Feeds

ICO to focus only on 'serious, repeat' data-protection offenders

Watchdog won't bite until it has barked several times – new draft laws

SANS - Survey on application security programs

The Information Commissioner's Office (ICO) will not investigate every complaint it receives about data protection practices by organisations, under a draft new complaint-handling procedure outlined by the watchdog.

The ICO said it intends to pass some complaints it receives onto organisations to deal with, and has set out a proposed new process for determining when to address cases and issues more formally itself.

It said that it currently becomes embroiled in too many disputes between individuals and companies where compliance with data protection legislation is a "peripheral" issue. It has devised a new framework where it defer matters to organisations to deal with where those organisations have been complained about, and only start logging complaints after individuals have engaged with organisations.

"We want to focus on those who get things wrong repeatedly, and take action against those who commit serious contraventions of the legislation," the ICO said. "It is clear to us that when either an individual or an organisation is not sufficiently engaged with, or aware of, their respective information rights and obligations then a complaint or dispute is more likely."

"We want to support both parties to engage with one another clearly about what individuals can expect and what organisations should deliver. This will avoid unnecessary concerns being raised with us and make it much easier for us to identify opportunities to improve information rights practice," it said.

The watchdog's proposals were contained in a consultation it has launched (13-page / 90KB PDF) on plans to change the way it currently handles complaints made about data protection.

The ICO said it would improve its complaint logging systems so as to better identify whether issues are a "one-off" or whether they demonstrate "evidence of a pattern of poor practice". It said it could decide to take enforcement action in cases where it identifies a "systemic issue" at an organisation.

"The approach we intend to take to deal with each concern will depend on whether we identify an opportunity to improve information rights practice," the ICO said. "In most cases we will do this by considering the response provided by an organisation to the individual’s original concern. We will continue to ask organisations to explain their actions in potentially serious cases."

"We may make an assessment [about whether an organisation's personal data processing complies with the Data Protection Act] where we think this adds value or where the customer has asked us to do so. We may simply offer advice to both parties and ask the organisation to take ownership of their customer or client's concern. We will decide how we can best tackle each concern on a case by case basis," it said.

"If we think an organisation needs to improve its practices we will contact them to explain why we think that is the case. Where appropriate we may ask an organisation to commit to an action plan or undertaking, to be published on our website, explaining the work they are doing to improve their practices. If appropriate we will consider further enforcement action," the watchdog added.

The ICO also outlined its intention to proactively publish the number of complaints it receives about organisations.

"In line with our commitment to transparency, we plan to publish the number of concerns raised with us about organisations," the ICO said. "This information is already disclosable under freedom of information legislation. Clearly some organisations are likely to generate more concerns than others. We still expect these organisations to work hard to explain their actions in connection with data protection complaints and avoid unnecessary concerns being brought to our attention. We will use our regular reports to add context to the statistics."

"Of course when we identify serious contraventions of the legislation we regulate we have the power to take enforcement action. This review of our approach will, we believe, give us more capacity to take this kind of regulatory action when it is warranted," it said.

The ICO said that it intends to implement the changes to complaint handling on 1 April 2014. Its consultation is open until 31 January next year. It has asked for views on whether its proposed change of approach could place extra burdens on businesses.

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
Singapore decides 'three strikes' laws are too intrusive
When even a prurient island nation thinks an idea is dodgy it has problems
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.