Small change

Some senior figures in the charity sector have sought to deal with the Information Commissioner’s recent enforcement against the RSPCA and the British Heart Foundation by suggesting that the ICO’s action is disproportionate and unfair. The fundraiser (sorry, academic) Ian MacQuillin has written two blogs which touch on the theme, while a few days ago, Robert Meadowcroft, the Chief Executive of Muscular Dystrophy UK, tweeted:

If the is impartial regulator it will investigate practices of and not simply pursue charities

As 2016 is now disappearing over the horizon, I thought it was worth testing the hypothesis that the ICO is taking disproportionate action against charities, and that the fines and other enforcement against charities are unrepresentative. TL;DR – it’s complete nonsense.

In 2016, the ICO issued 34 civil monetary penalties – 11 under the Data Protection Act, and 23 under the Privacy and Electronic Communications Regulations (PECR). There are a number of different ways of looking at the figures, and none of them show any evidence of disproportionality.

1) Charity CMPs as a proportion of the total in 2016

Of the 34 penalties, 2 were against charities, so 6% of the ICO’s CMPs in 2016 were against charities.

2) Amount charities were fined, as a proportion of the total in 2016

The CMP total was £3,225,500. The total of CMPs issued against charities was £43,000. This is 1.3% of the total.

3) Proportion of Data Protection CMPs issued to charities in 2016

If you look only at the CMPs issued under Data Protection, the charity proportion is not insignificant: there were 11 DP CMPs, so the 2 charity CMPs are 18% of the total, the same as the police, 1 more than councils, but fewer than the private sector or the NHS (3 each). However, this is the only comparison where charities feature significantly, and even here they are not the dominant sector. The next two comparisons are also instructive.

4) Proportion of PECR CMPs issued to charities in 2016

None. This is despite widespread breaches of PECR by charities, including phoning donors who are on TPS and sending texts and emails without consent (for example, the vast majority of mobile numbers gathered via charity posters in 2016 were obtained in breach of PECR).

5) Proportion of CMPs issued for marketing related activities in 2016

There were 21 PECR CMPs related to marketing and 2 DP CMPs related to marketing, making 23 marketing CMPs in all. 2 were against charities, which is 8.7% of the total. Given the big charities’ disastrous approach to marketing, this relatively small number is astonishing.

6) Level of CMPs in 2016

The average DP CMP was £108,500; the average charity DP CMP was £21,500.

The average PECR CMP was £84,666.75; there were no charity PECR CMPs.

The highest DP CMP was £400,000; the highest charity DP CMP was £25,000.

7) Other enforcement in 2016

There were 22 enforcement notices issued by the ICO in 2016, 8 under DP and 14 under PECR. 1 of the 8 DP enforcement notices was against a charity, which is 4.5% of the total, or 12.5% of the DP enforcement notices. Either way, it is a small percentage of the total. Again, if you count the number of marketing related enforcement notices, there were 15, of which 1 was against a charity. This is 6.7% of the total.

8) CMPs since 2010

There have been 69 DP CMPs since 2010 that I can find (they drop off the ICO’s website after a few years); 4 were issued against registered charities, which is 5.8% of the total. The average DP CMP was £114,163, whereas the average charity DP CMP was £78,250. It is worth noting that these figures are slightly skewed by the £200,000 penalty against the British Pregnancy Advisory Service, which is a registered charity but receives most of its funding from the NHS.

The CMP against the British Heart Foundation was the 8th lowest CMP overall, while the CMP against the RSPCA was the 9th lowest. The only organisations to receive lower penalties than the charities were small businesses, unincorporated associations, and a bankrupt lawyer.

There have been 47 PECR CMPs that I can find since 2012; none have been issued against charities, which is 0% of the total.

Conclusion

These figures will likely be different in 2017. The ICO has signalled that more DP enforcement against charities is coming, and so the proportion of DP penalties may rise when the totals are in, but that depends on a variety of different factors including the number of other penalties and the ICO’s general approach. However, when you look at the facts for 2016, MacQuillin and Meadowcroft are wrong. Despite the charities’ years of ignoring the Data Protection and PECR requirements in favour of a flawed, fundraiser-driven approach, the ICO has not taken disproportionate action against them. The action taken is a small percentage of the overall total. Special pleading and blame-shifting will not help the sector. Compliance with the law will.

