The ICO have been baring teeth and making a lot of threatening noises lately. What does it mean for your organisation and how can you protect yourself from the inevitable impending bites?
I think the title of The Information Commissioner Christopher Graham’s presentation at the 10th Annual Data Protection Compliance Conference speaks volumes: ‘The ICO: Helping You Comply; On Your Case if You Don’t’. Following announcements over recent months that a further 5 Trusts are being investigated for Data Protection Breaches, Graham gave an interview ahead of the ICO’s Annual Report publication, with a stark warning to the NHS, published in The Guardian.
Calling for stiffer penalties to be given to those brought up under Section 55 of the Data Protection Act, Graham warned: “The health service needs to do more to keep patients’ personal data more secure.” Calling for a change in the culture of NHS organisations to reflect the seriousness and systemic nature of data breach incidents, Graham added: “It’s a much wider problem and we do need some tougher penalties.”
The NHS is not the only sector under Mr. Graham’s glare. Local Authorities have also featured prominently in data breach investigations following Hertfordshire CC’s £100,000 fine, and the private sector has increasingly come under the spotlight too, following A4E’s penalty. The Annual Report highlights that last year private sector companies were less likely to seek guidance and invite audits than their public sector counterparts; Mr. Graham has called for more engagement, or else. Private sector companies do not currently have to report data breaches, but all this is set to change following an announcement that The European Commission plans to make the reporting of security breaches mandatory for banks and businesses. High-profile private sector cases such as Sony and Fox have dominated media headlines globally in recent months for losing sensitive customer data.
Interestingly, the Annual Report also highlighted that a £505m boon was passed from The ICO to The Ministry of Justice this year in unspent Data Protection fees. It would appear that monetary penalties are here to stay and are set to rise further.
Comply or Die?
How does your organisation mitigate the risk of the costly fines and reputational damage that an ICO penalty would entail?
Guidance on monetary penalties, as well as the Commissioner’s view on what constitutes a Section 55 breach, can be found here. If investigated for a serious data breach, you will have to demonstrate that you took reasonable steps to prevent a contravention.
In essence, you need to be able to prove the following: