It is not just a code of practice issue. If they can bring it within s51(7) "The Commissioner may, with the consent of the data controller, assess any processing of personal data for the following of good practice and shall inform the data controller of the results of the assessment." then s55A(3A)(b) kicks in: "The Commissioner may not be satisfied as mentioned in subsection (1) by virtue of any matter which comes to the Commissioner's attention as a result of anything done in pursuance of—... an assessment under section 51(7)"

I guess ICO's view will be that after receiving a voluntary breach notice, (a) *he* decides whether to assess, and that assessment is not therefore by consent under s51(7) but under his other powers - simplified if he also gets at least 1 complaint about the issue as then s42 kicks in; (b) he is satisfied by virtue of things which came to his attention *before* he carried out any assessment.

It cannot have been Parliament's intent that a DC could always avoid a CMP by self reporting a breach to get the protection of s55A(3A)(b). Having said that the argument is more than spurious and it is not impossible that the Tribunal / Court may find itself constrained by the wording, whatever the intention.


----- Original Message -----
From: Baines, Jonathan
Sent: 11/15/12 11:25 AM
To: [log in to unmask]
Subject: Re: [data-protection] Hawktalk: A curiosity concerning the Monetary Penalty Notice issued to Scottish Borders Council

Yes, there was some discussion about this on twitter* a while ago.

Regarding costs, list members might want to read - if they haven't already - Tim Turner's extraordinary blog post on the costs incurred by Brighton and Sussex University Hospital Trust in their abortive appeal -  *£168,000.* (I go a bit light-headed every time I see that figure). This means that, effectively, they paid half a million £s on a case which, if they'd paid the early discount, would have cost them about £250k.

http://2040infolawblog.com/2012/11/11/klf-revisited/ 

Central London Community Healthcare NHS Trust are believed to be using the same firm to assist with their appeal, and someone has made an FOI request to them for the fees they've paid.

It looks like the appeal turns on a possible loophole, whereby the argument is - as I understand it - that if a breach is self-referred to the ICO he is barred under his own statutory guidance from issuing a CMP. 

My reckoning is that the argument would be that a self-referral is a referral of a discrete incident of processing under section 51(7) DPA, for the ICO to determine whether the processing accorded with good practice. His statutory guidance says that he will not issue a CMP if it comes to light as part of a section 51(7) assessment. Normally section 51(7) is used as a full audit provision, but the words could be construed so as to limit the assessment to a single act of processing (e.g. a data breach). Spurious perhaps, but if a Tribunal is persuaded of it, it would negate the biggest enforcement stick the ICO has.

See http://www.computerweekly.com/news/2240171109/Will-the-ICOs-big-stick-approach-backfire-long-term which strangely says it is an unnamed Trust which is appealing.

Jonathan Baines
Complaints and Information Rights Officer
Legal and Democratic Services
Buckinghamshire County Council
Ground Floor, New County Offices
tel: 01296 383681

*I continue my quest to persuade Chris that twitter is an excellent resource/tool
