The outing of T-Mobile as the company involved was a predictable consequence. Although the ICO was careful not to name it, T-Mobile’s competitors issued statements confirming that they were not involved. By a process of elimination this was going to leave T-Mobile as the last man standing, so it came forward.
T-Mobile’s press statement revealed an interesting twist in the story. It had been surprised by the ICO’s press release because the ICO itself had requested secrecy so as not to prejudice the regulatory and criminal law processes.
But although the ICO’s release is disappointing, it is not surprising.
It is disappointing because it is bound to deter some controllers from cooperating with the ICO, to which T-Mobile had self-referred itself. How many controllers will now think twice about self-referring a major security incident?
The decision to issue the press release is not surprising because, since May 2006, the ICO has been engaged in a campaign for new powers and penalties. In this context it is important to understand that the purpose of the release was to support the ICO’s response to the Ministry of Justice’s (MoJ) public consultation on the introduction of custodial penalties for offences under Section 55 of the Data Protection Act 1998. In this sense some might consider that the ICO used T-Mobile as a pawn in a wider game of political chess.
Of course, the ICO is right to draw attention to the data security problem in this country. In the two years since the Government revealed that HM Revenue & Customs had lost two disks containing the child benefit database, there has been a slew of news stories and official reports that leave no doubt that data security is posing considerable challenges for data controllers in this country. Yet there is a substantial regulatory deficit between the powers that the ICO and the courts need to deal with seriously failing controllers and those that they have been given by Parliament.
The regulatory deficit is slowly being addressed. The MoJ’s consultation on custodial penalties and its concurrent consultation on introducing a power for the ICO to fine controllers up to £500,000 for bad practices confirm this. Also, there is the Coroners and Justice Bill, which contains a power for the ICO to carry out compulsory audits of controllers. The Conservative Party, if elected next year, will increase the ICO’s powers even further.
These improvements are to be welcomed, although in light of the FSA’s experiences of fining for security breaches (which have exceeded £3m), a case for a fine based on a percentage of turnover, or even unlimited fines, can be made.
Effective regulation is not just about tougher powers and penalties. Substantial improvements in practices could be achieved through a step change in thinking about the relationship between the regulator and the regulated. While some controllers may respond well to the ‘stick’ approach to regulation, many do not. Worse still, workers on the ground, who may be fearing for their jobs in the midst of the recession, are terrified that being transparent about security failures might be met with draconian consequences.
The T-Mobile press release certainly achieved the headlines and column inches that the ICO was seeking, but at what price to the trust relationship between the regulator and those it regulates?