ICO: new powers and penalties PowerPoint PPT Presentation



Presentation Transcript



ICO: new powers and penalties

Mick Gorrill

Assistant Commissioner

Sally Anne Poole

Head of Enforcement and Investigations



New powers and penalties

  • Presentation:

    • New structure

    • Powers and Penalties

    • What this means to Data Controllers?

    • What is an appropriate penalty? Your views on the scale of the monetary penalty.


New structure

  • The Regulatory Action Division (RAD) will become the Enforcement Division

  • Currently RAD:

    • Data protection enforcement

    • Audit and investigations (S55 Data Protection Act, S77 Freedom of Information Act)


New structure

  • Enforcement Division:

    • Responsibility for Data Protection Act and Freedom of Information Act

    • Bigger enforcement teams

    • Concentration on serious breaches of the DPA and FOIA

  • Audit will become a separate division


Powers and penalties

  • Covers mainly the new Monetary Penalty

  • Also, our current investigation into self-reported security breaches

  • Still problems with unencrypted portable media devices, and with poor governance and risk assessment



Background

  • Significant losses of personal data in 2007

  • Existing powers deemed inadequate

  • Public calls for criminal offence

  • Preferred option was power to impose a Monetary Penalty – civil sanction

  • New power inserted into section 55 of Data Protection Act 1998 by section 144 of the Criminal Justice and Immigration Act 2008 (CJIA)



Policy objectives

  • Enhanced power for ICO to impose monetary penalties

  • Sanction and a deterrent to data controllers who may otherwise ignore their responsibilities under the Data Protection Act

  • Encourage data controllers to approach ICO and promote compliance

  • Improve public confidence



Legislative framework

  • Section 144 CJIA inserted section 55A-E into DPA 1998 – In force on 6 April 2010

  • The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010

  • The Data Protection (Monetary Penalties) Order 2010

  • Statutory guidance about the issue of Monetary Penalties – section 55C


Main features

  • ICO may serve a Monetary Penalty Notice on a data controller requiring payment of a Monetary Penalty which must not exceed £500,000

  • Applies to all data controllers in the private, public and voluntary sectors, except the Crown Estate Commissioners or a person who is a data controller by virtue of section 63(3) DPA 1998 (the Royal Household)



Specific requirements

  • Before the ICO can impose a Monetary Penalty it has to be satisfied under section 55A DPA 1998 that:

    • There has been a serious contravention of data protection principles by the data controller,

    • The contravention was of a kind likely to cause substantial damage or substantial distress and either…



Specific requirements (contd.)

  • The contravention was deliberate or,

  • The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention



General approach

  • Only applies to serious contraventions of data protection principles

  • May be wide variations depending on the circumstances of each case

  • Financial resources will be a factor

  • New territory for the ICO and further guidance will be produced based on actual precedents

  • ICO may still serve an Enforcement Notice


Enforcement Notice

  • S40 DPA 1998

  • If the Commissioner is satisfied that a data controller has contravened or is contravening any of the DP principles, the Commissioner may serve him a notice requiring him…

    • …to take… or refrain from taking… such steps


Enforcement Notice

  • …to refrain from processing any personal data… purpose or manner… time so specified…

  • In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress.



Factors making imposition of a Monetary Penalty more likely

  • Seriousness of contravention

  • Nature of personal data involved

  • Duration and extent of contravention

  • Number of individuals actually or potentially affected by the contravention

  • Matter of public importance

  • Example – security breach


Factors making imposition of a Monetary Penalty more likely

  • Contravention was of a kind more likely than not to cause substantial damage or distress to one or more individuals:

    • Considerable in importance, value, degree, amount or extent

    • Not perceived but of real substance

    • Damage is financially quantifiable

    • Injury to feelings, harm or anxiety suffered by one or more individuals


Factors making imposition of a Monetary Penalty more likely

  • Contravention was deliberate:

    • The contravention was deliberate or premeditated

    • Data controller was aware of and did not follow relevant advice published by ICO and others

    • Series of similar contraventions and no action taken by data controller to rectify cause of original contraventions


Factors making imposition of a Monetary Penalty more likely

  • Knew or ought to have known:

