Every week or so there is a press announcement from the ICO dealing with an errant data controller who has reported a data loss. The statement usually says that “so and so organisation” has lost a memory stick or laptop or whatever and has signed a public undertaking to improve matters and to behave properly in future.
For example, last week the Alzheimer’s Society promised to improve data security after staff details were lost. In fact, the Society is rather recidivist in relation to data loss as it reported three separate breaches involving personal data to the ICO during 2009.
The data loss (presumably the third of a series) that tipped the ICO into “asking” for an Undertaking from the Society involved the loss of several unencrypted laptops. The laptops were neither physically secured by cable locks nor locked away securely; one of the laptops contained personal details including names, addresses, national insurance numbers and salary details for about 1,000 staff across England, Wales and Northern Ireland. Staff were notified of the loss.
Signed undertakings are “requested” when there has been a serious breach of any data protection principle brought to the attention of the Commissioner where the issue is not so serious that an Enforcement Notice is a more appropriate sanction. The Commissioner’s decision between an Undertaking and an Enforcement Notice is the result of a thought experiment (or the product of paranoia if one is unkind) as it depends on what any putative data-thief could do with the lost personal data and not on what any thief actually does.
If a data controller accepts an “Undertaking”, the Commissioner is not required to obtain the evidence that is needed to serve an Enforcement Notice. It also means that the Commissioner does not have to consider an appeal (as there isn’t one) and the Undertaking can be couched in general terms. A signed Undertaking (and the promise of future action to improve data protection compliance) is a quick and non-statutory way of getting a serious problem off the Commissioner’s books, so to speak.
There are rumours going around the data protection circuit that a Borough Council in the North West of England has suffered a second significant data loss, subsequent to a first Undertaking for another data loss. If that Council is judged not to have acted diligently with respect to the first Undertaking, it can expect an Enforcement Notice with respect to the second data loss. The rumour is that an Enforcement Notice is in the post.
So, it is important to understand that if you have to sign an Undertaking there is an element of “drinking at the last chance saloon”. So if your CEO signs one, don’t stay in the pub after closing time!
Reference: to assist users I have prepared a detailed analysis of the Commissioner’s Undertaking policy (on https://www.amberhawk.com/policydoc.asp). This policy will form part of the UPDATE sessions we are holding with our Pinsent Masons colleagues in April in London, Manchester and Edinburgh (details on www.amberhawk.com).