Thursday, 3 May 2012

The folly of fining public authorities for data breaches

I just don’t get it. Is it just me? Or are others concerned at the implications, in these straitened financial times, of instructing public authorities to use less of their budgets for public services because they have been responsible for a data breach?

Perhaps the Information Commissioner should have his powers tweaked a bit – so rather than being able to issue Civil Monetary Penalty Notices against public authorities, he should be able to issue a Financial Reallocation Notice, which could force the authority to spend part of their budget on, say, DPA training and awareness schemes, rather than just returning money to the Treasury. It might have a much more powerful effect.

If this seems a stupid idea, then perhaps a group of committed Data Protection Officers might like to join me in running the London Marathon next year, to raise funds for those authorities whose funds were stripped by the ICO. Or we could, say, push a hospital bed around the course, to highlight the fact that a patient was denied use of the bed because a Health Authority had sloppy data handling practices.

Hey, warming to this idea, perhaps we could encourage the Chief Executive of the relevant Health Authority either to join the marathon runners, or to allow themselves to be wheeled around the course in the very hospital bed that had been denied to patients!

If we got the media interested, we could even relocate the charity run from London to Wilmslow. Teams of brightly dressed athletes could start at the Wilmslow flyover, and follow a course to the football players’ homes in Alderley Edge, back past a few run-down schools and a (recently closed) emergency services unit of a local hospital, before finishing in the Commissioner’s car park. And, it being Wilmslow, I expect that minor TV celebrities would be falling over themselves trying to get in on the act too.

Let’s be frank. The novelty factor of fining public authorities is surely wearing off – and it’s really hard to find any evidence which demonstrates a renewed determination on the part of public officials to improve data handling standards just because some of their service users will now have to suffer just that little bit more, since less money will be spent on them.

Does anyone else have any cunning plans that might deliver behavioural change to public authorities faster than a Civil Monetary Penalty? If so, I would be delighted to know.

