Data Protection Breaches: Today and Tomorrow

May 29, 2012

I would like to think that Mills & Reeve’s clients are no more careless than most.  Certainly, judging by the frequency with which I am asked to help with data protection strategy – audits, planning and policies – they take their data protection responsibilities increasingly seriously. 

No doubt this reflects in part the nervousness of in-house lawyers that a wrong move might tempt the ICO to exercise its enforcement powers. I suspect it also owes something to data protection continuing to be viewed as a rather confusing and esoteric area of the law. I think that this, rather than carelessness, explains the regularity with which I am asked by clients who fear that they may have breached the Data Protection Act 1998 what they should do next. 

The law today 

As with much that it covers, the DPA is not prescriptive. Data controllers are required to process personal data ‘fairly’ (sch 1, first principle). In certain circumstances, this would require data controllers to notify data subjects of breaches that affect them to enable ongoing processing to remain ‘fair’. In deciding whether to continue allowing their data to be processed, data subjects may need to know about particular security vulnerabilities that affect their data (and potentially to take action in respect of the breach, for example to cancel a credit card). 

Public electronic communications services providers (typically ISPs and telcos – but not content providers) have their own additional responsibilities under reg 5A of the amended Privacy and Electronic Communications Regulations. These include notifying the ICO of any ‘personal data breaches’ and potentially also notifying the data subjects.  The ICO can issue monetary penalty notices for failures to comply. 

There were widespread concerns when this law was being implemented that ambiguities in the drafting might make compliance difficult. For example, could the Regulations have an unintentionally broad effect (catching, say, universities offering internet connections to people on campus)? And could this amount to a ‘hair-trigger’ rule, given that all breaches (rather than only ‘serious’ ones) were caught? To date, there have not been significant headlines to suggest that these concerns were justified. However, as I discuss below, with the publication of the new draft General Data Protection Regulation, this question looks set for further debate. 

Help from the ICO 

For organisations other than public electronic communications services providers, the lack of a specific data breach notification law means that they need to take a look at the ICO’s guidance to inform their response. This is not only to fill the gaps in the legislation. With the ICO’s power to impose monetary penalty notices for serious breaches of the DPA (without recourse to the courts), the ICO’s views on breaches demonstrate its likely approach to enforcement action. 

The ICO’s track record is indicative.  At the time of writing, the ICO has issued 17 monetary penalty notices. Though the ICO’s powers can be used in relation to any serious breaches of the DPA, all of the notices have related to breaches of security (seventh principle).

The same is true of the ICO’s published undertakings (http://www.ico.gov.uk/what_we_cover/taking_action/dp_pecr.aspx). Almost all of the penalty notices have involved breaches by public authorities.   

We also have a flavour of the sorts of breaches that cause the ICO concern. In themselves, they do not sound remarkable: loss of unencrypted laptops, faxes and emails sent to the wrong recipients, envelopes stuffed with the wrong papers and web sites being hacked because of poor levels of security. Generally, the ICO has taken action because of aggravating factors: the sensitivity of the information, the vulnerability of the data subjects, the identity of the recipient, the quantity of the information, the repetition of breaches and failures to learn from mistakes. 

These cases can help inform an organisation’s response to a security breach, indicating how seriously it is likely to be treated by the ICO. Also helpful are details of the signed undertakings published by the ICO, where the ICO has decided that the breach does not justify a monetary penalty notice. In some cases, similar breaches (eg lost laptops) do not result in penalty notices, generally because the ICO does not feel that the aggravating factors are sufficiently serious. 

Organisations can also learn from the ICO’s written guidance. Two ICO publications are particularly relevant: 

· ‘Guidance on data security breach management’; and
· ‘Notification of Data Security Breaches to the ICO’.

The former provides some common-sense advice. It suggests that organisations should seek to contain the breach and recover the data, assess the risks of the breach, decide whether to notify the ICO or data subjects, evaluate what went wrong and respond to the breach. It reminds organisations that, in deciding whether to notify, they should consider whether notification would help the individuals and whether a ‘large number’ of people are affected (though pointing out that ‘notifying a whole 2 million strong customer base of an issue affecting only 2,000 customers may well cause disproportionate enquiries and work’). 

The paper on notification provides more specific information. This suggests that, in considering whether to notify the ICO, organisations should consider the potential harm to data subjects and the volume and sensitivity of the affected data. The ICO says: ‘there should be a presumption to report to the ICO where a large volume of personal data is concerned and there is a real risk of individuals suffering some harm’. So loss of passport numbers and financial circumstances are likely to require notification – loss of an encrypted laptop is not. 

The examples are not altogether helpful. Loss of an unencrypted laptop containing names, addresses, dates of birth and national insurance numbers of 1,000 people should be reported. Loss of a marketing list containing contact details of 500 people probably should not. It is not clear where this would leave, say, loss of unencrypted data with national insurance details of 100 people (or a marketing list of 1,000 people). 

Risk analysis 

In some instances, it is obvious whether a breach is sufficiently serious to merit notification. In most, the position is rather greyer. Organisations are therefore left balancing the merits of notification (showing that they are taking the breach seriously, putting their case to the ICO before someone else complains, avoiding criticism for failing to notify) with the attraction of holding back in the hope that it will stay below the ICO’s radar and avoid the bad publicity of enforcement action. In these circumstances, organisations often wait to see how the situation develops before deciding how to act: has the breach been contained and how have data subjects reacted? 

On this basis, it might be argued that improving clarity in data breach notification would be welcomed by data controllers. 

The law tomorrow 

The European Commission’s draft General Data Protection Regulation was finally published earlier this year. Though only in draft form at this stage and still subject to review and approval by member states and the European Parliament, it gives an indication of the direction of travel on data breach notification. The good news is improved certainty. 

The Regulation states that: 

‘In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority.’ 

‘When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification [of the supervisory authority] … communicate the personal data breach to the data subject without undue delay.’

A ‘personal data breach’ means any breach of the security principle (rather than any breach of the other principles). None of the tests that the ICO currently applies to determine whether a breach is sufficiently serious (harm, volume, sensitivity) would apply here. Unsurprisingly, given the huge burden that this would place on the ICO to sift through the large numbers of breaches that would be reported, the ICO has expressed concerns (‘the Commissioner considers this should be restricted to serious breaches only’). 

A possible area of concern – particularly for IT businesses hosting or accessing data on behalf of their customers – is the imposition of obligations on data processors. Under the DPA, processors have no obligations other than complying with the contracts imposed by data controllers. Under the draft Regulation, many of the security obligations apply to both controllers and processors and some only to processors. For example, ‘the processor shall alert and inform the controller immediately after the establishment of a personal data breach’. This amounts to a significant transfer of risk to IT suppliers that have previously been able to limit their exposure to the letter of the contracts with their customers. 

Be careful what you wish for 

Though the draft Regulation would improve clarity, organisations are likely to feel that the proposed law is unduly onerous. I am sure that it will be an area for debate before the Regulation is finalised. For now, organisations will continue to scratch their heads over every security breach (and I will continue to receive calls from worried clients!). 

Peter Wainman is an Associate at Mills & Reeve: www.mills-reeve.com