Some observations on the MoJ £180,000 data protection “fine”

1. It wasn’t a fine: section 55A of the Data Protection Act 1998 (DPA) gives the Information Commissioner’s Office (ICO) the power to impose a monetary penalty notice (MPN) to a maximum of £500,000 on a data controller which has made a serious contravention of its obligation to comply with the data protection principles, and the contravention was of a kind likely to cause substantial damage or substantial distress (and the data controller knew or should have known about the risk). There is often confusion over the civil and criminal sanctions in the DPA, perhaps not helped by the fact that the main criminal sanction is at section 55, and the main civil sanction at section 55A. However, although the incorrect use of the term “fine” is understandable in some circumstances, I don’t think the ICO themselves should use it.

2. The money goes straight back to the government: this is true – monetary penalties do not get paid to the ICO. Rather, they are paid into the Consolidated Fund – the government’s bank account. While this does have an element of absurdity (and similar complaints are sometimes made when the ICO serves MPNs on other public bodies, such as the NHS, or local authorities) recent research (and personal anecdotal experience) suggests that the MPNs are effective in improving data controller compliance. One wonders if alternative methods, like individual liability for data controller failings (which would require major primary legislation), would have similar effects.

3. The Ministry of Justice funds the ICO: in part, at least. The MoJ funds the ICO for its freedom of information work. Its data protection work comes from the fees data controllers pay the ICO to appear on its register. Nonetheless, penalising the MoJ could be seen as biting the hand that feeds – it is commendable that the ICO is not afraid to do so.

4. The MoJ is data controller for prisoner data within prisons: being the person or persons who determine the purposes for which and the manner in which any personal data are, or are to be, processed. That’s a heck of a lot of highly sensitive personal data to be responsible for. And such responsibility carries potential huge liability for errors.

5. This is not the first MPN the MoJ has received: less than 12 months ago the MoJ received an MPN of £140,000 for a remarkably similar set of events to those which prompted the latest MPN. Both MPNs involved insecure processes to safeguard prisoner databases – in the first an unencrypted database file was emailed to a member of the public, and in the second a hard disk containing a prisoner database, which should have been encrypted but wasn’t, has been lost. As MPNs are often served (as these were) for contraventions of the obligation to have appropriate organisational and technical measures in place to safeguard against loss of data, one might argue that a second such serious contravention might have warranted even more severe sanctions. The ICO even notes that the second contravention was because of a botched attempt to put right what happened in the first, and deems the second contravention “very serious” (as opposed to the first’s “serious”). I am not the only person I have spoken to who is surprised this latest MPN was not higher.

and finally

6. Data security is not just about technology: it’s also about people. In this instance the MoJ, after its first MPN (see above), sent hard drives to all relevant prisons which were capable of holding data in encrypted format.

But they forgot to tell the prison staff to switch encryption on.

1 Comment

Filed under Data Protection, Information Commissioner, monetary penalty notice

One response to “Some observations on the MoJ £180,000 data protection “fine”

  1. If you were somebody working within an organisation with these sorts of responsibilities, ask yourself this – which would make you more likely to be careful: somebody else having to deal with the consequences of your actions or having to deal with the flack yourself? I don’t doubt that what you is probably true, but from the perspective of somebody with far less experience in this type of matter it sounds counter-intuitive.

    The term ‘self serving’ comes to mind when the ICO’s own summary of the ICO’s commissioned research into the ICO’s actions, but even they acknowledge that people can see patterns in what happen. The problem with that is that if people can see that MPNs are being handed out then they can also notice who they’re being handed out *to*. The majority seem to be handed out to public sector organisations. Assuming for a moment that this isn’t an assumption based on insufficient knowledge, then does the ICO really believe that the private sector hasn’t noticed that?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s