ICO will 'aggregate' complaints to identify serial data protection offenders

Out-Law News | 30 Apr 2012 | 2:21 pm | 4 min. read

The UK's data protection watchdog is to pool the complaints it receives from consumers about the data protection practices of individual businesses in order to increase the level of regulator "action" it takes in the private sector, the Information Commissioner has said.

Christopher Graham said amassing the complaints against individual companies would enable the Information Commissioner's Office (ICO) to identify which companies repeatedly do not observe their obligations under the Data Protection Act (DPA), according to a report by technology news website ZDNet.

"The next phase for us is to make more sophisticated use of all the information we get in from consumer complaints, to analyse [it]," Graham said, according to the ZDNet report. "Not just to decide whether a breach is likely or unlikely under the Data Protection Act, but to aggregate some of the information we're getting to spot who are the serial offenders, which would build a case for action on more occasions in the private sector."

A spokesman for the ICO told Out-Law.com that the watchdog had "responded" to more than 12,000 consumer complaints about data protection issues within the past year, although a full breakdown of how many relate to the private sector will not be known until the ICO's annual report is published in July.

The spokesman said the "action" that Graham said the ICO could take after aggregating complaints could mean anything from requiring private sector firms to sign-up to 'undertakings' to improve their data protection policies and practices, issuing 'enforcement notices' requiring companies to desist from particular practices or issuing 'monetary penalty notices' - which the ICO can levy up to a total of £500,000 - for serious breaches of the DPA.

The ICO can also initiate criminal proceedings against individuals who commit offences under the DPA.

A report into information security by the accountancy firm PricewaterhouseCoopers (PwC) last week revealed that 45% of large businesses broke data protection laws last year as a result of security breaches. One in five small businesses lost "confidential data" as a result of a security breach, whilst only 18% of organisations that breached the laws "had an effective contingency plan in place".

"Most serious security breaches are due to multiple failings in people, processes and technology," a summary report (4-page / 338KB PDF) issued by PwC said. "Computer frauds, data losses and regulatory breaches (together with hacking attacks) were most likely to result in a very serious breach."

Graham said that data breaches were more harmful to the reputations of private sector businesses than they are to public sector bodies, according to the ZDNet report.

"For the companies of course, it's a much bigger deal than it is for a local authority or a health service organisation, because they lose consumer confidence — there's a real hit to the bottom line," Graham said. "If people are being blasé about [data breaches] then that's very stupid. Their reputation is a key asset."

Last week the ICO defended its policy of issuing fines after newly released figures suggested private sector organisations are issued with disproportionately fewer fines than local Government ones.

Statistics provided by the ICO to security and communications firm ViaSat under UK freedom of information (FOI) laws show that private companies were fined fewer times during a near-11 month period than public sector organisations.

The figures showed that between 22 March 2011 and 17 February 2012 private sector businesses reported 263 cases of personal data breaches to the ICO out of a total of 730 reported to the watchdog during this time. NHS bodies reported 178 cases with local Government organisations owning up to 166 personal data breaches throughout the period.

However, during those months the ICO issued just a single fine totalling £1,000 to a firm in the private sector. In the same period the ICO fined eight local councils a total of £790,000 over breaches of personal data.

At the time the ICO said it could only issue civil monetary penalties (CMPs) in accordance with certain conditions.

"Civil monetary penalties are part of a range of options that we use to protect the privacy rights of individuals, and ensure that organisations comply with the Data Protection Act (DPA)," the watchdog said.

“We can only issue CMPs where strict criteria are met - where the breach has caused substantial damage or distress to individuals or has the potential to do so, and in instances where the organisation was, or should have been, aware of the risk of a breach and failed to take reasonable steps to prevent it. We will always consider a CMP whenever these criteria are met, regardless of the sector the organisation falls into."

"Effective regulation is about getting the best result in the public interest. There are several types of enforcement action we can take, all of which help drive compliance with the DPA. The course we choose will always depend on the circumstances of the individual case,” it said.

The ICO has issued guidance on the procedures it follows when determining whether and how much to fine organisations. The guidance states that the watchdog will only impose a monetary penalty if it is "appropriate" to do so and at a level that is "reasonable and proportionate, given the particular facts of the case and the underlying objective in imposing the penalty".

Whether a penalty is reasonable and proportionate or even appropriate at all depends on "the particular facts and circumstances" of individual cases and the "representations" that organisations are permitted to make to explain the incident.

The ICO is obliged to write a notice of intent detailing the amount it proposes to fine organisations or individuals for serious breaches of the DPA and the reasons why. The notice must also set out the right of the body or person to make their representations in response. The ICO's guidance states that the representations can include "comment on the facts and views" of the Commissioner, "general remarks on the case" or details of their financial situation. The ability to pay is one of several factors that the ICO has said it considers when evaluating the level of penalty organisations should have to pay for breaching the DPA.

Following this stage the ICO reassesses the individual cases and serves a finalised monetary penalty notice, if it chooses to issue one, on the organisation or individual.

Principles of the DPA require, among other things, that organisations processing personal data do so fairly and lawfully and that they take "appropriate technical and organisational measures" to protect against "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".