Last week I blogged about enforcement notices served on three Midlands police forces by the Information Commissioner (IC). I was surprised that the circumstances hadn’t merited stronger sanctions, in the form of monetary penalty notices (MPNs), and I tweeted to ask why.
As you can perhaps see, the IC’s office has kindly replied to my tweet. I had asked
I would really like to know why the IC did not see fit to issue Monetary Penalty Notices. Can you advise?
and their reply says
enforcement notices best means of improving compliance. Considered details of the case inc limited involvement of each force
I have to say I think this is a questionable response (although I take the point that a 140-character limit is restrictive).
Firstly, enforcement activities are not mutually exclusive – it is not uncommon for an enforcement notice and an MPN to be served in tandem on a data controller. Thus, as recently as June this year, Glasgow City Council was served an MPN of £150,000 by the IC following the loss of, er, unencrypted laptops, and at the same time was served an enforcement notice requiring certain corrective actions to be undertaken.
Secondly (and I may be misinterpreting), the reply seems to say that the “limited involvement of each force” was a determining factor in the decision not to serve an MPN. However, there were three data controllers involved. If each of them had a “limited” involvement, one is led to ask “wasn’t that the main problem?”. Derbyshire and Leicestershire both “did not carry out a risk assessment before they joined [the collaboration unit]…relying on the security measures taken by Nottinghamshire”, but those security measures were inadequate (lack of encryption, laptops not physically secured). Meanwhile, none of the forces properly monitored its officers while they were seconded.
It seems to me that the limited involvement of each of the forces might, instead of excusing it, have in fact been the key factor why the security breach happened.
Principle seven of the first schedule to the Data Protection Act 1998 (DPA) requires that
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
Many public (and private) sector data controllers are undertaking collaborative and partnership working, or are taking steps to do so. All responsible organisations are very aware that, where they continue (either jointly or in common with other organisations) to determine the purposes for which and the manner in which any personal data are, or are to be, processed, they remain a data controller, with the consequent responsibilities and liabilities. They are very aware of the IC’s Data Sharing Code of Practice.
And they are very aware that, if things go wrong with data-sharing, it will not normally be sufficient to point at a partner, and say “it was their fault”, or, even less, for all partners to shrug their shoulders and say, “that wasn’t our responsibility”.