Should staff, not the taxpayer, pay fines for public sector data breaches? This is a question posed by UKauthorITy, a publisher of IT-related news for the local sector. It quotes the TaxPayers’ Alliance:
Of course people in these situations should be held personally liable as if the council is fined, then that fine is paid for out of the local council taxes. In essence it is a double tax – once for collecting/storing the data and again for losing it.
Should staff, not the taxpayer, pay fines for public sector data breaches?
Grant Taylor, UK VP of CryptZone is agin the idea of fining the staff rather than the organization, and puts forward a strong case. “If the penalties are applied to nominated senior managers in the relevant NHS trust, council or other government agency – as is the case with corporate responsibility, for example within transportation authorities – then the public sector could be forced into building liability insurance remuneration into management salaries, as has been required by medical professionals for some time,” he argues. This will simply have the effect of “moving the cost of data breach penalties across the government spreadsheet – with the taxpayer continuing to foot the bill.”
Grant believes that education and open discussion are the solution. “But to reduce the argument to individual ICO penalties within the workforce would only result in the departure of the most talented member of staff – who will be streamed off into the private sector – with predictable results. This is what makes this argument something of a non-starter in our opinion,” he concludes.
I sort of agree; but I don’t think education will ever be enough to protect our data. The bottom line is that the current arrangements just are not working. Personal data continues to be lost, councils are fined, and the ‘double tax’ described by the TaxPayers’ Alliance is a reality. But potential remedies exist, and always have existed, without any action from the ICO. It is the concept of responsibility – when things go wrong, there is always someone at fault.
Consider this. Organizations will have procedures that are part of the security policy and part of the employment contract. If these procedures are followed, then data will not be lost. If they are followed and data is still lost, then the author of the procedures is responsible because he or she simply didn’t do the job properly. If the procedures are not followed and data is lost, then the person who loses the data is responsible because he or she didn’t follow procedures. Because the procedures are part of the employment contract, failure to follow them is a disciplinary offence. It’s not a case of the ICO fining individual staff, it’s a case of the organization sacking staff who haven’t done their job.
The advantage of this simple approach is that it doesn’t frighten off good staff (good staff will always be confident in their own abilities), but it does weed out poor staff. And it doesn’t cost the taxpayer an additional penny.
There are even in-built safeguards in this approach. Organizations always have bullies. Middle managers at fault will generally blame their staff. But that’s why we have employment protection laws and tribunals. If a scapegoat is selected and sacked to protect a manager, that scapegoat has recourse to the law. So we don’t need to fine individual staff or the organization. We don’t even need the ICO. We just need to do what we always could do: in the event of a data breach, the person responsible should automatically be sacked.
PRC, the Privacy Rights Clearinghouse, has launched a new online complaints form. It is a model of clarity and simplicity – but only for Americans.
We in the UK, of course, have our own Information Commissioner’s Office, to which we can make similar complaints on breaches of privacy. It is not a model of clarity or simplicity. To be fair, the site says that “some of our online complaints forms are undergoing development. In the meantime, please choose from the following options…”
Those options involve the good old-fashioned Word document that you download, print out, fill in and post or scan and email back to the ICO. My hope, but not expectation, is that the ICO takes a leaf out of the PRC’s book, and develops an online model of clarity and simplicity for future complaints.
One other current difference:
PRC: “The PRC’s staff will review and respond to every complaint, providing individuals with information and strategies to address their problem.”
ICO: “Please note: our automatic email response system is not currently working…”
Sometimes you just have to laugh for fear of crying. The Information Commissioner’s Office (ICO) strategy for 2012 makes me do just that. It is a 17-page, purple-prose, self-aggrandizing Declaration of Independence, declaring itself to be independent of political, public and media pressure. It should simply say that ‘we will uphold the law in our role defined by the law.’
But it doesn’t do that. It seems more concerned to distance itself from the letter of the law by defining its own interpretation of the law, and to align itself with that interpretation. It has, in short, evolved an overblown idea of its function, which it attempts to define in this rather long and mis-titled public-relations document. I give just a few examples:
we will neither be exclusively an educator nor exclusively an enforcer. We are both, even though we prefer to deliver our desired outcomes through help and encouragement rather than force. This means we are primarily a facilitator…
In the time-honoured liberal tradition it has failed to understand that facilitation is delivered by enforcement, not enforcement delivered by facilitation.
