The latest fine to be issued by the ICO following a data breach has been announced and over the last week has appeared in many articles, blogs and forums. But for those returning from holidays or those that missed it, here is the headline: NHS Surrey has been fined £200,000 by the ICO following the loss of sensitive personal information. More than 3,000 children’s patient records were found on a second-hand NHS computer that was auctioned on eBay.
Whatever angle you look at this from, and indeed whether or not you have even heard of the Data Protection Act, I hope you all agree that this is deplorable: patient records being sold on eBay. Now, whilst there has been a lot of finger pointing and hopefully a full investigation resulting in pragmatic solutions to prevent any recurrence, my issue at this point in time is not with NHS Surrey but with the ICO.
When I first hear about a new data breach I often have mixed feelings. For those organisations that have invested heavily, applied the rigours of security to their systems, processes and procedures, and have still been hacked, I feel some sympathy; for those that have been, say, 'less than diligent', it is a feeling of disbelief.
However, there are those data breaches (e.g. lost and stolen USB drives, laptops, insecure disposal of equipment etc.) that are completely avoidable. Whilst reading the detail of these types of breaches the feeling is one of anger; not only because the breach has occurred, but increasingly because I know that the punishment will be derisory.
Look at the facts:
Google - Unauthorised collection of Wi-Fi details: no fine
Ask yourself what you would have to do to be fined the maximum penalty available to the ICO, £500,000.
Secondly, is any financial penalty enough to ensure that the profile of Data Protection is raised to the levels of accounting standards and health and safety in the minds of directors and stakeholders?
I believe not. Whilst a contravention of either accounting standards or health and safety law usually results in a financial penalty, a contravention of either could also result in the criminal prosecution of an individual (usually a director or company secretary). This is not true for a contravention of the Data Protection Act resulting in a data breach. And before the very knowledgeable people say "failure to comply with the DPA can be prosecuted through the criminal courts": that only pertains to a failure to notify or to comply with an enforcement notice etc., not to negligence resulting in a data breach.
As most data breaches happen because of one or more of the following - poor systems, processes, procedures or training - I have to conclude that these breaches occur as a result of negligence. So is it not time to punish such negligence through the criminal courts?
I believe that this would raise the profile of Data Protection and Data Security to new levels, hopefully resulting in organisations formally auditing these areas as part of their annual audit routines. It would also encourage organisations to adopt 'Privacy by Design' and to undertake 'Privacy Impact Assessments', which would identify the improvements required in systems, processes and procedures and so reduce the risk of a data breach.
Disappointingly, I think that until the ICO has increased powers in this area, and of course uses them, only a minority of organisations will be proactive in commissioning specialist DPA audits.