ICO is guilty of its own data breach

The ICO, the body which polices data breaches in the UK, has suffered from a data spillage of its own in a rather embarrassing incident.

The details of the affair (or the "non-trivial" breach, as it's called), scant as they are, were revealed in the ICO's recent annual report, buried on page 46 of the document under the title "Personal Data Incidents".

In the report, the ICO said: "There has been one non-trivial data security incident. The incident was treated as a self-reported breach. It was investigated and treated no differently from similar incidents reported to us by others. We also conducted an internal investigation."

"It was concluded that the likelihood of damage or distress to any affected data subjects was low and that it did not amount to a serious breach of the Data Protection Act. A full investigation was carried out with recommendations made and adopted. The internal investigation was also concluded."

So there you have it. Although with self-investigation, there's always the temptation to be a tad more lenient than you may otherwise be. The Times, which spotted this (via the Register), tried to tap the Information Commissioner for further comment, but he wouldn't be drawn.

You'd certainly have expected the Commissioner to be more forthright about the incident, both in terms of the initial reporting, and in giving more details now the media at large has picked up on it.

The ICO has recently been beating the drum concerning upping its funding and powers, as we reported earlier this week. In the face of major incidents like Facebook's "emotion" experiment and Google's "right to be forgotten", Christopher Graham, the Information Commissioner, said that "to do our job properly, to represent people properly, we need stronger powers, more sustainable funding and a clearer guarantee of independence".