Feeds

ICO to focus only on 'serious, repeat' data-protection offenders

Watchdog won't bite until it has barked several times – new draft laws

Top three mobile application threats

The Information Commissioner's Office (ICO) will not investigate every complaint it receives about data protection practices by organisations, under a draft new complaint-handling procedure outlined by the watchdog.

The ICO said it intends to pass some complaints it receives onto organisations to deal with, and has set out a proposed new process for determining when to address cases and issues more formally itself.

It said that it currently becomes embroiled in too many disputes between individuals and companies where compliance with data protection legislation is a "peripheral" issue. It has devised a new framework where it defer matters to organisations to deal with where those organisations have been complained about, and only start logging complaints after individuals have engaged with organisations.

"We want to focus on those who get things wrong repeatedly, and take action against those who commit serious contraventions of the legislation," the ICO said. "It is clear to us that when either an individual or an organisation is not sufficiently engaged with, or aware of, their respective information rights and obligations then a complaint or dispute is more likely."

"We want to support both parties to engage with one another clearly about what individuals can expect and what organisations should deliver. This will avoid unnecessary concerns being raised with us and make it much easier for us to identify opportunities to improve information rights practice," it said.

The watchdog's proposals were contained in a consultation it has launched (13-page / 90KB PDF) on plans to change the way it currently handles complaints made about data protection.

The ICO said it would improve its complaint logging systems so as to better identify whether issues are a "one-off" or whether they demonstrate "evidence of a pattern of poor practice". It said it could decide to take enforcement action in cases where it identifies a "systemic issue" at an organisation.

"The approach we intend to take to deal with each concern will depend on whether we identify an opportunity to improve information rights practice," the ICO said. "In most cases we will do this by considering the response provided by an organisation to the individual’s original concern. We will continue to ask organisations to explain their actions in potentially serious cases."

"We may make an assessment [about whether an organisation's personal data processing complies with the Data Protection Act] where we think this adds value or where the customer has asked us to do so. We may simply offer advice to both parties and ask the organisation to take ownership of their customer or client's concern. We will decide how we can best tackle each concern on a case by case basis," it said.

"If we think an organisation needs to improve its practices we will contact them to explain why we think that is the case. Where appropriate we may ask an organisation to commit to an action plan or undertaking, to be published on our website, explaining the work they are doing to improve their practices. If appropriate we will consider further enforcement action," the watchdog added.

The ICO also outlined its intention to proactively publish the number of complaints it receives about organisations.

"In line with our commitment to transparency, we plan to publish the number of concerns raised with us about organisations," the ICO said. "This information is already disclosable under freedom of information legislation. Clearly some organisations are likely to generate more concerns than others. We still expect these organisations to work hard to explain their actions in connection with data protection complaints and avoid unnecessary concerns being brought to our attention. We will use our regular reports to add context to the statistics."

"Of course when we identify serious contraventions of the legislation we regulate we have the power to take enforcement action. This review of our approach will, we believe, give us more capacity to take this kind of regulatory action when it is warranted," it said.

The ICO said that it intends to implement the changes to complaint handling on 1 April 2014. Its consultation is open until 31 January next year. It has asked for views on whether its proposed change of approach could place extra burdens on businesses.

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Combat fraud and increase customer satisfaction

More from The Register

next story
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
US Supreme Court supremo rakes Aereo lawman in oral arguments
Antenna-array content streamers: 'Ruling against us could dissipate the cloud'
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
prev story

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.