ICO to focus only on 'serious, repeat' data-protection offenders

Watchdog won't bite until it has barked several times – new draft laws

The Information Commissioner's Office (ICO) will not investigate every complaint it receives about data protection practices by organisations, under a draft new complaint-handling procedure outlined by the watchdog.

The ICO said it intends to pass some complaints it receives on to organisations to deal with, and has set out a proposed new process for determining when to address cases and issues more formally itself.

It said that it currently becomes embroiled in too many disputes between individuals and companies where compliance with data protection legislation is a "peripheral" issue. It has devised a new framework under which it will defer matters to the organisations that have been complained about, and will only start logging complaints after individuals have engaged with those organisations.

"We want to focus on those who get things wrong repeatedly, and take action against those who commit serious contraventions of the legislation," the ICO said. "It is clear to us that when either an individual or an organisation is not sufficiently engaged with, or aware of, their respective information rights and obligations then a complaint or dispute is more likely."

"We want to support both parties to engage with one another clearly about what individuals can expect and what organisations should deliver. This will avoid unnecessary concerns being raised with us and make it much easier for us to identify opportunities to improve information rights practice," it said.

The watchdog's proposals were contained in a consultation it has launched (13-page / 90KB PDF) on plans to change the way it currently handles complaints made about data protection.

The ICO said it would improve its complaint logging systems so as to better identify whether issues are a "one-off" or whether they demonstrate "evidence of a pattern of poor practice". It said it could decide to take enforcement action in cases where it identifies a "systemic issue" at an organisation.

"The approach we intend to take to deal with each concern will depend on whether we identify an opportunity to improve information rights practice," the ICO said. "In most cases we will do this by considering the response provided by an organisation to the individual’s original concern. We will continue to ask organisations to explain their actions in potentially serious cases."

"We may make an assessment [about whether an organisation's personal data processing complies with the Data Protection Act] where we think this adds value or where the customer has asked us to do so. We may simply offer advice to both parties and ask the organisation to take ownership of their customer or client's concern. We will decide how we can best tackle each concern on a case by case basis," it said.

"If we think an organisation needs to improve its practices we will contact them to explain why we think that is the case. Where appropriate we may ask an organisation to commit to an action plan or undertaking, to be published on our website, explaining the work they are doing to improve their practices. If appropriate we will consider further enforcement action," the watchdog added.

The ICO also outlined its intention to proactively publish the number of complaints it receives about organisations.

"In line with our commitment to transparency, we plan to publish the number of concerns raised with us about organisations," the ICO said. "This information is already disclosable under freedom of information legislation. Clearly some organisations are likely to generate more concerns than others. We still expect these organisations to work hard to explain their actions in connection with data protection complaints and avoid unnecessary concerns being brought to our attention. We will use our regular reports to add context to the statistics."

"Of course when we identify serious contraventions of the legislation we regulate we have the power to take enforcement action. This review of our approach will, we believe, give us more capacity to take this kind of regulatory action when it is warranted," it said.

The ICO said that it intends to implement the changes to complaint handling on 1 April 2014. Its consultation is open until 31 January next year. It has asked for views on whether its proposed change of approach could place extra burdens on businesses.

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
