Surrey County Council, ACS:Law, an NHS laptop and a question: does anyone really care about our privacy?

Interesting times indeed. At least for the Information Commissioner’s Office (ICO). Let’s have a look at three incidents: ACS:Law (adjudicated last month), Surrey County Council (adjudicated this month); and the loss of an NHS laptop with personal and perhaps even intimate details of 8000 patients (reported yesterday).

Ed Rowley, Senior Product Manager at M86 Security

The Information Commissioner’s Office has fined Surrey County Council £120,000 for three successive breaches to the Data Protection Act. Ed Rowley, Senior Product Manager at M86 Security, quite reasonably commented at the time: “There really is no reason for privacy to be breached in this way and the fact that this same mistake occurred on three separate occasions shows that either staff have not been educated on email security, or that the duty of care to personal information has not been taken to heart by the Council’s management.” Or, I would add, that the ICO as enforcer of the Data Protection Act isn’t working.

It was a serious breach, and the ICO clearly agreed.

The Commissioner considers that the contravention of section 4(4) of the Act is serious and that the imposition of a monetary penalty is appropriate. Further that a monetary penalty in the sum of £120,000 (One hundred and twenty thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty.

(Subject to a nice little 20% early payment discount.) You can read the ICO’s penalty notice here.

But compare this penalty to last month’s adjudication against Andrew Crossley, ‘data controller’ at ACS:Law, which had earlier failed “to keep sensitive personal information relating to around 6,000 people secure.”

This case proves that a company’s failure to keep information secure can have disastrous consequences. Sensitive personal details relating to thousands of people were made available for download to a worldwide audience and will have caused them embarrassment and considerable distress. The security measures ACS Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details.

The fine? Not the £120,000 levied on Surrey County Council, but a mere £1000 – Which is presumably equally reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty. The ICO explains

As Mr Crossley was a sole trader it falls on the individual to pay the fine. Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach.
ICO fines former ACS Law boss for lax IT security; Fine could have been £200,000 if firm was still trading

Needless to say, this judgement and this reason caused a slight commotion, with the Daily Telegraph quoting Simon Davies of Privacy International thus:

“This is yet another monumental error of judgement by the ICO [Information Commissioner’s Office]. What the ICO has failed to understand is that [this ruling means] the basis of corporate immunity is closure of a company,” Davies said. – “The ICO seems entirely unaware of the loophole it has just promoted. This signals to directors of all companies that they can act unlawfully under the Data Protection Act, and all they have to do is make the company dormant and escape any serious punishment.”

So, for the ACS:Law case we have two questions. Was the ICO right to fine Crossley a mere £1000? And is Simon Davies correct in saying a legal loophole is being promoted? I asked Dr. Brian Bandey, one of the United Kingdom’s leading experts on Computer and Internet Law and principal of the Patronus law practice, for his opinion. He has some sympathy for the ICO’s approach:

Dr Brian Bandey, principal of the Patronus law service

In the ACS:Law case, Mr. Crossley was ACS:Law and the ICO took the view that fining him more significantly would inevitably decrease the benefits his creditors would receive from the disposition of his assets under his bankruptcy. From a legal perspective, I find that a reasonable approach.

(Personally, I’m not so sure this is right. Would HMRC be so ‘reasonable’? I doubt it. Why not defer judgement until after the bankruptcy proceedings and then fine him the full amount? That wouldn’t affect other creditors.)

Dr Bandey also disagrees with the view put forward by Simon Davies. “It is wrong in law. ACS:Law was not, as far as I can tell, a ‘Corporation’.” Since ACS:Law was the trading name of Andrew Crossley, the ICO’s actions cannot be taken as promoting a legal loophole for company directors. Furthermore, the legislature seems to have been aware of this possibility when drafting the Data Protection Act itself. Dr Bandey again:

The Data Protection Act permits corporate persons to be and to register as “Data Controllers”. So Parliament anticipated that the usual advantages of Shareholders vs. the Wrongdoing of the Company should apply. That is a matter of policy.

But Parliament also created criminal offences under the Data Protection Act and s. 61 ensures that individual members, officers or directors can be criminally prosecuted. The Act says:

“If a company or other corporation commits a criminal offence under the Act, any director, manager, secretary or similar officer or someone purporting to act in any such capacity is personally guilty of the offence in addition to the corporate body if:- the offence was committed with his/her consent or connivance; or the offence is attributable to any neglect on his/her part.

Where the affairs of a corporate body are managed by its members, any member who exercises the functions of management as if he were a director can also be guilty of the offence that results from any of his/her acts or omissions.”

The winding-up of a Company will not extinguish the criminal liability created by this Act.

In short, even if ACS:Law was a limited company, Andrew Crossley, as the data controller, would have remained liable even after the dissolution of the company. We have, then, a situation where the ICO has done nothing wrong in law, but perhaps not so much right in morality. Think back to the Surrey County Council fine: £120,000 of our (the taxpayers’) money. This fine hurts no-one but us. If Surrey can afford to pay it, then they are taxing us too much. If Surrey cannot afford to pay, then we, the taxpayer, will pay in either increased taxes or decreased services. But a private person gets fined just £1000. Justice?

And now for the last incident: the reported loss of an NHS laptop. Yesterday El Reg reported that “A London health authority has admitted losing a laptop which contains 8.6 million health records.” It “asked North Central London health board why it needed to store 8.63 million health records on an unsecure laptop in the first place,” and received the following:

NHS North Central London is investigating the loss of a number of laptops. One of the machines was used for analysing health needs requiring access to elements of unnamed patient data. All the laptops were password protected and our policy is to manually delete the data from laptops after the records have been processed. NHS North Central London operates under strict data protection guidance and is taking the matter extremely seriously. We have started an investigation into the issues raised by the loss. We are liaising with the office of the Information Commissioner.
8m health records go walkabout

Clearly the ICO hasn’t yet adjudicated on this breach: so our interest is in predicting what it will do. Will it fine the NHS in the way it fined Surrey; that is, lots and lots of our money that hurts no-one in the NHS but costs us more tax? Or will it discover, like it did with ACS:Law, some reason to fine it very little? I would just add this: to my mind, this is the most disturbing of all three breaches. And I have three questions:

The NHS says that the laptop was password protected, but not that the data was encrypted – which means that it was not encrypted (password protection will delay breaking in by just as long as it takes you to remove the hard drive and attach it to a different machine). So, question one: why was the data not encrypted?

Question 2: why did London Health Programmes have this data in the first place? Its website talks about engaging with patients in order to develop health programmes – it says nothing about analysing the health records of thousands of patients, almost certainly without their knowledge or approval.

And question 3: why was this data left on a laptop in a storeroom full of other laptops?

These are rhetorical questions, for there can be no satisfactory answers. But I await the ICO’s decision on this with considerable interest, and with one comment to offer: these privacy breaches just keep on happening; so whatever you’re doing, it ain’t working.

Dr Brian Bandey
M86 Security
ICO