We cannot address all risks to the upholding of information rights equally nor should we attempt to do so.
Yes it most certainly should attempt to address all risks to the upholding of information rights equally.
we will treat all cases that come to us fairly and properly but not necessarily pursue them with equal vigour.
This is perhaps one of the most worrying comments. The ICO is declaring that it will decide, arbitrarily, whether your complaint is worth its attention. Not the law, not the judiciary, not parliament, not you, but its own self will pre-judge a case and decide whether or not to pursue it with vigour.
we will devote particular effort to investigating, analysing and ultimately enforcing in those cases that we see as contributing most to the delivery of our desired outcomes and not just those presenting the biggest risk…
Not just those presenting the biggest risk. It really does say that it, the body responsible for enforcing the Data Protection Act, is not necessarily going to spend its effort on the biggest risk.
Laugh or cry? You decide.
I was pretty damning of the ICO in my post outlining Alex Owens’ witness statement to the Leveson Inquiry (looking into the phone hacking scandal). You can read that here: Something rotten in the state of the Information Commissioner’s Office – will Leveson act?
Well, surprise, surprise. Richard Thomas doesn’t remember it.
The informal meeting to which Mr Owens refers took place in this instance because (understandably) the team wished to share the nature and scale of their success with me. I recall that meeting as the occasion when I was informed about the volume and nature of the materials – the “treasure trove” – which had been discovered. I recall congratulating Mr Owens and the team for a job well done. I do not, however, recall any course of action being formally or informally recommended by Mr Owens or anyone else, let alone being “bemused”. Specifically, I do not recall any proposal, on that or any other occasion, that any journalists – nor indeed any other customers of Steve Whittamore and his associates – should be investigated. I do not recall even any suggestion that any further investigations were under consideration. One of my central memories of that meeting is a recognition of the challenge presented for a very small team by the sheer bulk of the evidence, without any suggestion that even more should be obtained. I do not recall whether Francis Aldhouse was at that meeting, but I do not ever recall hearing the words attributed to him.
…I do not have any recollection or awareness whatsoever of preventing any Investigating Officer…
…Nor do I have any recollection of making any later “decision” or issuing any sort of instruction…
…Nor was I aware at any time of any grievance…
…Although I cannot recall any discussion…
Fourth Witness Statement of Richard Thomas CBE
That’s the defence. And now the attack:
Mr Owens has made a number of allegations about me and the ICO. It is therefore necessary for me to alert the Inquiry to the fact that there were a number of performance, disciplinary and grievance issues between Mr Owens and the ICO…
It’s all so predictable that any media relations person could have written it for him without ever needing to speak to him. The difference is that Owens states things happened, while Thomas doesn’t deny them, just can’t remember them.
We take our responsibilities under the Data Protection Act very seriously, having in place robust procedures to meet our obligations.
Sound familiar? It’s the standard response from an organization that has just failed in its responsibilities under the Data Protection Act – and we’re hearing it all too often, and all too often from a local authority. This is Bolton Council, who left children’s files in a car that was broken into.
A report in This Is Lancashire states that
…it is also believed the files should not have been removed from the office by the worker, who has now left the council.
Probe after children’s files stolen from car
First comment: if files were wrongfully removed from the office, then the ‘robust procedures’ clearly ain’t robust.
Second comment: the worker could have been a contractor who has left at the end of the contract. More likely, I suspect, it was a full-time employee. In which case, that he or she has left the council means one of two things: either it is an admission of guilt followed by an accepted resignation; or it is obvious guilt followed by dismissal. Resignation should not be accepted: loud and painful dismissal would reinforce the message that such behaviour is unacceptable.
But this bit makes me weep. The council also stated:
At the same time we also voluntarily chose to alert the ICO of the situation and will take their recommendations on board, should there be any.