Compliance unlikely

The Information Commissioner has issued a consultation about the way it deals with complaints from the public under Data Protection. Like virtually everything that issues from Wilmslow, it is written in congealed corporatese, using lots of words to convey a very simple idea. The idea in this case is that the ICO wants to start ignoring more individual complaints, and concentrate on what it considers to be strategic priorities. The method they have chosen is to rebrand complaints from the public as ‘concerns’. Instead of automatically doing assessments of compliance, the ICO wants to log complaints and target the most recalcitrant organisations and the most persistently difficult issues.

Complainants who haven’t taken their problem to the Data Controller first can expect short shrift. Complainants whose DP problem is merely a peripheral part of a customer service problem may be ignored. The Commissioner’s objective is to log complaints and aim its enforcement powers against those who deserve it.

This is not an unreasonable aim. Many regulators – OFCOM, the old Financial Services Authority – don’t seek to resolve the cases of individual complainants but instead identify industry issues that need attention. This consultation is a sign that the ICO wants to be a regulator rather than an ombudsman. I worked at the ICO more than 10 years ago, but I’ve spoken to a lot of people who worked (and still work) there since I left, and many complain about the amount of time spent dealing with aggrieved individuals with no worthwhile outcome.

I don’t argue with this idea. My problem with the consultation is that the ICO is currently incapable of doing what it aspires to. Too many people working at the ICO have blinkers on – obsessed with data security incidents in the public sector to the exclusion of almost anything else. I’ve blogged incessantly (and my apologies, tediously) about Wilmslow’s lack of attention to fairness, accuracy, subject access, retention and a huge range of other important issues. Everyone except the ICO itself knows that they won’t take on the private sector, or anyone willing to put up a fight. Getting Google to sign an undertaking that they then breach is better satire of the ICO’s approach than I could think up.

Regulators should be feared. They should be respected but they should not be liked, and yet the ICO’s ingratiating attitude to Data Controllers is exemplified by the fact that they have an entire department (Strategic Liaison) devoted to making friends with Data Controllers and keeping them on side. Indeed, even though the proposed changes in this consultation chiefly affect complainants, the Commissioner is only interested in asking what the Data Controllers think about them.

There are other problems. The idea of logging complaints to make enforcement decisions is an attractive one until you remember that this is what the ICO claims it does with FOI. The Cabinet Office has been diligently ignoring an FOI request I made to them in September, and my complaint about this has been logged. The idea that there is a critical mass of such complaints that will make the ICO roll out the big guns is delusional. The ICO will not take on the Cabinet Office in a strategic way. They will not take on the banks. They will never take meaningful enforcement action against an organisation like the big tech companies.

There are also problems with treating complaints as ‘concerns’. Nobody goes to the ICO thinking that they are joining a massive game of regulatory Tipping Point, contributing their problem to a greater whole with no expectation of getting satisfaction. The ICO has thick layers of management – team managers, group managers, department heads, Deputy Commissioners. I have never worked in or for a management-heavy organisation that could make agile, bold decisions because everyone is always looking over their shoulder. ICO managers I have encountered have been indecisive and risk averse, deferring to the loudest voice. The consultation document says “We will not engage in protracted correspondence once we have explained the position” but that requires grit. As a complainant and as a data protection officer, I have had decisions reversed simply by being more obnoxious and obstinate than the other side. I suspect that there are many in the ICO who will back down and try to placate angry complainants, rather than log their complaint and tell them to go away.

But to look at it from the complainant’s perspective, we see the biggest problem of all, one that the consultation even acknowledges. It says “We may make an assessment under section 42 of the DPA where we think this adds value or where the customer has asked us to do so.” The ICO doesn’t actually have a choice about whether to make assessments. They have actually tried this before – the old request for assessment form was changed to a ‘complaint form’ in a bid to do something very similar to what’s afoot here. Anyone remember something called the ‘Robust Approach’? The FOI side of the business had a process of ‘withdrawing’ complaints on behalf of applicants where a request hadn’t been answered until complainants pointed out that they didn’t have the power to do this.

