UK: Target practice?
Is Local Government being disproportionately targeted by the Information Commissioner? Jonathan Baines looks at the evidence.
On 1 July 2011 the Information Commissioner (IC), Christopher Graham, issued a strongly-worded press release, which announced the publication of five undertakings he had required NHS Trusts to sign, following serious breaches of the Data Protection Act 1998 (DPA). In an interview in The Independent the same day there was even more tough-talking about NHS data breaches: “There’s just too much of this stuff going on. The senior management is aware of the challenge but the breaches continue. Whether it’s a systemic problem in the NHS or an epidemic we have got to do something about it.”
In one obvious way, there is something that can be done about it. Section 55A-E of the DPA (as amended by the Criminal Justice and Immigration Act 2008) came into force in April 2010, and gave the IC the powers to impose Monetary Penalty Notices (MPNs), to a maximum of £500,000, on organisations committing serious breaches of the DPA. He will only exercise this power where the breach is of a kind “likely to cause substantial damage or substantial distress” and where it was deliberate or, effectively, reckless. Since he acquired the powers, he has issued six MPNs, to a total sum of £431,000, and the maximum being £120,000.
It is noteworthy that none of these six MPNs has been imposed on an NHS body (nor, indeed, central government nor the police). And only two, totalling £61,000, have been imposed on private companies.
Read more on LocalGovernmentLawyer