Redefining the Role of the ICO in connection with Data Protection Breaches

Scotland

The Information Commissioner's Office (ICO) launched a consultation last month in an attempt to redefine its role in the regulation and enforcement of information handling breaches under the Data Protection Act 1998 (DPA).

The full consultation document can be accessed here. The deadline for responses (which were sought primarily from information-handling organisations) was 31 January 2014. As the proposed reforms do not mark a particularly onerous shift in the ICO's activities, it is expected that the new approach will take effect from 1 April 2014. The ICO will update the relevant content on its website and the way in which it deals with organisations in line with this timescale.

Why is this important?

The ICO does not have a compensatory remit. Its role is to promote the proper handling of information in accordance with the DPA and, in the case of serious contraventions, to take enforcement action. The consultation, and the ICO's redefined role thereafter, is intended to reinforce its 'supervisory' function and improve the effectiveness and efficiency of its referral procedures.

Most obviously, this will mean that the ICO will focus more on serious contraventions of the DPA and 'repeat offenders' rather than being drawn into individual disputes/breaches. It is hoped that this new approach will be effective in enabling the ICO to identify and address poor organisational practices and procedural weaknesses. As such, authorities should be equipped to face wider questioning as to systematic failings, as opposed to individual breaches. Identification of any such failings could lead to:

dialogue between the ICO and the relevant organisation;
imposition of an 'action plan' or organisational undertaking; and
(in more extreme cases) appropriate enforcement action.

The ICO also intends to publish regular reports which will include details of the action it has taken. Other points to note:
All individual breach notifications will continue to be recorded by the ICO. These records will act as a source of intelligence for the Commissioner in identifying and combatting continual organisational failings.
The overall tone of the consultation is positive - the ICO's revised role is billed as a supportive one. It will offer advice and assistance to organisations seeking to strengthen their data handling procedures and an audit service to examine key aspects of those procedures, where required.
The consultation serves as a reminder that authorities should take ownership of, and responsibility for, public concerns in connection with their data handling procedures. The ICO is an advisory and regulatory body in this respect, not an active party to information disputes.

Impact

The ICO's focus on wider compliance should not be viewed as a 'relaxation' of the current DPA regulatory framework, nor of handler obligations in respect of individual breaches thereunder. In fact, it should prompt authorities to take renewed responsibility for their own compliance with the DPA, in the knowledge that the ICO is there in a predominantly supportive capacity. Authorities should use this consultation as an opportunity to examine their current internal handling procedures and to address any weaknesses.
Whereas, traditionally, the ICO has been involved in large numbers of individual disputes, it is expected that from April it will step back and focus on 'threats, themes and trends' in an attempt to effect wider compliance. The focus is on transparency and co-operation between the ICO, data-handling organisations and the public. It follows that any resulting action by the ICO is likely to be more targeted and proportionate.