
Review of the impact of ICO Civil Monetary Penalties

1. Introduction

1.1 Objective of the research

In February 2014, the ICO commissioned SPA Future Thinking to carry out research on the impact of Civil Monetary Penalties (CMPs).

The main purpose of the research was to review the extent to which CMPs influence or improve data protection compliance and practice by organisations. The research also measured awareness of the ICO’s enforcement powers and organisations’ experiences of the ICO’s processes when issuing CMPs.

The findings from the research will be used to measure and evaluate how effectively the ICO’s use of CMPs:

• achieves its key corporate objective of improving information rights compliance and that it is using its enforcement powers proportionately; and

• meets the following specific aims of the ICO’s Information Rights Strategy:

- to ensure organisations are aware of the ICO’s enforcement powers; and

- that the ICO deploys its enforcement tools in a way that provides an incentive for organisations to ‘get it right’ first time.

The research was also commissioned with an eye to the European Commission’s proposals for a new EU Data Protection Regulation, where draft provisions on sanctions extend data protection authorities’ current enforcement powers. The proposals could require mandatory breach notification by certain data controllers to regulators and individuals, and could raise fines of up to 2 per cent of turnover or €1m (Article 79). The European Parliament’s amendments could increase this to up to €100m or 5 per cent of turnover.

1 Review of the impact of ICO Civil Monetary Penalties 20140723 Version: 1.0

1.2 Context

Since April 2010, the ICO has had the power to issue monetary penalty notices of up to £500,000 for serious breaches of the Data Protection Act (the DPA), and (since May 2011) serious breaches of the Privacy and Electronic Communications Regulations (PECR). Section 55A(1) of the DPA allows the Information Commissioner to serve a monetary penalty notice if he is satisfied that three conditions apply:

• there has been a serious contravention of a data protection principle; and

• “the contravention was of a kind likely to cause substantial damage or substantial distress”; and

• the data controller “(a) knew or ought to have known — (i) that there was a risk that the contravention would occur, and (ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but


The ICO uses CMPs as both a sanction and a deterrent against a data controller or person who deliberately or negligently disregards the law.

The overarching aim is to promote compliance and improve public confidence.


• to ensure that policies and operational procedures are proportionate, consistent and targeted;

• to ensure it supports organisations to comply;

• to understand its impact on organisations’ information rights practices and policies; and

• to evaluate against the ICO’s objectives.

This helps to ensure that the ICO delivers its services and responsibilities effectively and efficiently.

1.3 Research methodology

The research consisted of:

• In-depth telephone interviews with 14 organisations who had received a CMP. This sample was made up of seven local authorities, three private companies, one local health authority, one police force, one central government department and one regulator. All of the organisations in the sample had self-reported their breach. Six respondents challenged the Notice of Intent.

• An online survey of 85 ‘peer’ organisations (from similar sectors, or local regions) who had not received a CMP. The objective was:


This report summarises the findings from the research and highlights some potential actions for the ICO to consider as part of its duty to review how it delivers its services and responsibilities.


Although the research sample size was relatively small, the results clearly indicate that CMPs have had a positive impact on organisations’ data protection compliance and practice.

Key findings include:

• The research findings indicate that CMPs are effective at improving data protection compliance. This was particularly clear for organisations that had been issued with a CMP; the research showed a clear impact on how those organisations managed their data protection responsibilities:


• The research confirmed that this positive impact was extended to ‘peer’ organisations, where CMPs had a wider impact as a useful deterrent and an incentive to ‘get it right first time’. A substantial proportion of this sample said that they had reviewed or changed their data protection practices and policies as a result of hearing about CMPs being issued to other organisations. This indicates that CMPs effectively contribute to achieving specific outcomes in the ICO’s Information Rights Strategy:


• Evidence suggests a lack of understanding of the interpretation of the conditions in Section 55A of the DPA, particularly around the meaning of ‘serious’ and ‘substantial damage and distress’ in relation to a contravention.

• Some respondents felt that there was a lack of transparency about how CMPs were calculated. This could be linked to some organisations expressing discontent about the clarity of the Notice of Intent.


3.1 Impact on organisations that had received a CMP

The research strongly suggests that CMPs are effective in improving and promoting compliance and practice by organisations. Receipt of a CMP had a positive impact on how data protection responsibilities were managed in the organisation. Organisations that had received a CMP gave data protection a higher profile; became more proactive in addressing their information rights obligations; and took steps to increase staff awareness of their responsibilities.

“…We’ve put together… an information security group, which meets on a regular basis, to talk through all aspects of the data protection policy...”

“…We became more proactive in our relationships with subcontractors and people working with our data. We’re using our ICO audit by invitation as a catalyst for change...”

Following receipt of a CMP, organisations increased and improved staff training, and initiated stronger communication to staff about data protection, with the aim of changing behaviours when handling information. Five out of the 14 organisations made changes to relevant departments, with the addition of new staff, or restructures. Four organisations completely overhauled their information security policies.

