The UK's data protection watchdog was not justified in serving a monetary penalty on a Scottish council over an allegedly flawed outsourcing arrangement it had with a data disposal contractor, an Information Rights Tribunal has ruled. Scottish Borders Council was issued with a £250,000 fine by the Information Commissioner's …
The judge took the view after determining that the standard of proof for assessing the likelihood of substantial damage or substantial distress requires that a data breach has to be likely to cause such damage or distress rather than for it merely to be likely for those consequences to be possible.
Good point. Hands up all those here who have had government clients who have assigned unrealistically high business impact levels to their data, because they are shit-scared of the consequences of a breach. And then complain that either they can't afford the system or that it will be unusable (often because it can't be connected to anything else).
Data privacy and protection are very important - so too is realism and pragmatism.
This bears all the DNA of every instance where a Government and IT are in the same room.
Broad but good intentions
Lack of accountability
Unexpected costs to be borne by the taxpayer
Regulator who Cannot/Does not/Will not enforce the rules
blah blah...Daily Mail...blah blah Return to Start
Re: Ah dichotomies
You could swap Government for Management and Taxpayer for Shareholder, and your statement would still be valid.
Based on the evidence in the article, the judge got the decision right. Yes, I want the buggers fined to buggery and people to take data protection seriously; but the laws have to be written to allow that and it doesn't sound as if they are.
In fining the Council, you are in fact fining the Council Tax payers, which doesn't seem entirely fair (although clearly something is required otherwise there'd be no disincentive to abide by the law).
Councils (and other pubic bodies) should be held to the same standards and laws as the private sector.
Instead of fines against the "company", perhaps the law should focus on personal prosecutions of the "Directors" of public bodies for the organisation's failings. There are many areas where private sector directors are personally liable, so why not public sector "Chief Executives"?
Make your Councillor work - don't re-elect them!
good point, which the judgement could have addressed and didn't, it seems - although your point slightly undermined by being very wide-reaching ("Councils (and other pubic bodies) "?
I don't see a problem with fines being against the "company", as long as public money isn't used to pay the fines for people's mistakes: if an individual employee within the council can't be identified as the responsible individual (and therefore liable for the fine), then make all of the councillors joint & severally liable for the fine on the grounds that a named individual should be responsible for such things and the councillors are negligent if that is not the case. Then apply the same rules at a national level.
It'll never happen. (For reasons why not, refer to Yes Minister "The Challenge", about failure standards, or perhaps a clip from Yes Prime Minister).
You don't fine the council...
...that just punishes the tax payers.
You take it out on the councillors and managers who failed in their duty and that probably means firing them/blocking re-election (certainly for a repeat offence). Clearly they need an opportunity to defend themselves, but we shouldn't punish the public for the failure of civil servants.
Also, why didn't the contractor face censure? They took on the role, why didn't they advise the council that it would cost a wee bitty more for secure disposal? Strikes me as negligence.
Re: You don't fine the council...
Then 100% of the council's budget goes on compliance.
Imagine your job if you were personally liable for any legal screw ups but could spend an infinite amount of shareholders' money avoiding them - what would you do?
Did the contractor get off scot-free?
According to the article the Council outsourced the data processing to a "reputable" company. Why didn't the outsourcing contract stipulate that the work was to be carried out with regard to the law, and create consequential liability to the contractor for any failure to comply? Then the Council could have just accepted the fine, and passed it plus any other costs on to the contractor.
Or was this another case using one of the big IT companies who insist on high fees and no liability as to fitness for purpose? Does anyone know who it was?
Re: Did the contractor get off scot-free?
Have a read of the link in the article, referring to the original report of the fine...
It explains who the "contractor" was, and how he failed to take disposal seriously. The council was found liable as it did not have a contract with him stipulating that the data should be destroyed after processing. It's quite laughable how it was disposed of, and for someone who had a 25 year record of data processing they should have known better, even if this contract made no mention of disposal.
SBC (or BRC as it was back then) were my employer 20 years ago, so maybe I was one of the ones dumped in a supermarket paper recycling bin.......
SBC is my local authority - I hope to god SBC get away without a fine, we don't want any tax rate increases thank you very much!
It is amusing that the British are so concerned with their privacy. Does any nation have as many surveillance cameras per capita as England? There doesn't yet seem to be an understanding by the members of any society today that privacy is an anachronism. We are holding on to a value that was for a different time much like the morality and view of human beings that rests on Christian theology (at least in the West).
Societies today in the developed world are highly complex machines where people are simply the cogs that make it function. Everyone in the tech world knows the difficulties one has to overcome to scale for large volumes of data. The scale of our societies today seems to be moving in a direction that requires that the concept of the individual become irrelevant. We are becoming more and more like ants.
Oddly enough, in days when people lived in small villages there was no privacy. Escaping to large urban population centers provided a sense of anonymity but what really happened was that one's identity became an identity based upon the system's knowledge of you. Computational capacity has allowed for the system to expand its knowledge and control over identity. We may exist as flesh and blood but our life in the developed world is a data life. If all records of a human being's existence were eliminated, that person actually would cease to exist. They may exist as any animal does but their existence within a society would cease and their range of action would be very circumscribed.
We know what is happening which is probably why there are so many people screaming today about privacy issues. We are always looking to hold someone liable for things that don't go the way we would like them to go and though there will be the occasional scapegoat, the overall direction doesn't change. There will always be those people at the margins who will attempt to remove themselves from the system to keep their nebulous concept of privacy intact but for the rest of us, that battle is over.
There is no conspiracy in all this, no cabal at command central. It is a dynamic necessary for societies to exist at the scale we currently live. Our existence is the sum total of the trail of records we leave behind us like slime from a snail.
There has been more taxpayer money spent to show that the money taken from the taxpayer and given to the taxpayer is too much.
Money well spent I say.