> A stern talking to isn't going to improve things... and in this case it's just resulted in talking back.
>
> I can see that fining a public body could be seen as self-defeating but the only alternative I can think of is having someone take the fall.
For public agencies a "stern talking to" is exactly what ICO decided to do a few years ago rather than issuing fines.
Issuing fines to public agencies is just another form of "money musical chairs" (any ICO fine goes to Treasury, not to ICO, and it's the Treasury who ultimately funds public agencies directly or indirectly in the first place) and so doesn't make sense, especially if it's an NHS org as paying fines would then affect their ability to provide services.
However "a stern talking to" should not be the alternative used - there should be some form of sanctions imposed on senior management of the public agency to hold them to account.
Relating to accountability, the latest in my Northern Ireland "NHS NI" (aka HSC NI) data protection related saga:
In response to a FOI Request the Department of Health (NI) have revealed that a letter that they sent to all the NI Community Opticians (i.e. "high street" opticians which provide, amongst other things, some "NHS services" like free eye tests) late last year along with a Data Processor engagement contract was effectively not actually written by the DoH (NI) - the wording in the letter was given to them by another "NHS NI" organisation (Business Services Organisation).
The letter was intended to convince all the Opticians to sign the attached contract to avoid 'legal issues' (i.e. the fact that the opticians have all been acting as Data Processors regarding the NIECR system for several years without actually ever having signed any engagement contracts with the Joint Data Controllers, as required by GDPR, to become valid Data Processors).
From that original letter:
"Please note that failure to agree acceptance to the DPA and return of same may call into question the legal basis for the Practice to continue to access NIECR."
DoH (NI) have also confirmed in their FOI response that when their letter said:
"As such each Practice is required to sign the revised Data Processing Agreement"
that (a) that text was written by BSO not DoH, and (b) that DoH:
"are not aware of any previous NIECR Data Processing Agreement being put in place with Community Optometry Practices"
i.e. as far as DoH (NI) are concerned the DPA sent out was *not* a "revised" document, it was the 1st time the Opticians have been given any DPA to sign (5+ years after Opticians here started using the NIECR system as alleged engaged Data Processors).
In DoH NI's FOI response they also said they were not a member of the Steering Group that I asked about... however the DPA that was sent out along with DoH's letter late last year included details of the Steering Group's members which... included DoH (NI) lol. Now I'll have to go back to DoH to ask them to explain/provide the "information held" which led them to state DoH were not a member of this group.
I wonder if it is common practice and/or policy for public agencies/gov departments to send out letters, under "false pretenses", that they didn't actually write (and also didn't bother to check the accuracy of the contents).