The Information Commissioner’s Office (ICO) has confirmed it investigated itself for failing to meet British data protection laws in a number of cases since 2013.
And even worse, the ICO found itself guilty, upholding 14 complaints against its own office over a four-year period.
The self investigations were revealed after Freedom of Information requests by Liberal Democrat peer Lord Paddick, the former Metropolitan Police deputy assistant commissioner.
Most of the complaints against the ICO, it seems, were sent in by members of the public, but according to the Evening Standard, on at least three occasions the commissioner’s own officials self-reported breaches after discovering that they had lost or accidentally released people’s private data.
One of the cases that ICO staff self-reported involved the accidental release of “a small amount of personal information about five individuals” to “a customer of the same name”.
But two other self-reported blunders – described as “non-trivial data security incidents” – apparently resulted in recommendations being made after full investigations.
Of the 40 complaints against the ICO sent in by the public since 2013, seven ended with the ICO being ordered to take action to prevent further breaches. Two complaints resulted in compliance advice being given, and two complaints had concerns raised.
It was also reported that 29 complaints ended with no breaches of the law being found.
“The ICO is responsible for ensuring that our data is being held safely and securely,” Lord Paddick was reported by the newspaper as saying. “The fact that they have managed to breach their own rules is extremely concerning.
“More and more of our data is being held by government agencies; if even the ICO can’t stick to the rules, it does raise questions about how secure our data really is,” he reportedly said.
But an ICO spokesperson told Silicon UK that it takes its responsibilities seriously and investigates all complaints, even those against itself, as it would for any other data controller.
“As the regulator for data protection we take our own responsibilities to comply with the legislation extremely seriously,” the ICO spokesperson told Silicon UK. “We aim to have the necessary controls in place to mitigate the risk of accidental disclosures.”
“Incidents involving the ICO are investigated fully in the same way as any other data controller and there have been a small number of cases over the past three years when action has been required,” the spokesperson said. “However, we want to be aware of and learn from all incidents, however minor, in order that we minimise the risks of serious incidents occurring.”
The ICO recently changed its leadership after Elizabeth Denham succeeded Christopher Graham as Information Commissioner last summer.
The ICO also has some significant powers. In 2010, for example, it was given the power to issue fines of up to £500,000 for serious data breaches.