1. It wasn’t a fine: section 55A of the Data Protection Act 1998 (DPA) gives the Information Commissioner’s Office (ICO) the power to impose a monetary penalty notice (MPN) to a maximum of £500,000 on a data controller which has made a serious contravention of its obligation to comply with the data protection principles, and the contravention was of a kind likely to cause substantial damage or substantial distress (and the data controller knew or should have known about the risk). There is often confusion over the civil and criminal sanctions in the DPA, perhaps not helped by the fact that the main criminal sanction is at section 55, and the main civil sanction at section 55A. However, although the incorrect use of the term “fine” is understandable in some circumstances, I don’t think the ICO themselves should use it.
2. The money goes straight back to the government: this is true – monetary penalties do not get paid to the ICO. Rather, they are paid into the Consolidated Fund – the government’s bank account. While this does have an element of absurdity (and similar complaints are sometimes made when the ICO serves MPNs on other public bodies, such as the NHS, or local authorities) recent research (and personal anecdotal experience) suggests that the MPNs are effective in improving data controller compliance. One wonders if alternative methods, like individual liability for data controller failings (which would require major primary legislation), would have similar effects.
3. The Ministry of Justice funds the ICO: in part, at least. The MoJ funds the ICO for its freedom of information work. Its data protection work comes from the fees data controllers pay the ICO to appear on its register. Nonetheless, penalising the MoJ could be seen as biting the hand that feeds – it is commendable that the ICO is not afraid to do so.
4. The MoJ is data controller for prisoner data within prisons: being the person or persons who determine the purposes for which and the manner in which any personal data are, or are to be, processed. That’s a heck of a lot of highly sensitive personal data to be responsible for. And such responsibility carries potential huge liability for errors.
5. This is not the first MPN the MoJ has received: less than 12 months ago the MoJ received an MPN of £140,000 for a remarkably similar set of events to those which prompted the latest MPN. Both MPNs involved insecure processes to safeguard prisoner databases – in the first an unencrypted database file was emailed to a member of the public, and in the second a hard disk containing a prisoner database, which should have been encrypted but wasn’t, has been lost. As MPNs are often served (as these were) for contraventions of the obligation to have appropriate organisational and technical measures in place to safeguard against loss of data, one might argue that a second such serious contravention might have warranted even more severe sanctions. The ICO even notes that the second contravention was because of a botched attempt to put right what happened in the first, and deems the second contravention “very serious” (as opposed to the first’s “serious”). I am not the only person I have spoken to who is surprised this latest MPN was not higher.
6. Data security is not just about technology: it’s also about people. In this instance the MoJ, after its first MPN (see above), sent hard drives to all relevant prisons which were capable of holding data in encrypted format.
But they forgot to tell the prison staff to switch encryption on.