
Feature

Doing the right thing

From Document Manager Magazine Vol 18 No 01 - January/February 2010

In challenging economic times, local councils are faced with the prospect of delivering better for less. Information can help and hinder this process.

But new regulations coming into force in April 2010 could give organisations that hold data a much-needed wake-up call and force inactive public authorities into action. Darren Howe of Northgate Public Services explains the proposed change in the law, examines its impact on all organisations that hold data (the public sector and local councils in particular) and calls for local authorities to adopt a radical approach that moves beyond the traditional one offered by document and records management solutions.

On 6 April 2010 it is anticipated that the Information Commissioner's Office (ICO) will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act 1998 (DPA). The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010, which were laid before Parliament in early January, provide the ICO with this new enforcement power.

Although the ICO was given powers to impose civil monetary penalties when section 144 of the Criminal Justice and Immigration Act 2008 amended the DPA, these provisions are not currently in force.

All that will change in April. Under the new law the ICO can impose a monetary penalty notice if there has been a serious contravention of the Act, and the contravention was deliberate or reckless, and of a kind likely to cause substantial damage or substantial distress to an individual.

The ICO can use this new power of enforcement against organisations in the private, public and voluntary sectors, including government departments and office holders created by statute, such as electoral registration officers.

The government hopes that financial penalties for non-compliance will provide a powerful deterrent for organisations which may otherwise ignore their responsibilities under the DPA. Organisations which face such penalties are likely to suffer not only hefty fines but also reputational damage. The media profile of such cases is likely to be high, in the same way that data loss and data security are media issues now. All monetary penalties imposed by the ICO will be made public: the monetary penalty notice will be published on the Commissioner's website, with any confidential or commercially sensitive information redacted.

The Data Protection principles
Since March 2000 organisations have been under an obligation to comply with the data protection principles. The Data Protection Act gives individuals the right to know what information is held about them and provides the framework to ensure that personal information is handled properly. Anybody who processes personal information must comply with the following eight principles, which make sure that personal information is:

  • fairly and lawfully processed
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate and up to date
  • not kept for longer than is necessary
  • processed in line with people's rights
  • secure
  • not transferred to other countries without adequate protection

How will the ICO use these powers?
"I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law." Christopher Graham, Information Commissioner, January 2010

Overview
There must have been a serious contravention of the Act and the Commissioner must decide that a monetary penalty is appropriate.

A notice of intent will then be issued with the proposed amount and organisations can make written appeals at this stage.

Once a penalty has been issued, there is a further right of appeal to a tribunal.

A penalty cannot be imposed until 28 days have expired since the notice of intent was served.

Organisations with higher financial resources are likely to receive a higher monetary penalty than others with more limited resources.

If the Commissioner receives full payment of the monetary penalty within 28 days of the monetary penalty notice being served, the penalty will be reduced by 20%.

Serious contravention
Examples of serious contraventions include:

  • failing to take adequate security measures (operational procedures, guidance etc.) resulting in the loss of personal data
  • losing records containing sensitive personal data following a security breach

Have organisations taken reasonable steps to prevent contravention?
Many organisations have good intentions when it comes to how they manage their information. It's just they don't necessarily put them into action. For example, retention policies are common but organisations can find them difficult to implement. Where information is managed in an EDRM system it needs to be set up by suitably skilled professionals in line with best practice.

In considering whether organisations have taken reasonable steps to prevent a breach the ICO will consider the following:

  • whether a risk assessment has been carried out and whether the organisation took reasonable steps to address the risk, including putting policies, procedures, practices or processes in place, or giving advice and guidance to employees
  • whether good governance and/or audit arrangements are in place to establish clear lines of responsibility for preventing contraventions
  • whether appropriate policies, procedures, practices or processes relevant to the contravention are in place
  • whether ICO guidance or codes of practice have been implemented

The likelihood of damage or distress suffered by an individual
The ICO will consider whether the damage or distress is merely perceived or of "real" substance. An example of substantial damage is given in the ICO statutory guidance as a situation where an ex-employer issues a reference based on inaccurate personal data which results in the loss of a job opportunity for an individual.

The extent of the penalty
In deciding the level of the penalty, the ICO will consider issues such as the following:

  • how serious the contravention was or is in terms of the nature of the personal data concerned and the number of individuals actually or potentially affected
  • whether the contravention was a "one-off" or part of a series of similar contraventions
  • whether the contravention was caused or exacerbated by activities or circumstances outside the direct control of the data controller, for example, a data processor or an errant employee
  • the duration and extent of the contravention
  • whether guidance or codes of practice published by the Commissioner or others and relevant to the contravention were used

The ICO will also take into account what steps have been taken by the organisation once a contravention has taken place. An organisation that conceals the issue is more likely to incur a penalty than an organisation that voluntarily reports the contravention to the ICO, all other things being equal.

Getting it wrong is no longer an option
With the unrelenting glare of public scrutiny and the introduction of financial penalties, data management compliance is now a matter of central concern for the private and public sector alike.

For local councils, and other public sector bodies, the management of information and information sharing is a vital and incredibly under-used asset which can help to deliver better, joined up services which place the citizen at their heart.

Ensuring data compliance should be seen as an opportunity to organise information in such a way that it can empower public service employees and create better services. One thing is clear - getting it wrong on data compliance is no longer an option.

Organisations that hope to build public confidence and satisfaction in public services must ensure that they have measures in place to protect personal privacy. At the same time, there are increasing pressures on public bodies to put public information in the public domain, under the Freedom of Information Act 2000, and as a result of public and commercial campaigns to free up information. Councils and other public bodies have to balance these and handle diverse sets of information in a professional and legally compliant manner.

Tackling unstructured information
The problem that many councils face is a simple one: chaos. Poor governance and management in the early days when information technology arrived, combined with a proliferation of information communications channels, are largely responsible.

Local councils are fast facing a digital landfill, with unstructured and unnecessary information cluttering up systems and taking up increasing amounts of electronic and paper storage. This creates problems of lack of control and increases the risk of non-compliance with legislation such as the DPA.

Nowadays, managing unstructured information is no longer simply a matter of traditional documentation and records management. Councils have to go further. To maximise opportunities and minimise risk they need to adopt enterprise content management solutions. These should encompass a review and audit of key stores of information within an enterprise such as: the internet, email, paper storage, documents and network storage. This approach must encompass the whole information lifecycle.

Putting it right
People are key to putting things right. If you don't have or encourage a culture where information is seen as a key asset to be protected and guarded for the public benefit, then things can easily go wrong.

Leadership from the very top of the organisation is critical to changing the way the organisation perceives the significance of information. There must be clear procedures to assess and manage risk. Regular review and auditing of these is essential to ensure that all forms of risk, including physical security, are managed appropriately and effectively. Ensuring proper handling of documentation and unstructured information is also key.

Doing it right
Doing it right starts with an initial analysis of all the information held by a council, carried out in stages. Our approach, for example, uses the latest technology and encompasses the entire information lifecycle through a five-stage process:

  • Discover: ensuring that you have a better understanding of what information currently exists, volumes of data, breakdown of data, key topics and any redundant data
  • Cleanse: identifying not just the exact document duplicates but also those documents that are very similar in nature - reducing the volume of data held by your organisation
  • Organise: developing meaningful file structures, and applying rules to help with the filing of information in a new filing structure/file plan - this creates an ordered environment in which information can be saved in a way which is business driven
  • Migrate: moving files rapidly from the old filing structure to the new filing structure and identifying where content should reside in the new structure - only once this process has been completed does it make sense to migrate data to an EDRM
  • Exploit: empowering employees by enabling content to be retrieved quickly and efficiently at the same time as enhancing productivity and effectiveness - information can be managed effectively to ensure both legal compliance and to enhance services
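
To make the Discover and Cleanse stages concrete, here is an added example (illustrative code written for this article, not Northgate's product or any council's system). It builds an inventory of a small constructed document set by folder, finds exact duplicates by content hash, and finds near-duplicates (the "very similar in nature" case) by comparing overlapping word triples with the Jaccard coefficient. The file names, texts, the three-word shingle size and the 0.8 similarity threshold are all constructed assumptions.

```python
"""Discover and Cleanse over a constructed document set (added example).

Exact duplicates are grouped by SHA-256 of their content. Near-duplicates are
found by word-shingling: each document becomes the set of its overlapping
3-word sequences, and two documents are similar when the Jaccard coefficient
of those sets (shared / total) meets a threshold. The corpus, the shingle size
and the threshold are assumptions made for this example.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample corpus: path -> text. Not real council records.
DOCUMENTS = {
    "housing/tenancy_policy_v1.txt": (
        "Tenancy policy. Tenants must report any repairs to the housing office "
        "within 7 days of noticing them. Rent is due on the first day of each "
        "month and must be paid by standing order or at the council cash office."
    ),
    "housing/tenancy_policy_v1 (copy).txt": (
        "Tenancy policy. Tenants must report any repairs to the housing office "
        "within 7 days of noticing them. Rent is due on the first day of each "
        "month and must be paid by standing order or at the council cash office."
    ),
    "housing/tenancy_policy_v2.txt": (
        "Tenancy policy. Tenants must report any repairs to the housing office "
        "within 14 days of noticing them. Rent is due on the first day of each "
        "month and must be paid by standing order or at the council cash office."
    ),
    "finance/budget_2010.txt": (
        "Draft budget 2010. Revenue forecast and capital programme for the year."
    ),
}


def discover(documents):
    """Discover stage: file count and byte volume per top-level folder."""
    inventory = defaultdict(lambda: {"files": 0, "bytes": 0})
    for path, text in documents.items():
        area = path.split("/", 1)[0]
        inventory[area]["files"] += 1
        inventory[area]["bytes"] += len(text.encode("utf-8"))
    return dict(inventory)


def exact_duplicates(documents):
    """Cleanse stage, part 1: groups of paths whose content hashes are identical."""
    by_hash = defaultdict(list)
    for path, text in documents.items():
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        by_hash[digest].append(path)
    return [sorted(paths) for paths in by_hash.values() if len(paths) > 1]


def shingles(text, k=3):
    """Set of overlapping k-word sequences, lower-cased, punctuation ignored."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Jaccard coefficient of two sets: |a & b| / |a | b|."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def near_duplicates(documents, threshold=0.8):
    """Cleanse stage, part 2: pairs of distinct documents with similarity >= threshold.

    Exact copies are collapsed to one representative path first (the first in
    sorted order), so they are not reported again here.
    """
    representative = {}
    for path in sorted(documents):
        representative.setdefault(documents[path], path)
    reps = sorted(representative.values())
    sigs = {p: shingles(documents[p]) for p in reps}
    pairs = []
    for i, p in enumerate(reps):
        for q in reps[i + 1:]:
            score = jaccard(sigs[p], sigs[q])
            if score >= threshold:
                pairs.append((p, q, round(score, 2)))
    return pairs


if __name__ == "__main__":
    for area, stats in discover(DOCUMENTS).items():
        print(f"{area}: {stats['files']} files, {stats['bytes']} bytes")
    print("exact duplicates:", exact_duplicates(DOCUMENTS))
    print("near duplicates:", near_duplicates(DOCUMENTS))
```

On the constructed corpus the two identical tenancy policies form one exact-duplicate group, and version 2 (which changes a single word) scores about 0.85 against them, so it is flagged as a near-duplicate for a records manager to review rather than silently deleted. The threshold is a judgement call: lower it and more candidate pairs surface for review, raise it and only very close revisions are flagged.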


Simply by using this approach, an average-sized district council has generated over £600,000 of savings over the next five years, as well as additional savings through reducing its storage space.

Investing to save
Our research shows that information chaos is growing for councils, with storage requirements increasing by an average of 53 per cent. At the same time, the costs of storage are growing by around 20 per cent.

Too often meeting compliance is seen as a cost. But an increasing number of councils are recognising that, by achieving compliance, it is possible for them to save cash. Incorrectly managing information could lead to increased costs and the loss of reputation for councils at a national and local level.

Wider benefits also accrue to councils. Employees are more productive and are able to make use of more flexible and sustainable methods of working, such as home-working. Processes become faster and more accurate as information is readily accessible. This leads to improvement in frontline services to citizens and more efficient back-office systems. At the same time, the risk of legal non-compliance is reduced by handling data securely, sensitively and within the context of an agreed and monitored structure.

April is fast approaching. It's time to act. Will you be doing the right thing?

More info: www.northgate-is.com