UK Information Commissioner's Office Launches New Code of Practice

On July 7, 2010, the UK Information Commissioner’s Office published a new code of practice for the collection of personal data online.  Launching the new code at a data protection conference, UK Information Commissioner Christopher Graham said, “the benefits of the internet age are clear: the chance to make more contacts, quicker transactions and greater convenience.  But there are risks too.  A record of our online activity can reveal our most personal interests.  Get privacy right and you will retain the trust and confidence of your customers and users; mislead consumers or collect information you don’t need and you are likely to diminish customer trust and face enforcement action from the ICO.”

While the new code is not legally binding, it does offer useful “best practice” advice to organizations that collect personal data online.  In particular, the code provides guidance on controversial issues such as behavioral advertising, cloud computing and the use of cookies.  “Organizations must be transparent so that consumers can make online privacy choices and see how their information will be used.  Individuals can take control by checking their privacy settings and being careful about the amount of personal details they post to social networking sites and elsewhere online,” said Mr. Graham.

The Personal Information Online Code of Practice is available on the ICO's website.

New Report Offers Insight on How the British Public Views Personal Data Use

Demos, an independent UK-based think tank, has published a report describing the views of a cross-section of British people on how their personal data are used by the public and private sectors.  Private Lives: A People’s Inquiry Into Personal Information (the “Report”) was researched in the context of the UK Information Commissioner’s Office’s consultation on the Personal Information Online Code of Practice.  The Information Commissioner called for industry and research groups to provide context for the new Code of Practice. “What emerges from the study is a fascinating picture of a public who certainly care about information rights, but who are by no means hysterical about perceived threats to liberty or privacy,” observed UK Information Commissioner Christopher Graham.

Demos created a deliberative process during which they asked 40 members of the British public to discuss their views on how their personal information is used.  Demos recruited participants from a range of socio-economic backgrounds.  During three sessions, the participants heard from data protection and privacy experts from the National Health Service, search engines and mobile phone companies, as well as lawyers and consumer advocates.  In small groups, the participants then explored data protection in the context of (1) communications data; (2) targeted advertising; and (3) medical data and e-health records.

The Report highlights the fact that democratizing personal information means not only giving people a voice in the privacy debate, but also finding better ways of listening to their views.  In this study, participants demanded transparency, security and the means by which they may exercise informed and meaningful choice.

Transparency concerning the protection, use and management of information is identified in the Report as a critical requirement for enhancing public trust in the way the public and private sectors process personal data and derive benefits from it.  Participants felt that those who collect and control their data often are not open about the purposes for which the data are collected and used.  They also considered that their data were shared with too many third parties, without their knowledge and outside their control.  Participants expressed a desire for data controllers and data handlers to take more responsibility, and for tools to give individuals greater control over their data.  On this issue, the Report recognizes the tension between a stated desire to control the use of personal information and the reality that most people lack the time and inclination to manage their data proactively.

The “Calls to Action” section of the Report captures participants’ proposals for better data protection, which participants felt currently are not being met.  The Report concluded that participants largely are demanding the robust application of existing principles of data protection.

Paula Bruening of the Centre for Information Policy Leadership and Natalie Hunt, formerly an associate in Hunton & Williams’ London Office, assisted Demos in preparing materials for the group discussions. Ms. Hunt also attended a series of roundtable discussions held by Demos as the Report was drafted.

The full report, published on March 21, 2010, is available on the Demos website.

UK Information Commissioner Asks Organizations to "Deliver the Privacy Dividend"

On March 3, 2010, the UK Information Commissioner launched a report on the "Privacy Dividend" (the “Report”), which outlines the business case for proactively investing in privacy protection.  The lack of a robust business case is a common barrier to privacy investment, and too often such investment is approved only after a privacy breach or other crisis occurs.

The conclusions of the Report are unsurprising, namely that (i) personal information has commercial value, (ii) good data protection can bring business benefits and (iii) there are significant downsides to ignoring data protection.  The Report also reiterates the need for direction and accountability on the part of senior management for the organization’s privacy strategy.

Against the backdrop of these conclusions, the Report offers a structured approach for Data Protection Officers to build their own business case to secure privacy investment and build a privacy culture.  It highlights the key components of a privacy program, and offers a framework (including examples) for estimating both the value of personal data, and the costs of ignoring data privacy.

In launching the report, the UK Information Commissioner, Christopher Graham, recognized that there can be no “one size fits all” approach to privacy.  Instead, the Report provides practical tools to help organizations of all sizes and across all sectors to build a business case for investing in privacy.  The Commissioner challenges organizations to use the tools necessary to ensure that privacy protection is hardwired into organizational culture and governance, and urges organizations to realize the privacy dividend.

Fines for UK Data Breaches Now a Reality

On January 12, 2010, the UK government laid regulations before Parliament to bring into force civil monetary penalties of up to £500,000 ($800,000) for serious data breaches.  These penalties are likely to take effect starting April 6, 2010.  Significantly, the penalties will apply not only to data security breaches, but also to all serious breaches of the UK Data Protection Act 1998.  Accordingly, collecting personal data for a sweepstakes contest and then deliberately, and without consent, disclosing the data to a third party to populate a tracing database for commercial purposes might well be subject to a penalty.

In publishing his department’s response to the public consultation, “Civil Monetary Penalties - Setting the maximum penalty,” the Justice Minister, Michael Wills, noted that the misuse of even small amounts of personal data can have serious consequences and that penalties of up to £500,000 “will ensure the Information Commissioner is able to impose robust sanctions on those who commit serious contraventions of the data protection principles.”

Christopher Graham, the UK’s Information Commissioner, has emphasized that he will adopt a pragmatic and proportionate approach to issuing monetary penalties, taking into account the organization’s size, financial resources and industry sector, as well as the severity of the breach.  However, he has stated unequivocally, “I will not hesitate to use these tough new sanctions for the most serious cases where organizations disregard the law.”

Over 700 data breaches have been reported in the UK in the last two years.  It seems likely that the first monetary penalties will not be long in coming.

The Information Commissioner’s statutory guidance explaining how he proposes to use the power is available on the Commissioner's website.

The Ministry of Justice’s response to the public consultation is available on the Ministry's website.

New UK Information Commissioner Sets His Agenda

The new UK Information Commissioner, Christopher Graham, shared his vision for data protection regulation at his first conference speech in London yesterday.  As the keynote speaker at the 8th Annual Privacy and Data Protection Conference, chaired by Hunton & Williams partner Bridget Treacy, Christopher Graham positioned himself as a fair but tough regulator who will not be afraid to use his strengthened enforcement powers.

The Commissioner noted that his vision for the Information Commissioner’s Office (“ICO”) is that of a well-funded regulator working to assist organizations with their data protection compliance activities and deal with any perceived non-compliance as early as possible.  However, he made it clear that sanctions will follow for those organizations that choose not to comply with data protection laws.

Specifically, Christopher Graham noted that the recent increase in data protection registration fees in the UK will greatly improve his office’s funding and enable him to expand its focus on compliance and enforcement.  He envisions a greater number of inspections or audits of data processing activities.  Further, the Commissioner’s power to impose monetary penalties is expected to come into force in April 2010, and Christopher Graham expects that 20 or so organizations are likely to be fined within the first 12 months.

Overall, there was a sense that change is afoot at the ICO.