Is Local Government being disproportionately targeted by the Information Commissioner? Jonathan Baines looks at the evidence.
On 1 July 2011 the Information Commissioner (IC), Christopher Graham, issued a strongly-worded press release, which announced the publication of five undertakings he had required NHS Trusts to sign, following serious breaches of the Data Protection Act 1998 (DPA). In an interview in The Independent the same day there was even more tough-talking about NHS data breaches: “There’s just too much of this stuff going on. The senior management is aware of the challenge but the breaches continue. Whether it’s a systemic problem in the NHS or an epidemic we have got to do something about it.”
In one obvious way, there is something that can be done about it. Section 55A-E of the DPA (as amended by the Criminal Justice and Immigration Act 2008) came into force in April 2010, and gave the IC the powers to impose Monetary Penalty Notices (MPNs), to a maximum of £500,000, on organisations committing serious breaches of the DPA. He will only exercise this power where the breach is of a kind “likely to cause substantial damage or substantial distress” and where it was deliberate or, effectively, reckless. Since he acquired the powers, he has issued six MPNs, to a total sum of £431,000, and the maximum being £120,000.
It is noteworthy that none of these six MPNs has been imposed on an NHS body (nor, indeed, central government nor the police). And only two, totalling £61,000, have been imposed on private companies. Four of the six, however, totalling £370,000, have been imposed on local authorities. A recent Freedom of Information request revealed that since November 2007 1674 instances of serious breaches of the DPA had been self-reported to the IC’s office. Of these, only 302 were from local authorities. By contrast 473 were from NHS bodies, and 502 from the private sector. These four-year figures are broadly reflected in figures in the annual report released on 6 July by the IC, which, for the past year, show 146 local authority breaches, compared to 165 by the NHS (with 186 by the private sector).
So are local authorities being disproportionately targeted by the IC when it comes to the imposing of MPNs? The IC would no doubt state that each breach will be considered on its facts, and he will have close regard to the nature and volume of the data involved (the more sensitive and voluminous the data, the worse the breach) as well as to any remedial steps the authority has taken and to its financial resources. Local authorities, by their nature, handle large amounts of particularly sensitive data, but so do most, if not all, NHS bodies and it would be surprising if one arm of the public sector was very much better at keeping personal data secure than another. Indeed, when one compares those recent NHS breaches which haven’t attracted MPNs, with the others which have, one notices some obvious similarities (wrongly-directed faxes being a common mistake).
One should sound a note of caution however: without close analysis of the facts of each breach considered by the IC it is not possible fully to equate one breach with another.
Nonetheless, one wonders what sort of critical media coverage might ensue, as well as what the effect on the reputation of the DPA regime would be, if the IC were to impose hefty monetary penalties on the NHS. And as the sums levied go not towards improving general data security, but rather straight into the government consolidated fund, one begins to see why it might not be a particularly attractive option: a regulator who takes direly-needed money from the NHS, and places it in the government’s wallet, could well struggle to maintain popularity with the media and the public.
Christopher Graham does not have any easy task when he hands out MPNs. When (or if) he imposes one on the NHS he will no doubt cause controversy, but he might also reassure local government that it is not being disproportionately targeted when it comes to DPA enforcement.
Jonathan Baines works in Local Government. His blog, Information Rights and Wrongs, can be read here.