I have just read the information tribunal decision and the reasons why the panel quashed the UK Information Commissioner’s £250,000 fine against the Scottish Borders council. The local authority was punished after a worker dumped employees' private data in bins at a nearby Tesco and another unnamed supermarket. It seems clear …
Fining public bodies is a disgrace, it just impacts the people funding them. Unless the fines are taken from the execs' pension funds! The punishments should be expanded to require dismissals of managers and staff where appropriate.
I agree - the fines should be charged to the individuals responsible. If it impacts their own pockets then they might take these matters more seriously.
This was a very good/informative article.
Perhaps the Data Controller should be a named individual, rather than an organization. Then an Enforcement Notice could include a ban on that individual, or require evidence of suitable education.
"typically… a name, an address, date of birth, national insurance number and salary. In some cases the files contained bank account details, a signature, a nominee to receive benefits". In other words there was no sensitive personal data involved". I beg to differ: this is sensitive personal data.
Otherwise a very interesting article.
@Matt: The key word there is "sensitive". The data is definitely personal, but not the higher category.
I would consider my bank account details and signature as "sensitive" information, especially when combined with name, address, date of birth and possibly NINO.
Sensitive in this context doesn't mean information that could affect sensibilities, e.g. embarrassing or intimate; it means data that can compromise the security of important things - in this case, the bank accounts of the people whose data was carelessly discarded.
Given the act has been in force since 1998, it's beyond doubt the person/s dealing with the documents knew about the act but chose to ignore it; that's why work places have sensitive material boxes available which are safely destroyed.
Secondly, a name, address, date of birth, national insurance number and salary is quite clearly considered sensitive data as defined under the act; that's the whole point, to provide adequate protection from misuse of such data.
In what way are the details you list defined under the act as sensitive data?
- racial or ethnic origin
- political opinions
- religious beliefs
- trade union membership
- physical or mental health
- sex life
- criminal records?
Doesn't look like it, does it?
As the first Data Protection Officer I ever worked with put it - sensitive personal data means the things that the Nazis killed people for.
"Finally, I think the idea of an MPN levied against any public sector data controllers lacks logic; there should be instead an offence associated with deliberately ignoring or grossly neglecting an obligation to comply with a data protection principle."
There should be both; an MPN levied against the named individual responsible for compliance in that specific case (and followed by their dismissal), and if no individual can be identified an offence of "failing to supervise" where the elected representatives (councillors or ministers) responsible for supervising their departments get automatically booted out of office, no pay-offs or parachutes.
Sensitive Personal Data
It looks like some commentators need to remind themselves what Part 1 Section 2 of the Data Protection Act 1988 actually says. These records were clearly not within the definition of 'sensitive personal data'.
What a huge amount of wasteful bullshit
All those boards and panels and committees and guidelines and bureaucratic crap. Costing how many millions of pounds of taxpayers' hard-earned money. And all failing to prevent someone doing the wrong thing.
A little common sense and common decency would go a long way. Fat chance.
So what you're saying is
That government bodies at every level are inept? Who knew? Next thing you know we'll have politicians distorting the truth to fit their own agenda (or someone else's if they've been paid enough).
"name, an address, date of birth, national insurance number" you're saying this isn't sensitive personal data? Like to give me your details and I'll see what I can do with them?
This whole thing is legalistic timewasting, they're guilty, fine the idiots half their annual budget. As for the perennial harping on about the taxpayers paying the fine, that's ok, the taxpayers are responsible for what is done in their name.
Seemed sensible to me
Firstly, have you ever actually tried to get anything out of a supermarket paper recycling bank? It isn't easy, to put it mildly; and if you manage to avoid injury, then at the very least you will draw attention to yourself trying.
Secondly, who's expecting for there to be anything "interesting" in there anyway? Chances are the contents are mostly junk mail and newspapers. Yes, that's "security by obscurity" and therefore not especially strong, but the question "which one of thousands of pieces of paper out of which bin is the one I'm looking for?" is a bit of an obstacle.
Thirdly, if someone's paying for some "waste product", you can be reasonably confident that they are actually going to recycle it properly.
All things considered, there are worse ways they could have tried to get rid of it -- and easier ways to get hold of people's sensitive personal data.
Re: Seemed sensible to me
The problem in this specific case was that the recycling bins were overflowing when the papers were added, which means it didn't take a major exercise to see the papers, just someone glancing down at the ones that had fallen out.
I don't see the difference between people delivering junk mail to my door (and takeaway menus) and fly tipping.