An interesting enforcement notice has been slapped into the
hands of the Chief Constables of the Leicestershire, Derbyshire and
Nottinghamshire Police Forces. The usual reason: sloppy data protection handling standards,
bordering on the farcical. Here we go again: unencrypted laptops were stolen,
containing (among other things) prison records and other details relating to approximately
4,500 offenders from across the three forces.
The subsequent ICO investigation found that an East Midlands
Collaboration Unit had been set up for mutual assistance purposes, although it
wasn’t clear why the information on the laptops really needed to be pooled. No-one had bothered to carry out a risk assessment of what information
needed to be pooled for the Unit to meet its objectives, nor of how such information
ought to be appropriately protected.
I could go on but I won’t. And I guess that all over the
country, some of the more enlightened members of the data protection community
are thinking “there but for the grace of God go I”. This unit can’t have been
the only one to have been set up, no doubt with the best intentions and with no desire
to operate recklessly, but now that something
has gone wrong, someone will get a good
kicking for having allowed the reputation of the police to take another
hammering.
What stands out to me is just why, in this case, the ICO
decided that an enforcement notice was more appropriate than a Civil Monetary Penalty.
After all, the theft of the laptops occurred in August 2010, some four months
after the ICO gained the power to impose Civil Monetary Penalties. So how can the
police escape a fine when Health Trusts have been fined for losing similar
amounts (and often much less) of sensitive personal data?
Has the ICO come to appreciate the futility of fining public sector
organisations? Or is it simply concerned not to damage the close working
relationships that must be maintained with the police forces as it works with
them and the Crown Prosecution Service to take effective action against the criminals
who commit data protection (and similar) offences?
Or is it for another reason?
We may get a better idea of the current attitude to fining
public sector bodies when the ICO announces what action it has taken
against the Ministry of Justice following the recent admission that a network server
containing 400,000 confidential court files, including the personal details of
victims and witnesses, was apparently stolen by a subcontractor in January 2012
during the decommissioning of Salford Magistrates’ Court. No-one noticed the
theft for several months, until the server was offered for sale on eBay.
Will the MoJ be required to pay a Civil Monetary Penalty for
this awful incident? Or will the Minister of Justice simply be served with an Enforcement
Notice requiring him to ensure that his Department follows more carefully the laws he is responsible for drafting? And how will this affect the quality of the working relationship between
the ICO and the MoJ?
I can’t wait to find out.