About the rather odd Friday afternoon news that the ICO has served enforcement notices, not monetary penalties, on three police forces
In February 2011 the Information Commissioner (IC) served civil Monetary Penalty Notices (MPNs) under section 55A-E of the Data Protection Act 1998 (DPA) on Ealing and Hounslow Councils (£80,000 and £70,000 respectively), after two unencrypted laptops containing sensitive personal data of approximately 1700 individuals were stolen. The Councils had a joint working arrangement whereby Ealing would provide an out-of-hours service on behalf of both councils. The MPNs were fair enough – the IC and others had been saying for some time that encryption of hardware was a necessary data security measure, and even though Ealing Council had a policy on this, it issued the laptops to an employee in breach of it. Hounslow took the hit because they didn’t have a written contract in place to describe and prescribe the collaborative working arrangements it had entered into with Ealing.
One might have wondered, more than two years further on, what size of monetary penalty a data controller would receive if it had also entered into a joint working arrangement in the absence of a written contract, but had failed to carry out a risk assessment, simply relying on what turned out to have been inadequate security measures taken by one of the parties, and several unencrypted laptops containing the sensitive personal data of approximately 4500 individuals were stolen.
The answer (unless MPNs are to follow), based on the IC’s news release and blog today about three police forces, appears to be that no MPNs of any size will be served. Rather, enforcement notices have been issued, requiring the police forces to appoint Senior Information Risk Owners (you mean they haven’t got them already?), encrypt all portable devices (you mean they don’t already?), ensure appropriate security measures are taken to protect personal data (you mean they aren’t already?), and ensure officers have received training on the security requirements of the DPA (you mean…etc, etc, etc).
Don’t get me wrong: enforcement notices are an important part of the IC’s regulatory weaponry (I just wish he’d use them on FOI miscreants), but they are a step down from MPNs, and they don’t really serve as a punishment for serious contraventions of the DPA, but merely act as a warning.
Clearly, considerable discretion is conferred on the IC as to what sort of enforcement action is appropriate, but, on the facts, and on comparison with previous MPNs, it is very hard to avoid the conclusion that: the contraventions of the DPA were serious; they were likely to cause damage or distress which was significant; and the police forces knew or ought to have known that there was a risk that a contravention of this kind would occur but failed to take reasonable steps to prevent it. In those circumstances, the relevant conditions for an MPN exist, and I struggle to understand why none transpired.
I do note that the laptop thefts were in August 2010, but this was after the DPA provisions conferring the power on the IC to serve MPNs were commenced. I also note that the data subjects appear to have been criminals, but information about criminality is sensitive personal data under the DPA and is accorded a higher level of protection.
I’ve asked the ICO on Twitter if they can tell me why MPNs were not served. I don’t really expect an answer – it’s a thorny question, and probably doesn’t qualify as an FOI request, but I am, genuinely, interested to know. If anyone has any ideas, I’d like to hear them.