What's new for 2010?...
Here are the highlights for the year ahead, enlivened with some useful snippets picked up at a Data Protection conference last week on the latest developments and how they are likely to affect businesses.
Monetary penalties
The level of penalty is still under consultation; the proposed maximum is currently £500k. The consultation is still open at the Ministry of Justice, and there is draft guidance on monetary penalties on the ICO website.
Deputy Information Commissioner David Smith said that in practice the amount of the penalty would depend on:
- The nature of the contravention
- The effect of the contravention
- The behaviour of the organization
- The impact on individuals and on the organization
- Other considerations
The aim of the ICO is to build up a scale of fines over time so as to generate a consistent approach. This new power is likely to be used in connection with section 55 fair obtaining breaches, such as abuses by private investigators.
Assessment notices - audits
The new power to audit government departments is contained in the Coroners and Justice Act 2009, which also contains provision to extend audit rights by Order to public bodies and private organizations. Earlier in 2009 the Prime Minister instructed all government departments to allow spot checks by the ICO, but this is not currently a legal power. The ICO's approach is to aim for cooperation, encouraging and helping organizations to get it right, but if all else fails enforcement action will be taken. The ICO also has an educational role and plays a part in strengthening public awareness of privacy issues.
David Smith considered whether audit reports will be published. The ICO will definitely publish reports on government departments and public authorities, but recognizes that the private sector is different, as competitors might take advantage of adverse material.
David Smith also referred to a conversation between the Information Commissioner and the Minister for Justice about five years ago. The Commissioner was asked which two things he wanted as basic requirements to operate effectively. The first was for penalties for data protection breaches to be strengthened, which is now happening. The second was the power to audit without consent; this has been partly implemented, but it seems clear that the ICO will continue to campaign for it.
Breach notification
It was noted that reporting data protection breaches to the ICO is still voluntary. The statistics for 2009 show a marked increase in incidents reported: 434 compared to 277 over the previous comparable period. The revised e-privacy directive affects telecoms firms, which are now required to notify breaches to the "competent authority"; the ICO is likely to be the competent authority in the UK. Mr Smith also thinks that we may see breach notification extended beyond telecoms companies in the future. This makes sense, as breach notification is a key element in enforcement and in selecting which companies to audit.
Privacy Impact Assessments
Privacy Impact Assessments, or "PIAs", are meant to be an initial assessment of the potential privacy risks in a project or new development, and they are being promoted by the ICO. There was a certain amount of doom and gloom about organizations not adopting PIAs in the current economic climate, although all the speakers agreed they were an essential tool for building privacy into new developments and projects. One interesting view was that each new IT development should be required to provide an automated subject access function, so that at the push of a button, say, all relevant material would immediately be produced. The view was also expressed that PIAs should be "organic", that is, developed within the organization to suit its particular needs rather than outsourced to management consultants. It was noted that there is a new market in automated PIA tools; BSI is likely to introduce its own version shortly at an estimated cost of £500 for a single use.