Thursday, 19 July 2018

Data protection and the redistribution of public funds

Data protection. You can't get away from it. I am spending nearly all my working hours at present helping clients comply with the General Data Protection Regulation - a piece of legislation that, however well-meaning, is crazily technical and obscure (as I remarked in a post a little while ago). Even my morning scan of The Guardian's website has thrown up a data protection story this morning.

The story (and I don't use the word to suggest that it is made up!) says that the ICO has fined the independent inquiry into child sexual abuse £200,000 for revealing a number of email addresses from which individuals could be identified - the email was sent to 90 participants in the inquiry, 52 of whom were identified by name in their address, and "vulnerable people were placed at risk", although the report doesn't say how - it depends in part on where the email went, I suppose. One complainant was reported to be very distressed, which I don't think requires any explanation. This all seems to me to be exactly what data protection law is there to deal with.

How did this disclosure come about? By a failure to use the bcc box for email addresses. So simple, so damaging, so expensive. It doesn't seem the most egregious breach of the law, but the potential consequences are probably completely out of proportion to the mistake, and equally out of proportion to the ease of making sure it didn't happen. Human error can be largely avoided if humans are trained in how to do their jobs - but I've come across so many instances where people have been ignorant of the importance of using bcc.

A further twist is that the IICSA hired an external provider - a data processor in the terminology of the Data Protection Act 1998, which although now repealed and replaced was the governing law at the time - to handle its mailing list, and in doing so breached its own privacy notice. There's an object lesson in the importance of keeping these things under review and making sure you aren't doing things with people's data that you haven't told them you are doing.

The IICSA is a statutory inquiry under the Inquiries Act 2005, although it started life as a panel inquiry and has had a chequered history, which I think it's fair to say just became even more chequered. In the year ending 31 March 2017, according to its financial report, it spent £20.8 million. The data protection penalty will therefore be a substantial part of its spending, although the report says that its "full year budget" for the financial year ending 2017 was £30.94 million, which I must say sounds rather odd but I don't feel I need to look into it for the purpose of this blog. My point is that it's a lot of public money, and even when it is just being redistributed to another emanation of the state it is a pretty appalling state of affairs. Even if the inquiry isn't spending its entire budget, I'd prefer that its money was going on looking into the important matters that it was set up to deal with rather than filling the coffers of the Information Commissioner.

One final point: under the new legislation, the very wonderful General Data Protection Regulation, the ICO is able to levy much larger financial penalties. Perhaps, with a little effort, the Information Commissioner could appropriate the entirety of the UK's public spending! Only if public bodies continue to make such appalling errors, and I hope the lesson is not lost on them.

No comments:


blogger templates | Make Money Online