Not long ago, I did a data protection audit for a medium-sized company (about 1,000 employees). Their data protection officer had other responsibilities and they were concerned that he might not be able to keep up to date with the Act. I recommended use of the ICO website as an infallible way of always keeping up to date. The ICO Home Page contains all the latest news and the RSS feed will also enable new material to be picked up. But recently a couple of things have happened to cause me to reconsider that.
First there was the successful appeal by Scottish Borders Council against a monetary penalty of £250,000 imposed by the Commissioner in Sept 2012. The infringement was caused when a contractor to the Council to digitise its pension records and dispose of the spent paper files simply dumped the files in recycling bins. The Appeal to the Information Tribunal resulted in July of this year in overturning the penalty on the grounds that the infringement of the Act though serious was not of a kind likely to result in substantial damage or substantial distress.
I suppose it might just be considered a set-back for the ICO. But the essential point must be that data controllers should always bear in mind the possibility of substantial damage or substantial distress, particularly when conducting a risk assessment – no bad message surely. Yet it never appeared as a News item on the ICO Home Page[1].
Secondly on 25 August 2013 new EU Regulation 611/2013 came into force. It is concerned with data breaches, and the need for them to be notified to the Commissioner and sometimes also to the individuals whose date has been compromised. Admittedly the Regulation affects only ISPs and the like – a select body of organisations and, it must be confessed, one whose record on data loss is pretty good. It is also the case that the new EU Regulation overlaps with our own Regulations 5A to 5C of the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended in May 2011 (SI 2011 No 1208), so one would like to hope that all ISPs were at least two thirds of the way to implementing the requirements anyway. In September, the Commissioner issued a revision to his Notification of PECR security breaches (Version 2), but it was announced with no fanfare and was not in a prominent place on the Home Page[2].
Instead we have been treated on the Home Page to more and more blogs from the ICO, prominently displayed as News. The present Commissioner has of course a background in advertising, so might be supposed to be interested in publicity in its widest sense. I see nothing wrong with that, provided the essential stuff is also provided. Could he ensure that we – and our clients – can always and swiftly be alerted to everything that defines or refines the law?
Richard Morgan is an IT Consultant and Fellow of the British Computer Society. For many years he was Computer Officer at the two Houses of Parliament. He is a founder member and a past Chairman of SCL. He is the author with Kit Burden of Morgan & Burden on Computer Contracts, 8th edition Sweet & Maxwell 2009, and of Legal Protection of Software: A Handbook, xpl (formerly EMIS) 2002, and with Ruth Boardman of Data Protection Strategy, 2nd edition Sweet & Maxwell 2012.
[1] SCL readers have known about this since 30 August.
[2] Again SCL readers were told on 26 September.
