

Jonathan,
Thanks for the email. I appreciate that it is Friday. ☺ I also appreciate that Scottish Borders had a good case and they were right to fight. In that case, the MPN was not appropriate as they argued.  I wonder if the ICO used them as a test case for data processing contracts.  If nothing else, it certainly forced organisations to focus on that issue, the data processor contracts, more than they might have before the publicity around the fine and the tribunal.

Despite this, I am still of the view that what you have referred to is the overwhelming majority approach across all organisations. The best example is the one involving the hospital where the disks they said had been cleaned were showing up on eBay. I really doubt they were in the position where Scottish Borders was with the contravention that was unlikely to cause substantial damage and substantial distress. Instead they fought that to the hilt. I believe they spent over £200k on the case. Another person might comment on the mind-set within such organisations and the approach to risk and regulators that reflects, but I am not going to do that.

Instead, I want to focus on whether compliance work is increasing since 2010 or whether it is the same as it was before the fines. I noticed that Caldicott II stressed that DPA training had to avoid the “sheep dip” approach. It had to develop officers’ judgment and understanding of how to apply or work with the act. Yet, we see from the information sharing consultation that most organisations fail to share out of culture, lack of training, blame avoidance, and ignorance of the law. All of these could be rectified by better training and better management. To put it differently, but directly, how many s.61 breaches have been pursued by the ICO? By contrast the number of people dismissed if not quietly allowed to leave for inappropriate access to computer systems remains high. Yet, we never see a s.61 prosecution around these cases.

I wonder if fines or any regulatory system only encourages blame avoidance, rather than improving compliance, so that we see the world that Christopher Hood described so well in his excellent article “What happens when transparency meets blame avoidance”.

Best,

Lawrence




From: Baines, Jonathan [mailto:[log in to unmask]]
Sent: 08 November 2013 15:54
To: Lawrence Serewicz; [log in to unmask]
Subject: RE: Article

Hi Lawrence

I was being slightly flippant, and my message was typed quickly. It should have said “If I were a data controller and of the opinion that there had not been a serious contravention of the DPA of a kind likely to cause serious damage or serious distress, I would be appealing it aggressively”.

The point from the Scottish Borders case though is that there was a contravention of the DPA (DPP7), and it was a serious contravention. However, it was not of a kind likely to cause substantial damage or substantial distress. Why should a data controller not robustly appeal a notice which it believes was not in accordance with the law? In fact, in the case of a public authority, *not* appealing in those circumstances would potentially be in breach of its fiduciary duty.

Of course we should all promote compliance, ferociously and vociferously. Equally, the ICO should ensure it issues MPNs which are in accordance with the law.

Cheers
Jonathan

Jonathan Baines
Complaints and Information Rights Officer
Legal and Democratic Services
Buckinghamshire County Council
01296 383681
Follow us on twitter @buckscclegal




From: Lawrence Serewicz [mailto:[log in to unmask]]
Sent: 08 November 2013 15:38
To: Baines, Jonathan; [log in to unmask]
Subject: RE: Article

Jonathan,
I often find it interesting that data controllers are so vociferous and ferocious in their defence against an MPN. In many cases they pay QCs upwards of £500 an hour for their services. (By the way the QCs are worth that money so no problem with their skill set). What always puzzles me is why they did not spend that type of money preventing the breach. More to the point, why do they appear not to have had that ferocious and vociferous approach to compliance?

I believe everyone has a right to a fair hearing and they are right to a forensic analysis of the case against them. Yet, I cannot help wondering if that sends the right message to their own organisation. They spend so much time and effort fighting the penalty. Is there a lesson about a stitch in time saves nine? So, is the lesson that we should learn that we get a good QC or that we promote compliance to prevent MPNs? If there was no breach, would there have been an MPN?

Sir Alex Ferguson’s approach to referees only worked, in large part, because Manchester United were so good.  If they had been a relegation club, would the referees have been as deferential? Perhaps the referees were not that good, however I have never seen a referee score a goal.

Best,

Lawrence



From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Baines, Jonathan
Sent: 08 November 2013 14:53
To: [log in to unmask]
Subject: Re: [data-protection] Article

Agree completely. The “if you do/don’t do this” you run the risk of a £500,000 fine concentrates people’s minds very quickly.

That said, if I were a data controller in receipt of an MPN I would probably be appealing it aggressively!


Jonathan Baines
Complaints and Information Rights Officer
Legal and Democratic Services
Buckinghamshire County Council
01296 383681
Follow us on twitter @buckscclegal

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html