Caring about sharing
The author considers whether the recommendations in a report on data sharing are likely to improve public trust and confidence in the practice
The publication of the Data Sharing Review carried out by Richard Thomas, the UK Information Commissioner, and Dr Mark Walport comes at a time when public trust and confidence in the management and protection of personal data is at an all-time low. Data mishaps are a regular feature in the media, with the most highly publicised cases involving government agencies (HM Revenue & Customs and the MoD, to mention two of many). Such security breaches lead us to question whether data sharing initiatives are to be encouraged at all.
The public need to be confident that they can rely on organisations to handle their information appropriately, and for the purposes for which it was originally collected. Whilst there are numerous potential benefits from being able to share personal data, there need to be assurances that sharing will only occur with those entitled to receive it – not the travelling public on a train.
The technological advances of the last decade have made it possible to move such quantities of data, at speeds difficult for most of us to comprehend, that it is not hard to see why the sharing of data could be a disaster waiting to happen, as it was in the case of HMRC.
The Government continues to back data sharing programmes, with cost saving benefits and service improvements as a focus. Until recently, however, such preoccupation has perhaps taken priority over what are clearly the legitimate concerns of the public.
That said, in the last year we have seen calls for a review of how we can appease the dissenters, and some inroads are being made in addressing the wider data sharing issues, with the review and the subsequent publication of a Ministry of Justice consultation paper, The Information Commissioner’s inspection powers and funding arrangements under the Data Protection Act 1998. The consultation, issued some weeks after the review, builds on some of its recommendations.
Just common sense?
The review itself made 19 recommendations, all of which were long overdue. Some are quite fundamental. A key one calls for “a significant improvement in the personal and organisational culture of those who collect, manage and share personal data”.
Training of the staff handling personal data appears to be common sense to most members of the public, and without it organisations are unlikely to see the improvements required to instil public confidence. The review identifies that human error has been, and is still, behind the majority of data breaches, and without training it will be difficult to rid some organisations of a culture of apathy in their approach to processing and sharing of data. But there is also a need to put in place clear and comprehensive policies and procedures on how data controllers, and importantly their employees, should handle personal data. Without procedures, training will never be sufficient; and without training, such policies and procedures will never go far. Both are necessary for organisations to create a culture of employee responsibility.
These commonsense recommendations are easy to understand and accept, and you have to ask why organisations have not already taken such matters in hand before now. You don’t have to look far: as with all carrot and stick approaches to regulation, self-regulation fails where there is no stick. So a further key recommendation of the review is “greater powers and sanctions to be made available to the Information Commissioner” – to enable the Commissioner to demand an on-site inspection and, where co-operation is refused, to obtain a court order.
The reach of enforcement
If we are to have any hope of changing the current culture of complacency, we have to look at the powers currently afforded to the Commissioner. At present his Office (“the ICO”) is poorly funded, and he has insufficient resources and powers at his disposal to enforce the Data Protection Act (“DPA”). Any extension to the Commissioner’s authority is to be welcomed, and powers of inspection would undoubtedly be an important tool in ensuring organisations comply with their obligations. For many years the DPA has been seen as lacking teeth, which has engendered an attitude of “so what?” within many organisations towards how they handle personal data. The powers recommended would include the ability of the Commissioner to apply to the court for a warrant to carry out inspections of organisations.
The consultation seeks consideration of further amendments which would enable the Commissioner to apply for a warrant not only where he has reasonable grounds to suspect a breach of the data protection principles, but even where he does not have reasonable grounds. This seems a most peculiar concept to accept; it is suggested that the Commissioner carries out risk assessments to identify organisations which are “high risk”, but there still appears to be a fundamental problem in that the court will surely seek some form of justification for the proposed action unless the DPA is amended to say otherwise. It would therefore seem appropriate that other methods, allowing for spot checks, or assessments of “high risk” data controllers (other than simply falling into the category of government department), could be employed without the need for a warrant. Perhaps we should consider alternative inspection methods, for example those used in the food handling industry; such an approach might be more straightforward and therefore demand greater compliance.
Good practice assessments
In the USA, most states have adopted legislation whereby organisations that suffer data breaches have to notify the relevant authorities, and also notify in writing the individuals concerned. The UK review supports a “focus on encouraging good practice by recommending the Commissioner should take account of the co-operation of data controllers when imposing sanctions for data protection breaches”.
As a matter of good practice, the review recommends that data controllers should notify the Commissioner when they suffer a significant data breach event – a practice not much adopted by our European counterparts, nor one which is wholly accepted as a good idea by our own Commissioner.
The consultation takes this further by suggesting that organisations could, where they consent to good practice assessments (“GPAs”), be exempted from the civil monetary penalties announced earlier this year and to be introduced under s 55A of the DPA, for “serious and deliberate breaches of the DPA principles”.
Exemption from this section (once in force) would apply if a data breach is discovered while a GPA is in progress. This would initially appear to be a positive incentive for data controllers to consent to a GPA; however, the Commissioner’s budget is limited and GPAs are perhaps not carried out as often as we would like. The more unscrupulous data controller may calculate that it is to their advantage to opt in to an unlikely GPA in order to secure immunity from punishment for any non-compliance – in essence taking a calculated risk. Perhaps it would be better for Government to adopt a system of “presumed consent”, whereby the data controller would have to opt out of a GPA, and in doing so would have to give comprehensive and detailed reasons for doing so.
Its own house in order?
It is undoubtedly good news that the Government is investigating the current ineptitude of many data handlers and consulting not only on how to improve compliance with the legislation but also how to engender a confidence in data handlers which the general public just does not have. Greater powers for the Commissioner and his subsequent use of them will clearly raise awareness and hopefully encourage the adoption and implementation of what are essentially commonsense practices in the processing and sharing of data. However, should the government fail to increase the ICO’s woefully inadequate funding, there will continue to be no stick to force the pace of compliance. It will be interesting to see how Government progresses matters in the coming months and how it proposes to implement key recommendations and observations.
A more interesting issue has not really been addressed in either the review or the consultation: what to do with government departments when they fail to observe good data protection practice. Clearly to impose financial penalties on a government department is tantamount to asking the public to pay for the failures of that department’s employees, and whilst the implementation of procedures and policies along with staff training in the immediate future will indeed assist, it still does not address how we should deal with those failures when they do occur. It is an interesting thought…
Valerie Surgenor is a senior associate with MacRoberts