Feeds

ICO to focus only on 'serious, repeat' data-protection offenders

Watchdog won't bite until it has barked several times – new draft laws

Providing a secure and efficient Helpdesk

The Information Commissioner's Office (ICO) will not investigate every complaint it receives about data protection practices by organisations, under a draft new complaint-handling procedure outlined by the watchdog.

The ICO said it intends to pass some complaints it receives onto organisations to deal with, and has set out a proposed new process for determining when to address cases and issues more formally itself.

It said that it currently becomes embroiled in too many disputes between individuals and companies where compliance with data protection legislation is a "peripheral" issue. It has devised a new framework where it defer matters to organisations to deal with where those organisations have been complained about, and only start logging complaints after individuals have engaged with organisations.

"We want to focus on those who get things wrong repeatedly, and take action against those who commit serious contraventions of the legislation," the ICO said. "It is clear to us that when either an individual or an organisation is not sufficiently engaged with, or aware of, their respective information rights and obligations then a complaint or dispute is more likely."

"We want to support both parties to engage with one another clearly about what individuals can expect and what organisations should deliver. This will avoid unnecessary concerns being raised with us and make it much easier for us to identify opportunities to improve information rights practice," it said.

The watchdog's proposals were contained in a consultation it has launched (13-page / 90KB PDF) on plans to change the way it currently handles complaints made about data protection.

The ICO said it would improve its complaint logging systems so as to better identify whether issues are a "one-off" or whether they demonstrate "evidence of a pattern of poor practice". It said it could decide to take enforcement action in cases where it identifies a "systemic issue" at an organisation.

"The approach we intend to take to deal with each concern will depend on whether we identify an opportunity to improve information rights practice," the ICO said. "In most cases we will do this by considering the response provided by an organisation to the individual’s original concern. We will continue to ask organisations to explain their actions in potentially serious cases."

"We may make an assessment [about whether an organisation's personal data processing complies with the Data Protection Act] where we think this adds value or where the customer has asked us to do so. We may simply offer advice to both parties and ask the organisation to take ownership of their customer or client's concern. We will decide how we can best tackle each concern on a case by case basis," it said.

"If we think an organisation needs to improve its practices we will contact them to explain why we think that is the case. Where appropriate we may ask an organisation to commit to an action plan or undertaking, to be published on our website, explaining the work they are doing to improve their practices. If appropriate we will consider further enforcement action," the watchdog added.

The ICO also outlined its intention to proactively publish the number of complaints it receives about organisations.

"In line with our commitment to transparency, we plan to publish the number of concerns raised with us about organisations," the ICO said. "This information is already disclosable under freedom of information legislation. Clearly some organisations are likely to generate more concerns than others. We still expect these organisations to work hard to explain their actions in connection with data protection complaints and avoid unnecessary concerns being brought to our attention. We will use our regular reports to add context to the statistics."

"Of course when we identify serious contraventions of the legislation we regulate we have the power to take enforcement action. This review of our approach will, we believe, give us more capacity to take this kind of regulatory action when it is warranted," it said.

The ICO said that it intends to implement the changes to complaint handling on 1 April 2014. Its consultation is open until 31 January next year. It has asked for views on whether its proposed change of approach could place extra burdens on businesses.

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Heavy VPN users are probably pirates, says BBC
And ISPs should nab 'em on our behalf
Former Bitcoin Foundation chair pleads guilty to money-laundering charge
Charlie Shrem plea deal could still get him five YEARS in chokey
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.