizarrely, one person claimed that they could “get the deterrent message across” despite not naming the barrister.

The GDPR requires that fines be “effective, proportionate and dissuasive” – an anonymous £800 fine fails on each point. Anyone who takes their professional obligations seriously needs no horror stories to persuade them. For those who do not, an effective, proportionate and dissuasive penalty is either a stinging fine or naming and shaming. The ICO had no appetite for either option, and effectively let the barrister get away with it. They valued her professional reputation above the privacy of people whose data she put at risk, and future clients who will innocently give their confidential and private information to someone with this shoddy track record.

If the NCC Group, and all the various vendors and GDPR carpetbaggers are to be believed, within a year, the UK will operate under a regime of colossal, multi-million pound fines that will bring errant businesses to their knees. In reality, the ICO cut the fines on charities by 90% to avoid upsetting donors, and rendered their enforcement against an irresponsible data controller pointless for fear of putting her out of business.

These two pictures cannot be reconciled. It is entirely possible for the ICO to put someone out of business – indeed, many recipients of their PECR penalties are forced into liquidation (this may be a ploy to avoid the fines, but nevertheless, the businesses close). But the majority of PECR penalties are issued against businesses operating on the very fringe of legality – they are not mainstream data controllers. They are not nice, professional barristers. They are not the audience for the Great GDPR Fine Hysteria. If the ICO cannot stomach the risk of putting a single barrister out of business pour encourager les autres, it is disingenuous to pretend that they will rain down fire on mainstream data controllers after May 2018. We’ll get more of the same – cautious, reactive, distracted by the incident, and unwilling to take aim at hard targets. Plus ça change.

We Take Public Relations Very Seriously

This week, the Information Commissioner’s Office issued its latest Data Protection civil monetary penalty, a £150,000 fine on Greater Manchester Police following the theft of an unencrypted pen-drive. The police perspective was available via the Manchester Evening News, in a comment from Assistant Chief Officer Lynne Potts:

This was very much an isolated incident. We take all matters relating to the storage of data very seriously and have stringent measures in place to ensure the safe storage of data.

I was the Data Protection officer in an organisation that suffered a DP breach. These were not the days of hundred thousand pound CMPs, but we were still under a lot of pressure and the local media circled around the story with thinly disguised glee. You couldn’t blame them – a stolen laptop is a lot more newsworthy than the usual fodder of shed fires and pub fights. Throughout, our PR department’s aim was to put forward the corporate perspective and try to see that what was reported was accurate. The only disagreement I had with them during the whole process was when the first press statement was issued about the incident. It was entirely unobjectionable, apart from one thing. They wanted to say at the end: “We take Data Protection very seriously”.

I thought it was a stupid time to say this. The current evidence was that we didn’t and the public would be entitled to point this out. The sentence would be more accurate if it read “We usually take Data Protection very seriously” or “We take Data Protection very seriously, but not seriously enough on this occasion”. I felt that a simple statement about what had happened and what we were doing about it was the right approach. Anything else was like the PR Department of Chernobyl shooting out a press release one day after the isolated incident about how seriously they take nuclear safety. But I was told that it is vital in PR terms to include what was described as the “reassurance statement”.

I don’t know if this term is widely in use, but the technique is evident everywhere. Every time some Data Protection or Privacy SNAFU comes sliding into view, it will be followed by the reassurance statement. We may have sent your private information to someone else, stored it on an unencrypted device, published it on the internet, or left it down the side of your house. We may have put it on hard drives that we asked a sub-contractor who we don’t know to dispose of for free. We may have loaded data about nearly half of the population onto CDs and lost them somewhere. We may have driven unwelcome around streets slurping up your emails via Wi-Fi in every country that has roads. But We Take Data Protection Very Seriously.

I’ve rarely been to an organisation that didn’t give a toss about Data Protection. The quality of compliance varies wildly, the understanding of its implications even more so. In my experience, DP is not the same as FOI, where the reassurance statement of “I’m a big supporter of FOI / transparency” is sometimes just a barefaced lie – a bit of Pinocchio magic could have turned some of the Justice Select Committee’s post-legislative scrutiny into a jousting match. Organisations generally do take DP seriously, but when things go wrong, they find it very difficult to admit that a serious mistake has been made, and they’ll do their best to put things right.

If the statement said “We’re really sorry about this cock-up, and we’re going to do lots of practical things to see if we can stop it from happening again, or at the very least, make it less bad if it does”, I would not be writing this blog, and I would be much more reassured that GMP takes all matters relating to the storage of data very seriously.

If the “isolated incident” is the one where the officer left his back door open, a man walked into his house and stole his car keys, his wallet and then his car, and the wallet contained an unencrypted pen-drive containing the names and other identifiers of members of the public who had reported concerns about drug-dealing to the police, then yes, I’ll buy that. I bet that doesn’t happen every day. But if the isolated incident is the unsafe storage of data, which GMP takes “very seriously”, then Potts’ statement (which I assume was written by someone in PR) is anything but reassuring. The Information Commissioner’s monetary penalty notice makes clear that an amnesty that took place in the force after the incident recovered more than a thousand unencrypted devices, and a previous similar incident in 2010 had not led to improvements in data security. The unencrypted drive wasn’t an isolated incident; it was evidence of a systemic problem with data security that affected the entire force.

