Businesses Must Wake Up to Data Protection Responsibilities
Associate Solicitor Caroline Redhead considers the Information Commissioner’s view that businesses need to do more when it comes to data protection compliance.
The Information Commissioner recently gave evidence to the House of Commons Justice Select Committee on a wide range of issues, including compliance by private sector businesses with data protection obligations. The Information Commissioner’s well-known view is that business generally “isn’t as good as it thinks it is” when it comes to data protection compliance. In his view, although businesses understand what is required, they still “need to get on with doing it”. The Information Commissioner’s views appear to be supported by figures published in this year’s Annual Track survey, which indicate a lack of public confidence in how personal information is handled. The Annual Track survey is one of the tools used by the ICO to gauge awareness and understanding of both the Data Protection Act and the Freedom of Information Act, specifically to identify the level of awareness both of individuals’ rights and of organisations’ corresponding obligations in respect of the processing of personal data.
Interestingly, although nearly three quarters of businesses surveyed knew what was required in relation to keeping personal information secure (an increase of 26% on last year’s figure), this knowledge and awareness on the part of business does not appear to have improved public confidence in organisations’ ability to process their data fairly. The Annual Track survey indicates that online businesses are not generally trusted by consumers to keep their personal data secure.
Why should you care about data protection?
Clearly, the fact that the Information Commissioner now has powers to fine data controllers up to £500,000 for serious breaches of the Data Protection Act means an understanding of, and compliance with, data protection obligations has taken on greater significance for businesses, the availability of monetary penalties being designed to act as a deterrent and to promote compliance.
The Information Commissioner has made it clear that he fully intends to use his powers to issue monetary penalty notices in appropriate cases. Very briefly, a monetary penalty notice (the mechanism by which a fine is issued) is likely to be issued if the Commissioner is satisfied that: (a) there has been a serious contravention of any of the data protection principles by the data controller; (b) the contravention was of a kind likely to cause substantial damage or substantial distress; and (c) either the contravention was deliberate, or the data controller knew (or ought to have known) that the contravention might occur and, if it did, would be likely to cause such damage or distress.
The ICO has published various guidance notes concerning the steps which should be taken if any data security breach is identified. The ICO emphasises that, although there is no legal obligation to do so, it is considered best practice to report breaches of security which result in the loss, release or corruption of personal data where they are sufficiently serious. If a report is made, the nature of the breach can properly be considered and the data controller’s actions measured against its obligations under the Data Protection Act. In appropriate circumstances, a business’ self-reporting of any breach to the Commissioner and subsequent co-operation with any investigation will also be regarded positively.
The key focus in measuring the seriousness of any breach is the potential harm to the individual data subjects whose personal data is processed by the data controller. Clearly there are a number of factors involved, including the volume of personal data involved and its sensitivity. Where a breach is investigated, a monetary penalty notice will not be issued in a vacuum; the data controller’s practices and processes will all be considered. The Information Commissioner emphasises the importance of risk management, good corporate governance, having regard to the ICO’s guidance, and the behaviour of a data controller after the occurrence of a breach. Clearly repetition of the breach will be detrimental, but steps which a data controller takes to address any governance issues, repair any damage and prevent recurrence will all count in favour of the data controller when the breach is investigated.
Reducing the risks of breach
The following six steps are clearly identified by the Information Commissioner as constituting good practice and, in the event of a data breach occurring, seem likely to count “for” the data controller in any subsequent investigation:
• carrying out risk assessments as appropriate;
• putting in place policies and procedures relevant to the risks identified, and regularly auditing compliance with them internally;
• putting in place good governance arrangements with clear lines of responsibility, and regularly auditing these internally;
• encrypting all laptops and portable devices on which personal data is stored, carrying out employee training and auditing compliance;
• ensuring that standards, guidance and the like relating to information and security management are implemented (again, training is key);
• putting in place written contracts with any data processors setting out what is required, and auditing compliance.
If the worst happens…
Clearly, the Information Commissioner anticipates that, in appropriate circumstances, data controllers should self-report. Looking back at the cases in which no penalty has been imposed following a data breach, data controllers who promptly report the breach to the Commissioner, co-operate with any subsequent investigation and readily take steps to put matters right appear more likely to be required to give an undertaking to secure future compliance than to be on the receiving end of a monetary penalty. This is unlikely to be the outcome where a serious breach with severe risk to individuals has taken place, but pro-active action appears likely to pay off.
Readers are unlikely to be surprised by our conclusion that the Commissioner will impose more fines for data breaches going forward. In particular, serious breaches of the electronic marketing rules may well see use of his extended powers to fine. However, organisations can (and should) protect themselves from the risk of a penalty by taking the steps briefly discussed above and, from time to time, informing themselves about the Information Commissioner’s developing enforcement strategy by reviewing decision notices in cases where penalties are imposed on organisations or undertakings are required.