The Information Commissioner has published the latest in a long line of undertakings, this time involving Northumbria NHS Trust. As always, the ICO’s press release is very misleading about what has really happened. This time, the notice has been ‘issued’, a word clearly intended to imply that the Trust had no choice in the matter. Recent undertakings have also purported to be “rulings”. However, the Information Commissioner has two powers to enforce the Data Protection Act, and the undertaking isn’t one of them.
Where the ICO identifies a serious breach of the DPA that was likely to lead to serious harm, and which the organisation could have prevented, they can issue a civil monetary penalty – it’s not technically a fine, although that’s the shorthand that most people use. In security cases, the breach is often the lack of training, the lack of management supervision, the lack of procedures or checks. It’s entirely possible for the ICO to issue a CMP without an incident (a loss or a theft of data), but they currently seem to lack the imagination to accomplish this. The CMP is a punishment – even if everything that was wrong has been put right, the ICO can still issue the penalty.
The other power that the ICO has is the Enforcement Notice. Here, there is no direct punishment, only the threat of prosecution if the notice is not complied with. The crucial difference between a CMP and an enforcement notice is that with the latter, the breach must be ongoing. The staff have not been trained, the laptops remain unencrypted, crucial and risky procedures are undocumented and unchecked. If an organisation refuses to undertake the steps required to put things right, an Enforcement Notice is plainly the tool to use. It’s possible – and logical – for the ICO to use either or both, depending upon the problem. They did both with Powys Council in 2011, for example. There could be a particularly heinous breach (CMP) which the organisation still hasn’t rectified (EN).
Neither of these problems is solved by an undertaking, a measure that is not even mentioned in the Data Protection Act. Put simply, an undertaking is the ICO asking the organisation to make a public promise that they will put things right and do better next time. If an organisation does not do what it has promised to do, there are no immediate consequences. If the ICO found an undertaking that had been ignored, they could do nothing other than issue an Enforcement Notice. Nothing is triggered by the failed undertaking in itself, whereas failure to comply with an Enforcement Notice leads to prosecution. There are people who think that the undertaking is a bargain to be snapped up – if you refuse to sign, an enforcement notice or CMP will be winging its way from Wilmslow. But think about what that means: the ICO thinks they could make the case for a CMP, but is letting the organisation off the hook. Do you believe that? Alternatively, the ICO thinks that there is a significant ongoing breach (an Enforcement Notice cannot be issued if the identified breach has already been dealt with), but is choosing to trust an organisation that has already cocked it up to sort it out because they’ve been asked to. Which is nice.
I can see what’s in it for the ICO. Their investigations advance at a glacial speed (I have spoken to data controllers who have dealt with enforcement for years on a single case), and the ICO’s reputation for being risk averse and indecisive is richly deserved. Going for an undertaking closes the case. Asking the organisation to sign an undertaking does not require the ICO to identify a breach that is sufficiently serious to survive scrutiny by the Tribunal, should the data controller decide to appeal, so rather than making a firm decision, the undertaking allows for woolly compromise. Crucially, the ICO can still announce the undertaking as if they have actually made a decision – DP people will tweet and comment, there will be some stories in the IT and local press, and overall, the impression of action will have been created.
However, I don’t understand how the undertaking is anything but a kick in the teeth for the cooperative organisation: they don’t need to be cajoled with an enforcement notice and don’t deserve a CMP. If the ICO thinks the organisation will do it without being forced to do it, would they really risk a tribunal appeal on an Enforcement Notice that the data controller might already have complied with? And on the other side, would they really risk letting a recalcitrant or unwilling data controller off with a glorified press release instead of a CMP or an enforcement notice? If an unsigned undertaking might result in a CMP, is there any evidence that any of those that have actually received an undertaking were first offered a CMP and refused it? And if not, why not? Why were they immediately punished, but all the undertaking recipients not?
I can see only two possibilities – the ICO lacks the confidence to enforce when it should be doing so (which is possible), or the ICO does not want to admit that it has spent months on a hiding-to-nothing case where the incident is more eye-catching than the breach. Wilmslow’s senior staff still have a real problem telling incidents and breaches apart, and the undertaking allows them to make a move without ever really deciding. If they offer your organisation an undertaking, they’ve already decided that they don’t have the evidence or the serious breach for a genuine exercise of their powers.
Don’t get me wrong, I have no problem with those that breach the DPA receiving CMPs and Enforcement Notices: I’m all for it. The absence of enforcement on fairness, dodgy re-use and selling of data, inaccuracy and failed subject access is a scandal. But for an organisation that hasn’t breached the DPA sufficiently badly to warrant a CMP, and who has put the problems right (or is clearly willing to do so), the undertaking is a PR exercise for the ICO. It is not an order, it is not a requirement, it is a request. You can say no.