Stephan Shakespeare’s recommendation that:
“the Government should institute increased penalties for the misuse of personal data, including custodial penalties in cases of deliberate and harmful use of data.”
The report is also quick to point out that data offences involving fraud by false representation would constitute a breach of the Fraud Act 2006, as would bribing another or being bribed contrary to the Bribery Act 2010. Up to two years in prison could also follow the unlawful interception of communications under the Regulation of Investigatory Powers Act 2000 and unauthorised access to computer material under the Computer Misuse Act 1990.
Interestingly we have just seen ICO issue a £55k Monetary Penalty to the North Staffordshire Combined Healthcare NHS Trust for the “entirely avoidable” error of faxing medical data to a member of the public. Is that a ‘reckless disclosure’? If so, should someone go to jail?
For me it raises the question of how ICO decides the penalty framework. Is it:
1. a Civil Monetary Penalty of up to £500k;
2. a fine of up to £5,000 in the Magistrates’ Court; or
3. an unlimited fine in the Crown Court?
I will try to find the answer for my next blog posting.
... and don’t forget the findings of the Leveson Inquiry, which introduced the idea of custodial sentences under section 77 of the Criminal Justice and Immigration Act 2008 (CJIA) for certain data protection breaches.
The prospect of a Data Controller (or an employee) going to jail certainly looks more likely.
Should we be worried as Data Controllers/Data Protection Officers?
It would be easy to ‘over egg this pudding’, but the reality is that the black letter law is hardening. Anyone who reads the current crop of Enforcement Notices will be very familiar with ‘Reckless Disclosure’. At some point, ICO will say ‘enough!’: ‘you knew this could happen, failed in your duty of care, and were reckless with sensitive personal data’.
Does the Open Data Agenda (ODA) increase the risk?
Here are some quotes from the report:
“Our default position is for data to become open where it represents value for money for taxpayers, unless there are robust legal (including FOIA), security, or financial complexities”
“Our relentless focus will be on maximising the amount of data released in this way”
If there is a risk resulting from the ODA, it is that we fail to get to grips with pseudonymisation, Privacy Impact Assessment and the concept of minimum data sets. Organisations well-versed in these areas are unlikely to generate a significant increase in risk.
Indeed, the Shakespeare report points out that:
“we currently have an unrealistic degree of expectation of any data controller to perfectly protect all of our data – an attitude that inhibits innovation”
There is undoubtedly a plate-tectonic-like shift in the legal framework; it is slow (almost imperceptibly so for some), but it has great momentum. It is unstoppable.
Privacy versus disclosure raises searching questions, all in need of an answer. Now that Public Sector Information (PSI) is opening up, the time to answer those questions is upon us!