Thursday, 1 August 2013

ICO’s approach to Civil Monetary Penalties audited

Well done to the ICO for publishing a review into the way it imposes Civil Monetary Penalties. 

Last year, independent auditors were asked to review the ICO’s stance towards CMPs, given the risks that

  • The ICO may not operate a coherent, consistently applied approach to reported breaches;
  • The ICO may not maintain robust records of its investigations into breaches;
  • The rationale for the CMP that it issues may not be transparent to both ICO teams and the general public; and 
  • The ICO may operate an inefficient approach to investigating cases and issuing CMPs.

When they delivered the report, the auditors included the standard gumpf restricting access to the document:  “This report is confidential and is intended for use by the management and Directors of ICO only. It forms part of our continuing dialogue with you. It should not be made available, in whole or in part, to any third party without our prior written consent. We do not accept responsibility for any reliance that third parties may place upon this report. Any third party relying on this report does so entirely at its own risk. We accept no liability to any third party for any loss or damage suffered or costs incurred, arising out of or in connection with the use of this report, however such loss or damage is caused. It is the responsibility solely of ICO management to ensure that there are adequate arrangements in place in relation to risk management, governance and control.”

Fortunately, common sense has prevailed, and someone has taken the decision to publish the entire document on the ICO’s website.  Hurrah for the ICO’s transparency agenda.  Now we can all see where the problems were.

Well, lo and behold, there were few internal problems.  A key audit observation concerned the length of time it took to issue CMPs. While the ICO had set itself an internal target of processing cases within 80 working days (or 112 calendar days), this target had never actually been met. During the period under review, the time to complete ranged from 119 days to 357 days. Some cases were taking up to 63 days to be allocated to a Case Officer.  Explanations for other delays included the time taken for data controllers to respond to requests for information.

Another key audit observation was that the time taken to investigate the cases can lessen the impact of the penalty when it is finally announced. After all, it’s hard to convince a sceptical public that a regulator is serious about compliance when it takes them so long to decide what action to take following knowledge of an incident. Data controllers who misbehave ought to be punished quickly, not so long after the event that some of the key people who were responsible for the inaction may have actually moved on. But this requires more effective ICO casework allocation, and (probably) more investigative ICO resources – which will be a challenge in the current economic climate.

The audit focused on the ICO’s internal procedures for issuing CMPs.  It did not check whether the imposition of CMPs has had a measurable impact in improving data protection standards generally, or even whether the impact of the fines had led to improved data protection standards in those authorities that had been fined.

What I can report, from my perspective as an independent consultant, is that the publicity surrounding the fines to public authorities for their sloppy data handling practices has had a slightly positive impact on me. This is because an increasing number of private companies have contacted me to ask how they might obtain independent assurance as to the quality of their internal data protection standards.

But I have not heard anything from anyone in the cash-strapped public sector. I fear that these guys are unlikely to be capable of affording the investment that will be required to get their houses in order, and I doubt that CMPs will actually make it easier for them to obtain the resources that are required to guarantee reasonable levels of data security.

So, Wilmslow, please continue to wield your fining stick. It’s good for business. My business, anyway. Even though it probably won’t lead to higher standards in the public sector.