Wednesday, 31 July 2013

More evidence of the death of civil monetary penalties?

An interesting enforcement notice has been slapped into the hands of the Chief Constables of the Leicestershire, Derbyshire and Nottinghamshire Police Forces. Usual reason – sloppy data protection handling standards, bordering on the farcical. Here we go again – unencrypted laptops were stolen, containing (among other things) prison records and other details relating to approximately 4,500 offenders from across the forces. 

The subsequent ICO investigation found that an East Midlands Collaboration Unit had been set up for mutual assistance purposes, although it wasn’t clear why the information on the laptops really needed to be pooled. No-one had bothered to carry out a risk assessment to assess what information needed to be pooled to ensure the Unit met its objectives, nor how such information ought to be appropriately protected.

I could go on but I won’t. And I guess that all over the country, some of the more enlightened members of the data protection community are thinking “there but for the grace of God go I”. This unit can’t have been the only one to have been set up, no doubt with the best intentions and with no desire to operate recklessly, but now something has gone wrong, someone will get a good kicking for having allowed the reputation of the police to get another hammering.

What stands out to me is just why, in this case, the ICO decided that an enforcement notice was more appropriate than a Civil Monetary Penalty. After all, the theft of the laptops occurred in August 2010 – some 4 months after the ICO had the power to award Civil Monetary Penalties. So how can the police not be fined when Health Trusts have been fined when they lost similar amounts (and often much less) sensitive personal data? 

Is the ICO appreciating the futility of fining public sector organisations? Or is it just concerned not to damage the close working relationships that must be maintained with the police forces as it works with them and the Crown Prosecution Service to take effective action against the criminals who commit data protection (and similar) offences? Or is it for another reason?

We may get a better idea of the current attitude to fining public sector bodies when the ICO announces what action it will have taken against the Ministry of Justice following the recent admission that a network server containing 400,000 confidential court files – including the personal details of victims and witnesses – was apparently stolen by a subcontractor in January 2012 during the decommissioning of Salford Magistrate’s Court. No-one noticed the theft for several months – until the server was offered for sale on eBay.

Will the MoJ be required to pay a Civil Monetary Penalty for this awful incident? Or will the Minister of Justice simply be served with an Enforcement Notice that requires him to ensure his Department follows the laws he is responsible for drafting more carefully? And how will this affect the quality of the working relationship between the ICO and the MoJ?

I can’t wait to find out.
