Companies with UK operations should check their security procedure in light of the regulator's new powers
The UK’s data regulator has gained new powers as from April which will allow it to issue fines of up to £500,000 for serious breaches, as well as enable it to conduct compulsory audits in central government departments where breaches may have occurred.
Previously, the Information Commissioner’s Office (ICO) was unable to fine an organisation for a data breach – it could only censure it for doing so. However, other regulators, such as the Financial Services Authority, have levied fines – like the £1.26m penalty against Norwich Union in 2007 – for failing to adequately protect customer data.
The ICO says that the power to impose a financial penalty is designed to deal with the most serious personal data breaches and is part of its overall “regulatory toolkit”. This includes the power to serve an enforcement notice and the ability to prosecute those involved in the unlawful trade in confidential personal data.
Information Commissioner, Christopher Graham, said: “These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act… I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”
To qualify for a fine, the Information Commissioner must be satisfied that there has been a serious breach that was likely to cause damage or distress (such as losing or mishandling financial data that results in a customer fraud, or failing to secure a person’s medical records), that the breach was either deliberate or negligent, such as a marketing company passing personal data on to a third party without consent, and that the organisation failed to take reasonable steps to prevent it.
To encourage organisations to co-operate with its enforcement measures, the ICO is offering to reduce its financial penalties by 20% if it receives full payment within 28 calendar days of the notice being served.
The ICO has also launched a consultation on a new draft code of practice which sets out the privacy watchdog’s proposed approach to using its new auditing powers. These allow the regulator to issue an “Assessment Notice” – a compulsory audit notice – if an organisation is responsible for a serious data breach or if a risk assessment indicates that there is a likelihood that one may occur. Initially the ICO will only be able to conduct these compulsory audits on central government departments, but it says that it hopes to widen these powers in the future to include the rest of the public and private sectors.
Ann Bevitt, partner and head of the EU privacy group at law firm Morrison & Foerster, says that “until now, the ICO has largely been a toothless regulator as it had no real punitive powers. That is beginning to change and organisations need to be aware of that.”
“Organisations will be very keen to see how the Information Commissioner flexes his new muscles in the coming months,” says Bevitt. “The expectation is that it will be looking for a few high profile scalps to warn others. To ensure that they are not one of these, organisations should study the guidance and review their own practices as a matter of urgency,” she adds.
The ICO hopes that the new measures will encourage organisations to take data protection issues more seriously as controls have been found to be lax in many cases brought to its attention. In March the ICO found St Albans City and District Council in breach of the Data Protection Act after a laptop which was used to store postal voters’ records as part of an election process in June 2009 was stolen. The personal information, which was password protected but unencrypted, remained on the laptop when it was no longer required.
Also in March, the ICO found Zurich Insurance in breach of the Data Protection Act after it lost an unencrypted back-up tape containing financial personal information belonging to 46,000 policy holders of Zurich Private Client, Zurich Special Risk and Zurich Business Client. The back-up tape, which also included personal details of 1,800 third parties, was lost by a sister company, Zurich Insurance Company South Africa, during a routine transfer to a data storage centre in South Africa. The data loss occurred on 11 August 2008, although the sister company did not inform Zurich Insurance until over a year later. Subsequent internal investigations revealed failings in the management of security procedures involving data tapes in South Africa.
Earlier this year, the ICO released a report which found that “mistakes” account for 195 of the 818 data security breaches reported to the ICO since November 2007. Furthermore, 262 breaches are the result of theft, often where the personal information was held on an unencrypted portable device.
Neil Hodge is a freelance writer
Five ways of avoiding a fine
1. Have policies and procedures in place which deal with both the appropriate handling of personal data within your organisation and what to do when a problem arises. For example, the data controller can demonstrate compliance with the BS ISO/IEC 27001 standard on information security management.
2. Conduct a risk assessment to identify the risks associated with the handling of personal data within your organisation.
3. Focus on those risks involving sensitive personal data and/or the personal data of large numbers of individuals, where the risk of substantial damage or distress is greater.
4. Don’t turn a blind eye to problems: if you become aware of an issue, act quickly to put it right.
5. Learn from past mistakes to improve your data protection practices.