Tag: penalty points

  • Compliance, Culture, and Tone at the Top

    The Data Protection Commissioner has just published his annual report. It makes (as always) interesting reading. It has only been released in the last 30 minutes but there are elements of it that I will return to in detail in a post on my company website later this week (once digested).

    Over here on my personal blog I thought I’d pick up on a broader question that bubbles up frequently in Data Governance and Compliance, not least in Data Protection. That is the importance of “tone at the top”.

    The DPC’s Annual report instances a number of breaches by way of case study and a report on an audit follow up. The audit of An Garda Siochana’s Pulse system is mentioned in dispatches. Which brings me to the troubling topic of this post.

The Minister for Justice and Defence has disclosed into the public domain information about another person (a Data Subject) relating to an alleged (and disputed) “stop and caution”, information which one must assume came into his possession in the course of his ministerial functions from some, as yet unconfirmed, source. The Minister sees nothing wrong with disclosing personal data, and in this case potentially sensitive personal data, for his own purposes. He has stated in his defence that he felt the disclosure was in the “Public Interest”. His Taoiseach has backed him in his actions.

    It brings to mind the argument put forward by Nixon when challenged by David Frost about the legality of certain actions. Just because you can do something doesn’t mean you should – this is the long repeated mantra of Data Protection practitioners world wide.

    To extrapolate a little: a senior member of the executive management of an organisation has disclosed publicly information about another person that has come into their possession through the course of their professional activities. The disclosure is without a clear lawful purpose but the manager feels it is in the Public Interest to know the kind of person they are dealing with (“Public Interest” and “Of Interest to the Public” are two different concepts). The manager sees nothing wrong with this. His CEO sees nothing wrong with this and backs the manager.

    If this was a private organisation the DPC would be investigating and the executive and CEO would potentially be facing personal liability under section 29 for their consent and connivance in the commission of an offence under the Data Protection Acts.

When the Minister for Justice and Defence, under whose Department the Data Protection Acts reside, cannot recognise the point at which the political win that comes from dropping the other guy in it (because you have information about them that others don’t have) runs into conflict with the fundamental right to Personal Data Privacy and with the Data Protection Acts themselves, the tone at the top is resonating bum notes.

    When the Taoiseach sees no problem with this, the bum notes become cacophonic.

    If the Minister is to argue that business owners and public servants should respect the law then his recent actions inject a diminished minor note to the fanfare he should have around Data Protection, what with him being the Minister in Europe charged currently with shepherding the revised Data Protection Regulation to a final text.

Why should an SME owner or CEO of a large corporate challenged with respecting the Data Protection Acts seek now to act in compliance with that legislation? The Minister can flout it, why not them? Why should a young garda officer on the beat, struggling to make the mortgage payment that month, respect the Data Protection Acts and their code of conduct under the Garda Siochana Act when offered money by external entities for information, when the Minister can unthinkingly ignore the ethics and letter of the legislation in pursuit of political point scoring?

    Over two years ago I wrote about the same issues arising in a political context. One key quote sticks out in the context of the current situation with regard to political leaders:

    If they are promoting a “tough on regulation” policy platform, then they must lead with a clear “tone from the top” of Compliance and good Governance.

    The Office of the Data Protection Commissioner is intended to be independent and is required under the TFEU to be so. However they operate under the auspices of the Department of Justice and Defence. In such a structure there is a significant risk that the clarinet solo of the Commissioner (still grossly under resourced) will be drowned out by the cacophonic discord of the Tone at the Top.

    The DPC has commented today that:

    in general the public sector, including ministers, has a solemn duty to protect any personal data coming into its possession and may only disclose it when it has the consent of the individual concerned or under another basis laid down in law.

    Should Deputy Mick Wallace make, or have made, a complaint it would be interesting to see how the Government and the Commissioner’s office would act to avoid the kind of enforcement actions related to a lack of independence of the Regulatory Authority (the DPC) that have arisen in Hungary. Certainly it would be a matter worthy of mention in the 2013 Annual Report of the DPC. Bluntly it would represent a clear test of the independence of the Office of the Commissioner (and for that matter their resourcing) if they were to have to investigate a Minister rather than just a Minister’s department or agency.

The Data Protection Acts owe their genesis and evolution to the actions of political forces in Europe over the course of the 20th century. We should be very worried when the Minister responsible for internal and external State Security feels that encroaching on a right to privacy without a clear lawful purpose is an acceptable political tool.

    The Tone at the Top is braying some bum notes this week and some conductor needs to bring the orchestra back in tune. Otherwise, like all great bands, musical differences may trigger the beginning of the end.

I had looked forward to the Minister’s statement today but am underwhelmed by his position that Deputy Wallace’s status as a public personality is a justification for the disclosure. Were this the case, the DPC audits of the Gardaí and the Dept of Social Protection would not have been so concerned about access to data relating to celebrities. The disconnect and discord in the “tone at the top” is palpable!

    (If the use of the phrase “tone at the top” in connection with Fine Gael and Data Protection is familiar to some, this post might refresh your memory)

  • Striking a balance in Data Protection Sanctions

    It was reported yesterday that the Irish Government has issued a “discussion paper” on the proposed administrative sanctions under the new Data Protection Regulation.

    EDRI has criticised the proposals with reference to the “warning/dialogue/enforcement” approach taken by the Irish DPC. Billy Hawkes has, in the past, been at pains to clarify that the Irish DPC uses dialogue to encourage compliance and also seeks to encourage organisations to raise questions and issues with the DPC to avoid breaches. There is a belief that the “brand impact” of even being spoken to by the DPC about an issue can prompt “road to Damascus” conversions in organisations.

    That is all well and good, but my experience working with organisations is that this can result in management playing a game of “mental discounting” (I’ve written about this before in response to the original draft DP Regulation). If there is a perception that the probability of an actual penalty is low, there is little leverage in appealing to intrinsic motivation of a business manager when his extrinsic drivers for behaviour are pushing the decision towards a “suck it and see” approach.

    Having re-read the discussion paper and EDRI’s response to it I can’t help feel that EDRI may be over-stating the “ask” that is being made here a small bit. They cite it as the “destruction of the right to privacy”, citing the Irish DPC’s own experiences with the Garda Pulse system which has been plagued by reports of breaches in Data Protection since its introduction, despite the Gardaí having a statutory Code of Practice for Data Protection. In 2010 the DPC reported that that Code of Practice was not being implemented in the Gardaí.

However, this says as much to me about the attitude to Data Protection in some (but not all) parts of the Irish Public Service as it does about the merits of the Data Protection Commissioner’s approach to encouraging compliance, or the specifics of anything that might be discussed on foot of this discussion paper. Furthermore it raises questions for me about the capability and resources that the Data Protection Commissioner has to execute their function effectively in Ireland, and even suggests that there may be informal barriers to the effective operation of their function in the public sector which need to be urgently considered (given that the Office of the DPC is supposed to be independent).

    Given the extent of the negative findings in the interim report on the 2012 audit of the PULSE system I personally would hope that there would be some level of penalty for the Garda Siochana for failing to follow their own code of practice. But that is a different issue to what the Discussion paper actually raises.

    What is being discussed (and what would I like them to consider?)

    The Discussion Paper that was circulated invites Ministers at an Informal Council meeting to consider (amongst other things):

    1. If wider provision should be made for warnings or reprimands, making fines optional or at least conditional upon a prior warning or reprimand;
2. if supervisory authorities should be permitted to take other mitigating factors, such as adherence to an approved code of conduct or a privacy seal or mark, into account when determining sanctions.

It flags the fact that the Regulation, as drafted, allows no discretion in the levying of a penalty. What is proposed here is a discussion of whether warnings, or making fines optional, would be a better mechanism than scaring the bejesus out of people with massive fines. This in itself doesn’t kill the right to Privacy, but it does potentially create an environment in which the fundamental Right to Privacy will die, starved of the oxygen of effective enforcement.

Bluntly – when faced with a toothless framework of warnings and vague threats, businesses and public sector bodies will (and currently do) play a game of mental discounting where the bottom line impact (in terms of making money or achieving a particular goal) outweighs the other needs and requirements of society. So an organisation may choose to obtain information unfairly or process it for an undisclosed secondary purpose because it will hit its target this quarter and the potential monetary impact won’t emerge for many more months or years, after an iterative cycle of warnings. The big penalty will be seen as something “far away” that can be worried about later. After everyone’s got their bonuses or their promotions etc.

If strict statutory liability is the model that is being proposed, and the discussion is to look at watering it down to a stern talking-to as a matter of formal policy in the Regulation, I must despair of the wingnuts in my government who thought it would be a good idea to suggest this. But I do agree that tying the hands of the Regulators to the big ticket monetary penalties might not work in their interests or in the interests of encouraging compliance with the legislation.

    What is needed is a middle ground. A mechanism whereby organisations can make errors of judgement and be warned, but that the warning will have some sanction with it. The sanction needs to be non-negotiable. But it needs to be transparent and obvious that this is what will happen if you ignore DP rules. It needs to be easily enforced and managed. There should be a right of appeal, but appealing the non-negotiable fixed-penalty should carry with it the risk of greater penalties. And the ability of an organisation to benefit from iterative small penalties should be removed if they are a recidivist offender.

    There is a system that operates like this in most EU countries – it is the Penalty Points system for motoring offences. Hopefully the discussion will move to looking at how a similar system might be implemented for Data Protection offences. The penalties could be tiered (e.g. no cookies notification – €150 fine and 2 points on first offence, €500 and 4 points on second, failure to document processing €500 fine on first offence and 6 points). The points could be cumulative, with the “optionality” of higher sanctions being removed if you were, for example, an organisation with 100 points against you (congratulations, you’ve failed to up your game and now you are being prosecuted for the full tariff). Organisations bidding for public sector contracts could be required to have a “Data Protection Points” score below a certain level.

This system could be devised in a way that would take account of mitigating factors. If a code of practice was entered into, and was successfully audited against by an appropriate body, then points could be removed from the “scorecard” at the end of a 12 month period. If there were mitigating factors, a lower level category of offence might actually apply (I’ll admit I’m not sure how that might work in practice and need to think it through myself a little). Perhaps self-notification to the DPC, engagement in codes of practice, mitigating factors or actions etc. would carry a “bonus points” element which could be used to off-set the points total being carried by a Data Controller (e.g. “adopted code of practice and passed audit: minus 3 points; introduced training and has demonstrated improved staff knowledge: minus 3 points”).

    Certain categories of breach might be exempt from mitigation, and certain categories of offence, just like with motoring offences, might be a permanent black mark on the organisation’s Data Protection record (e.g.: Failure to engage with DPC in an investigation, failing to take actions on foot of an audit/investigation).

    The scheme could be administered at an EU level by the EDPB, with the points accumulated by organisations operating in multiple member states either being cumulative or averaged based on a standardised list of key offences. Member States could be free to add additional offences to this list locally, within the spirit and intent of the Regulation.

    That would be an innovative idea, based on a model that has been proven to have an influence on compliance behaviour in motoring. And it would provide a transparent mechanism that would ensure that warnings could be given, advice could be sought, and positive engagement could be entered into by Micro Enterprises, SMEs, and large corporates. It would provide a relatively low impact mechanism for levying and collecting penalties from organisations who are in breach (penalties could potentially be collected as part of annual tax returns as a debt owed to the State), and it could be used to reward organisations who are taking positive actions (“bonus points”).

    Finally, it would give the basis of a transparent scorecard for organisations seeking to evaluate data processors or other service providers (in the same way as Insurance providers use penalty points data for motoring to assess driver risk), and it would give a clear escalation path to the full sanctions in the Regulation (e.g. 100 points and you go straight to full penalties).

    What it does not give is a death spiral of warnings that don’t amount to penalty and as a result give a platform for organisations to ignore the Right to Privacy. It is an evolution of the conciliatory approach to encouraging compliance but one that is given teeth in a manner that can be transparent, easily explained, and standardised across the EU27.

    I’ve written about this in 2010 and 2012. Maybe the time is right for it to be discussed?

  • An open letter to Viviane Reding

    Dear Commissioner Reding,

I’m writing to you as an EU Citizen who is passionate about data, its use, its quality, and its protection. I’m not writing to you as the Managing Director of a company that offers Data Protection training and consulting services, but in the interests of transparency I think it best to disclose that that is my day job.

    I am writing to you about the new Data Protection Regulation. In particular I’m writing to you about the penalties contained in the current draft proposal. Frankly I think they suck. I don’t think they’ll have the effect that you think they will have. I’m basing my opinion on a number of bases:

1. I have worked in Regulatory Operations in a Regulated industry that you are familiar with, telecommunications.
2. I’m a keen student of human psychology and economics, particularly the psychology and economics of risk and reward. Understanding this “theory of psychology” is important in the world of Information Quality.
    3. I like to observe and learn from other industries and areas of life to see what can be applied to improving quality systems for and the governance of information.
    4. I’m the parent of a toddler. This might not appear immediately relevant but, in the context of Data Protection, my immediate experiences dealing with a stubborn personality in development who is programmed to push boundaries and infuriate me with apparent disregard for the standard of behaviour expected of her all too often find their parallels in the management teams and staff of organisations I’ve worked with.

