Data delinquents and the money-go-round
You know the ritual. A laptop computer, smartphone or memory stick goes missing and, a few weeks or months later, some shamefaced public body admits that the device contained sensitive personal data.
Over the past year, however, the Information Commissioner’s Office (ICO) has started getting tougher with delinquent data handlers. As well as prosecuting offenders it now has the power to impose monetary penalties on organisations ‘in the most serious situations’.
A remarkable proportion of these ‘serious situations’ seem to occur in public bodies. Of nine penalties issued last year, seven went to local authorities. (The remaining two were a solicitors' firm, ACS:Law, and an employment services company, A4e Limited.) We’re talking fairly serious money - £130,000 imposed on Powys county council, £120,000 on Surrey county council and £100,000 on Hertfordshire.
These were all exceptional cases, involving highly sensitive information - including, incredibly, details of child protection cases - being sent to the wrong recipients. Someone should be punished. But is it right to hit the organisation with a monetary penalty, especially if all you’re doing is cycling money back to the exchequer? (The ICO is at pains to point out that the penalties go to the Treasury’s Consolidated Fund, not to pay for champagne parties at its Wilmslow HQ.)
One opponent of this money-go-round is the Taxpayers’ Alliance pressure group. It reckons that financial penalties mean citizens are hit with a double tax - once to pay for collecting the data, and once for losing it. It has proposed instead that responsible managers be held personally liable for data lost while in their care.
In principle, that sounds reasonable to me - and, as a registered data controller in a small business, I know I’m potentially in a glasshouse myself.
The arguments against seem to be, first, that putting managers on such a spot would reduce the public sector to such a state of fear that nothing would ever get done. Possibly that’s what the Taxpayers’ Alliance has in mind.
However, the second objection may have more force - the practical difficulty of imposing liability on people who would typically be employed staff, even at chief executive level. I’d welcome thoughts, especially from colleagues in local government and the NHS. If the whole personal liability idea is bonkers, it’s best to kill it off now before it gains political traction.
After all, whatever efforts we make to promote good data governance, those memory sticks and mobiles will keep going astray.


Comments
Ultimate loss of data
I did recall that President Clinton at one stage lost - for c. 3 months - the card containing THE code for activating the US nuclear force. Apparently it was lost in a suit which went for dry cleaning... you could not make it up!
I do not agree with monetary
I do not agree with monetary penalties, they never change anything. We need more involvement from the authorities because data delinquencies become more and more serious, it's a clear sign that the current legal punishments don't work for them. I am studying now for my master's in criminal justice and these kinds of situations really are an interesting hypothetical challenge for me.
Data security
Thank you for this interesting article. The problem with delinquent data handlers seems to take huge proportions despite the security measures that many authorities have taken. As a Securities Fraud Lawyer I am dealing very often with these kinds of situations and it is very difficult to prevent them as the ones who are stealing laptops or other devices are very intelligent.
This is a well written
This is a well written article. Data security is a big problem of our days, especially if the stolen data is highly sensitive. Recently my company needed a Criminal Check for a new employee so we wondered how the fine will appear in the criminal record of the person who sold the data and how the punishment for a data thief should be harsher if the data regarded a case sensitive case.