Thanks. I did not pick up on that point.
However, given the police are involved and someone could go to jail then there is even *less* incentive to report the issue. The point still stands as the issue was around a DPA breach. I do not recall the author exploring data security breaches that would not need to be reported to the ICO.
However, one can make the valid point that a breach in security is going to raise concerns about the ability of an organisation to meet its principle 7 obligations especially as described in schedule 1. Just as the ICO would begin to take an interest if a building holding personal data is repeatedly broken into even if the PD seem unaffected. To be sure, this may be below their radar (they have limited capacity) yet it still would be an aggravating factor in a breach of the DPA involving security of personal data.
Best,
Lawrence
-----Original Message-----
From: Baines, Jonathan [mailto:[log in to unmask]]
Sent: 08 May 2014 11:38
To: Lawrence Serewicz
Cc: [log in to unmask]
Subject: RE: [data-protection] Interesting article on voluntarily reporting data breaches to the ICO
With respect, you miss my point. Libel is a civil matter over which the police have no jurisdiction. By the same token, a data security breach which is not a contravention of the DPA is a matter over which the ICO has no jurisdiction.
Jon Baines,
Chairman
www.nadpo.org.uk
-----Original Message-----
From: Lawrence Serewicz [mailto:[log in to unmask]]
Sent: 08 May 2014 11:34
To: Baines, Jonathan
Cc: [log in to unmask]
Subject: RE: [data-protection] Interesting article on voluntarily reporting data breaches to the ICO
Jon,
Thanks. I would point out that it is for the wife to report the husband as she will know the libel. (A libel cannot occur until someone reads it. :)) The situation here is that the data subject never knows about the breach because the organisation is not reporting it. The issue remains: How to get an organisation to self-report.
For example, how many organisations do a quick risk assessment (which surprise, surprise almost always falls on (let's not tell the ICO and let's not tell the data subject) the side of the organisation rather than the data subject)? Moreover, if the data subject is a vulnerable person in the *care* of the organisation are they really going to complain to the ICO about a data breach given that the organisation controls their *care* and they do not want to be seen as a "problem customer" or a "serial complainer".
What is interesting, in data breaches, is that the data subject is rarely given the opportunity to assess the potential harm from an internal "breach" or "data security incident which have been internally assessed as not a serious contravention." The organisation does that for them. The Poynter report makes depressing but not unsurprising reading on these issues. http://www.out-law.com/page-9210
Moreover, it is for the organisation to decide the public interest and to decide if it is a breach or if it is a security incidence or a DPA contravention. It is a wonder anything gets reported at all given the *disincentives* to disclose and the incentive to bury such incidents (hey, just delete quickly because s.77 only applies once a request is received and that can only happen if the data subject has an inkling of a data breach has occurred.)
Given the SAR 40 day deadline, the need to have an internal review (note ICO annual plan recommending data controllers resolve issues locally before referring them to the ICO) and soon we are 80-100 days into the 180 days. Then assuming the ICO does not have a backlog and assesses the s.42 request we are well beyond the 180 days. (But then we already knew this from previous blogs on the topic.) At best you find that there are bureaucratic ripples suggesting something happened. That assumes that the records management within the organisation is robust enough to capture the pebble dropping into the pond and the organisation has the culture to protect the individual and hold itself accountable.
The underlying issue still remains unaddressed. How to get organisations to self-report. We are seeing that EU is going to deal with this by regulation, which indicates quite clearly that an voluntary reporting regime is less than satisfactory as it indicates quite clearly that the DPA and FOI have failed to balancing the rights of the individual against the organisation.
Best,
Lawrence
________________________________
Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.
Buckinghamshire County Council
Visit our Web Site : http://www.buckscc.gov.uk Buckinghamshire County Council Email Disclaimer
This Email, and any attachments, may contain Protected or Restricted information and is intended solely for the individual to whom it is addressed. It may contain sensitive or protectively marked material and should be handled accordingly. If this Email has been misdirected, please notify the author or [log in to unmask] immediately. If you are not the intended recipient you must not disclose, distribute, copy, print or rely on any of the information contained in it or attached, and all copies must be deleted immediately. Whilst we take reasonable steps to try to identify any software viruses, any attachments to this Email may nevertheless contain viruses which our anti-virus software has failed to identify. You should therefore carry out your own anti-virus checks before opening any documents.
Buckinghamshire County Council will not accept any liability for damage caused by computer viruses emanating from any attachment or other document supplied with this email.
All GCSx traffic may be subject to recording and / or monitoring in accordance with relevant legislation.
The views expressed in this email are not necessarily those of Buckinghamshire County Council unless explicitly stated.
This footnote also confirms that this email has been swept for content and for the presence of computer viruses.
________________________________
Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|