The ICO has recently, and without much publicity, published on its website a report it had commissioned on the effect of Civil Monetary Penalties. It uses CMPs as both a sanction and a deterrent against a data controller or person who deliberately or negligently disregards the law. The overarching aim, according to the ICO, is to promote compliance and improve public confidence.
Given that this (19 page) report supports CMPs, I’m surprised that it has not attracted more attention. Perhaps, if it were accompanied by an ICO press release, the privacy panoptican more fondly known as the IAAP daily digest might have drawn more attention to it. But no.
The document was formally published the week after many of the UK’s data protection finest had gathered in Central London to mark the launch of the ICO’s Annual Report for 2013-14. But I don't think that anyone at the event mentioned its forthcoming release.
The document contains the output from a team of independent researchers who had interviewed representatives from 14 organisations who had received a CMP. The researchers had also canvassed the views (by means of an online survey) of 85 organisations that had not received a CMP. It’s not clear whether any of the researchers who were involved in this exercise had received any formal data protection training. It might have added to the credibility of the report if the text had contained a section describing what data protection experience and qualifications the researchers actually had.
In the absence of this, we are left to ponder the impact of a report that summarises the views of a small number of respondents.
The key findings included the following:
- Organisations that had been issued with a CMP subsequently took their data protection obligations more seriously, as a result of greater senior management buy-in.
- This greater focus on compliance extended to peer organisations, especially those who appreciated that they shared a range of the shortcomings that had attracted the ire of the ICO’s enforcement team.
- There remains a lack of understanding of just what poor practices trigger the CMP threshold, particularly around the meaning of the terms “serious” and “substantial damage and distress”.
- Some respondents felt there was a lack of transparency about how CMPs were calculated. These could be linked to some organisations expressing discontent about the clarity of the Notice of Intent.
What we don’t know – because the report did not set out to inquire, was how these findings compare with the views (and subsequent behaviours) of data controllers who were subject to other ICO enforcement tools.
Have organisations that have received Enforcement Notices, or who have made Voluntary Undertakings, also taken their data protection obligations more seriously, as a result of greater senior management buy-in? And has this greater focus on compliance extended to peer organisations, especially those who appreciated that they shared a range of the shortcomings that had attracted the ire of the ICO’s enforcement team?
Once we understand the answers to those questions, we might be in a better position to appreciate the relative value of CMPs as an appropriate enforcement tool.
In these circumstances, I think the ICO is to be congratulated for not drawing too much attention to the report.
I am grateful to Janine Regan of Speechleys for drawing this report to my attention.