Section 42 obliges the ICO to make assessments of Data Protection compliance. Telling complainants that what they’re doing is expressing concerns is patronising and it won’t work with precisely the most persistent complainants they’re probably trying to deal with.

This consultation is a mess. The ICO is telling complainants that their ‘concerns’ are no longer the priority, but if they start to adopt this approach, the spotlight will be even more on the action that they do take (or in practice, don’t). If they’re not there to represent the public – an argument which has some merit – but they retain their tendency to suck up to ‘stakeholders’ and collapse when faced with anything like opposition, they’ll be faced with a difficult question. What are they for?

 

This is my last blog of the year, and I will be disappearing from Twitter and the blog for a short while to enjoy a complete break from Data Protection, FOI and work in general. I will be back in the New Year with blogs about ACPO, Direct Marketing, the Police and the Badger cull, the Cabinet Office and no doubt the usual jibes at the ICO. Whether you view Christmas as a religious festival or – like me – a traditional holiday to drive out the dark and the cold, I hope you have the opportunity to relax, indulge and reflect. See you in 2014.

KLF Revisited*

On June 1st 2012, the Chief Executive of Brighton and Sussex University Hospital Trust, Duncan Selbie, gave a statement about the threatened ICO Civil Monetary Penalty of £325,000 for a Data Protection breach involving the insecure disposal of hard drives by a subcontractor. In the statement, Mr Selbie said the following:

In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.

Despite these stirring words, the Trust paid up shortly afterwards. Unaware of another FOI request on WhatDoTheyKnow that had already revealed the crucial information, I made my own request to the Trust a few weeks ago about various aspects of the case, including whether they had paid for external advice. Several public bodies have told me that they were tempted to challenge their CMP, but the cost put them off. Given Brighton’s later statement that they were “not prepared to incur further costs“, I guessed that they must have been paying someone, and wondered how much they had paid out. Much of my request was refused, but one answer they did give me was that particular fact.

Brighton paid £168,259.59 in legal fees to Field Fisher Waterhouse up until the point that they paid the penalty, and £10,000 to a barrister. As well as the CMP itself, Brighton paid out an extra £180,000, with nothing to show for it. When the story was originally leaked to the local press in January, the CMP was supposedly £375,000, so the best that can be said is that they shaved off £40,000 (£50,000 minus the 20% discount they got from paying on time). The Interim Chief (who replaced Selbie) stated when the penalty was paid that “We have made repeated attempts over the past six months, most recently last week, to reach a settlement that recognised that errors were made but no harm arose, all of which have been rejected by the Information Commissioner’s Office”. If this was what FFW were being paid to handle, is it possible that £180,000 of public money was spent trying to spare the Trust’s blushes?

You will think me self-serving for saying so, but I think that any organisation that finds itself in this pickle could find better things to spend public money on. For starters, they would have saved a fortune by paying up and doing nothing else. However, I think I speak on behalf of all of my competitors when I say that if you want to spend money in response to a Data Protection incident, the only way training and consultancy will cost you £180,000 is if the training sessions are accompanied by the London Symphony Orchestra, the sandwiches are provided by Ferran Adria and the training rooms are decorated by Elton John’s florist.

