UK Data Breaches: ICO Reviewing Impact Of Monetary Penalties, Threatens "Contempt Of Court" Charges.
The UK’s Information Commissioner’s Office (ICO) is investigating the effects of monetary penalties on organizations that breach the Data Protection Act (DPA). With the ability to fine up to £500,000, the monetary penalty is a formidable DPA enforcement tool: not only does the fear of a large fine prompt action, it also brings data security to the attention of people in charge who may be unfamiliar with it, unaware of it, or inclined to downplay it.
Opening Up Lines of Communication
According to governmentcomputing.com,
the commissioner’s office had been speaking with councils and other bodies that have faced enforcement notices and financial penalties as a result of data breaches during this period to understand the impacts of its work.
It’s nice to know that the ICO cares. On the other hand, this is probably not a concerned inquiry into the well-being of public agencies that have been hit with a fine.
Details of the review coincided with the ICO’s decision to give Wolverhampton City Council 50 days to ensure all its staff are adequately trained in data protection.
The warning was issued after the ICO found that about two thirds of council staff had not received mandatory training by an agreed deadline of February this year.
Something about Wolverhampton must have set the ICO off, because (my emphasis),
Rather than directly imposing a fine, the ICO has said that the council would be charged with contempt of court should it fail to meet the 50-day deadline to ensure all staff are provided with sufficient data protection training.
Why contempt of court rather than a fine?
Contempt of Court – How It Could Trump Monetary Penalties
According to the site findlaw.co.uk,
If you are guilty of contempt of court you may be sent to prison… Contempt of court is essentially where somebody is deemed to have interfered with the administration of justice…. By committing contempt of court you are betraying the entire justice system
Since the whole of Wolverhampton City Council cannot be put in jail, it stands to reason that a representative would be, assuming the contempt charge is valid.
And assuming it is valid, it would give the heads of organizations a personal stake in swiftly and completely making the necessary changes to their approach to data security. The problem with monetary penalties is that, at least for public sector organizations, the fine has no personal impact. You could call it a tragedy of the commons, since the money ultimately comes from taxpayers.
In fact, the ICO has been asking to be given the legal power to hand out prison sentences, which hasn’t happened yet (although it is apparently technically possible).
Could this latest action be the ICO flexing its muscles rather than a legitimate move? Perhaps not.
Wolverhampton City Council Dragging Its Feet
An ICO representative had this to say about the action against Wolverhampton.
Stephen Eckersley, head of enforcement at the ICO, said Wolverhampton City Council had shown a “lack of urgency” in dealing with data protection concerns.
“Over two years ago, we reviewed the council’s practices and highlighted the need for guidance and mandatory training to help its staff keep residents’ information secure,” he said.
“Despite numerous warnings the council has failed to act, with over two thirds of its staff still remaining untrained. We have taken positive steps and acted before this situation is allowed to continue any longer and more people’s personal information is lost.”
Wow. Two years. For training. No wonder the ICO feels rubbed the wrong way. Even technically complex remedial actions like rolling out laptop encryption software across an entire organization take less time than that, from researching a list of candidate products to protecting the last machine.