Stewart Room's Blog

About Stewart

He's a London-based lawyer practising in privacy, data protection and data security law. Stewart started his career as a Barrister in 1991 and in 2002 he also became a Solicitor. He now practises as a partner at Field Fisher Waterhouse LLP, within its market-leading Privacy and Information Law Group. The UK legal directories rate him as one of the UK's leading data protection lawyers.

His specialities are representing organisations in regulatory proceedings and investigations, dealing with security and confidentiality issues and advising on the legally compliant use of technologies. He also advises on the commercial exploitation of data and the sharing and movement of data between organisations and across jurisdictions.

Follow him on Twitter: @StewartRoom

Read his website: http://www.stewartroom.com/


ICO fines – what’s the plan exactly?


The most interesting piece of data protection news today is the story that the Information Commissioner has informed Brighton and Sussex NHS Hospitals that he is planning to fine them £375k. We don't know from the news reports whether this is one data controller or two, or, if two, whether they are to be fined £375k each or whether this is the total of two separate fines. But if we are talking about one single fine of £375k, then this really is big news.

So far the highest single fine has been £120k (or £200k, if you treat the Crossley case as such), so in that sense this is big news. But what interests me the most – and why I actually consider this to be big news – is the fact that ICO is getting perilously close to the £500k cap, which cannot be exceeded.

And so this raises the question: has ICO got its fining scale right? If we are to take £500k as being reserved for the extreme end of seriousness (which, surely, must be right), then does the insecure decommissioning of NHS computers get close to that level? Or can we imagine a security breach that would make such insecure decommissioning pale into insignificance in relative terms? If we can, then these events get pushed down the scale of seriousness and the quantum, £375k, becomes difficult to justify.

You can argue the point both ways; after all, patient data is sensitive and it's easy to see real distress being caused, perhaps even real "damage" (in the sense of pecuniary loss, including personal injury). So in the eyes of some, the insecure decommissioning of hospital computers might be the worst thing that can be imagined. And I know I wouldn't be happy if my health records were affected. Yet these points on their own do not justify the quantum. Instead, you need the additional justifications of punishment, deterrent effect and so on.

And all of this takes you to the key point of this blog, which is simply this – what is ICO’s plan? By this I mean, how does ICO arrive at its figures and how are they justified?

We’re probably not going to get to the bottom of this until someone takes a case on to appeal, but as we are nearly two years into the fining regime I think we’ve arrived at the point when we can legitimately 



Posted 01-17-2012 7:31 PM by stewartroom