Wednesday 24 November 2010

Fines – the ICO’s poker game begins

Today’s announcement that Hertfordshire County Council has accepted the fine from the Information Commissioner for its sloppy procedures that failed to prevent details of a child sex abuse case from being sent to a member of the public sets an extremely interesting precedent. And if I were a Hertfordshire council tax payer I would be furious that the Council didn’t take steps to challenge the fine. The council may well have behaved disgracefully, but is this misbehaviour really worth £100,000? That amount would probably be enough to employ another couple of workers in the Council’s Childcare Litigation Unit to help prevent more children from being abused.

I would love to know who thought it would be the easy way out, just to pay the fine and hope the matter will die away. They may have though that “it’s only public money” – but it does means that this public money won’t be able to be spent on the vital stuff that the Council was supposed to finance. Like a parking fine, the penalty will be discounted by 20% if the Council makes the payment to the Commissioner by 21 December.

Who’s going to be so accountable that they actually lose their job over this mistake? I only hope that their payment procedures are not so poor that the money isn't paid in time for the Council to take advantage of the 20% discount.

There is really serious point here, though.

The Council did not have to accept the finding. They could have appealed to what is now called the (First-tier Tribunal) General Regulatory Chamber, and at that stage the Commissioner would have been required to provide a more detailed explanation, together with some evidence, about the way the fine was set. Some words of explanation are set out in the decision notice, but I don’t see enough about how the Commissioner has quantified the harm that may accrue to an individual as a result of the poor processes that the Council had adopted.

Data controllers need to carefully appreciate the Commissioner’s thought process, as I expect that risk catalogues will now be revisited in the light of this decision – and the decision in that of A4e Ltd, also announced today, who managed to lose an unencrypted laptop containing details of 24,000 clients to whom confidential legal advice had been provided. The loss occurred during a burglary at the home of a home-worker. Despite being in the midst of a laptop encryption programme when the unfortunate article was stolen. A4e Ltd were subsequently fined £60,000 – again with a 20% discount if they pay before 22nd December.

There is a right of appeal, against both the imposition of the monetary penalty and the amount of the penalty specified in the monetary penalty notice.

Now, since I don’t know what legal advice or research has been carried out to assess how well the Commissioner had managed to quantify harm in these cases – and how his assessments match up to those awarded by judges who are required to make rulings in other liability trials, I would welcome a “friendly” appeal to the First-tier Tribunal to “sanity check” these penalties.

And could I also suggest that an experienced data protection lawyer offer his services on a pro bono (voluntary) basis to Hertfordshire County Council. The council may be incompetent, but they need all the money they can get to make life less miserable for those at risk who live in that county. That lawyer will make a real name for themselves if they manage to reduce, or quash, these initial penalty notices.

Penalty notices like this affect all data controllers, not just those who get caught.