It’s worth noting that Selbie left a local NHS Trust to run Public Health England, a national job with a bigger salary. It could be considered a promotion. It’s a bold claim that Lawrence appears to be making here, and not one necessarily backed up by any evidence. I’m also not sure that the Trust’s initial belligerence was extraordinary - the BPAS chief executive said they would appeal but it didn’t happen and they paid up. Sony pursued an appeal for several months, and both Central London Community Healthcare and Scottish Borders Council went through with it, and in Borders’ case, they were successful. Given the flawed reasoning in some of the ICO’s earlier CMP decisions (up to and including Borders), I think it’s extraordinary that there were not more appeals. I am certain that some would have been successful. I’d be quite happy for the Chief Executive to take on the ICO if I was a DPO and the case was good, and would equally relish telling them it was a bad idea if it was.

Some people will not welcome the raised profile and additional responsibilities that being a DPO will involve. It will be a hard job that won’t suit everyone. However, having spoken to many DP officers over the past year, most of them actively want or expect to be the DPO once the GDPR comes into force. I can foresee the potential for conflict between a local DP or IG specialist, and an external contractor brought in above them whose advice is given more sway. Imagine, friends, someone like me swanning into your offices as the DPO-for-hire and giving advice you don’t agree with. The DPO must be consulted in a timely manner on all issues that relate to the processing of personal data, which means the local DP or IG bod becoming the sidekick for the outsider. I would have been seething if, when I was a DP officer, an external contractor was consulted as well as, and perhaps instead of me.

It’s also worth scrutinising the number of people who, having had a career in sales or IT security (or in some cases, no apparent experience of anything), are magically reinventing themselves as GDPR experts and touting for business. These folk will surely move into the DPO on Demand market, and any organisation dipping a toe into these waters will need to do some thorough research and due diligence.  

I personally have little interest in being an external DPO but the idea of going back to being a DP Officer with the autonomy envisaged by the GDPR is tempting. Some DPOs may not get the independence that the GDPR demands, and some organisations will contract it out or force the DPO to work without the recognition they deserve. But frankly, the DPO role is one of the most interesting developments in the GDPR, and if you are a DP or IG person in a relevant sector, you should grab the opportunity with both hands.

-- 
Tim Turner


On 23 January 2017 at 18:15:26, Lawrence Serewicz ([log in to unmask]) wrote:

Dear All,

In all organisations, things take time to change. Usually, organisations take a measured approach to change and succession planning as the Chief Executive (CX) signals when they plan to depart so that the transition can be smooth.

On some occasions, events overtake an organisation. Usually, we can see when an organisation is ill prepared for a departure when they have to appoint an interim CX. The longer the interim period, the more chaotic or abrupt is the departure since the HR service has to organise a search for a replacement, usually with an outside agency, and vet those candidates. 

All of this brings us to Brighton and Sussex University Hospital (BSUH). You may recall they achieved the very dubious distinction of having the largest monetary penalty notice imposed on a public sector organisation by the ICO. The ICO imposed an initial MPN of £325k. This was announced in January 2012. http://localgovernmentlawyer.co.uk/index.php?option=com_content&view=article&id=9004%3Anhs-trust-faces-massive-ico-monetary-penalty-after-hard-drives-sold-on-ebay&catid=174%3Ahealthcare&Itemid=99

The January announcement was bad publicity. However, BSUH did something extraordinary. They decided to fight the MPN both privately and publicly. In much the same way that Haringey initially fought the bad publicity around the death of Peter Donnelly, they thought the best defence was a good offence. Only one person is ultimately responsible for such a strategy—the CX. They may do it because advisors recommend it, but they are the ones who are ultimately responsible.

In April 2012, The CX Duncan Selbie announced he was leaving. http://www.theargus.co.uk/news/9634864.Brighton_hospital_chief_stepping_down/

Here is how he responded *publicly* to the ICO on 1 June 2012.

Chief Executive Duncan Selbie said: “We dispute the Information Commissioner’s findings, especially that we were reckless, a requirement for any fine. We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay. No sensitive data has therefore entered the public domain.” 

