Soft regulation = poorer compliance?

The Information Commissioner’s Office (ICO) has published reprimands against seven separate organisations, all of which committed serious infringements of data protection law by inadvertently disclosing highly sensitive information in the context of cases involving victims of domestic abuse.

The ICO trumpets the announcement, but does not appear to consider the point that, until recently, most, if not all, of these infringements would have resulted in a hefty fine, not a regulatory soft tap on the wrist. Nor does it contemplate the argument that precisely this sort of light-touch regulation might lead to more of these sorts of incidents, if organisations believe they can act (or fail to act) with impunity.

I have written elsewhere about both the lack of any policy or procedure regarding the use of reprimands, and also about the lack of empirical evidence that a “no fines” approach works.

I think it is incumbent on the Information Commissioner, John Edwards, to answer this question: are you confident that your approach is not leading to poorer compliance?


The cases include:

  • Four cases of organisations revealing the safe addresses of the victims to their alleged abuser. In one case a family had to be immediately moved to emergency accommodation. 
  • Revealing identities of women seeking information about their partners to those partners. 
  • Disclosing the home address of two adopted children to their birth father, who was in prison on three counts of raping their mother. 
  • Sending an unredacted assessment report about children at risk of harm to their mother’s ex-partners. 

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
