How should a data controller respond to the question “Has the
organisation ever been subject to action by the Information Commissioner
regarding complaints and or enforcement notices?”
Should
a “Rehabilitation of ICO Offenders Act” be created, to set the
expectations of people who ask such questions? After all, if an ex-offender can’t be
questioned about their criminal convictions after a certain period, perhaps
similar standards ought to apply to those who have fallen foul of the folk in
Wilmslow.
A
quick glance at the ICO enforcement site provides some clues to the answer. If
you want to learn who’s been told to stand on the ICO’s naughty step, then this
is a good place to start. The good news is that it lists no details of ICO prosecutions
before June 2011, Enforcement Notices before December 2011, or Undertakings
before May 2011. But it does list all Decision Notices since February 2005, all
Monetary Penalty Notices (ie those awarded since it was given powers in February
2011) and all PECR breaches (ie those awarded since it was given powers in July
2011).
However,
even though the old prosecutions, Enforcement Notices and Undertakings no
longer appear on the ICO’s Enforcement Pages, details can still be found if
you’ve a rough idea of what you’re looking for. Thanks to the mighty internet
search engines (and the sterling efforts of a number of journalists and firms of solicitors), details and occasionally
comments about old enforcement actions can readily be found all over cyberspace.
Should
a responsible data controller take the ICO’s lead, and assume that it is
obliged to reveal details of enforcement actions when they are also available on
the ICO enforcement site, but once they have been removed they can forget about
having been on the ICO’s naughty step?
Some
would suggest that it’s unfair to expect an ex-offender to be required to
reveal information that the Regulator has decided is no longer worthy of
mention on the Regulator’s own website.
I’ve
had a look at the ICO’s own policy on “Communicating Enforcement Activities” to
see if that provided any useful guidance. A policy document was published in
January 2010 and contained a commitment that the policy would be reviewed in
2011. However, it’s not clear if the review took place – and if it did, whether
anything changed.
On the assumption that it has not changed, then (a slightly condensed version of) the ICO’s policy for communicating enforcement and regulatory activities is as follows:
“The default assumption is that we are likely to publicise
enforcement and regulatory activities:
- If it’s already a news story. We would probably also publicise the fact we’re investigating in these circumstances.
- Where there’s an opportunity for education/prevention.
- If it’s new, extreme, a first etc (standard news criteria).
- If it meets a communications, corporate or information rights objective.
- If it would help an investigation to publicise it.
- If there are aggregate stories showing trends etc.
- Where publicity is likely to deter others.
- Where publicity would be in the public interest.
- When releasing information could prejudice a trial.
- When an investigation is underway (and it could be hindered by publicity, or the investigation may come to nothing)
- When we have several similar cases and time or news constraints mean we have to choose.
- If it is too dull or technical to make the news.
- Where we would breach S59 of the Data Protection Act.
Preliminary notices
- More suited to aggregate story, unless there is an overriding public interest to publicise it, all parties agree, if it was already in public domain, or if there is a regulatory need.
Undertakings
- We will publicise undertakings depending on news value and/or if there is a need to address public concerns.
- Where they relate to section 55 and are given by individuals in lieu of possible prosecution they will normally be put on our website in an anonymised form.
- Undertakings will normally be kept on our website for two years.
Prosecutions
- We may inform journalists in advance.
- We will adhere to contemporaneous reporting rules.
- We may issue a news release.
- In some cases we’ll provide the case summary to a journalist.
- We will report on prosecutions in our Annual Report to Parliament. This also goes on our website and will normally be kept on our website for three to four years.
Cautions
- We may publicise cautions depending on news value.
- More suited to aggregate story.
Enforcement Notices
- We will publicise these depending on news value.
- Enforcement notices will be put on our website and reviewed after two years.
Injunction application
- More suited to an aggregate story.
Application for Enforcement order
- We may publicise these depending on news value.
Inspection
- If publicity is desired, we will work with the relevant authority on communicating international inspections.
Information Notice
- We are likely to publicise if it’s in the public domain.
- We may publicise if it helps the investigation.
- We are likely to publicise if there’s an expectation of an update or we need to show we have taken action.
Search warrant
- We will publicise these in aggregate (eg in the annual report).
- We may publicise if it helps the investigation.
- We are likely to publicise if it’s in the public domain.
- We are likely to publicise if there’s an expectation of an update or we need to show we have taken action.
Penalties
- We will not normally publicise the notice of intent to serve a monetary penalty. This is more suited to aggregate story, unless there is an overriding public interest to publicise it, all parties agree, if it was already in public domain, or if there is a regulatory need.
- We will publicise the serving of a monetary penalty.”
There ought certainly to be a right to forgive. I’m just not
sure how we can actually enforce a right
to forget.