Saturday, 19 December 2009

Should the ICO be presumed to have the competence to fine miscreants?

I’ve spent some time over the past few months mulling over whether the ICO should be given powers to fine miscreants, and if so, what maximum fining powers should be available.

My first inclination was to assume that the ICO should be viewed in a manner similar to that of the Financial Services Authority. But I quickly realised that they were very different organisations. Citizens of Canary Wharf and the People's Republic of Wilmslow are not the same. Lots of bling in both locations, but different breeds of regulators. In Wilmslow, you can expect to see the WAG driving the Porsche. Around Canary Wharf, it’s more likely to be the breadwinner.

The FSA plays two quite different roles simultaneously. On the one hand, 750,000 individual complaints are assessed by the Financial Ombudsman Service each year, by the staff of some 860 people, who can deal with cases up to the value of £100,000. And on the other hand, the FSA itself can deal with cases that may not be raised by a specific individual, for example when an unencrypted laptop is lost, and can fine the miscreant £ millions. I have heard complaints that the FOS does not understand the issues it judges on and lacks suitably qualified and experienced staff. Former Chief Ombudsman Walter Merricks has explained that the service employs professionals and graduates from different backgrounds and moves them between different areas to build experience.

I’ve often wondered whether it’s much easier to recruit and employ qualified and experienced professionals and graduates from a central London pool of talent than it is to attract people with the necessary range of skills to Wilmslow. But people obviously do wish to work in Wilmslow. And the “Wilmslow culture” is certainly different to that of Canary Wharf. Think “Guardian reader” rather than “The Financial Times”.

Whether the ICO can keep people for a sufficiently long period in Wilmslow (so they can make a really significant contribution to the organisation) before other employers make them offers they would find hard to refuse is another matter. In a recession, private industry may feel constrained in making too many generous pay offers. But, when the consequences of getting Data Protection “wrong” are as serious as they currently are, the market for Data Protection professionals is comparably strong. (Most companies fear the loss of their reputation following a data breach far more than any ICO sanction.) And, given pressures over budgets within the public sector, will the ICO really be able to compete with the demand for people who think they know what they are doing?

So, this takes me back to my original point. Financial institutions have come to accept the jurisprudence of the FSA, and have come to accept that it has the competency to fine miscreants £ millions when mistakes are made. They also accept the awards made by the FOS, generally without question. And this is because a bond of trust and competence has been built up between the regulators in the FSA’s compliance function and the regulated.

I don’t think that a similar bond exists in the Data Protection world. I have not had (believe it or not) a particularly high level of interaction with the compliance function of the ICO. I’ve been deeply involved in the policy development function for many years, but I can honestly say that I have not yet had the time to build up a comparable level of trust with the ICO’s compliance team. I’ve dealt with a wide range of people who make assessments, but none of them appear to have remained in their post for very long. Perhaps they get promoted or are relieved of the duty to deal with me when they have completed their probationary period...

Anyway, for that reason, I won’t yet be supporting suggestions that the ICO be given powers to fine miscreants at a level which is similar to that of the FSA. I first need to have confidence in their experience and competence. Let them start with a maximum of £500,000 and let’s see what they do with that. For these days, it’s someone’s track record, rather than their promise or potential, which is so very important.