    • Contravention was or should have been apparent to a reasonably prudent data controller

    • Failure to carry out any risk assessment

    • No evidence that data controller recognised risks of handling personal data

    • Cavalier approach to compliance


Factors making imposition of a Monetary Penalty more likely

  • Failed to take reasonable steps to prevent the contravention:

    • Inadequate procedures, policies, processes and practices in place

    • No clear lines of accountability

    • Failure to implement guidance or codes of practice published by ICO or others

  • Not exhaustive



Factors making imposition of a Monetary Penalty less likely

  • Contravention was caused or exacerbated by circumstances outside direct control of data controller

  • Data controller has already complied with requirements of another regulatory body

  • There was genuine doubt or uncertainty that any relevant conduct, activity or omission was a contravention



Next steps – Notice of Intent

  • ICO must serve a data controller with a Notice of Intent setting out the proposed amount

  • Notice of Intent must contain prescribed information and provide the data controller with at least 21 days to provide written representations to the ICO beginning with the first day after date of service



Next steps – Monetary Penalty Notice

  • ICO must consider any written representations before deciding whether to issue a Monetary Penalty Notice

  • ICO may decide to issue a Monetary Penalty Notice requiring a data controller to pay the amount specified

  • Alternatively ICO will inform data controller that no further action will be taken


What does this mean for data controllers?

  • ICO not seeking to impose many monetary penalties

  • However, there is still some concern:

    • Self-reported security breaches, for example

    • Unencrypted portable devices

    • Serious breach?


What does this mean for data controllers?

  • In most cases where there is poor security there is also excessive information and poor retention

  • In the security breaches reported to the ICO there is still little evidence of privacy impact assessments and/or risk assessment


What does this mean for data controllers?

  • Undertaking – not always appropriate:

    • Alternative to an enforcement notice?

    • Serious principle breach?

    • Good new procedures in place?

    • Prevention of a recurrence?

  • If serious breach – monetary penalty

  • Still use enforcement notices



What is an appropriate penalty?

Sally Anne Poole

Head of Enforcement and Investigations


What is an appropriate penalty?

  • The following seven cases, in our view, involve:

    • a serious contravention of data protection principles by the data controller,

    • a contravention of a kind likely to cause substantial damage or substantial distress, and either…

    • …deliberate, or the data controller knew or ought to have known that there was a risk…


What is an appropriate penalty?

  • Case 1

    • Encrypted and password-protected USB stick lost

    • Contained data for 6,300 prisoners – medical condition and treatment

    • HIV, hepatitis B and C, mental health conditions, drug or alcohol addictions

    • Encryption pass key attached to device by Post-it note

    • Poor security

    • Excessive information

    • Poor governance


What is an appropriate penalty?

  • Case 2

    • Unencrypted USB stick found by car wash attendant

    • Details of 741 patients

    • Name, date of operation, treatment, clinic list, X-rays

    • Breach of Trust policies

    • Poor governance


What is an appropriate penalty?

  • Case 3

    • Unencrypted DVD containing database of 20,000 patients

    • Name, DOB, gender, cardiology test dates and results

    • Details of clinician

    • Not clear why data had been put on disc

    • Five month delay in reporting

    • Poor governance

    • Lack of risk assessment


What is an appropriate penalty?

  • Case 4

    • File containing personal data relating to 60 people found in a skip

    • Office refurbishment

    • Details of job applicants with PSNI

    • Name, address, place and date of birth

    • Security vetting documents

    • Poor governance


What is an appropriate penalty?

  • Case 5

    • Data relating to 15,333 individuals emailed to member of public in error

    • Names, addresses and mortgage account details

    • Repossession proceedings

    • Arrears information

    • No risk assessment

    • Poor security


What is an appropriate penalty?

  • Case 6

    • Theft of unencrypted laptop

    • Details of 110,000 individuals

    • Name, address, DOB, NINO

    • Employer, salary, bank details

    • Breach of policy


What is an appropriate penalty?

  • Case 7

    • Theft of unencrypted laptop

    • 36,800 data subjects

    • 1,900 motoring convictions

    • Name, address, telephone number

    • Registration, make and model of vehicle

    • Poor governance



So, what is an appropriate penalty?

  • Discussion