The tone is hardly contrite. Bolton seems to be seeking kudos for reporting a disaster, will listen to a telling-off from the headmaster, but doesn’t seem to think there should be one. This has to change. The ICO must find some way to seriously hurt the people responsible, council management, without hurting the public taxpayer.
The problems with employing an ex-copper, especially a senior ex-copper, are twofold. Firstly, he has a pretty good idea of what will and will not make a successful prosecution; and secondly, he is well-versed in giving evidence from recorded notes. The danger comes when those notes are turned against you. Richard Thomas, the previous incumbent as Information Commissioner, must now be regretting he ever employed Detective Inspector (retired) Alexander John Owens as an investigator.
The story effectively starts in 2002. The Devon and Cornwall Police had become concerned that serving and retired officers were illegally accessing the police national computer and selling the data to a private detective. The police intended to search the premises of the detective agency and expected to find evidence relating to the Data Protection Act. They invited Mr Owens, as an investigator with the Information Commissioner’s Office, to assist – and he did so.
The result of the search was the seizure of a large amount of paperwork. Early examination of this paperwork led to the initiation of Operation Motorman (so-called because of illegal accesses to DVLA records). Its purpose was to identify corrupt sources at the DVLA, and the detective agency’s ‘customers’ who had commissioned the actions.
One request to the detective agency was for a ‘protected number’. It came from Stephen Whittamore. In March 2003, Mr Owens and four other ICO investigators executed a search warrant at Whittamore’s home. It rapidly became clear that he “worked on a full time basis for numerous newspaper groups and journalists obtaining a variety of information for them. This ranged from ‘previous convictions’ (CRO checks), VRM checks, Ex directory telephone numbers, mobile phone numbers, telephone number conversions and even ‘family and friends’ lists.”
On analysing the seized data, Owens decided that it would be impossible to interview all the ‘victims’, and that the best course of action would be to work on a select pool of 25/30 prosecution cases. From this basis he would be able to proceed with an overall ‘conspiracy to breach the Data Protection Act’ incorporating all the parties involved. This he did, using his police experience to protect the data and obtain legal counsel. Counsel agreed that ‘conspiracy’ was the best route.
And then came the heavy hand of Richard Thomas, the Information Commissioner. Owens was informed that he was “not to make contact with any of the newspapers identified and we were not to speak to, let alone, interview any journalists. Despite our protests we were told this was the decision of Richard Thomas and that he would deal with the press involvement by way of the Press Complaints Council. It was at this moment we knew no journalist could or ever would be prosecuted in relation to our investigation.” The newspapers and journalists were being protected, and Owens was to restrict his investigation “solely to those at the bottom of the pyramid i.e. those involved with corruptly supplying information or ‘blagging’ information.”
Owens continued with his ‘lesser’ investigation and heard no more about the journalists. He completed his investigation in February 2004, and “handed over all the evidence gathered to the ICO Legal Department with our recommendations that all parties identified as being involved be jointly prosecuted for ‘conspiracy to breach the Data Protection Act 1998’.”
More than a year later he learned that Whittamore had appeared before Blackfriars Court and had been given a Conditional Discharge.
Now, two questions come to mind.
- Was this personal cowardice on the part of Richard Thomas in declining to take on the press, or was it on instruction from the higher regions of government? Remember that Tony Blair was prime minister, and that he cultivated a close relationship with the press.
- Does any spectre of this cowardice/corruption still haunt the corridors of the ICO?
We are unlikely to ever get a satisfactory answer to the first question. But back to Owens, now retired from the ICO, on the second…
“In April 2011 I watched David Smith the Deputy Information Commissioner on a Panorama programme. In this programme he made a statement that no journalist was ever prosecuted ‘because we didn’t have the evidence that those journalists knew beyond all reasonable doubt that the information had been obtained illegally’. This I knew was not only inaccurate but also deliberately misleading. What David Smith had omitted to tell the public was that there was overwhelming evidence to establish numerous prima facie cases against many journalists but the Investigations Unit had been stopped from gathering any further additional evidence, by the Commissioner himself.”
It seems beyond all reasonable doubt that the cowardice and corruption that existed in 2002 to 2005 still exists in the Information Commissioner’s Office today. Quite simply, the ICO is not fit for purpose.
