Before 2010, the ICO operated a brisk production line of undertakings to tackle the self-reported security breaches that came in the wake of the HMRC lost discs fiasco. Now that they have the power to issue civil monetary penalties, the production line keeps humming. The obsession with security is such that even CMPs like the ones aimed at Belfast Health and Social Care Trust (which is as much about retention as security) or St George's Healthcare Trust and Stoke on Trent Council (both exclusively about accuracy) are branded as security breaches, as if only one DP principle exists. Enforcement shouldn’t be solely about public sector security, and a few CCTV and private sector wildcards do not change the overall picture.
A glance at their annual report explains why: the ICO has a fixation with figures, statistics, numbers, numbers, numbers, all the livelong day. Self-reported security breaches feed the numbers monster much more efficiently than complex decisions about fairness or adequacy, which have to be sought out before they can even be made. All of the principles are breached by all sorts of organisations every day of the week, but because they don’t tell anyone and the ICO doesn’t notice, nothing happens. But wait for people to confess their security SNAFUs, and it’s like shooting fish in a barrel.
This tactic has now tipped into self-parody, with the ICO ensuring that the fish are dead first. In June 2013, Stockport Primary Care Trust was fined £100,000 (£80,000 if paid on time) for leaving patient records in a vacated building, and NHS Surrey was fined £200,000 (£160,000 if paid on time) for not controlling its IT contractor. Both organisations were wound up in April 2013, which means that the CMPs were served on successor bodies.
I don’t know why different organisations have inherited responsibility for the two PCTs, and the ICO doesn’t appear certain either, claiming to have fined NHS England for NHS Surrey’s breach in the press release, and the Department of Health in the notice itself. NHS England told me in an FOI response that they asked the ICO to change this, but there is no evidence the ICO wanted to correct their mistake. The confusion is nevertheless irrelevant – neither DoH nor NHS England played any part in the breaches. They are not even real local successors like the Clinical Commissioning Groups, where the PCT managers might now be plying their trade. They’re bystanders.
I’d have more respect for the ICO if they enforced the first or sixth DP principles, or didn’t rely almost entirely on the confessional / masochistic tendency in public sector Data Controllers to identify DPA breaches. Nevertheless, if the two former PCTs were open for business, I could not fault the ICO for taking action. But I can only see two main reasons to issue a CMP. The first reason is to educate everyone else. However, the ICO has already issued bigger CMPs for the same issues (£325,000 for Brighton NHS Trust for non-recycled hard drives, £225,000 for Belfast Health and Social Care Trust’s documents in an abandoned building).
The second, and key, reason for a CMP is to punish the organisation and in particular the senior managers who allowed the breach to happen. The CMP recipient in NHS Surrey’s case is the ‘Department of Health Regional Legacy Management Team’, who presumably hold a budget to clean up after the dissolution of the PCTs. But the chief effect of the ICO’s intervention is to recycle some money back to the Treasury – that’s all. No awkward decisions for the PCT board, no hand-wringing in front of the local media – the outcomes that concentrate the mind of even the most recalcitrant of managers. NHS Surrey is gone. DoH can legitimately say it’s nothing to do with them, so beyond a few headlines and extra figures for the 2013-14 annual report, what’s the point? It’s probably frustrating to have done the work only to drop the case, but as soon as you know you’re flogging a dead horse, is the effort of finishing the job really worth it? Wouldn’t the ICO staff be better employed going after organisations that are still processing personal data?
Well, funny I should mention that. Perhaps the only valid reason to inject Frankensteinian life into these cadavers can be found when you look at NHS Surrey’s case. According to the ICO,
“the Head of the data controller’s IT team was contacted by the Director of a company (the “company”) who was looking for new business”
and
“The IT team explained that the hard drives would have to be physically destroyed because they may store confidential medical information. The company’s Director provided an assurance to the IT team that the hard drives would be crushed by an industrial guillotine.”
