Just a few brief comments about an exchange that occurred during the data protection conference recently run by the National Association of Data Protection Officers (NADPO), which had Deputy Information Commissioner, David Smith, as a keynote speaker.
The questioning concerned the Enforcement Notice issued to M&S in 2008 relating to a data loss following the theft of an unencrypted laptop which contained the personal information of 26,000 M&S employees. Evidently M&S was offered an Undertaking, which they were reluctant to sign because a contractor was at fault.
David Smith pointed out that it was now the policy of the Commissioner to issue an Enforcement Notice if a data controller refused to sign an Undertaking.
The effect of this is as follows. Undertakings are only required when there has been a serious breach of any data protection principle, but where the issue is not so serious that an Enforcement Notice is a more appropriate sanction. Note that the Commissioner has identified the loss of unencrypted personal data on a laptop or memory stick as qualifying for consideration for a Monetary Penalty Notice – so getting an Undertaking in these circumstances can be considered to be a “let off”.
In addition, if an Enforcement Notice is served, the Notice will dictate what the Commissioner wants the data controller to do; failure to diligently follow the directions described in a Notice is a criminal offence. By contrast, with an Undertaking, there is a chance of negotiating something that at least considers some of a data controller’s specific problems when implementing new data protection requirements.
Finally, if a data controller accepts an “Undertaking”, the Commissioner does not need to obtain the evidence that is required to serve an Enforcement Notice. It also means that the Commissioner does not have to have one eye on an appeal against the Notice, or on the possibility of prosecuting an offence of not complying with the terms of a Notice. “Undertakings” are a quick way of getting a problem off the books, so to speak.
In other words, if you are in the unhappy position of being offered an Undertaking, sign up like a man and take it on the chin. The alternatives are far worse.
Note: NADPO members qualify for a £250 discount on Amberhawk’s long DP and FOI courses leading to the ISEB qualification and £150 off our intensive DP and FOI courses. However, if you want to take advantage of this, contact firstname.lastname@example.org with your booking.