On 5th January 2016 the Information Commissioner (“ICO”) served an Enforcement Notice (“EN”) on the Alzheimer’s Society under s40 of the Data Protection Act 1998 (“the Act”). The background is set out in the EN and need not be repeated here save to note that there is a clear history of concern on the part of the ICO as to whether the Society was complying with its duties under the Act.
The Society is appealing against the EN, or at least some parts of it, and this has garnered much criticism in some quarters (see e.g. here, including an adverse comment by me), to the effect that the Society should simply get on with what it should do to comply and not waste charity monies on unmerited appeals. The Society has defended its actions essentially on the basis that aspects of the EN are unclear and that this is particularly unfair (they say) given that they have limited resources. Resource is a relevant issue – see Schedule 1 Part II Paragraph 9 of the Act. One would not expect them to go into more detail at this stage.
As a matter of law one must have some sympathy with their position. Failure to comply with an EN is a criminal offence: see s47. An EN may therefore effectively be equated with a court order. It is clear law in many areas that a court order must be precise and capable of being understood by the person to whom it is directed. That person must be clear and in no doubt as to the steps that are required for compliance. An issue here is clearly whether an EN should be similarly clear given the potential sanction for breach.
As indicated the full basis of the appeal is not known at this stage but consider paragraph 9 of the EN which perhaps most clearly raises the issues:
“Appropriate organisational and technical measures are taken against the unauthorised access by staff (including volunteers) to personal data”
That is effectively a statement of the requirement in data protection principle 7. But the EN does not say what the ICO considers to be appropriate on the facts of the case. How will the Society know if and when it has met the relevant standard? Is this part of the Order sufficiently clear? Privacy and data protection advisers will know just how difficult it is in practice to set the relevant standard for a particular organisation, given that the standard is mutable, having reference to the factors set out in paragraphs 9-12 of Schedule 1 Part II.
Similar issues arise on other parts of the EN, but perhaps to a lesser extent. For example, paragraph 5 refers to encryption “... which meets the current standard or equivalent”. Which current standard? AES? DES? 128 bit? 256 bit? Quantum cryptography?
The appeal, if it is pursued, therefore raises a matter of general importance relating to ENs. This issue can arise in other areas. For example, a subject may claim he has not received all the personal data he is entitled to following a subject access request under s7 of the Act. The ICO on investigation agrees and orders the data controller to disclose “all the personal data to which the subject is entitled”, or something similar, where one issue was whether certain information was or was not ‘personal data’. Is that acceptable, or must the ICO go through the material and decide and specify exactly what he considers to be personal data so that the data controller is in no doubt at all what he needs to disclose?
A decision in this case may bring some welcome clarity.
In fairness I must mention the defence in s47(2) of the Act. A data controller is not guilty of an offence if he “exercised all due diligence to comply with the notice in question”. There may be an issue as to whether, and as to the extent to which, the availability of this defence moderates the requirement that an EN be precise. Where the EN is as vague as paragraph 9 I have my doubts as to how much it can do so. It may be possible to assess due diligence for requirement 5 (encryption standard), where there are some definitive published guidelines, but how do you test due diligence for a requirement which is not actually specified and has such a wide range of variables as set out in the Act?
The defence may actually make a non-specific EN practically worthless. Compliance could become a tick-box exercise in producing documentation and accepted risk assessments to set your own standards. Unless you set these at a level which no reasonable data controller could possibly accept, the due diligence defence would always be available.
In summary, paragraph 9 of the EN does not appear, as required by s40, to specify the steps required for compliance with principle 7. It simply appears to specify and repeat that the data controller must comply with principle 7 – which is already a legal duty.
Finally, it is interesting to note and compare, given their current position, the undertaking that the Society signed in February 2010. It does contain some similarly vague terms, e.g. “Physical security measures are adequate…”, although the equivalent of paragraph 9 of the EN actually let the Society decide for itself what standard was adequate: “The data controller shall implement such other security measures as it deems appropriate…”. There may equally be a lesson for anyone contemplating giving an undertaking – make sure there is no doubt what you need to do to comply with your own promises.