Tuesday, 18 September 2012
ICO fines – when is it easier just to pay up and keep quiet?
Many thanks for your recent email asking for my advice on when it may, on balance, be better for your authority to give in and pay whatever fine the Information Commissioner is going to levy, or when there is much benefit in challenging it.
First, let’s get the facts right. Something pretty awful happened. It shouldn’t have happened, and everyone is sorry that it happened. Thankfully, no real damage has been caused to anyone because the incident was spotted pretty quickly and some remedial action was taken. However, a whistleblower informed the ICO about the incident before anyone in your team managed to tell them.
If past form is anything to go by, your authority will be hit with a civil monetary penalty of about £80,000. If you agree to pay the fine quickly, you’ll get a discount of 20% – so the direct cost will be about £64,000.
If, on the other hand, you challenge the fine, you’ll probably face an unrecoverable legal bill of £20,000, and if the Tribunal finds against you, or even holds you partly responsible, you’ll lose the 20% discount – so the direct cost to your authority could well be £100,000.
Let’s suppose, being charitable, that the ICO will find a few things wrong with the processing systems that are supposed to be in place, and which fell down, causing the incident to occur in the first place. It’s not that hard to find fault with at least one of the policies, training, systems or updates, or to find that you lack robust evidence that enough of your staff are aware of all this stuff. There are so many systems that you need to have in place, if you read the official guidance etc. (I’ll write separately in relation to this matter if you need chapter and verse), that you’re going to thank your lucky stars if the ICO only finds a few things faulty.
So, what might happen on appeal? Well, let’s suppose the Tribunal disagrees violently with the ICO and decides to slash the fine by 50%. In my view, that’s not really a win. After all, it’s still going to result in a fine of £40,000 plus the £20,000 legal bill – which is not much of a saving on the original £64,000 figure, especially when you think how drawn out this appeal could be and how much awful publicity the authority could continue to generate until the whole thing is resolved.
So, my message to you is pretty clear.
If it’s a fine of less than £200,000, you may be best placed just to pay up and hope the press focuses their attention on another ICO press release, fast. If it’s greater than £200,000, it may be worth challenging – but make sure that your data protection systems are in a pretty decent shape before you do.
Yes, I know it’s a lot of money – money that could be better spent on training and awareness programmes rather than on fewer services. But, you are stuck between a rock and a hard place. We all know the direction that local authority budgets are heading, so we all know that what is being expected of you is increasingly unaffordable and unachievable. But you shouldn’t be seen as an apologist for sloppy standards.
When you next get a carpeting by the Chief Executive of your newly combined local authority for causing them to divert funds from their supply teacher budget to pay the fine, just remind them of the economics of the situation. They deliberately starved you and your team of the funds that could have helped meet the authority’s statutory responsibilities. The Chief Executive ought to thank her lucky stars that it’s just service users, rather than local authority executives, who will feel the direct effect of these disciplinary measures.
Don’t let them grind you down. It’s not all bad news. Keep plugging away – and keep pointing your press team to the ICO’s web site, so they can see for themselves what is down the track and likely to be heading their way some time soon.
PS – If you are going to copy this advice to anyone else in the authority, please please please remember to use the .bcc field in the address section, not the .cc field. It was so hard to recover that last email from those people whose addresses you really didn’t want to share.