Data Ethics, Data Quality, and Data Literacy are inextricably linked in a number of ways. And they can have a significant impact and influence when we begin to look at issues of accuracy in Data Protection. Of course, while accuracy in personal data is an obligation under data protection law, accuracy in how you present and report on data protection related issues, like regulatory fines, is an issue of data literacy and potentially data ethics. After all, if we torture the data enough it will tell us what we want to hear.

In recent weeks over on LinkedIn I have been caught up in a few “discussions” about the Information Commissioner’s Office notices of intent to fine issued to BA and Marriott over a year ago. Between both cases the total stated intended fine was over £280 million. Fantastic headlines.

But NOT FINES.

Data Literacy and the definition of a “Fine”

I’ve been skeptical of the ICO fines since day one. They have made for great headlines (as is Commissioner Denham’s style). But they have been kicked down the road multiple times since moving from the issuing of the Notice of Intent to Fine, suggesting aggressive pushback from the Controllers in question and a degree of “sponginess” in the actual cases. Jon Baines, of Mishcon de Reya, has also commented that the impact of Covid-19 on businesses in these industries would likely also now be a factor in the final determination of a fine.

A lot of people have included these “fines” in their reporting and tracking of fines levied by Regulators under GDPR. I could equally include the names of all the girls the teenage me tried to ask out but turned me down in my list of dating achievements, but that would be equally inaccurate in terms of reporting.

Some have tried to explain the divergence as a “peculiarity of the British system”. This is simply not good data quality practice and highlights the importance of data literacy (how we talk about and understand data) when we are presenting statistics.

  1. What is the graph or list intended to show? If it is a report, list or graph of “Fines levied by Regulators” then…
  2. What is a fine? If you are talking about fines actually levied, that would suggest a situation where the full administrative law process of reaching a decision on the fine, dealing with any inter-partes submissions, and finalising your decision has been completed. Anything else is simply not a fine.

This is something I had a small rant about on our recent podcast. You can hear me here, 16 minutes in.

Data Quality and Fines that are not Fines

Ultimately, if you lump things-that-are-not-fines into a report or statistic tracking fines, you have done a disservice to your audience. To draw an analogy: it is the equivalent of putting potato in a fruit salad because they are both sold by a greengrocer. The operational definition of things is important from a data quality perspective. You need to be sure you are counting apples and apples based on the characteristics of the thing that give them the essential nature of being an apple.

Or to put it another way, counting the BA and Marriott notices of intent to fine as fines is not a million miles away from the counter staff in McDonalds handing you a potato and a cow when you order your Big Mac Meal. There are a range of additional processes required to turn those things into the things that you were expecting.

Today, Jon Baines dropped another nugget on us in a blog post on the Mishcon de Reya site. BA’s owners IAG have disclosed in their Annual Report that they have made a provision of £22 million in respect of the ICO’s fine. That’s just 11.9% of the headline-grabbing announcement of a year ago. But they go on to use some interesting language in their Annual Report. This is management’s

best estimate of the amount of any penalty issued by the Information Commissioner’s Office (ICO) in the United Kingdom, relating to the theft of customer data at British Airways in 2018. The process is ongoing and no final penalty notice has been issued (emphasis added)

What does this all mean?

To translate: IAG have set aside a £22 million provision for penalties. This is management’s best estimate of the worst case scenario they are now presented with. When you make a provision, you need to be prudent about it, so it will be close to what they reasonably believe the worst case outcome will be. When you make a provision, though, you are hoping not to have to use it all up. So, we are now looking at a penalty range of between zero and £22 million, and the haggling continues with the ICO.

What it means from a Data Ethics and Data Quality perspective is that everyone who has been counting the BA “fine” as £183.39 million needs to now issue a clarification, correcting the number they have quoted. If not, then in the words of Buddy The Elf in the movie Elf: “You sit on a throne of lies”.

And it means that we really need to make sure we start paying attention to what it is that is being talked about by the ICO (or indeed any other regulator) when an enforcement action is being discussed or reported on. The Irish DPC, for example (and to many people’s frustration) stays rigorously tight lipped on monetary penalties until their investigation is finalised and their decision on a sanction is submitted to the Courts for approval under the Irish Data Protection Act.

I look forward to all the experts and commentators who referred to the BA enforcement decision as a “fine” and included the figure of £183.39 million in their trackers rushing now to correct the record when the final fine is announced. The final decision is expected sometime between now and the inevitable heat death of the universe, but I expect the ICO will choose a day with a sporting event or a natural disaster to put it out so that everyone is sure to notice.

So, what is the BA fine going to be?

What I can absolutely guarantee you today is that the fine that will ultimately be levied by the ICO against BA is going to be somewhere in the region of (wait for it)…

£0 to £183.39 million.

This is because there IS NO FINE YET. There are, effectively, steps in a negotiation. And at this point, IAG is comfortable telling its investors a bit about how those negotiations are going.

IAG wants to pay nothing, but will grudgingly pay up to £22 million and has braced investors for that level of hit. Liz Denham has hung the credibility of her Office on the hook for a £183.39 million soundbite.

But as of today, BA has been fined ABSOLUTELY NOTHING.

My personal expectation is that the fine will be closer to zero than £183.39 million. Or even £22 million. This has always been my view, particularly since the ICO lost their Facebook bias appeal last year and ultimately had to settle their action against Facebook.

So what can we learn from all this?

Data is something I’m passionate about. It was the source of mirth to my colleagues in the phone company twenty-odd years ago, but my zeal for the importance of getting this stuff right hasn’t wavered. And to see intelligent professionals making an arse of things as fundamental as this tells me that they either don’t understand data, or don’t care about the accuracy of what they are telling their clients and the wider public and are simply chasing headlines.

We can learn four things:

  1. It is essential when you are reporting on things like regulatory action to pay CLOSE attention to what the definition of the thing you are reporting is. We see similar in Covid reporting where one country (Chile I believe) defined “recovered” as “no longer requiring treatment” and therefore had a 100% recovery rate.
  2. If the thing you are counting as a fine is NOT in fact a fine, then your infographic is wrong and is garbage and pushing it as a reliable record or useful insight is unethical and you should STOP. This isn’t “local idiosyncrasies”, this is basic definitions of things.
  3. The regulatory process, particularly in common law legal systems, has a number of checks, balances, and appeals built into it that mean that, like opera, it isn’t over until the fat lady has sung. And that is true no matter how loudly the headline overture is shouted.
  4. Professionals working with data need to develop basic data literacy, understand data quality, and ensure they are acting ethically in their handling of and reporting of headline statistics.

Finally, we can learn that the ultimate fate of the BA fine will be more “Ryanair” in nature…

  • It will be cheaper
  • It will be a bus ride away from where everyone thought we’d be
  • Lots of people will be upset about that
Daragh O Brien

Daragh is the founder and Managing Director of Castlebridge. He brings over twenty years of experience in data strategy and regulatory operations to the table for clients. He lectures in the School of Law in UCD and in the Law Society of Ireland on Data Protection and Data Governance. He is a Fellow of the Irish Computer Society and holds CIPP/E and CIPM certifications from the IAPP and other data management qualifications.