
Dealing with data protection related complaints

Dealing with data protection related complaints. Laura Booth, Pam Clements, Rachael Cragg, Jonathan Langley, Dan Snowden. Complaints Resolution. #dpoc2012. Who deals with the cases? The First Contact teams deal with 60% of complaints related casework, usually within 30 days of receipt


Presentation Transcript


  1. Dealing with data protection related complaints. Laura Booth, Pam Clements, Rachael Cragg, Jonathan Langley, Dan Snowden. Complaints Resolution. #dpoc2012

  2. Who deals with the cases?
     • The First Contact teams deal with 60% of complaints related casework, usually within 30 days of receipt
     • These are usually cases where there is limited need for further investigation with the data controller
     • This can include where there has been no response to subject access requests
     • The Complaints Resolution department deals with cases where more in depth consideration may be required

  3. Complaints handling structure (diagram labels): Helpline; Website; Mail; Customer Contact Department; Complaints Resolution Department; Policy advice; Legal advice; Enforcement Department; Good Practice Department

  4. Complaints Resolution structure
     • Five separate Groups dealing with information rights related complaints
     • Multi-skilled teams handling both data protection and freedom of information related disputes
     • Three broad areas covering public and private sector
         • Central government, police and society
         • Business, finance, health and education
         • Local government, housing and telecoms
     • Regional staff in Wales and Northern Ireland utilising local knowledge of issues and context

  5. Complaints Resolution volumes
     • We dealt with around 5200 complaints cases during the last financial year
     • We currently have 21 staff dealing with data protection casework
     • Equates to roughly 245 cases per case officer per year
     • To deal effectively with these volumes we have to be proportionate with our case handling activity

  6. Our complaints handling obligations
     • When complaints are raised with us we have an obligation under section 42 of the Data Protection Act to make an assessment
     • Our assessment is whether the processing in an individual case is likely or unlikely to have breached the principles of the Data Protection Act
     • Assessments can help us to decide whether we should take any further regulatory action against a particular organisation
     • If an organisation refuses to take their responsibilities under the Data Protection Act seriously then we may consider formal action to ensure they comply with the law

  7. We also…
     • Consider individual complaints but have choices as to how far to investigate
     • Concentrate on identifying and addressing areas of significant non compliance
     • Extract information from complaints to better understand public concerns and the impact of our actions

  8. Managing complainant expectations
     • Complainants’ issues are important as they help us decide if the Data Controller is complying with its obligations under the law
     • We will make an assessment in each case. Where that assessment indicates a breach of the Data Protection Act, we will inform the Data Controller and expect that they take action to put things right.
     • Compliance unlikely assessments will not usually result in further action and we will consider whether or not further action is appropriate
     • We use the information from complaints to help build intelligence about particular organisations

  9. Our expectations of Data Controllers
     • Responsibility to resolve the complaint is with the Data Controller
     • Data Controller to explain circumstances of the complaint
     • Data Controller to consider if there is any further action that might resolve the case
     • Data Controller to share any corrective or remedial action taken with us and the complainant
     • Data Controller to provide evidence of ongoing compliance with the relevant principle or principles

  10. Managing Data Controller expectations
     • Our role is to ensure that Data Controllers take their obligations under the law seriously, not to act on behalf of the complainant
     • We use the evidence that you provide to decide if we should take further action
     • We can take action where obligations are ignored; however, we will not resort to regulatory action where we are satisfied risks are being adequately addressed

  11. Decision making
     • We make an assessment in each particular case
     • We consider any other relevant information that we currently hold
     • We decide whether further action is appropriate taking into account the evidence provided and the Data Controller’s response
     • We also consider informal monitoring arrangements of organisations within groups
     • We notify both parties of the assessment decision

  12. Risks and priority considerations
     • Where help is requested there may be an opportunity for focussed audit
     • Certain responses from the Data Controller will prompt us to consider further action. These may include:
         • A deliberate, wilfully negligent approach to future compliance
         • Evidence that many will be impacted by an uncorrected breach
         • Inappropriate processing of sensitive personal data
         • Triggers for enforcement action (in line with regulatory action policy) have been reached

  13. Examples of poor responses
     • “We have provided a response to the complainant on xx date.”
     • “I know our data protection policies are in line with requirements as I wrote them.”
     • “The college is able to apply an exemption…we will supply the information requested if required by a court order.”

  14. Characteristics of good responses
     • Chronology of complaint (and any relevant history)
     • Evidence of attempted resolution - remedy or apology
     • Answers all the questions
     • Admit to mistakes, where applicable, and ask for help
     • Provide full details – and copies of – relevant safeguards
     • Explanations of action taken (or timescales for the work)
     • Clear explanation – no need to quote large sections of the DPA or use overly ‘legalistic’ language

  15. Outcomes of casework finished in complaints resolution April-Jan’12

  16. Top 10 reasons for complaining

  17. Top 10 most complained about areas

  18. Top 10 areas for compliance unlikely assessments

  19. Conclusions
     • As the regulator it is our decision whether to take further action against an organisation
     • Complaints raised with us help us make those decisions but individual breaches of the Data Protection Act may not result in automatic enforcement activity
     • We will try to help individuals by our involvement but the responsibility to resolve disputes is with the data controller
     • We want organisations to learn from the concerns that are shared with them and us so they can fully comply with their information rights, and information handling, obligations

  20. Useful links
     • Helpline – 0303 123 1113
     • www.ico.gov.uk
     • Guide to Data Protection
     • Regulatory Action Policy
     • Data Protection Casework Procedures

  21. Case studies – questions to consider
     • Based on what you have heard in our presentation, what do you think we did?
     • Do you think the data controller handled this correctly?
     • If you were the regulator, what do you think you would have done?
     • If appropriate, what steps do you think the Data Controller should take in this situation?

  22. Keep in touch
     Subscribe to our e-newsletter at www.ico.gov.uk or find us on…
     • www.twitter.com/iconews
