Saturday, 14 November 2009

“Am I bovvered?” (Setting a maximum penalty for data breaches)

Has the Ministry of Justice embarked on yet another attempt to undermine the Information Commissioner’s Office?

That was the first thought that came into my head when I read the “consultation document” the MoJ has recently rushed out on setting the maximum penalty the Commissioner will be able to impose for serious breaches of data protection principles.

To be brutally honest though, it’s not really a proper consultation document. Those awfully clever mandarins at the MoJ have managed to publish something which has 22 pages. But it really is a dead cert to win the annual “Don’t tell him, Pike” award (sponsored by the BBC's "Dad's Army" programme) for the crassest attempt to provide as little evidence as possible on which consultees can base their views.

What would an uneducated reader learn from the consultation document itself? Hardly anything. The proposal is set out (on page 8) in 123 words. The background to the issue is sketched out in 198 words, while the “evidence” on which views are sought is covered (on pages 8 and 9) in just 190 words. And that’s it. There’s nothing else to read, really. Blink and you’ve missed it.

The real evidence – and the really interesting stuff – is tucked away elsewhere, about which there is just one single reference in the entire consultation document. This is the "Impact Assessment", which is 33 pages in length and contains some very interesting assumptions about just how the Information Commissioner’s Office would really use the powers it was given.

In a nutshell, the MoJ mandarins have worked out what the Information Commissioner might do if he were able to award maximum fines of £50,000, £500,000 or £2.5 million per offence. If the maximum fine were to be just £50,000, then 12 data controllers would be in for the chop each year. If the maximum fine were to be raised to £500,000, then just 8 data controllers would be up before the beak. But, if the maximum fine were to be a whopping £2.5 million, only 6 data controllers would need to stiffen themselves for a whacking every year. These assumptions appear on pages 4, 6 and 8 of the analysis.

Somewhat confusingly, page 17 of the analysis reports that the ICO estimates that monetary penalties are imposed approximately 25 times each year for serious contraventions. I can only explain the difference in these statistics by assuming that this larger figure refers to court fines, rather than the new penalties that are being discussed in this consultation document.

The bean counters have also done their sums in anticipation of the income that would be generated from those caught in the firing line. Should the maximum penalty be £50,000, the working presumption is that each of the 12 will be fined £25,000 (raising some £300,000). If the maximum fine were to be £500,000, the 8 unfortunates will be fined £100,000 (raising £800,000). Finally, if the maximum fine were to be £2.5 million, the 6 miscreants will be fined £1 million (raising £6 million).

In 2009 there were about 319,000 data controllers registered on the public register of data controllers. So if they all behave alike, they can’t each expect to get caught that often. If the maximum fine were to be set at £500,000 then they might expect their own £100,000 fine to be levied once every 39,875 years. So if I were a data controller’s accountant, I would suggest that they set aside £2.50 each year for the “ICO statutory fine” pot.

And what would the benefits be to society? It’s been assessed that if the maximum fine were £50,000 or £500,000, then controllers would take additional precautions that would result in 4 serious data breaches being prevented every year. And if the maximum fine were to be increased to £2.5 million, then the additional controls might ensure that 6 serious data breaches would be prevented every year. These really are the assumptions that appear on pages 4, 5 and 7 of the analysis.

That does not appear (to me) to be much of a deterrent. Nor, it is assessed (by me), will it have much of an impact.

Custodial sentences, on the other hand, might concentrate the minds of some of the more reckless data controllers. But that's my view - not the stated views of any of the MoJ mandarins, as far as I have been able to glean from the two MoJ documents I've referred to in this blog.

I was interested to understand whether the MoJ felt that larger companies would feel more motivated to improve their data protection standards if larger fines were likely. After all, the Financial Services Authority is able (and willing) to fine banks and other financial institutions millions of pounds for inadequate security controls, yet it appears that the ICO is not to be allowed to award similar fines when data controllers allow other breaches to occur. It's not at all clear why the protection of someone's financial information is apparently more important than the protection of their “sensitive” personal information about matters such as their health, sexuality, religious views, political persuasions or criminal background.

And I’m still none the wiser.

So, what messages should the reader be picking up from the MoJ, as it strives to find a slogan that most adequately sets out its aspirations? Having recently re-read (bits of) Jonathan Swift’s “Gulliver’s Travels”, I think it’s fair to assume that, as power is steadily devolved from Westminster to the “People’s Republic of Wilmslow”, visitors to that new land should expect to be greeted by natives who are as friendly as those who lived in Lilliput, rather than as fearsome as the gigantic beasts that Gulliver encountered during his later voyage to Brobdingnag.