Monday 9 January 2012

Assessing fair sanctions for Subject Access Mistakes

It won’t be long now before the European Commission publishes its proposals for a revised legal framework, and will then be required to face the reaction. Given that many of the politicians who will be required to take the final vote on the measure may not even have been elected to the European Parliament yet, I don’t want to focus too greatly on the current draft (the infamous Version 56, currently undergoing some form of EC Interservice consultation.

But, I have been wondering how some of the sanctions in the document might be credibly applied. And, as I’ve just completed my own annual review of assessments that the ICO has made of complaints that were made about my current employer, I’ve been wondering just how it could fairly wield some of the very considerable powers that are contemplated.

To be more specific, there are powers to fine data controllers between 500 Euros and 600,000 Euros (or up to 3% of their turnover if they are a company) if they intentionally or negligently impose a standard Subject Access Fee, or fail to fully respond to a Subject Access Request within one month.

Such penalties are about as appropriate as a medieval ducking stool. In 20 years as a data protection professional I’ve never heard of a case where such a penalty is remotely relevant. If any evidence exists, I will be challenging the European Commission (or a data protection regulator) to publish it, to put all our minds at rest.

If I were a determined individual, I could easily cause havoc for data controllers by flooding their offices with Subject Access Requests and then complaining very loudly when, after a month, not enough information had been supplied to meet my whims. And then I would probably complain even louder to the Ministry of Justice and to everyone else who would listen when it became clear that the ICO felt that it had better things to do than to take action against every data controller who was subsequently complained about.

Let’s unpick this a little – because the root cause lies with the European Commission giving vague rights to people, who will then get understandably frustrated when the regulators find it impractical and undesirable to enforce them.

What’s going to happen?

Well, it looks as though the Commission will extent the categories of information about people (and objects) that will fall within the definition of “Personal data”. And, in giving individuals the right to access all this information free of charge (unless they make repeated requests or they are manifestly excessive, in particular because of their repetitive character), I predict that data controllers’ inboxes will soon start to overflow with requests from the mildly (or obsessively) curious, rather than from those who actually need the information for a good reason.

Many applicants do need information for a good reason, They may have a legitimate complaint, or need the stuff to help defend themselves against accusations that they are innocent of. But there are also those people who just appear to have time on their hands. Believe me, I’ve dealt with them.

This is why I like the concept of a Subject Access Request fee, as at least it deters some applicants, particularly those who have unreasonably high expectations of customer service departments. I find that the vast majority of such applicants decide not to pursue their Subject Access Request when they have to exchange just a little bit of their own money for information that most often has been assembled for them at a far greater cost. The costs, of course, are generally in redacting inappropriate material from the raw information initially swept up, removing from the records the information which the applicant is not entitled to see, and simply correcting the short hand, grammar and spelling of contemporaneous notes made by Customer Service Advisors.

But how will the ICO take action when it gets complaints from unhappy Subject Access Request applicants? After all, technical breaches will always occur as it takes time to assemble (and redact) the relevant information, and the ICO will generally only be aware of the cases where an applicant has decided to complain.

In 2011, for example, less than 20 of the some 18 million customers my company deals with complained to the ICO about problems relating to Subject Access Requests. Yes, 20 complaints are 20 too many complaints. But, these 20 complainants comprised less than 3% of all the Subject Access Requests that were dealt with by my company in 2011. And, even after a thorough investigation, the ICO still didn’t find fault with the way that a number of them were had been dealt with. While in others, the fault lie in complicated requests taking slightly longer than 40 days to fully deal with.

So, is an ICO assessment about less than 3% of a corporate workload a cause for concern? Or is it a cause for celebration that the company appears to getting many things right? And just how will the ICO be capable of commencing meaningful disciplinary action against a data controller if it can’t fully take into account the overwhelming majority of cases where, evidently, applicants are satisfied with what they have received?

I really don’t know. But, don’t panic! We’ve got a good few years to find out, before these potentially grotesque fining powers come into force.

The full details of the proposed administrative sanctions are to be found in Article 79.