Review of the impact of ICO Civil Monetary Penalties
1. Introduction
1.1 Objective of the research
In February 2014, the ICO commissioned SPA Future Thinking to carry
out research on the impact of Civil Monetary Penalties (CMPs).
The main purpose of the research was to review the extent to which CMPs
influence or improve data protection compliance and practice by
organisations. The research also measured awareness of the ICO’s
enforcement powers and organisations’ experiences of the ICO’s processes when issuing CMPs.
The findings from the research will be used to measure and evaluate how
effectively the ICO’s use of CMPs:
• achieves its key corporate objective of improving information rights compliance and that it is using its enforcement powers proportionately; and
• meets the following specific aims of the ICO’s Information Rights Strategy:
- to ensure organisations are aware of the ICO’s enforcement powers; and
- that the ICO deploys its enforcement tools in a way that provides an incentive for organisations to ‘get it right’ first time.
The research was also commissioned with an eye to the European Commission’s proposals for a new EU Data Protection Regulation, where draft provisions on sanctions extend data protection authorities’ current enforcement powers. The proposals could require mandatory breach notification by certain data controllers to regulators and individuals, and could raise fines of up to 2 per cent of turnover or €1m (Article 79). The European Parliament’s amendments could increase this to up to €100m or 5 per cent of turnover.
Review of the impact of ICO Civil Monetary Penalties 20140723 Version: 1.0
1.2 Context
Since April 2010, the ICO has had the power to issue monetary penalty notices of up to £500,000 for serious breaches of the Data Protection Act (the DPA), and (since May 2011) serious breaches of the Privacy and Electronic Communications Regulations (PECR). Section 55A(1) of the DPA allows the Information Commissioner to serve a monetary penalty notice if he is satisfied that three conditions apply:
• there has been a serious contravention of a data protection principle and
• “the contravention was of a kind likely to cause substantial damage or substantial distress” and
• the data controller:
“(a) knew or ought to have known — (i) that there was a risk that the contravention would occur, and (ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
The ICO uses CMPs as both a sanction and a deterrent against a data controller or person who deliberately or negligently disregards the law.
The overarching aim is to promote compliance and improve public confidence.
• to ensure that policies and operational procedures are proportionate, consistent and targeted;
• to ensure it supports organisations to comply;
• to understand its impact on organisations’ information rights practices and policies; and
• to evaluate against the ICO’s objectives.
This helps to ensure that the ICO delivers its services and responsibilities effectively and efficiently.
1.3 Research methodology
The research consisted of:
• In-depth telephone interviews with 14 organisations who had received a CMP. This sample was made up of seven local authorities, three private companies, one local health authority, one police force, one central government department and one regulator.
All of the organisations in the sample had self-reported their breach.
Six respondents challenged the Notice of Intent.
• An online survey of 85 ‘peer’ organisations (from similar sectors, or local regions) who had not received a CMP. The objective was:
This report summarises the findings from the research and highlights some potential actions for the ICO to consider as part of its duty to review how it delivers its services and responsibilities.
Although the research sample size was relatively small, the results clearly indicate that CMPs have had a positive impact on organisations’ data protection compliance and practice.
Key findings include:
• The research findings indicate that CMPs are effective at improving data protection compliance. This was particularly clear for organisations that had been issued with a CMP; the research showed a clear impact on how those organisations managed their data protection responsibilities:
• The research confirmed that this positive impact was extended to ‘peer’ organisations, where CMPs had a wider impact as a useful deterrent and an incentive to ‘get it right first time’. A substantial proportion of this sample said that they had reviewed or changed their data protection practices and policies as a result of hearing about CMPs being issued to other organisations. This indicates that CMPs effectively contribute to achieving specific outcomes in the ICO’s Information Rights Strategy:
• Evidence suggests a lack of understanding of the interpretation of the conditions in Section 55A of the DPA, particularly around the meaning of ‘serious’ and ‘substantial damage and distress’ in relation to a contravention.
• Some respondents felt that there was a lack of transparency about how CMPs were calculated. This could be linked to some organisations expressing discontent about the clarity of the Notice of Intent.
3.1 Impact on organisations that had received a CMP
The research strongly suggests that CMPs are effective in improving and promoting compliance and practice by organisations. Receipt of a CMP had a positive impact on how data protection responsibilities were managed in the organisation. Organisations that had received a CMP gave data protection a higher profile; became more proactive in addressing their information rights obligations; and took steps to increase staff awareness of their responsibilities.
“…We’ve put together… an information security group, which meets on a regular basis, to talk through all aspects of the data protection policy...”
“…We became more proactive in our relationships with subcontractors and people working with our data. We’re using our ICO audit by invitation as a catalyst for change...”
Following receipt of a CMP, organisations increased and improved staff training, and initiated stronger communication to staff about data protection, with the aim of changing behaviours when handling information. Five out of the 14 organisations made changes to relevant departments, with the addition of new staff, or restructures. Four organisations completely overhauled their information security policies.
