Who: Information Commissioner’s Office
Where: United Kingdom
When: 15 August 2013
Law stated as at: 6 September 2013
The Information Commissioner’s Office (“ICO”) has updated its Data Protection Regulatory Action Policy. The policy sets out the factors that the ICO will take into account when deciding whether to initiate regulatory action in accordance with its regulatory powers under the Data Protection Act 1998 (“DPA”), the Electronic Communications Regulations 2003 and associated legislation. Regulatory action open to the ICO includes monetary penalties of up to £500,000, compulsory data protection audits, and criminal prosecutions.
The policy remains substantially similar to the previous policy published in 2010. The ICO maintains that it adopts a selective approach in initiating and pursuing regulatory action. Key drivers behind regulatory action continue to be issues of general public concern (including those raised by the media), complaints, and concerns that arise because of the novel or intrusive nature of particular activities.
The policy further states that in setting priorities for enforcement the ICO will pay particular attention to the priority areas in its existing information rights strategy (currently healthcare, criminal justice, local government and online and mobile services) and the extent to which market forces act as regulator. This implies that the public sector, which cannot be adequately regulated by market forces, will face increased scrutiny from the ICO. Conversely, the ICO is likely to pay less attention to sectors in which compliance with data protection regimes offer a competitive advantage.
However the new policy does clarify and implement several key updates. These include:
• Increased emphasis on enforcement powers in relation to online data privacy – the updated policy specifically sets out the ICO’s enforcement powers under the Privacy and Electronic Communications Regulations 2003 (“PECR”), which require electronic communication service providers to take appropriate technical and organisational measures. Penalties specific to the PECR that are available to the ICO relating to breaches of the personal data breach notifications of the PECR have been added to the policy. These include monetary penalties of £1,000, power to issue Compulsory Audits and Third Party Information Notices requiring communication providers to supply information on third party usage of electronic communications.
• Impact of the Leveson Report – in line with the ICO’s response to recommendations in the Leveson Report, the updated policy includes a new section on the processing of data for artistic, literary or journalism purposes (“Special Purposes”). In recognition of the public interest in freedom of expression, the ICO emphasizes that its enforcement powers are significantly restricted in these areas: the ICO cannot serve an enforcement notice to prevent the publication of journalistic, literary or artistic material that has not been previously published and before it can take action in relation to published material it must determine that personal data is not being processed only for such Special Purposes and seek court permission (which can only be granted if the court is satisfied that the contravention of the data processing principles being addressed is of substantial public importance). The policy now sets out the ICO’s power to issue Special Information Notices requiring the supply of information necessary to ascertain whether personal data is being processed for a Special Purpose.
Why this matters:
This updated policy should help businesses understand the enforcement process and the risks of non-compliance with the DPA and the PECR. It gives a good indication of the ICO’s continued priority sectors for regulatory attention and reiterates that complaints, issues of general public concern and issues that arise as a result of novel or intrusive activities continue to be key drivers for regulatory action. However whether any measurable improvements in privacy protection will develop in the UK as a result of this updated policy remains to be seen.
The impact of this policy, and in particular its guidance on the ICO’s approach to serving monetary penalty notices, should be considered in light of the fact that a £250,000 fine issued by the ICO against Scottish Borders Council (“SBC”) has recently been overturned by the Information Tribunal on the basis that the ICO had insufficient grounds to justify serving this monetary penalty notice on SBC.
SBC had outsourced the digitization of its pension records to a data processing company. The processor disposed of more than 700 employee pension records (which contained a wealth of personal information relating to SBC employees) in a recycling bin in a public car park. The ICO issued a monetary penalty of £250,000 (the second largest fine ever imposed by the ICO in the UK at the time) under section 55A of the DPA for SBC’s failure to properly check how the pension records would be stored and disposed of by the processor.
Under section 55A of the DPA the ICO can serve monetary penalties for a serious contravention of the DPA that is likely to cause substantial damage or distress. SBC successfully overturned the fine on the basis that the ICO had insufficient grounds to serve the monetary penalty notice: the Information Tribunal agreed that SBC had committed a serious breach of the DPA, but the monetary penalty was unfounded as this breach was not “of a kind likely to cause substantial damage or distress”.
The Tribunal’s decision may not result in any substantial change to the ICO’s enforcement approach. However it will no doubt encourage the ICO to be more vigilant in ensuring any monetary penalties are only issued when it is clear that the relevant data breach did lead, or was likely to lead, to the relevant data subject suffering substantial distress or damage and provides an interesting context to the ICO’s approach to regulatory action going forward.