ICO less likely to fine charities for data breaches if they show staff training

From Hugh Radojev for Civil Society Online 8 June 2017

The Information Commissioner’s Office has said that in the event of a data breach it would be less likely to issue a monetary penalty to charities which had taken “reasonable steps” to prevent it, including staff training.

When asked whether the Information Commissioner would be more likely to fine organisations that could not show evidence that at least 80 per cent of their staff were trained in data protection, a spokeswoman for the ICO said it would take “full account of the facts” in any investigation.

“In deciding whether it is appropriate to impose a monetary penalty and in determining the amount of that penalty, the commissioner will take full account of the facts of the contravention and of any representations made to her,” said the ICO spokeswoman.

“That includes whether or not ‘reasonable steps’, such as staff training, were taken to prevent the contravention.”

The comment came after Civil Society News learnt that organisations in the charity sector have been briefed that the ICO would be more likely to fine an organisation in the event of a data breach if it could not show that at least 80 per cent of its staff had been given specific data protection training.

‘Would make no difference for serious breaches’

Tim Turner, a data protection trainer and consultant, told Civil Society News that this has been the case for a while, even if it has not been made public by the ICO. He said, however, that if the data breach in question is serious enough, the number of trained staff “may make no difference”.

“If there is another obvious breach – like a lack of encryption, or poor or absent procedures – it may make no difference,” he said. “But having trained the large bulk of staff is part of building a case that it was an unavoidable accident, where someone makes a mistake.”

Anjelica Finnegan, policy and research manager at Charity Finance Group, said the ICO has not made clear what it considers these “reasonable steps” to be, and called on the ICO to ensure that any judgement “take that charity’s individual situation into account”.

“The statement issued by the ICO makes clear that the Commissioner wants evidence that organisations are doing what they can to protect the personal data that they store. What has not been made clear is how the ICO will determine what constitutes reasonable steps, or what they consider training to be.

“It is important that the Information Commissioner does not go in to investigate a data breach with an unrealistic expectation of what they would see as sufficient training for staff.

“The ICO must ensure that any judgement on a data breach within a charity takes the charity’s individual situation into account – this includes the charity’s income and resources, including the number of paid staff and volunteers.”