Most of the time, the ‘Very Seriously’ press statement is harmless bullshit. It’s just a sentence on the end of a press release, something to fill the space between the adverts. But combined with the nonsense about an ‘isolated incident’, GMP’s words ring hollow. Either they don’t understand what they’ve been fined for or they’re trying to massage the truth to avoid an embarrassing headline, which turns out to be a complete waste of time and insults the intelligence of readers. A glance at the comments on the MEN news story suggests that no one was convinced, although one contributor perhaps left logic behind in the midst of their outrage: “Someone high up in the force is ultimately responsible. They should be dealt with. Hung, drawn and quartered, then put before a court.”

Compared to the delusional hubris of the most reckless CMP recipients, GMP’s PR waffle could have been a lot worse. I would bet that there are people in the force who, behind this smokescreen, are diligently putting things right if they haven’t done so already. But in every organisation I have ever worked, there have been far more PR officers than Data Protection or IG staff and I bet that GMP is the same. Perhaps some of those people could be more usefully employed taking action to prevent problems, rather than reassuring us about how seriously those problems are taken.

UPDATE: in the same week, an unfortunate incident is reported to have afflicted a housing organisation (to be fair to them, it’s as likely to be human error as anything else). But what do we find in their statement?

This is not fine

The Chief Executive of Brighton and Sussex University Hospitals NHS Trust has come out fighting. Having just received a record £325,000 civil monetary penalty for DPA breaches, Mr Duncan Selbie has declared that he doesn’t understand what is going on, and he will appeal the CMP forthwith. There is a small part of me that hopes he is right. If I ever get my wish to retire to the Flanders countryside to run a microbrewery, first brew out of the garage will be one called Schadenfraude. The spectacle of the ICO enduring an epic reversal would not be unenjoyable.

Mr Selbie may miss the Tribunal as he is leaving the Trust to take over a new quango called Public Health England (one can only hope he maintains the same high standards in his new role). Meanwhile, someone else will presumably step up to refute the ICO’s case with a fully-worked out contract signed by the Trust and its contractors, setting out exactly what security measures they were to employ, and how they deal with subcontractors. They will thrill the Tribunal with records showing that they knew exactly who the chap who spirited 252 hard drives out of his premises was, that their tight security was foxed only by means of a Mission Impossible rope trick, and the precision with which the Trust checked how their requirements were being carried out will make passing watchmakers weep with envy.

On the other hand, if the defence really is the current line of A Big Boy Did It And Ran Away, one can only fear for Selbie and the Trust’s brass neck when the scrap metal thieves get wind of it. For the record, when this one is resolved, my money is on the Information Commissioner popping corks from bottles called I Told You So.

The facts in the notice are these – and unless Brighton disputes them, they should follow their own corporate rules (two of which are ‘lead not blame’ and ‘solve not excuse’) and just pay the fine. The contract between Brighton and their main contractor SHIS had expired. In any case, it did not set out security requirements that SHIS had to follow, and did not prevent SHIS from using a subcontractor. Brighton apparently did not even know that SHIS used one. This suggests that when the subcontractor came into their premises and took away at least 252 hard drives, Brighton did not know that he was a subcontractor – in a sense, they did not know who he was when he was in their building, taking away their patients’ precious data. No alarm bells rang when the subcontractor was willing to dispose of thousands of hard drives unpaid. Even when the breach was first pointed out to them, the Trust was unable to recognise its true scale.

The ICO is not beyond making a mistake. If these are not the facts, they owe Mr Selbie and his Trust an abject apology. But if they are right, Mr Selbie’s claim not to understand why his organisation has been punished is remarkable and worrying. A third party with no contract was able to enter a Trust building and take hundreds of hard drives unnoticed, even though nobody really knew who he was. If the organisation was so reckless with its money, I doubt he would be so bumptious. However, this apparently complacent approach is effectively the same thing. No amount of shroud waving about what they could have spent the penalty money on makes any difference. The cost of avoiding this shambles altogether would have been tiny by comparison. The cost of creating a framework sufficiently robust to prevent the ICO from being able to argue that the incident could have been prevented – even if it had happened – would have been even smaller.

Here’s what they needed to do:

  • Have a clear contract with their contractor, putting them under obligations to look after personal data properly
  • Ensure that the issue of subcontractors was properly dealt with – either forbidding them or requiring any subcontractors to be put under the same obligations
  • Obtain evidence periodically that the above was being complied with

Anybody could have done these things, and every day, thousands of organisations large and small do just that. If they had done these things, the CMP would be misconceived. If they haven’t done these, the incident is appalling and their reaction is even worse. Any attempt to appeal without evidence of the proper contracts and checks in place – especially as an appeal will require them to pay for legal representation and commit further time and resources – would be a scandal.

An organisation must be allowed to defend itself robustly when the ICO comes calling, especially as some of the recent CMPs have focussed on mishaps that could happen in any organisation. I’m not convinced that having work documents in your bag in the pub when it is stolen should carry a £100,000 price tag. I think the Commissioner sometimes hits another CMP target by over-egging the link between an email sent to the wrong place and a missing policy that may not have made any difference. But the account given of Brighton’s apparent inaction distinguishes it from many of the other CMP cases. It’s why the ICO’s blinkered focus on security breaches is sometimes absolutely right.

If these facts are correct, this punishment is entirely justified. It sounds like a systematic corporate failure, not a one-off cock-up, precisely what the CMPs were designed for. Having inadequate contracts that allow uncontrolled strangers to access the most private and sensitive of health information is very different to sending an email to the wrong recipient. I enjoy a bit of ICO-bashing more than most, but they have it exactly right here. Mr Selbie should show real leadership, by apologising for this shambles and taking his medicine.