PLC Public Sector reports:
It is a story that has been told many, many times. The Information Commissioner’s Office (ICO) reprimands a local authority for losing or mistakenly disclosing the sensitive personal data of staff or service users and the authority accepts a slap on the wrist, signing an undertaking promising to do better in the future. The problem is, however, that no matter how many wrists are slapped and undertakings signed, the constant flow of local authority data loss appears to continue unabated.
On 1 April 2010, the ICO was given new powers, including the power to impose financial penalties of up to £500,000 for serious breaches of the Data Protection Act 1998. The ICO has not been shy to use these powers to punish local authorities. Surely this should have provided the impetus to local authorities to put a stop to this? Well, it hasn’t.
The case for making the necessary changes to address these data security breaches is undeniable.
- Hertfordshire County Council was the first organisation to be hit with a fine (£100,000). The most recent offenders have been Croydon Council, which was fined £100,000 after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub, and Norfolk County Council, which was fined £80,000 for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.
- The ICO guidance on issuing monetary penalties makes it clear that it has the power to fine “all data controllers in the private, public and voluntary sectors”. However, a look at the list of the penalties imposed by the ICO makes worrying reading. To date, the ICO has imposed fines on 12 organisations totalling £1,021,000. Staggeringly, local authorities account for 10 of the organisations and £960,000 of the fines.
- If action is not taken, there is room for the picture to become even gloomier. The ICO guidance gives a very wide discretion over what it can take account of when assessing the appropriate level for a penalty, including specific reference to “whether the contravention was a ‘one-off’ or part of a series of similar contraventions”. If fines at the current level do not have the desired effect, there is considerable scope to increase them up to the current £500,000 limit.
This is all set against the background of the local authority finance settlement following the comprehensive spending review. Facing significant budget cuts, local authorities simply do not have the funds to pay these fines (the current average fine is the approximate equivalent of the salaries of two children’s services lawyers).
It is possible to make the argument that local authorities process particularly high levels of sensitive personal data and are, therefore, more likely to fall foul of the regime due to sheer weight of numbers, as opposed to a more fundamental sectoral behaviour issue. However, this isn’t a particularly strong argument, as there are “data rich” organisations throughout the public and private sectors that have, to date, avoided fines completely. For example, see the complete absence of NHS trusts or companies providing outsourced services to local authorities from the list of organisations fined.
What then for the future? Can local authorities bring about the behavioural change necessary to stop these data losses? The issue is very much in focus, with the ICO currently requesting further audit powers of local authorities and the Department for Communities and Local Government writing to all local authorities, imploring them to improve their performance in this area by taking steps such as appointing someone at board level to act as the senior responsible owner for data issues. If the answer does lie in working more closely with the ICO and undergoing a data security audit, local authorities may wish to note that, pending the grant of compulsory audit powers to the ICO, they can already get the ICO to undertake an audit by consent. This is a step that could be worth considering, especially as, if such an audit is undertaken but data is still lost, it is likely to play a part in reducing any fine imposed.
For those that think that there is an air of inevitability that local authority data losses will continue, another key message from the ICO’s guidance on imposing penalties is that the actions taken by an organisation that has lost data can have a significant impact on the level of the fine imposed. Our checklist on the steps that should be taken following a data loss should assist local authorities in this regard.
STOP PRESS: the ICO has today stated that Cheshire East Council has also been fined £80,000 for failing to take appropriate measures to ensure the security and appropriateness of disclosure when e-mailing personal information. This problem is not going to go away on its own.