KLF Revisited*

by | Nov 11, 2012 | Data Protection, Data Security, ICO, Uncategorized | 6 comments

On June 1st 2012, the Chief Executive of Brighton and Sussex University Hospital Trust, Duncan Selbie, gave a statement about the threatened ICO Civil Monetary Penalty of £325,000 for a Data Protection breach involving the insecure disposal of hard drives by a subcontractor. In the statement, Mr Selbie said the following:

In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.

Despite these stirring words, the Trust paid up shortly afterwards. Unaware of another FOI request on WhatDoTheyKnow that had already revealed the crucial information, I made my own request to the Trust a few weeks ago about various aspects of the case, including whether they had paid for external advice. Several public bodies have told me that they were tempted to challenge their CMP, but the cost put them off. Given Brighton’s later statement that they were “not prepared to incur further costs“, I guessed that they must have been paying someone, and wondered how much they had paid out. Much of my request was refused, but one answer they did give me was that particular fact.

Brighton paid £168,259.59 in legal fees to Field Fisher Waterhouse up until the point that they paid the penalty, and £10,000 to a barrister. As well as the CMP itself, Brighton paid out an extra £180,000, with nothing to show for it. When the story was originally leaked to the local press in January, the CMP was supposedly £375,000, so the best that can be said is that they shaved off £40,000 (£50,000 minus the 20% discount they got from paying on time). The Interim Chief (who replaced Selbie) stated when the penalty was paid that “We have made repeated attempts over the past six months, most recently last week, to reach a settlement that recognised that errors were made but no harm arose, all of which have been rejected by the Information Commissioner’s Office”. If this was what FFW were being paid to handle, is it possible that £180,000 of public money was spent trying to spare the Trust’s blushes?

You will think me self-serving for saying so, but I think that any organisation that finds itself in this pickle could find better things to spend public money on. For starters, they would have saved a fortune by paying up and doing nothing else. However, I think I speak on behalf of all of my competitors when I say that if you want to spend money in response to a Data Protection incident, the only way training and consultancy will cost you £180,000 is if the training sessions are accompanied by the London Symphony Orchestra, the sandwiches are provided by Ferran Adria and the training rooms are decorated by Elton John’s florist.

Stewart Room is possibly the most high profile of FFW’s lawyers and in a recent blog on CMPs he claimed that they are “stupid” and an “inefficient waste of time and money“. I believe that Room’s take on CMPs is wrong, but in any case, it’s difficult to accept lectures about where public money ends up in a CMP case from someone whose firm trousered the thick end of two hundred grand of it. Given his concern about keeping public money “in the public body“, one can only assume Room refused to have anything to do with the Brighton case. Just to recap the details, Brighton had an out-of-date service level agreement with their contractor (para. 4 of the CMP notice). They let a man into a secure area of their building without – it appears – knowing he was an unpaid subcontractor (para. 5). From the notice, it’s not clear who they thought he was when they let him in, and they did not obtain proper evidence of destruction of the hard drives from him (para. 6). The individual managed to remove 200 hard drives containing information about people’s sexual health without Brighton knowing (para. 11). And of course, all of this mess happened because Brighton were operating a system where sensitive personal data of the most confidential kind was being stored on 1000s of hard drives, which may be a bigger breach than the one that alerted the Commissioner. If these are ‘appropriate technical and organisational measures’, I am a banana. Unlike so many CMPs, this was not human error underpinned by the absence of some policy or training; this looks like a complete system failure, for which the senior corporate level are responsible. A challenge to this CMP was unwinnable and should have been unthinkable.

But even if Brighton’s case had not been open and shut, the apparent cost of challenging a decision has to become a matter of public concern. Central London Community Healthcare NHS Trust is appealing their CMP at the Information Tribunal in December. Their case appears to have some merit and it’s very different to Brighton’s. But their penalty was £90,000, and within the 35-day deadline, they would have paid the discounted rate of £72,000. This is now lost. If they are using a legal firm of similar stature and hourly rate to FFW, that £72,000 may have already been swallowed, and they have set themselves a high bar to clear. They have to win, get the penalty overturned, and get their costs awarded against the ICO. Anything less than that is indefensible, even if they’re right. Needless to say, the same chap who asked Brighton about their costs has now asked CLCH the same question.

To win at the Tribunal on a security case, there are only two options. The breach is not the incident, so the organisation needs to show it has put all the necessary technical and organisational measures in place, and checked that they are being followed. Relatively few organisations can achieve this; they escape CMPs only because they don’t have incidents or they don’t tell the ICO about them. The only alternative to appropriate compliance would be to find some procedural loophole or flaw in the ICO’s process – paragraph 3.1.3. of the minutes of the ICO’s July Information Rights Committee suggest this might be a possibility. FFW employ the former ICO Head of Enforcement as a consultant, but even if he has some cracking inside information about the ICO process, was it really worth £170,000 to find out what it is? Beating a CMP on a technicality will not change the fact that an organisation has breached the DPA, and the combined expertise of all those involved at FFW didn’t seem to help Brighton do anything but back down.

Organisations should be able to challenge the ICO. FOI has proved time and again that the ICO is not infallible and Tribunal intervention is sometimes necessary to protect the public interest in non-disclosure as well as disclosure. Friends tell me that the cost of an FOI challenge is relatively low, especially on a paper hearing, and can often be justified. Challenging a vexatious request can even save money in the long run, given the amount of staff time that can be squandered on a run of requests that a Tribunal success can put a stop to (fingers crossed, Devon). Even Michael Gove’s misbegotten run at the Tribunal over private emails only cost £13,000 – a waste of money, but a snip compared to £180,000. If a CMP recipient with a decent case can challenge the ICO without huge cost, I’ll root for them all the way. It would be good to see the ICO’s CMP approach tested and a bit of embarrassment for Wilmslow is rarely a bad thing. But no matter how aggrieved the organisation may feel, good governance must put a low ceiling on legal costs. The subtle subliminal message of this blog may be BUY TRAINING NOT LAWYERS, BUY TRAINING NOT LAWYERS, but it could equally be a case for more IT security staff or DP staff, better IT systems, or more curious auditors. Had Brighton paid some contract lawyers earlier on, I would not be writing this, and I doubt the bill would be anything like the current figure.

Mr Selbie is now Chief Executive of Public Health England, but he still needs to explain why his public statement about public money is so at odds with the internal decisions made on his watch. Brighton has a management board, auditors, and regulators, all of whom have questions to answer about this mess. I spend much of my time on this blog excoriating the ICO and I also complain about the raw deal that local public authorities get at their hands, especially under DP enforcement. But this one is different – the ICO got it right, and the shocking thing about Brighton’s handling of the case is that in receipt of the biggest penalty in DP history, they contrived to increase it by more than 50%. In a time of austerity, that’s a heavy price to pay.

http://www.youtube.com/watch?v=i6q4n5TQnpA