“…It’s a cultural shift but we always knew it would take some time to address. What we try to do, without being too heavy-handed about it, is to ensure that people understand the implication of getting it wrong and that may sound terribly self-evident, but people lose sight of the fact that the smallest mistake can cause a major incident further down the line.”
Some organisations proceeded to proactively engage with the ICO once the process was complete. For example, three organisations arranged a good practice audit with the ICO and two more reported that they are currently considering one. One organisation set up a series of workshops in conjunction with the ICO across ten of its sites.
Security was the main area that received attention following the receipt of a CMP. This reflects that CMPs have been predominantly issued for data breaches related to principle 7 of the DPA, which requires that ‘appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.
Half of the respondents reported that they felt more confident about their data security, but could not guarantee there wouldn’t be another breach.
Several said that reported incidents of breaches of data security had increased within their organisations.
3.2 Impact on organisations who had not received a CMP
There was a high level of awareness about CMPs being issued to sanction organisations which had seriously breached the DPA, with over 70 per cent of respondents reporting that they had heard about such incidents.
The ICO’s website was the most common source of information regarding CMPs that had been issued (57 per cent); followed by ‘word of mouth’ (47 per cent); and thirdly, media reporting (45 per cent).
For peer organisations, the research showed that CMPs had a wider impact as a useful deterrent, with the positive impact on data protection compliance and practice extended to these organisations. Around 60 per cent said that hearing about CMPs had influenced how their organisation managed its data protection responsibilities and the importance it attached to information rights. When asked about specific impacts the news of a CMP had, the research showed that for organisations who had
not received a CMP:
• Others introduced new systems (18 per cent); appointed new staff or added new responsibilities to existing roles (15 per cent).
3.3 Reputational damage
Eleven out of the 14 respondents who had received a CMP agreed that it is appropriate for the ICO to publish actions taken against organisations that breach information rights law. Ten respondents reported that their organisation received bad press as a result of the CMP, with most reporting that the negative publicity was short-lived. More respondents claimed that the damage to reputation had a greater impact than the CMP. For local authorities, the political dimension heightened their sensitivity to bad publicity.
Almost 70 per cent of the wider sample agreed that the ICO should do more to publicise CMPs it issues for breaches of the DPA.
4.1 Fairness of the CMP
4.1.1 General perceptions
Public authorities expressed objections to money being taken out of the public purse, away from frontline services. There was also a misperception about what happens with the money collected through
“… the public perception is they’re doing it to generate income…. Where does it go? Nobody knows. What public benefit are we achieving by fining a public body?...”
There was also anecdotal evidence expressing doubt about the inclination of private sector companies to report breaches, with an unfair impact on public authorities.
“There are a lot of private companies who aren’t self-reporting where they should be, because the chance of them becoming public are pretty much null and void. I’ve attended training courses where people have been very open about incidents that have happened to them in their organisation which are far worse than our breach and they’ve never reported it. I would arguably say that the ICO could be seen to be picking the low hanging fruit”
For the wider sample, there was a division in organisations’ perception of the fairness of CMPs issued by the ICO, with 22 per cent reporting that they are ‘fair’; 21 per cent said they are ‘not fair’ and 57 per cent said they ‘don’t know’. When this was explored in more detail, respondents who thought CMPs are fair and proportionate said that they were necessary as an incentive to make sure organisations handle personal data properly.
“…large fines act as a deterrent...”
“Public awareness is important”
Those respondents who thought CMPs are unfair questioned the severity of them, the fact that they often hit public sector organisations and the fact they do not take human error (rather than a deliberate contravention of the law) into account.
4.1.2 Understanding the triggers for a CMP
Only four of the 14 who had received a CMP were able to explain what conditions must be met for a breach to trigger a monetary penalty notice.
While respondents reported that the conditions were fair, the research showed that some respondents found them slightly ambiguous and open to interpretation, with comments suggesting that there was a lack of certainty about the meaning of ‘serious’ and ‘substantial damage or distress’ in relation to a contravention.
Several respondents also expressed a lack of understanding of the threshold for the conditions, expressing doubt as to whether the circumstances of the data breach in question actually satisfied the requirements of Section 55 of the DPA.
“… it comes down to interpretation… There was absolutely no proof in any way that these few misdirected faxes caused any harm to the individuals whose data it was. So, whilst I think those are good conditions for a fine, I don’t think they were interpreted properly in our particular situation.”
“…we were… a little bit perplexed about how any of this had caused harm of distress to individuals because we’d had no instances where we could identify that any fraud or distress had been caused to the customers. There was no evidence that had caused any problems for them.”
4.2 Perceptions about the ICO’s CMP process
Most respondents considered the time taken to determine the issuing of the CMP to be too long.
4.2.1 Transparency
Some of the organisations who had received a CMP expressed dissatisfaction in relation to the perceived lack of transparency around how the amount of the CMP was calculated: