ICO to consult on document that will outline its powers, says Information Commissioner

Elizabeth Denham says the policy document will explain how, when and in what circumstances the Information Commissioner’s Office will act

The Information Commissioner’s Office will consult in January on a new policy document to lay out when it will act and when it will administer sanctions, the Information Commissioner Elizabeth Denham has said.

Speaking at the St John Ambulance headquarters in central London yesterday, Denham said the updated regulatory action plan would be laid before parliament in time for the introduction of the General Data Protection Regulation in May next year.

The GDPR, stringent new European data-protection rules, will give the ICO the power to fine organisations responsible for data-protection breaches, including charities, up to €20m (£17.9m) or 4 per cent of annual global turnover, whichever is larger.

The policy, Denham said, would show how the ICO would use the new tools and sanctions it had been granted.

“The regulatory action policy will explain to you how, when and in what circumstances the ICO will act,” she said, adding that charities and other interested parties would have the chance to comment on the new document in January.

The ICO has fined 13 charities in the past 12 months for breaches of data-protection rules. Denham has previously said that she personally stepped in to reduce the fines by 90 per cent.

Yesterday she defended the decision to issue the fines, which totalled more than £180,000. She said she had hoped that the mere fact of the fines would serve as a warning to charities that practices needed to change, but she had chosen to reduce them to minimise the impact on donors.

She said: “It was a tough decision and there are many who criticised us from both sides, but it was a shot across the bow, something for the sector to look at and use to review its practices.”

Denham said the task facing the data-protection community was “awe-inspiring and immense”. She likened trying to improve data-protection compliance while preparing for the GDPR, just as Brexit negotiations were taking place, to “trying to change a tyre on a moving car, while it is going round a roundabout and has just burst into flames”.

But she said the most pressing issue for the ICO was the retention and recruitment of staff. She said the data watchdog had lost about 30 per cent of its policy and technical staff as people took up lucrative jobs as data-protection officers at organisations that wanted to prepare for the GDPR.

Denham said she had called on the government to release the ICO from the 1 per cent public sector pay cap to enable it to attract more staff and focus on offering advice and support to organisations such as charities.

Attendees at the event asked what effect data-protection rules that require charities to notify people they have processed their data would have on organisations that wanted to research major donors before contacting them.

Emma Bate, general counsel at the ICO, agreed with Helena Wootten, a partner at the law firm Browne Jacobson, who said charities might be able to rely on the concept of legitimate interest for such processing, if they could prove it did not override the rights of the individuals and if it was something the potential donor might reasonably expect to happen.

Bate said charities would need to be transparent when they did make contact with potential donors and assess whether they were happy with such processing being carried out.


Fines will be last resort under GDPR, says Information Commissioner

In a blog, Elizabeth Denham says it’s nonsense to suggest her office will be handing out huge fines routinely once the General Data Protection Regulation comes into force

Fines will be the last resort under the General Data Protection Regulation, Elizabeth Denham, the Information Commissioner, has said.

In a blog published on the Information Commissioner’s Office website yesterday afternoon, Denham said she was concerned by reports suggesting the data regulator would be routinely handing out massive fines once the GDPR came into force on 25 May next year.

The EU legislation will impose more stringent privacy and consent rules on data-sharing and processing by charities, companies and other organisations, and will allow breaches to be punished with fines of up to £17m or 4 per cent of annual global turnover, whichever is larger.

Under the Data Protection Act 1998, which the GDPR will replace, the maximum fine is £500,000.

But in her blog Denham dismissed as “nonsense” predictions of huge fines based on previous penalties levied by the ICO and scaled up to the level allowed under the GDPR.

She said: “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”

Heavy fines for serious breaches reflected the importance of personal data in the 21st century, Denham said, but the ICO intended to use the powers the GDPR will grant it “proportionately and judiciously”.

In late 2016 and early 2017, the ICO investigated and issued fines totalling £181,000 to 13 charities for breaching data-protection rules after the Daily Mail and The Mail on Sunday newspapers carried out investigations into fundraising practices involving several major charities.

In February, Denham revealed that she had used her discretion to reduce the fines handed out by as much as 90 per cent because they were being issued to charities.

In her blog, Denham said the watchdog had always “preferred the carrot to the stick” in its approach to regulation.

“Just look at our record,” she said. “Issuing fines has always been, and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.”

She said the ICO had yet to invoke the maximum powers available to it under the DPA.

“While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective,” she said.