ICO and the Data Protection Act: do they fine the victims and expect them to punish the perpetrator?
The Information Commissioner’s Office (ICO) has come down hard on two councils. It has fined Worcestershire £80,000 after “a member of staff emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients.” And it fined North Somerset £60,000 “for a serious breach of the Data Protection Act where a council employee sent five emails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee.”
Christopher Graham, the Information Commissioner, explained: “There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure… The Information Commissioner takes this sloppiness seriously – and so should you.”
Ed Rowley, Senior Product Manager at M86 Security, thinks this is a positive step. “It was suggested earlier this year,” he commented, “that the ICO was not using its powers to penalise organisations for the most serious data breaches. These two fines demonstrate that the ICO is serious about punishing those who fail to protect sensitive information. Commercial and government organisations must learn that protecting private data needs to be built into all of their processes from the ground up. Having the appropriate policies in place and training is the best place to start. However, these need to be supported by using appropriate technology to enforce those policies. Certainly, in both of these cases technology could have been used to prevent the email leaks and saved the councils and taxpayers a lot of money, in addition to protecting the privacy of the vulnerable individuals whose information was inappropriately handled.”
My own view is simple (and explained here: Data Protection Act Fail): fining councils doesn’t help anyone, it merely punishes the taxpayer. I put this to Ed.
“I understand the point that you are making,” he replied. “However, I do have faith in the democratic process. While the public end up paying for the fines in a roundabout manner, a local council’s inability to provide services to the public can result in those responsible being ousted at the next set of elections in which they stand: elected officers can lose their jobs if they are not able to control public finances and ruling parties can be weakened or even lose overall control. Even though the fines imposed by the ICO may only play a small part from a financial perspective, the damage that these breaches can cause to the reputation comes at a much higher cost to those in power.”
It’s a valid point; but I haven’t changed my opinion, and I doubt that Ed will change his. However, I would add an additional comment that didn’t come up in this conversation. Within the legal system in general there is a huge desire for greater consistency in sentencing. This is necessary not merely for the old-fashioned view of ‘fairness’, but also to demonstrate to potential criminals the likely outcome of the offence. The ICO is not part of the judicial system even though in matters of data protection it effectively acts as both judge and jury; so the point is relevant. Here it is fining a local council £80,000 that will be paid by the victims and other innocent taxpayers. Earlier in the year it fined ACS:Law just £1000 to be paid by the perpetrator. So I ask: where is the consistency in this?
I have said it before, but clearly it needs to be said again: the Data Protection Act and the Information Commissioner’s Office, as configured today, are a waste of time, space and our money. Today, Big Brother Watch has published a report showing
more than 1000 incidents [of data loss] across 132 local authorities, including at least 35 councils who have lost information about children and those in care…
…Yet of the 1035 incidents, local authorities reported that just 55 were reported to the Information Commissioner’s Office. Perhaps more concerning, just 9 incidents resulted in termination of employment.
Local authority data loss exposed
Put plainly, the Data Protection Act isn’t working.
I have also been critical in the past about the Information Commissioner. In reality, he is in an impossible position. What can he do with local authorities? Fines are meant to hurt – they are a punishment to make people behave more responsibly in the future. But fines don’t work on local authorities because they don’t have any money of their own – it is our money. And if they don’t have enough of our cash to pay the fine, they’ll just have to reduce our services.
The local authorities are also in a difficult position. It’s not ‘them’ that loses the data, but their staff. And it’s nigh on impossible to sack local authority staff because of the combined weight of the employment laws, the Human Rights Act, and of course, UNISON.
So we have an Act that doesn’t work, enforced by an organization that cannot enforce. That should be enough to cause a change. But nothing will change because the Data Protection Act is forced on us by the EU, and we don’t have the sovereignty to do anything about it. And there’s one other problem: the Data Protection Act allows our government to pretend it cares about our privacy. Obviously it doesn’t.
Surrey County Council, ACS:Law, an NHS laptop and a question: does anyone really care about our privacy?
