The ICO has recently, and without much publicity, published on its website a report it had commissioned on the effect of Civil Monetary Penalties. The ICO uses CMPs as both a sanction and a deterrent against a data controller or person who deliberately or negligently disregards the law. The overarching aim, according to the ICO, is to promote compliance and improve public confidence.
Given that this (19 page) report supports CMPs, I’m surprised that it has not attracted more attention. Perhaps, if it were accompanied by an ICO press release, the privacy panopticon more fondly known as the IAPP daily digest might have drawn more attention to it. But no.
The document was formally published the week after many of the UK’s data protection finest had gathered in Central London to mark the launch of the ICO’s Annual Report for 2013-14. But I don't think that anyone at the event mentioned its forthcoming release.
The document contains the output from a team of independent researchers who had interviewed representatives from 14 organisations that had received a CMP. The researchers had also canvassed the views (by means of an online survey) of 85 organisations that had not received a CMP. It’s not clear whether any of the researchers who were involved in this exercise had received any formal data protection training. It might have added to the credibility of the report if the text had contained a section describing what data protection experience and qualifications the researchers actually had.
In the absence of this, we are left to ponder the impact of a report that summarises the views of a small number of respondents.
The key findings included the following:
- Organisations that had been issued with a CMP subsequently took their data protection obligations more seriously, as a result of greater senior management buy-in.
- This greater focus on compliance extended to peer organisations, especially those who appreciated that they shared a range of the shortcomings that had attracted the ire of the ICO’s enforcement team.
- There remains a lack of understanding of just what poor practices trigger the CMP threshold, particularly around the meaning of the terms “serious” and “substantial damage and distress”.
- Some respondents felt there was a lack of transparency about how CMPs were calculated. This could be linked to some organisations expressing discontent about the clarity of the Notice of Intent.
What we don’t know (because the report did not set out to inquire) is how these findings compare with the views (and subsequent behaviours) of data controllers who were subject to other ICO enforcement tools.
Have organisations that have received Enforcement Notices, or who have made Voluntary Undertakings, also taken their data protection obligations more seriously, as a result of greater senior management buy-in? And has this greater focus on compliance extended to peer organisations, especially those who appreciated that they shared a range of the shortcomings that had attracted the ire of the ICO’s enforcement team?
Once we understand the answers to those questions, we might be in a better position to appreciate the relative value of CMPs as an appropriate enforcement tool.
In these circumstances, I think the ICO is to be congratulated for not drawing too much attention to the report.
Source: I am grateful to Janine Regan of Speechlys for drawing this report to my attention.