    Taking these elements together I am afraid that 5% of Global turnover will not work as a penalty. It’s a great soundbite but will, in practical terms, amount to little more. There are a few reasons for this.


  • John Gormley, Commercial motor tax, and Data Protection Penalties

    This post was originally published in August 2010 on the Irish Computer Society’s Data Protection blog. It has been republished here as it is my original work and I’m trying to get all my Data Protection musings in one place. Some links have been updated to point to different targets here and on my company’s website.

    I listened with interest this morning to the media coverage of how John Gormley was introducing a new tax on commercial vehicles. My interest was twofold. My wife used to work in the Motor Tax section of a local authority. She left there nearly 4 years ago. Even then drivers of light commercial vehicles had to sign a declaration that the vehicle was for commercial purposes and not for private use. Back then, she used to have private motorists trying to register their large 4x4s as commercial to avoid the higher rates of motor tax on private vehicles. And I’ve recently written about how penalties for breaches of legislation are the third lever the government has to help balance the books.

So, the existence of a declaration form isn’t really anything new it seems. What is new is that the Minister is asking people to take it seriously and some penalty is now attached to making a false declaration. It may well be that the specifics of enforcement will be difficult, and it is unlikely that a blanket ban on “mixed use” will ever be 100% effective. But it does show that the Government are seeking to maximise the income they can generate from existing processes by increasing the enforcement and the penalties associated. This is precisely the point I made in my last post on this blog when I wrote about how the introduction of penalties for breaches of the Data Protection Acts was probably inevitable, regardless of when the new Directive comes into being, simply by reason of the State needing to open as many sources of revenue as possible.

    Of course this “change” in the Motor Tax regime is, to an extent, unfair as commercial vehicle owners have gotten used to being able to drop the kids to school and use their vehicles on weekends for leisure purposes etc, enjoying all the benefits of private vehicle use on a fraction of the tax. The media response (particularly from the AA) has been to suggest that the Minister will drive people to buy second cars or is imposing a burden on small businesses. And that is unfair. Personally, I think a change to the motor tax regime where a “mixed use” category would be introduced might have merit.

    However, thinking back to my last post on this blog, would there be as much of an outcry if penalties for breaches of the Data Protection Acts were introduced? Bear in mind that the Commissioner operates on a conciliatory basis, seeking to promote Compliance, not punish non Compliance. Also bear in mind that breaches of the Data Protection Acts occur when Data Controllers fail to respect the Duty of Care that they owe to individuals to hold their personal data on trust and to respect their privacy.  I would suspect that, when penalties are introduced (I say “when” because it will happen either through domestic legislation or further alignment of EU frameworks through a revised Directive) they will be applied only where a Data Controller has failed to act, or acted with willful neglect of their duties under the legislation.

    Where currently the Commissioner can dangle the carrot of constructive engagement and guidance, in the future that will be supplemented by the big stick of fines or other penalties.

I suspect that penalties that might be levied for breaches such as (for example) operating CCTV without adequate Fair Processing Notices would be quite small (at least initially), perhaps just enough to get the Data Controller to engage with the DPC. But persistent offending might lead to higher penalties.

    In short – only the worst offenders will likely be penalised.

    So, the morning talk-radio interview might go:

    Data Controller: “These new penalties are a burden on us”

    Interviewer: “But they are just penalties for stuff you are supposed to be doing anyway to protect people’s privacy etc.”

    Data Controller: “But it’s a big cost to our business if we get a fine every time we do this”.

    Interviewer: “But you shouldn’t be doing it, and the fine is only imposed after the Commissioner tries to get you to correct your behaviour”

    Data Controller: “That’s not the point”

    Interviewer: “That is the point. If you want to avoid the penalty, stop playing fast and loose with people’s personal data”.

    And that’s the point…  while it may be unfair and burdensome in the land of soundbites to expect a small business owner to buy and run a second car or face a penalty for misusing a commercial vehicle, penalties under the Data Protection Acts would be avoidable simply by complying with the legislation.

    So long as you know the rules of the game, work on being compliant, and respect the Duty of Care you owe to your Data Subjects (all things a Data Controller should be doing anyway) there is no additional burden. As such, any increase in penalties would likely be easier to defend than an increase in taxes or restrictions on how a vehicle is used.

    It would also be easier to enforce.

    So, the call to action from this article? I am suggesting that anyone processing personal data in the course of their commercial activities should start getting their house in order now ahead of any changes which might bring in penalties. Ensure your staff are properly trained in the principles of Data Protection. Start working now to make it part of “how things get done” in your organisation, not “another bloody thing to do”.