Interesting times indeed. At least for the Information Commissioner’s Office (ICO). Let’s have a look at three incidents: ACS:Law (adjudicated last month), Surrey County Council (adjudicated this month); and the loss of an NHS laptop with personal and perhaps even intimate details of 8000 patients (reported yesterday).
The Information Commissioner’s Office has fined Surrey County Council £120,000 for three successive breaches of the Data Protection Act. Ed Rowley, Senior Product Manager at M86 Security, quite reasonably commented at the time: “There really is no reason for privacy to be breached in this way and the fact that this same mistake occurred on three separate occasions shows that either staff have not been educated on email security, or that the duty of care to personal information has not been taken to heart by the Council’s management.” Or, I would add, that the ICO as enforcer of the Data Protection Act isn’t working.
It was a serious breach, and the ICO clearly agreed.
The Commissioner considers that the contravention of section 4(4) of the Act is serious and that the imposition of a monetary penalty is appropriate. Further that a monetary penalty in the sum of £120,000 (One hundred and twenty thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty.
(Subject to a nice little 20% early payment discount.) You can read the ICO’s penalty notice here.
But compare this penalty to last month’s adjudication against Andrew Crossley, ‘data controller’ at ACS:Law, which had earlier failed “to keep sensitive personal information relating to around 6,000 people secure.”
This case proves that a company’s failure to keep information secure can have disastrous consequences. Sensitive personal details relating to thousands of people were made available for download to a worldwide audience and will have caused them embarrassment and considerable distress. The security measures ACS Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details.
The fine? Not the £120,000 levied on Surrey County Council, but a mere £1000 – which is presumably equally reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty. The ICO explains:
As Mr Crossley was a sole trader it falls on the individual to pay the fine. Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach.
ICO fines former ACS Law boss for lax IT security; Fine could have been £200,000 if firm was still trading
Needless to say, this judgement and this reason caused a slight commotion, with the Daily Telegraph quoting Simon Davies of Privacy International thus:
“This is yet another monumental error of judgement by the ICO [Information Commissioner's Office]. What the ICO has failed to understand is that [this ruling means] the basis of corporate immunity is closure of a company,” Davies said. “The ICO seems entirely unaware of the loophole it has just promoted. This signals to directors of all companies that they can act unlawfully under the Data Protection Act, and all they have to do is make the company dormant and escape any serious punishment.”
So, for the ACS:Law case we have two questions. Was the ICO right to fine Crossley a mere £1000? And is Simon Davies correct in saying a legal loophole is being promoted? I asked Dr. Brian Bandey, one of the United Kingdom’s leading experts on Computer and Internet Law and principal of the Patronus law practice, for his opinion. He has some sympathy for the ICO’s approach:
In the ACS:Law case, Mr. Crossley was ACS:Law and the ICO took the view that fining him more significantly would inevitably decrease the benefits his creditors would receive from the disposition of his assets under his bankruptcy. From a legal perspective, I find that a reasonable approach.
(Personally, I’m not so sure this is right. Would HMRC be so ‘reasonable’? I doubt it. Why not defer judgement until after the bankruptcy proceedings and then fine him the full amount? That wouldn’t affect other creditors.)
Dr Bandey also disagrees with the view put forward by Simon Davies. “It is wrong in law. ACS:Law was not, as far as I can tell, a ‘Corporation’.” Since ACS:Law was the trading name of Andrew Crossley, the ICO’s actions cannot be taken as promoting a legal loophole for company directors. Furthermore, the legislature seems to have been aware of this possibility when drafting the Data Protection Act itself. Dr Bandey again:
The Data Protection Act permits corporate persons to be and to register as “Data Controllers”. So Parliament anticipated that the usual advantages of Shareholders vs. the Wrongdoing of the Company should apply. That is a matter of policy.
But Parliament also created criminal offences under the Data Protection Act and s. 61 ensures that individual members, officers or directors can be criminally prosecuted. The Act says:
“If a company or other corporation commits a criminal offence under the Act, any director, manager, secretary or similar officer or someone purporting to act in any such capacity is personally guilty of the offence in addition to the corporate body if: the offence was committed with his/her consent or connivance; or the offence is attributable to any neglect on his/her part.
