For the first time in its history, the UK’s data protection watchdog has come clean on how it will enforce data laws going forward in a ‘Strategy for Data Protection Regulatory Action.’ What’s more, it’s also threatened to put its money where its mouth is.
Topic: Privacy
Who: The Information Commissioner's Office
Where: Wilmslow, Cheshire
When: November 2005 – January 2006
What happened:
In November 2005 the UK data protection watchdog The Information Commissioner's Office ("ICO"), published "A Strategy for data protection regulatory action". In February 2006 it followed this up with an uncharacteristically combative announcement of likely enforcement action against cold calling in breach of the Privacy & Electronic Communications (EC Directive) Regulations 2003 ("2003 Regs").
The strategy document begins by summing up what it calls "the overriding data protection imperative" of the ICO. This is:
"to take a practical, down to earth approach – simplifying and making it easier for the majority of organisations who seek to handle personal information well, and tougher for the minority who do not".
This nets out, the ICO continues, to a "targeted, risk-driven approach to regulatory action".
Summing up the ICO's aims in this area, the strategy states that regulatory action will be taken where personal information is at risk because:
- obligations are deliberately or persistently ignored; or
- examples need to be set; or
- issues need to be clarified.
Five principles of good regulation
The paper lists five principles of good regulation which will be its guiding lights. These are Transparency (the ICO being open about the actions it is taking and the outcome), Accountability (reporting its actions in its annual report to parliament and making sure those on the wrong end of regulatory action are aware of their rights of appeal), Proportionality (not resorting to formal action where it is satisfied that the risk can be addressed by negotiation or other less formal means), Consistency and Targeting.
The ICO arsenal
The paper then goes on to remind us of the various enforcement weapons which are at the ICO's disposal.
These include
- criminal prosecution under the 1998 Data Protection Act
- a formal Enforcement Notice requiring an organisation to take action specified in the Notice
- applications to the court for an Enforcement Order under Section 213 of the Enterprise Act 2002 requiring a person to cease conduct harmful to consumers
- an audit conducted (but only with the consent of an organisation) as to whether that organisation is processing personal data and is following good practice and
- Negotiation", which is not of course a form of regulatory power but a form of regulatory action that the ICO says will be used widely in order to bring about compliance with the Act.
Other powers can be used in connection with regulatory action. These include service of an Information Notice requiring an organisation to supply the ICO with information specified in the notice in order to enable the ICO to assess whether the Data Protection Act or for instance the 2003 Regs have been complied with.
Separately a Search Warrant can be obtained, which on grant by a judge gives the ICO powers of entry and inspection where there are reasonable grounds for suspecting that data protection offences have been committed.
Selective approach to regulatory action
The paper then lists the criteria which will guide ICO decisions about when to take regulatory action. These will usually be:
- issues of general public concern including those raised in the media;
- concern arising because of the novel or intrusive nature of particular activities;
- concerns raised with the ICO in complaints that it has received;
- concerns that become apparent through the ICO's other activities;
The ICO says that it will not place unreasonable demands on organisations selected for attention, but it will expect cooperation even if there is no strict legal obligation on the organisation to do so. Furthermore, if the organisation does not co-operate, the ICO threatens to name and shame them.
In something of a new initiative, the ICO also says it will work with outside providers to encourage and support the development of reputable data protection audit services.
As regards formal regulatory action, this will only be taken where the ICO's criteria are satisfied and either a sanction for criminal breach or formal action to bring about compliance is a proportionate response and an outcome that is reasonably achievable.
Key factors in enforcement action decisions
The ICO says that in determining whether to take action, the form of the action and how far to pursue it, it will apply the following criteria:
- is the past, current or prospective detriment for a single individual resulting from a breach so serious that action needs to be taken?
- are so many individuals adversely affected, even if to a lesser extent, that action is justified?
- is action justified by the need to clarify an important point of law or principle?
- is action justified by the likelihood that the adverse impact of a breach will have an ongoing effect or that a breach will recur if action is not taken?
- are the organisation and practices representative of a particular sector or activity to the extent that the case for action is supported by the need to set an example?
- is the likely cost to the organisation of taking the remedial action required reasonable in relation to the issue at stake?
- does a failure by the organisation to follow a relevant guidance, code of practice or accepted business practice support the case for action?
- does the attitude and conduct of the organisation in relation to the case in question and more generally in relation to compliance issues suggest a deliberate, wilful or cavalier approach?
- how far does the ICO have a responsibility to organisations that comply with the law to take action against those who do not?
- would it be more appropriate or effective for action to be taken by other means (e.g. another regulator legal action through the courts)?
- is the level of public interest in the case so great as to support the case for action?
- given the extent to which pursuing the case will make demands on ICO resources, can this be justified in the light of other calls for regulatory action? and
- what is the risk to the credibility of the law or to the ICO's reputation and influence in taking or not taking action?
Four units for delivery
The ICO's regulatory action division will be charged with delivery of this strategy through four units.
The Remedies Unit will be responsible for negotiating the resolution of non criminal cases where there appears to be a breach in the law and remedial action is required.
The Audits Unit will be responsible for systematically checking an organisation's compliance with good practice.
The Enforcement Unit will be responsible for non criminal infringement action in cases where it is not possible or it is inappropriate to achieve remedial action by negotiation.
The Investigations Unit will be responsible for bringing professional investigatory skills to bear on all aspects of the division's work.
Types of conduct likely to lead to enforcement action
The paper concludes with some examples of the types of conduct which will lead the Information Commissioner to consider using his formal regulatory powers. These include, especially after a prior warning:
- repeated failure to take adequate security measures;
- inaccurate or long outdated information;
- seriously intrusive marketing, for example repeated failure to observe telephone preference service requirements;
- failure to notify despite reminders;
- denial of subject access where it is reasonable to suppose significant information is held.
Conduct not likely to lead to enforcement action
Then there is a list of conduct which is unlikely, the ICO says, to lead to regulatory action. Examples of these are, though they come with no immunity guarantees:
- accidental" non-compliance with the data protection principles which is recognised and where effective remedial action is swiftly taken;
- business v business disputes where there is no detriment to customers;
- single non criminal breaches by small businesses caused by ignorance of requirements;
- non compliance which is not particularly intrusive and does not cause significant detriment, for example a single mail shot.
Sabre rattling at telemarketers
Following on from this development, the ICO announced in February 2006 that it anticipated taking formal action against cold callers who were failing to comply with the telephone preference service and the 2003 Regs. If appropriate assurances were not received that the relevant companies would be complying with those regulations, the ICO stated it would take formal action, possibly by way of an application for an enforcement order under the Enterprise Act 2002, requiring the relevant persons within those organisations to cease the harmful conduct.
Why this matters:
As previously reported on marketinglaw, the ICO has been since its inception hamstrung by limited resources and enforcement powers. However, even when the ICO has been handed further enforcement powers, indirectly by way of the Enterprise Act 2002 for example, precious little action has been taken to date. This Strategy paper certainly confirms that the ICO has to be selective in the taking of enforcement action, but we will have to wait and see whether all the sabre rattling and threats will lead to a tougher stance being taken against those who blatantly breach data protection laws.