I want one of those. Having guillotined the hard drives, “the company” would then sell off the other components. On this basis, they did the work for NHS Surrey for free. The Trust’s Information Governance Head was – you’ll be surprised to learn – not involved in the decision. “The company” then received as many as 1500 PCs between 2010 and 2012, before third parties buying hard drives on auction sites revealed that the hard drives were in fact being sold on rather than destroyed. Those of you with good memories will remember that another hard-drives-on-auction-sites case also involved a contractor who was not paid.
If NHS Surrey still existed, the clowns who agreed to this without a formal contract would deserve a hard time. Even now, the ICO presumably knows who they are, and could name them. Given Christopher Graham’s determination that the CQC three should be outed, one can only wonder that his views on transparency are not more widely understood within Wycliffe House.
Of course, the recycling company would be an appropriate target itself, but as a data processor rather than a data controller it is out of the ICO’s enforcement reach. However, if this outfit is still trading and actively touting for business, every actual and potential customer needs to know about its role in this sorry business. Whether the failure to destroy the hard drives was a mistake or a deliberate act, the company’s customers need to know whom they are dealing with. If the ICO had picked the NHS Surrey case as a vehicle to name and shame the errant processor, I would have cheered them on. Instead, they go after a dead organisation and give “the company” anonymity.
I asked both the Department of Health and the ICO for the names of the company and the director, and both refused. The Department of Health refused, citing (perhaps satirically) concerns about the data protection rights of the Director. The ICO relied on Section 44 of the FOI Act, which prevents organisations from breaching existing legal barriers on disclosure. If another law says you can’t disclose, Section 44 kicks in. But the ICO has a problem. The specific legal barrier in their case – Section 59 of the Data Protection Act – does indeed prevent the disclosure of information about any organisation or business obtained as part of an investigation, but not if the ICO has ‘lawful authority’ to give it out. So is it all over? Quite simply, no, and I’m challenging both decisions.
Section 59(2)(e) provides that a disclosure is made with lawful authority if, having regard to the rights and freedoms or legitimate interests of any person, it is necessary in the public interest. Without the company’s identity being in the public domain, it is impossible for data controllers to comply with the Seventh Data Protection Principle, which requires them to choose data processors that can provide sufficient guarantees about their security measures. Disclosure is absolutely necessary, and the ICO’s hands are not tied.
In my experience, the ICO treats Section 59 as a no-questions-asked absolute exemption, ignoring the public interest element. Of course, they exercise their own judgement about what to disclose all the time – if Section 59 were an absolute ban, they couldn’t have published much of what went into the CMP notice that kicked this blog off in the first place. But the ICO cannot hide behind Section 59. The Supreme Court has recently had the opportunity to consider the meaning of the word ‘necessary’ in the DPA. In South Lanarkshire Council v Scottish IC [2013] UKSC 55, the Court confirmed that ‘necessary’ need only mean ‘reasonably necessary’ and does not have to be ‘absolutely or strictly necessary’. On this basis, how can anyone say that, having regard to the legitimate interests of Data Controllers in the South East and beyond, there is not an overwhelming public interest in making public who the data processor is?
Admittedly, there will be consequences for the company if it is named. Without a credible explanation of what went on, its business would suffer. Even with one, it would be at a great disadvantage compared to all the disposal companies that had not sold hundreds of their customers’ hard drives on the internet without permission. But the ICO should not tiptoe around this. The company probably could not offer its attractive “free” service if it properly disposed of the drives. But even if disclosure puts it out of business, that’s nobody’s problem but its own. If processors know that they act with total impunity, what is to stop this organisation or another from making the same mistake again?
The ICO should not lightly divulge information it receives from the organisations it is investigating. There is much that it finds out in the course of its enquiries that should legitimately remain secret. But Section 59 is not intended to prevent legitimate disclosures. It does not stop the dissemination of important information that needs airing in the public interest – it is specifically written to allow this. It is, therefore, remarkable that the ICO believes it is more important to issue penalties to phantoms than to tell data controllers who put their data at risk.