ICO to focus only on 'serious, repeat' data-protection offenders

Watchdog won't bite until it has barked several times – new draft laws

The Information Commissioner's Office (ICO) will not investigate every complaint it receives about data protection practices by organisations, under a draft new complaint-handling procedure outlined by the watchdog.

The ICO said it intends to pass some of the complaints it receives on to organisations to deal with, and has set out a proposed new process for determining when to address cases and issues more formally itself.

It said that it currently becomes embroiled in too many disputes between individuals and companies where compliance with data protection legislation is a "peripheral" issue. It has devised a new framework under which it will defer matters to the organisations that have been complained about, and will only start logging complaints after individuals have engaged with those organisations.

"We want to focus on those who get things wrong repeatedly, and take action against those who commit serious contraventions of the legislation," the ICO said. "It is clear to us that when either an individual or an organisation is not sufficiently engaged with, or aware of, their respective information rights and obligations then a complaint or dispute is more likely."

"We want to support both parties to engage with one another clearly about what individuals can expect and what organisations should deliver. This will avoid unnecessary concerns being raised with us and make it much easier for us to identify opportunities to improve information rights practice," it said.

The watchdog's proposals were contained in a consultation it has launched (13-page / 90KB PDF) on plans to change the way it currently handles complaints made about data protection.

The ICO said it would improve its complaint logging systems so as to better identify whether issues are a "one-off" or whether they demonstrate "evidence of a pattern of poor practice". It said it could decide to take enforcement action in cases where it identifies a "systemic issue" at an organisation.

"The approach we intend to take to deal with each concern will depend on whether we identify an opportunity to improve information rights practice," the ICO said. "In most cases we will do this by considering the response provided by an organisation to the individual’s original concern. We will continue to ask organisations to explain their actions in potentially serious cases."

"We may make an assessment [about whether an organisation's personal data processing complies with the Data Protection Act] where we think this adds value or where the customer has asked us to do so. We may simply offer advice to both parties and ask the organisation to take ownership of their customer or client's concern. We will decide how we can best tackle each concern on a case by case basis," it said.

"If we think an organisation needs to improve its practices we will contact them to explain why we think that is the case. Where appropriate we may ask an organisation to commit to an action plan or undertaking, to be published on our website, explaining the work they are doing to improve their practices. If appropriate we will consider further enforcement action," the watchdog added.

The ICO also outlined its intention to proactively publish the number of complaints it receives about organisations.

"In line with our commitment to transparency, we plan to publish the number of concerns raised with us about organisations," the ICO said. "This information is already disclosable under freedom of information legislation. Clearly some organisations are likely to generate more concerns than others. We still expect these organisations to work hard to explain their actions in connection with data protection complaints and avoid unnecessary concerns being brought to our attention. We will use our regular reports to add context to the statistics."

"Of course when we identify serious contraventions of the legislation we regulate we have the power to take enforcement action. This review of our approach will, we believe, give us more capacity to take this kind of regulatory action when it is warranted," it said.

The ICO said that it intends to implement the changes to complaint handling on 1 April 2014. Its consultation is open until 31 January next year. It has asked for views on whether its proposed change of approach could place extra burdens on businesses.

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
