back to article UK data watchdog broke data law, says UK data watchdog

Britain's data cops have coughed to a serious security screw-up at the Information Commissioner's Office, and concluded that the ICO - only mildly - violated the Data Protection Act that it is supposed to police. It carried out an internal probe into what the ICO passively described as a "non-trivial security incident" that …

  1. Steve Evans

    Stop press

    Government created body fails at IT.

    (We need a sarcastic, picking myself off the floor, icon).

    1. NogginTheNog

      Re: Stop press

      To be fair, public or private seems to be absolute no barrier to being utterly clueless when it comes to data security.

      1. Steve Evans

        Re: Stop press

        But those that are supposed to be encouraging better IT practice really should be setting a standard...

        It's rather like a policeman being completely oblivious to the law he is enforcing... Oh... Bad analogy!

      2. et tu, brute?

        Re: Stop press

        "To be fair, public or private seems to be absolute no barrier to being utterly clueless when it comes to data."

        Fixed that for you! :)

        1. JeffUK

          Re: Stop press

          "To be fair, public or private seems to be absolute no barrier to being utterly clueless "

          Fixed that for you

          1. HMB

            Re: Stop press

            "To be fair, being either public or private seems to be absolutely no barrier to being utterly clueless"

            Fixed that for you :P

  2. Sir Sham Cad

    First offence

    As it is a first offence then it is likely that the ICO will not issue a fine to the ICO but will see what measures the ICO put in place to ensure this never happens again and, assuming the ICO are happy with the new processes that the ICO are proposing to put in place, the ICO will consider the matter closed.

    This would be treating the incident exactly the same as all the others, in fairness, which tells you all you need to know.

    1. Dodgy Geezer Silver badge

      Re: First offence

      ... As it is a first offence then it is likely that the ICO will not issue a fine to the ICO ....

      Nonsense! As the formal body enforcing the DPA, the ICO ought to know better, and be subject to much higher standards than the general public. Indeed, it made exactly this point when fining a financial organisation recently for having a laptop stolen which had unencrypted personal data on it.

      I suggest that the ICO fines the ICO a sum equal to its ENTIRE assets. That will show that the DPA is not to be trifled with...

      1. Anonymous Coward
        Anonymous Coward

        Re: First offence

        I get the joke, but good God that would be a good precedent to get. A fine of their entire department, to be taken from them on Friday afternoon and repaid in full to them at 0900 Monday morning.

        That'd likely be one of the biggest fines they'd ever levy, certainly the highest percentage, so it'd open the door for some /proper/ enforcement. After all, it does seem larger than last time- but there's a precedent for that now.

  3. Fred Flintstone Gold badge


    It's unclear if the ICO fined the ICO or let the ICO off with a gentle warning from the ICO.

    Hahaha - quality :)

  4. Hollerith 1

    If it was such a mild breach...

    ...why not come clean with the details? Why be coy and say a Freedom of Info request has to be waved in order to pry the details out of their hands?

    1. mark 63 Silver badge

      Re: If it was such a mild breach...

      true, plus its not that hard to submit a FOA req. They are basically saying "Give us a tenner and 21 days to think of a good story"

  5. LucreLout Silver badge


    Surely the time is at hand to abolish this hopeless quango and put the power back in individuals hands.

    Company leaked your data? You should be able to sue them in small claims. They still get the bad PR and pay out some cash, but you benefit directly rather than paying perks and pensions for fat cat quango staff.

    Only, you can't. Because the ICO have rights of enforcement for data leaks, and as I've learned through their repeated failures, breaching section 7 access rules results in nothing more than a moderately worded email to the bodies data controller to remind them of the rules they were wilfully ignoring.

    It's time to start again.

    1. Anonymous Blowhard

      Re: FFS

      "You should be able to sue them in small claims"

      This is still your right, there's no law that says you can't do this; but proving that you have suffered an actual loss due to negligence is going to be pretty tough. And remember, they have lawyers on the payroll already, you'll have to pay for yours.

      Like anything that's broken the decision is "do without", "fix it" or "replace it"; the "do without" is probably not a good option in this case so whichever is cheapest of the other alternatives for getting the required service. If you think they're doing a bad job then you need to write to your MP, and when there's enough political pressure they'll do something (might even be the right thing for once).

    2. smartermind

      Re: FFS

      If you've suffered a financial loss, you can still make a civil claim.

  6. thomas k.
    Thumb Up

    "non-trivial security incident"

    Wow, right up there with "least untruthful answer".

  7. Neil Barnes Silver badge

    Quis custodiet ipsos custodes?

    Oh wait, that would be them.

  8. Anonymous Coward
    Anonymous Coward

    So who expensed the

    Tea/Muffuns during the meeting where they gave themselves some advice.

  9. smartypants

    And then there's the ICO and 'Cookie Law'

    Remember that?

    Well today, the ICO on its own website is breaking the cookie law, just as everyone else is who thinks that informing people that they use cookies is, even though we all have to pretend that it is legal.

    The ICO originally reminded us all that the law was clear that sites could *NOT* use cookies until they had gained explicit consent.

    That is not the same thing as telling people you do use cookies.

    Frankly, I wish someone would take them to court over their breaking of the cookie law so we can have the stupid legislation amended or better still removed.

    The only thing we can be sure of is that the ICO won't take you to court for breaking the law in the way that it does :-)

  10. Anonymous Coward
    Anonymous Coward


    Several hours later, the organisation apparently had a change of heart and issued a statement, and here’s where it gets really interesting: “We are unable to provide details of the breach at this stage, as the information involved is linked to an ongoing criminal investigation,” said a spokesperson for the ICO.

  11. Anonymous Coward
    Anonymous Coward

    To be fair

    Post as AC due to once having worked for the ICO.

    I always found them very serious about following their own rules, they also have to deal with a truly staggering amount of enquiries on a daily basis.

    A bunch of genuine, decent folk who take defending the privacy and data of the UK public seriously.

    They aren't perfect but they do try very hard.

  12. Derichleau

    The ICO regularly screw up

    I currently have a complaint being processed by the Parliamentary and Health Service Ombudsman (PHSO) where I have outlined the failings of the ICO. To support my complaint I have included a detailed analysis of seven case reviews from last year where the view of the ICO was either wrong or likely to be wrong. These are case reviews too... so for each case review to be wrong it means that two members of staff hold the incorrect opinion: the Case Officer who conducted the original Assessment and their line manager who conducted the Case Review.

    In one case I argued that a data controller had failed to comply with my subject access request (SAR) because they held the actual date: day, month, year of when they obtained my information but only provided me with the year in response to my SAR. I argued that a year on its own does not constitute a date and as they held an actual date, that's what they should have provided. As they didn't they failed to comply with my SAR. Three different levels of staff at the ICO: the person who conducted the assessment, their line manager who conducted the case review, and their line manager - who got pissed off with me complaining all held the view that a year on its own constitutes a date.

    The organisation works in silos so that two different case workers can give you two different responses depending on who you ask. I'm hoping that the BBC's Panorama team will do a show on it once the PHSO has concluded it's investigation.

    Webmaster -

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019