Selbie pointed out that it had voluntarily reported “all of this” to the ICO, and claimed that he had been told by the watchdog in the summer of 2011 that this was not a case worthy of a fine.

BSUH’s chief executive added that the ICO had ignored its extensive representations. 

“It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would ‘prejudice the monetary penalty process’,” he said.

Selbie added: “In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.” [Emphasis added]

I would suggest what I highlighted reflected the view of senior managers. Would you want to be the DPO in this organisation, before, during, or after the event? Imagine if you had signed off on the process whereby the disk drives were disposed of. Do you think you would face any scrutiny? In particular, as you are now a publicly identifiable individual and your contact details are available to the public, how will you handle media questions? Have you had media training?

On 9 July, interim CX Chris Adcock announced BSUH was not contesting the MPN and paid the discounted amount of £260k.

http://localgovernmentlawyer.co.uk/index.php?option=com_content&view=article&id=10912%3Anhs-trust-ends-appeal-over-record-ico-fine-and-pays-up&catid=174%3Ahealthcare&Itemid=99

You will note his conciliatory statement.

Adcock added: “There is, however, nothing more odious than one public body having a public argument with another at the taxpayer’s expense. We are not prepared to incur further costs and are therefore paying the ICO £260,000.” [emphasis added]

Mr Adcock is acting after Mr Selbie had left. He would remain the interim CX for 10 months. We see that the BSUH has changed its tune as it has changed CX. It may have suggested that Mr Selbie’s approach, fighting the ICO, was not considered to be in the organisation’s best interest, in particular as the organisation changed course soon after he left.

I will leave it to readers to decide if the security incident contributed to Mr Selbie’s departure.

I would ask list members to reflect on whether they want to be a DPO since the fines in the future can be up to 20 Million Euros. I would suggest you need to consider how an organisation reacted to what was, in effect, a £260k MPN. Do list members think the work they have done as data protection officers has prepared them adequately for this new role? Does the organisation think that it will have an adequate approach to the DPO if it changes the dpo to the DPO?

Best,

Lawrence

Lawrence Serewicz
Information and Records Manager
Transformation and Partnerships
Durham County Council
County Hall
Room 143-148 4th Floor
Durham
County Durham
DH1 5UF

Direct 03000 268 038
Switchboard 03000 26 0000

www.durham.gov.uk
Follow us on Twitter @durhamcouncil
Like us at facebook.com/durhamcouncil
Follow us on linkedin.com/company/durham-county-council

From: Tim Turner [mailto:[log in to unmask]]
Sent: 20 January 2017 07:47
To: Lawrence Serewicz <[log in to unmask]>; [log in to unmask]
Subject: Re: [data-protection] With fines of up to £20million Euros are DPOs ready for that kind of pressure

That's really interesting - which Chief Executive stepped down after an MPN was issued?

Tim Turner

On Thu, Jan 19, 2017 at 10:56 PM, Lawrence Serewicz <[log in to unmask]> wrote:

Dear All,

At the moment, the UK has a DP regime where the max monetary penalty notice is £500k. Since the MPN was introduced, organisations have reacted in different ways. We have seen some organisations fight the MPN to the final stage, incurring legal costs. We have seen CEOs step down after the MPNs were received.

What has occurred is that the MPNs have focused the minds. In that sense, it has made it important for the organisations to get it right. All along, the humble DP officer has been on the sidelines saying “Mind the DPA or the MPN will get you.” With that advice, the organisation operates as it needs to without the DP officer being responsible for either the advice or the organisation. In the end, the organisation can take the advice or operate as they want.

The DPO is a different creature. They will now be responsible for giving clear guidance to the organisation for it to comply with the GDPR. If they get that guidance wrong, if they say “You need to do x, y and z” but it turns out that z was not the correct interpretation of the GDPR, then they will be in for some scrutiny. To be sure, the Data Controller is responsible, not the DPO. The GDPR makes this clear. However, if the DPO has said that is ok, I am certain that organisations will want to ask some questions.

Much will depend on how the organisation sees the DPO and the way their contract is written. The contract will reflect how they are seen to work with the normal GDPR compliance work within the organisation. No matter what, the DPO will be under more scrutiny than the Data Protection officers.

Best,

Lawrence


All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html