Where the affairs of a corporate body are managed by its members, any member who exercises the functions of management as if he were a director can also be guilty of the offence that results from any of his/her acts or omissions.”
The winding-up of a Company will not extinguish the criminal liability created by this Act.
In short, even if ACS:Law was a limited company, Andrew Crossley, as the data controller, would have remained liable even after the dissolution of the company. We have, then, a situation where the ICO has done nothing wrong in law, but perhaps not so much right in morality. Think back to the Surrey County Council fine: £120,000 of our (the taxpayers’) money. This fine hurts no-one but us. If Surrey can afford to pay it, then they are taxing us too much. If Surrey cannot afford to pay, then we, the taxpayer, will pay in either increased taxes or decreased services. But a private person gets fined just £1000. Justice?
And now for the last incident: the reported loss of an NHS laptop. Yesterday El Reg reported that “A London health authority has admitted losing a laptop which contains 8.6 million health records.” It “asked North Central London health board why it needed to store 8.63 million health records on an unsecure laptop in the first place,” and received the following:
NHS North Central London is investigating the loss of a number of laptops. One of the machines was used for analysing health needs requiring access to elements of unnamed patient data. All the laptops were password protected and our policy is to manually delete the data from laptops after the records have been processed. NHS North Central London operates under strict data protection guidance and is taking the matter extremely seriously. We have started an investigation into the issues raised by the loss. We are liaising with the office of the Information Commissioner.
8m health records go walkabout
Clearly the ICO hasn’t yet adjudicated on this breach: so our interest is in predicting what it will do. Will it fine the NHS in the way it fined Surrey; that is, lots and lots of our money that hurts no-one in the NHS but costs us more tax? Or will it discover, like it did with ACS:Law, some reason to fine it very little? I would just add this: to my mind, this is the most disturbing of all three breaches. And I have three questions:
The NHS says that the laptop was password protected, but not that the data was encrypted – which means that it was not encrypted (password protection will delay breaking in by just as long as it takes you to remove the hard drive and attach it to a different machine). So, question one: why was the data not encrypted?
Question 2: why did London Health Programmes have this data in the first place? Its website talks about engaging with patients in order to develop health programmes – it says nothing about analysing the health records of thousands of patients, almost certainly without their knowledge or approval.
And question 3: why was this data left on a laptop in a storeroom full of other laptops?
These are rhetorical questions, for there can be no satisfactory answers. But I await the ICO’s decision on this with considerable interest, and with one comment to offer: these privacy breaches just keep on happening; so whatever you’re doing, it ain’t working.
The Data Protection Act: the ICO demonstrates that the cost of compliance is greater than the cost of non-compliance
The Information Commissioner, Christopher Graham, is being decidedly unfair to the security industry. Consider this: fear sells. Government does it all the time. It keeps us in constant fear of terrorists, pedophiles, drug runners, gun runners, Katie Price, identity thieves and the Russian Mafia so that we will buy its lies about the need to curtail our liberty to keep us safe on the street. Security vendors do the same – they keep us in constant fear of cyber terrorists, online purveyors of child abuse, money mules, Katie Price, identity thieves and the Russian Mafia so that we will buy their products to keep ourselves safe online.
But we have to be afraid, or none of it works.
Enter the Information Commissioner. Last April he gained the power to enforce his responsibility for the Data Protection Act by levying fines of up to £500,000. What music to the ears of the security industry – something else for us to be afraid of! Another reason to buy security products; this time to help us comply with the Data Protection Act.
But what a let down Mr Graham has been!
Of the 2,565 data leaks reported to the watchdog in the past year, the ICO has only taken action in 36 cases and handed out only four fines, according to data revealed by ViaSat UK under the Freedom of Information Act.
ICO acts on only 1% of reported data breaches
I’m not sure of the maths here, but never mind. The point is very clear – if you breach the Data Protection Act you are overwhelmingly likely to get away with it. So what does that do? It tells us that the cost of compliance is considerably greater than the cost of non-compliance. In other words, don’t bother about the Data Protection Act. And don’t bother buying any security products to help with compliance.
He’s so unfair!