Think of a number

On Friday, DataGuidance (“the global data protection and privacy compliance solution”) published research headlined ‘Total fines imposed on private sector outstrip public sector’. They also claimed that the level of fines against private sector organisations has increased year on year: the private sector CMPs amounted to 50.7% of the total, compared to 20.5% in 2012 and only 0.2% in 2011.

A few people – presumably those who didn’t actually read the article – were impressed by the findings. A former ICO employee accused me of making illogical claims because I did not think my belief in the ICO’s anti-public sector bias had finally been refuted. However, DataGuidance’s methodology and conclusions are eccentric and potentially unhelpful. The figures were broken down at the bottom of the article, but the headlines and the colourful bar charts conflate enforcement on both Data Protection and the Privacy and Electronic Communications Regulations. They also looked only at the total amounts, rather than the number of enforcement actions.

The law on PECR enforcement was changed in 2011; before that, it was impossible for the ICO to issue CMPs for PECR breaches at all, and even after that, until the statutory guidance was published, the ICO’s hands were still tied. The guidance was published in 2012. The ICO served their first PECR CMPs in November 2012. DataGuidance don’t acknowledge the fact that one of these PECR CMPs was overturned (admittedly, the ICO says they’re appealing), but much more importantly, the report does not register that the increase in private sector CMPs is almost entirely down to PECR and to this change in the law.

Data Protection and PECR are two completely different types of legislation and thus, two completely different strands of enforcement. Obviously, the public sector does some electronic direct marketing and is no better at complying with PECR than the private sector in my experience. However, it’s equally obvious that the vast majority of direct marketing in the UK is carried out by the private sector. Therefore, the vast majority of complaints received by the ICO about PECR breaches will be about private sector organisations. If you’re trying to assess whether the ICO has a bias against the public sector in enforcement, it’s illogical to use legislation focussed on the private sector as evidence. It’s like trying to draw conclusions about the ICO’s attitude towards the private sector by looking at FOI. Any FOI enforcement would be against the public sector. Virtually all PECR enforcement will be against the private sector. There are interesting conclusions to be drawn here – whoever makes decisions about enforcing FOI clearly doesn’t have the bottle to do so, whereas whoever makes decisions about PECR clearly does. But the issue that really interests me is whether the ICO is generally biased against one sector versus another, and it’s Data Protection where I think this can best be examined.

Unlike FOI or PECR, there can be no argument about scope with DP. Some parts of public and private sector are at greater risk because of the nature of their work. For example, local government is more at risk because they share so much data, and the financial services sector is more at risk because of the effect of inaccuracies and losses on people’s finances. However, in general, DP applies equally to all sides. DataGuidance clearly feel that the ICO’s attitude to the sectors is the crucial issue; their headline refers to it, and they quizzed the ICO on that topic, obtaining this unconvincing response: “We don’t consider whether a data controller is public or private sector when deciding whether to pursue enforcement. We judge everything on a case-by-case basis. It all comes down to the nature of the breach. It’s difficult to say how many public or private enforcement actions we will take in 2014.”

To get to the bottom of whether there is bias, let’s consider the evidence for each of the four years in which the ICO has been issuing Data Protection CMPs:

  • 2010: 1 public (£100,000), 1 private (£60,000)
  • 2011: 6 public (£540,000 in total), 1 private (£1000)
  • 2012: 20 public (£2,385,000 in total), 2 private (£200,000 in total), 1 charity (£70,000)
  • 2013: 10 public (£1,115,000 in total), 3 private (£330,000 in total)
  • TOTALS: 37 public (£4,140,000 in total), 7 private (£591,000 in total), 1 charity (£70,000)

There is no doubt that the private sector figure has gone up each year, but the Sony CMP in 2013 has a distorting effect. The private sector numbers are so low that Sony’s £250,000 CMP accounts for nearly 50% of the private sector total across all four years. Equally, the number of public sector CMPs is markedly down in 2013, but they still dwarf the private sector, and in any case, the drop in public sector enforcement is probably accounted for by the fact that a public sector organisation successfully overturned their CMP (Scottish Borders Council), showing up significant flaws in the ICO’s approach as they did so.

And consider these nuggets:

  • The highest CMP served (£325,000) was on a public sector organisation
  • Of the five CMPs that were £200,000 or above, only one (£250,000 on Sony) was served on a private sector organisation
  • Ignoring the two CMPs that were reduced because of the state of the Data Controller’s finances (both private sector), the lowest CMP served was on a private sector organisation (£50,000 on Prudential Insurance)
  • The only CMP successfully overturned was on a public sector organisation (£250,000 on Scottish Borders Council)
  • Of the seven private sector CMPs, only two were over £100,000 (of the 45 CMPs issued overall, 16 were below £100,000, 29 were £100,000 or over)
  • The ICO has served more CMPs on the NHS alone (9) than the whole of the private sector (7)
  • The ICO has served more than three times as many CMPs on local government (24) as it has on the whole of the private sector (7)
  • The ICO has twice served CMPs on public sector organisations that have been wound up and did not exist when the CMP was served (NHS Surrey and Stockport PCT for £200,000 and £100,000 respectively)
  • The first CMP issued against a private sector organisation was against A4e. A4e’s CMP was £60,000, the third lowest CMP if you disregard the two reduced CMPs. In a single year, A4e paid a bonus to its Chief Executive of £8.6 million

If you want to believe that the ICO’s DP enforcement is an accurate reflection of Data Protection compliance in the UK, feel free to do so. All of my personal experience, the anecdotes I have heard over the years, and everything I have been told by private sector DP people tells me the opposite. Moreover, the ICO’s Annual Report suggests something different. In 2012-13, the sector with the highest number of complaints was lenders with 17% of the total (local government, who account for the bulk of the enforcement, came in second with 11%). 47% of the complaints (the largest group) were about subject access, with disclosure coming in second at 19% and inaccuracy coming in third at 16%. There have been no subject access related CMPs, none related to disclosure, and only one about accuracy (needless to say, that was a private sector one). The Annual Report does not break down the complaints in terms of sector outcome, and it also only shows the top eleven most complained about sectors. However, private sector organisations account for at least 37% of the total, while the public sector accounts for 35%. So if 35% of all complaints result in ‘compliance unlikely’, while only 22% were ‘compliance likely’, unless the ICO can confirm otherwise, it’s reasonable to assume that the private sector have more than their fair share of breaches.

The ICO’s DP enforcement is skewed by an obsession with security, and a reliance on self-reporting above all other things. The private sector does not own up but the public sector does, as the ICO’s own Technology adviser admitted. On page 3 of the Information Commissioner’s ‘Regulatory Action Strategy’, the following statement can be found: “In selecting areas for attention we will bear in mind the extent to which market forces can themselves act as a regulator”. I asked the ICO under FOI for any evidence that they hold establishing that market forces act as a regulator. They admitted that they had no evidence at all to back up this assertion. It’s an unfounded statement to justify inaction against the private sector under DP.

The ICO’s approach to Data Protection enforcement is biased against the public sector, and public sector bodies have far more to fear from them.