Government-created body fails at IT.
(We need a sarcastic, picking myself off the floor, icon).
Britain's data cops have coughed to a serious security screw-up at the Information Commissioner's Office, and concluded that the ICO - only mildly - violated the Data Protection Act that it is supposed to police. It carried out an internal probe into what the ICO passively described as a "non-trivial security incident" that …
As it is a first offence then it is likely that the ICO will not issue a fine to the ICO but will see what measures the ICO put in place to ensure this never happens again and, assuming the ICO are happy with the new processes that the ICO are proposing to put in place, the ICO will consider the matter closed.
This would be treating the incident exactly the same as all the others, in fairness, which tells you all you need to know.
... As it is a first offence then it is likely that the ICO will not issue a fine to the ICO ....
Nonsense! As the formal body enforcing the DPA, the ICO ought to know better, and be subject to much higher standards than the general public. Indeed, it made exactly this point when fining a financial organisation recently for having a laptop stolen which had unencrypted personal data on it.
I suggest that the ICO fines the ICO a sum equal to its ENTIRE assets. That will show that the DPA is not to be trifled with...
I get the joke, but good God that would be a good precedent to get. A fine of their entire department, to be taken from them on Friday afternoon and repaid in full to them at 0900 Monday morning.
That'd likely be one of the biggest fines they'd ever levy, certainly the highest percentage, so it'd open the door for some /proper/ enforcement. After all, it does seem larger than last time - but there's a precedent for that now.
Surely the time is at hand to abolish this hopeless quango and put the power back in individuals' hands.
Company leaked your data? You should be able to sue them in small claims. They still get the bad PR and pay out some cash, but you benefit directly rather than paying perks and pensions for fat cat quango staff.
Only, you can't. Because the ICO have rights of enforcement for data leaks, and as I've learned through their repeated failures, breaching section 7 access rules results in nothing more than a moderately worded email to the body's data controller to remind them of the rules they were wilfully ignoring.
It's time to start again.
"You should be able to sue them in small claims"
This is still your right, there's no law that says you can't do this; but proving that you have suffered an actual loss due to negligence is going to be pretty tough. And remember, they have lawyers on the payroll already, you'll have to pay for yours.
Like anything that's broken the decision is "do without", "fix it" or "replace it"; the "do without" is probably not a good option in this case so whichever is cheapest of the other alternatives for getting the required service. If you think they're doing a bad job then you need to write to your MP, and when there's enough political pressure they'll do something (might even be the right thing for once).
Frankly, I wish someone would take them to court over their breaking of the cookie law so we can have the stupid legislation amended or better still removed.
The only thing we can be sure of is that the ICO won't take you to court for breaking the law in the way that it does :-)
Several hours later, the organisation apparently had a change of heart and issued a statement, and here’s where it gets really interesting: “We are unable to provide details of the breach at this stage, as the information involved is linked to an ongoing criminal investigation,” said a spokesperson for the ICO.
Post as AC due to once having worked for the ICO.
I always found them very serious about following their own rules, they also have to deal with a truly staggering amount of enquiries on a daily basis.
A bunch of genuine, decent folk who take defending the privacy and data of the UK public seriously.
They aren't perfect but they do try very hard.
I currently have a complaint being processed by the Parliamentary and Health Service Ombudsman (PHSO) where I have outlined the failings of the ICO. To support my complaint I have included a detailed analysis of seven case reviews from last year where the view of the ICO was either wrong or likely to be wrong. These are case reviews too... so for each case review to be wrong it means that two members of staff hold the incorrect opinion: the Case Officer who conducted the original Assessment and their line manager who conducted the Case Review.
In one case I argued that a data controller had failed to comply with my subject access request (SAR) because they held the actual date: day, month, year of when they obtained my information but only provided me with the year in response to my SAR. I argued that a year on its own does not constitute a date and as they held an actual date, that's what they should have provided. As they didn't they failed to comply with my SAR. Three different levels of staff at the ICO: the person who conducted the assessment, their line manager who conducted the case review, and their line manager - who got pissed off with me complaining - all held the view that a year on its own constitutes a date.
The organisation works in silos so that two different case workers can give you two different responses depending on who you ask. I'm hoping that the BBC's Panorama team will do a show on it once the PHSO has concluded its investigation.
Webmaster - www.mindmydata.co.uk.