“…It’s a cultural shift but we always knew it would take some time to address. What we try to do, without being too heavy-handed about it, is to ensure that people understand the implication of getting it wrong and that may sound terribly self-evident, but people lose sight of the fact that the smallest mistake can cause a major incident further down the line.”

Some organisations proceeded to proactively engage with the ICO once the process was complete. For example, three organisations arranged a good practice audit with the ICO and two more reported that they are currently considering one. One organisation set up a series of workshops in conjunction with the ICO across ten of its sites.

Security was the main area that received attention following the receipt of a CMP. This reflects that CMPs have been predominantly issued for data breaches related to principle 7 of the DPA, which requires that ‘appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.

Half of the respondents reported that they felt more confident about their data security, but could not guarantee there wouldn’t be another breach.

Several said that reported incidents of breaches of data security had increased within their organisations.

3.2 Impact on organisations who had not received a CMP

There was a high level of awareness about CMPs being issued to sanction organisations which had seriously breached the DPA, with over 70 per cent of respondents reporting that they had heard about such incidents.

The ICO’s website was the most common source of information regarding CMPs that had been issued (57 per cent); followed by ‘word of mouth’ (47 per cent); and thirdly, media reporting (45 per cent).

For peer organisations, the research showed that CMPs had a wider impact as a useful deterrent, with the positive impact on data protection compliance and practice extended to these organisations. Around 60 per cent said that hearing about CMPs had influenced how their organisation managed its data protection responsibilities and the importance it attached to information rights. When asked about specific impacts the news of a CMP had, the research showed that for organisations who had not received a CMP:


• Others introduced new systems (18 per cent); appointed new staff or added new responsibilities to existing roles (15 per cent).

3.3 Reputational damage

Eleven out of the 14 respondents who had received a CMP agreed that it is appropriate for the ICO to publish actions taken against organisations that breach information rights law. Ten respondents reported that their organisation received bad press as a result of the CMP, with most reporting that the negative publicity was short-lived. More respondents claimed that the damage to reputation had a greater impact than the CMP. For local authorities, the political dimension heightened their sensitivity to bad publicity.

Almost 70 per cent of the wider sample agreed that the ICO should do more to publicise CMPs it issues for breaches of the DPA.


4.1 Fairness of the CMP

4.1.1 General perceptions

Public authorities expressed objections to money being taken out of the public purse, away from frontline services. There was also a misperception about what happens with the money collected through

“… the public perception is they’re doing it to generate income…. Where does it go? Nobody knows. What public benefit are we achieving by fining a public body?...”

There was also anecdotal evidence expressing doubt about the inclination of private sector companies to report breaches, with an unfair impact on public authorities.

“There are a lot of private companies who aren’t self-reporting where they should be, because the chance of them becoming public are pretty much null and void. I’ve attended training courses where people have been very open about incidents that have happened to them in their organisation which are far worse than our breach and they’ve never reported it. I would arguably say that the ICO could be seen to be picking the low hanging fruit”

For the wider sample, there was a division in organisations’ perception of the fairness of CMPs issued by the ICO, with 22 per cent reporting that they are ‘fair’; 21 per cent said they are ‘not fair’ and 57 per cent said they ‘don’t know’. When this was explored in more detail, respondents who thought CMPs are fair and proportionate said that they were necessary as an incentive to make sure organisations handle personal data properly.


“…large fines act as a deterrent...”

“Public awareness is important”

Those respondents who thought CMPs are unfair questioned the severity of them, the fact that they often hit public sector organisations and the fact they do not take human error (rather than a deliberate contravention of the law) into account.

4.1.2 Understanding the triggers for a CMP

Only four of the 14 who had received a CMP were able to explain what conditions must be met for a breach to trigger a monetary penalty notice.

While respondents reported that the conditions were fair, the research showed that some respondents found them slightly ambiguous and open to interpretation, with comments suggesting that there was a lack of certainty about the meaning of ‘serious’ and ‘substantial damage or distress’ in relation to a contravention.

Several respondents also expressed a lack of understanding of the threshold for the conditions, expressing doubt as to whether the circumstances of the data breach in question actually satisfied the requirements of Section 55 of the DPA.

“… it comes down to interpretation… There was absolutely no proof in any way that these few misdirected faxes caused any harm to the individuals whose data it was. So, whilst I think those are good conditions for a fine, I don’t think they were interpreted properly in our particular situation.”


“…we were… a little bit perplexed about how any of this had caused harm or distress to individuals because we’d had no instances where we could identify that any fraud or distress had been caused to the customers. There was no evidence that had caused any problems for them.”

4.2 Perceptions about the ICO’s CMP process

Most respondents considered the time taken to determine the issuing of the CMP to be too long.

4.2.1 Transparency

Some of the organisations who had received a CMP expressed dissatisfaction in relation to the perceived lack of transparency around how the amount of the CMP was calculated:
