This week, the Information Commissioner’s Office issued its latest Data Protection civil monetary penalty, a £150,000 fine on Greater Manchester Police following the theft of an unencrypted pen-drive. The police perspective was available via the Manchester Evening News, in a comment from Assistant Chief Officer Lynne Potts:
“This was very much an isolated incident. We take all matters relating to the storage of data very seriously and have stringent measures in place to ensure the safe storage of data.”
I was the Data Protection officer in an organisation that suffered a DP breach. These were not the days of hundred thousand pound CMPs, but we were still under a lot of pressure and the local media circled around the story with thinly disguised glee. You couldn’t blame them – a stolen laptop is a lot more newsworthy than the usual fodder of shed fires and pub fights. Throughout, our PR department’s aim was to put forward the corporate perspective and try to see that what was reported was accurate. The only disagreement I had with them during the whole process was when the first press statement was issued about the incident. It was entirely unobjectionable, apart from one thing. They wanted to say at the end: “We take Data Protection very seriously”.
I thought it was a stupid time to say this. The current evidence was that we didn’t and the public would be entitled to point this out. The sentence would be more accurate if it read “We usually take Data Protection very seriously” or “We take Data Protection very seriously, but not seriously enough on this occasion”. I felt that a simple statement about what had happened and what we were doing about it was the right approach. Anything else was like the PR Department of Chernobyl shooting out a press release one day after the isolated incident about how seriously they take nuclear safety. But I was told that it is vital in PR terms to include what was described as the “reassurance statement”.
I don’t know if this term is widely in use, but the technique is evident everywhere. Every time some Data Protection or Privacy SNAFU comes sliding into view, it will be followed by the reassurance statement. We may have sent your private information to someone else, stored it on an unencrypted device, published it on the internet, or left it down the side of your house. We may have put it on hard drives that we asked a sub-contractor who we don’t know to dispose of for free. We may have loaded data about nearly half of the population onto CDs and lost them somewhere. We may have driven, uninvited, around streets slurping up your emails via Wi-Fi in every country that has roads. But We Take Data Protection Very Seriously.
I’ve rarely been to an organisation that didn’t give a toss about Data Protection. The quality of compliance varies wildly, the understanding of its implications even more so. In my experience, DP is not the same as FOI, where the reassurance statement of “I’m a big supporter of FOI / transparency” is sometimes just a barefaced lie – a bit of Pinocchio magic could have turned some of the Justice Select Committee’s post-legislative scrutiny into a jousting match. Organisations generally do take DP seriously, but when things go wrong, they find it very difficult to admit that a serious mistake has been made, even though they’ll do their best to put things right.
If the statement said “We’re really sorry about this cock-up, and we’re going to do lots of practical things to see if we can stop it from happening again, or at the very least, make it less bad if it does”, I would not be writing this blog, and I would be much more reassured that GMP takes all matters relating to the storage of data very seriously.
If the “isolated incident” is the one where the officer left his back door open, a man walked into his house and stole his car keys, his wallet and then his car, and the wallet contained an unencrypted pen-drive containing the names and other identifiers of members of the public who had reported concerns about drug-dealing to the police, then yes, I’ll buy that. I bet that doesn’t happen every day. But if the isolated incident is the unsafe storage of data, which GMP takes “very seriously”, then Potts’ statement (which I assume was written by someone in PR) is anything but reassuring. The Information Commissioner’s monetary penalty notice makes clear that an amnesty that took place in the force after the incident recovered more than a thousand unencrypted devices, and a previous similar incident in 2010 had not led to improvements in data security. The unencrypted drive wasn’t an isolated incident; it was evidence of a systemic problem with data security that affected the entire force.
Most of the time, the ‘Very Seriously’ press statement is harmless bullshit. It’s just a sentence on the end of a press release, something to fill the space between the adverts. But combined with the nonsense about an ‘isolated incident’, GMP’s words ring hollow. Either they don’t understand what they’ve been fined for or they’re trying to massage the truth to avoid an embarrassing headline, which turns out to be a complete waste of time and insults the intelligence of readers. A glance at the comments on the MEN news story suggests that no one was convinced, although one contributor perhaps left logic behind in the midst of their outrage: “Someone high up in the force is ultimately responsible. They should be dealt with. Hung, drawn and quartered, then put before a court.”
Compared to the delusional hubris of the most reckless CMP recipients, GMP’s PR waffle could have been a lot worse. I would bet that there are people in the force who, behind this smokescreen, are diligently putting things right if they haven’t done so already. But in every organisation I have ever worked, there have been far more PR officers than Data Protection or IG staff and I bet that GMP is the same. Perhaps some of those people could be more usefully employed taking action to prevent problems, rather than reassuring us about how seriously those problems are taken.
UPDATE: in the same week, an unfortunate incident is reported to have afflicted a housing organisation (to be fair to them, it’s as likely to be human error as anything else). But what do we find in their statement?