Stewart Room is possibly the most high profile of FFW’s lawyers and in a recent blog on CMPs he claimed that they are “stupid” and an “inefficient waste of time and money“. I believe that Room’s take on CMPs is wrong, but in any case, it’s difficult to accept lectures about where public money ends up in a CMP case from someone whose firm trousered the thick end of two hundred grand of it. Given his concern about keeping public money “in the public body“, one can only assume Room refused to have anything to do with the Brighton case. Just to recap the details, Brighton had an out-of-date service level agreement with their contractor (para. 4 of the CMP notice). They let a man into a secure area of their building without – it appears – knowing he was an unpaid subcontractor (para. 5). From the notice, it’s not clear who they thought he was when they let him in, and they did not obtain proper evidence of destruction of the hard drives from him (para. 6). The individual managed to remove 200 hard drives containing information about people’s sexual health without Brighton knowing (para. 11). And of course, all of this mess happened because Brighton were operating a system where sensitive personal data of the most confidential kind was being stored on 1000s of hard drives, which may be a bigger breach than the one that alerted the Commissioner. If these are ‘appropriate technical and organisational measures’, I am a banana. Unlike so many CMPs, this was not human error underpinned by the absence of some policy or training; this looks like a complete system failure, for which the senior corporate level are responsible. A challenge to this CMP was unwinnable and should have been unthinkable.

But even if Brighton’s case had not been open and shut, the apparent cost of challenging a decision has to become a matter of public concern. Central London Community Healthcare NHS Trust is appealing their CMP at the Information Tribunal in December. Their case appears to have some merit and it’s very different to Brighton’s. But their penalty was £90,000, and within the 35-day deadline, they would have paid the discounted rate of £72,000. This is now lost. If they are using a legal firm of similar stature and hourly rate to FFW, that £72,000 may have already been swallowed, and they have set themselves a high bar to clear. They have to win, get the penalty overturned, and get their costs awarded against the ICO. Anything less than that is indefensible, even if they’re right. Needless to say, the same chap who asked Brighton about their costs has now asked CLCH the same question.

To win at the Tribunal on a security case, there are only two options. The breach is not the incident, so the organisation needs to show it has put all the necessary technical and organisational measures in place, and checked that they are being followed. Relatively few organisations can achieve this; they escape CMPs only because they don’t have incidents or they don’t tell the ICO about them. The only alternative to appropriate compliance would be to find some procedural loophole or flaw in the ICO’s process – paragraph 3.1.3. of the minutes of the ICO’s July Information Rights Committee suggest this might be a possibility. FFW employ the former ICO Head of Enforcement as a consultant, but even if he has some cracking inside information about the ICO process, was it really worth £170,000 to find out what it is? Beating a CMP on a technicality will not change the fact that an organisation has breached the DPA, and the combined expertise of all those involved at FFW didn’t seem to help Brighton do anything but back down.

Organisations should be able to challenge the ICO. FOI has proved time and again that the ICO is not infallible and Tribunal intervention is sometimes necessary to protect the public interest in non-disclosure as well as disclosure. Friends tell me that the cost of an FOI challenge is relatively low, especially on a paper hearing, and can often be justified. Challenging a vexatious request can even save money in the long run, given the amount of staff time that can be squandered on a run of requests that a Tribunal success can put a stop to (fingers crossed, Devon). Even Michael Gove’s misbegotten run at the Tribunal over private emails only cost £13,000 – a waste of money, but a snip compared to £180,000. If a CMP recipient with a decent case can challenge the ICO without huge cost, I’ll root for them all the way. It would be good to see the ICO’s CMP approach tested and a bit of embarrassment for Wilmslow is rarely a bad thing. But no matter how aggrieved the organisation may feel, good governance must put a low ceiling on legal costs. The subtle subliminal message of this blog may be BUY TRAINING NOT LAWYERS, BUY TRAINING NOT LAWYERS, but it could equally be a case for more IT security staff or DP staff, better IT systems, or more curious auditors. Had Brighton paid some contract lawyers earlier on, I would not be writing this, and I doubt the bill would be anything like the current figure.

Mr Selbie is now Chief Executive of Public Health England, but he still needs to explain why his public statement about public money is so at odds with the internal decisions made on his watch. Brighton has a management board, auditors, and regulators, all of whom have questions to answer about this mess. I spend much of my time on this blog excoriating the ICO and I also complain about the raw deal that local public authorities get at their hands, especially under DP enforcement. But this one is different – the ICO got it right, and the shocking thing about Brighton’s handling of the case is that in receipt of the biggest penalty in DP history, they contrived to increase it by more than 50%. In a time of austerity, that’s a heavy price to pay.

http://www.youtube.com/watch?v=i6q4n5TQnpA