In pursuit of certainty — ICO enforcement
Information Commissioner, John Edwards, recently announced a number of important changes in his office’s approach. What are these changes?
This month marks a year since John Edwards replaced Elizabeth Denham as Information Commissioner. Early on, Mr Edwards identified certainty as a key goal for his tenure. Acknowledging the uncertainty resulting from the Government’s intentions to reform data protection laws post-Brexit, Mr Edwards also acknowledged that there was scope for his office to provide greater clarity as to the current law. In a more recent speech, Mr Edwards focused on the value of providing certainty about the ICO’s approach to enforcement, announcing a number of important changes in his office’s approach.
The ICO has taken steps to achieve greater transparency in its enforcement decisions. Decisions to reprimand a data controller are now published on the ICO’s website unless there is a good reason not to. It is clear that the ICO expects data controllers to have an awareness of regulatory action which it has taken. The ‘I didn’t know any better’ defence is likely to get short shrift. Mr Edwards stressed that every regulatory action taken by his office should be ‘a lesson learned’ across the economy and should contribute to behaviour change.
Public sector controllers
The regulator also announced that it was changing its approach to enforcement in the public sector. Stressing that the enforcement toolkit provides a series of graduated responses, Mr Edwards announced a shift away from the use of fines in relation to public sector organisations, noting that fines can ‘punish the victims’ by reducing the resources available for delivery of public services. However, he made it clear that fines remain an option where they are ‘truly needed’. By way of example, he cited “breaches which cause or have the potential to cause the most harm to people, or where a business has profited from its non-compliance.”
A dramatic illustration of this new approach was the ICO’s decision to issue a reprimand against a Government department in place of the £10 million fine which it had initially contemplated.
Mr Edwards described his philosophy of regulating for outcomes, not for outputs. He emphasised that the guidance and advice that his office can offer businesses “to encourage compliance and to help their understanding of the law and their obligations under it” can have greater impact than headline grabbing fines.
Four more years
Mr Edwards’ outcomes-focussed approach will be put to the test during the four years which remain in his term of office. That approach is likely to be welcomed by many data controllers, especially in the public sector. It incentivises constructive, responsive engagement with the regulator when things go wrong. The remainder of Mr Edwards’ term is likely to witness further evolution in the data protection claims landscape and, potentially, changes to the UK data protection regime.
ICO prosecutes employee for data theft
A recent prosecution by the ICO serves as a reminder that mishandling of personal data can result in criminal prosecution. Many of the previous prosecutions brought against (former) employees have arisen in the context of healthcare – a number of registered healthcare professionals have been successfully prosecuted with obvious consequences for their careers.
In this case, the employee worked for the RAC. He had used his mobile phone to photograph data on the screen of his work computer. The issue came to light as a result of accident victims receiving calls from claims management companies. Access logs identified the employee as the only individual who had accessed all of the records which had been disclosed. The employee was fined £5,000 and now has a criminal record.
The prosecution was brought under Section 170 of the Data Protection Act 2018. Subject to certain limited exceptions, Section 170 makes it an offence knowingly or recklessly:
- to obtain or disclose personal data without the consent of the controller,
- to procure the disclosure of personal data to another person without the consent of the controller, or
- after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.
For employees, this case serves as a reminder that abusing their access to data – whether for profit or curiosity – can result in a criminal record.
For employers, the case illustrates the challenges in securing personal, or confidential, data in an era when the majority of employees have the means to capture and store large quantities of data by simply photographing their computer screens. The risk of such conduct is more acute in the context of homeworking. Appropriate, granular access controls are one important safeguard, and the ability to audit access at a granular level can facilitate the effective investigation of concerns. Staff awareness of those audit tools may serve as an effective deterrent, particularly in conjunction with awareness of prosecutions such as this one.
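The log correlation the article describes (finding the one user whose access history covers every disclosed record) can be reproduced from per-record access logs. This is an added example, not code from the article or the ICO; the log line format, user names and record identifiers are constructed assumptions.

```python
"""Added example: correlate a record-level access log with the set of records known
to have been disclosed, to see which users accessed all of them. Log format and
sample data below are constructed, not taken from any real system."""
from collections import defaultdict
import re

# Constructed sample log: "<timestamp> user=<id> action=view record=<id>"
SAMPLE_LOG = """\
2023-01-09T09:01:12 user=alice action=view record=CLM-1001
2023-01-09T09:02:40 user=bob action=view record=CLM-1001
2023-01-09T09:03:05 user=alice action=view record=CLM-1002
2023-01-09T09:10:51 user=carol action=view record=CLM-1003
2023-01-09T09:11:19 user=alice action=view record=CLM-1003
2023-01-09T09:15:02 user=bob action=view record=CLM-1004
2023-01-09T09:16:44 user=alice action=view record=CLM-1004
2023-01-09T09:20:00 user=alice action=view record=CLM-2000
"""

# Constructed: identifiers of the records reported as disclosed to third parties.
DISCLOSED = {"CLM-1001", "CLM-1002", "CLM-1003", "CLM-1004"}

LINE_RE = re.compile(r"user=(?P<user>\S+) action=view record=(?P<record>\S+)")


def records_by_user(log_text):
    """Map each user to the set of records they viewed, per the log."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # lines that do not match the expected format are ignored
            seen[m["user"]].add(m["record"])
    return seen


def coverage(log_text, disclosed):
    """Fraction of the disclosed set each user accessed, highest first."""
    seen = records_by_user(log_text)
    return sorted(((u, len(r & disclosed) / len(disclosed)) for u, r in seen.items()),
                  key=lambda pair: -pair[1])


def users_covering_all(log_text, disclosed):
    """Users whose access history includes every disclosed record."""
    return sorted(u for u, r in records_by_user(log_text).items() if disclosed <= r)
```

A full-coverage match is a lead for investigation rather than proof on its own: shared accounts, legitimate case-handling roles and gaps in the log all need ruling out, which is why the article stresses granular, attributable access controls.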
If you would like guidance regarding the proposed changes laid out by the ICO, please contact one of our expert data protection solicitors.