Re: Threatened the ICO?
"or could reasonably be expected to be aware of it "
Such as, for instance, ensuring that you run industry-standard software to stop unauthorised devices on the authorised machines.
"Reasonable" in terms of data protection has included - in case law - things such as reasonable preventative measures to ensure compliance with your verbal "don't do that"'s. Saying "I told them they should have a password" just doesn't pass muster any more. You have to show that you've enforced that and are aware of those exceptions. To not do so is negligent in your data handling duties.
It's also been a factor that you can say "we don't allow that" until the cows come home - but the courts only consider it reasonable if you're also CHECKING that it's not possible, and that people aren't doing it. You can only do that by putting in, for example, device and data control systems. Courts deem that to be the "reasonable" measure, not "Oh, well, it's Sheila, we did tell her".
The fact is - this is all a consequence of DPA case law, where the definition of reasonable has been decided by a judge but not written back into law. GDPR is an attempt to codify that case-law back into actual words.
Hint: An NHS trust was fined for NOT BEING ABLE to prove that a lost disk had been encrypted before it left the building. Not that it WASN'T encrypted. Not that it wouldn't have been expected to be encrypted. But that they couldn't definitively prove that it WAS encrypted BEFORE it was posted and then lost. Case law is not on the side of liberal interpretations of "reasonable" here. Even *potential* for someone *unauthorised* (i.e. not necessary for their job) to see any amount of personal data that they don't need to see as part of their job can be interpreted as a breach. I.e. that there was even a brief window of opportunity for Fred Bloggs who works for the company to have BEEN ABLE to log into something that might have given him more info than was strictly required for his job? Fineable offence, including personal liability of whoever facilitated that.
You can scream "but nobody ever would prosecute for something so minor" until you're blue in the face, because that's not how the courts are interpreting it.
Take an example: Some minimum wage phone operator sells on your customer list to a rival before they leave. It's STILL a breach of the DPA, even if you told them not to do that, even if their doing that was a breach of everything in question, and even if they were authorised to access those records as part of their job. You will still be fined, as a company, for a) it happening, b) allowing it to happen without a reasonable safeguard against it. It really doesn't matter what THEY do, which is the essence of the whole problem. They just shouldn't have access to anything they could do that with, or be able to splat that information about willy-nilly, and you need to show reasonable attempts to control that data (which doesn't wash if you just say "Oh, well, they had an Excel of every email address"... the next question the court asks is "Why?" and "How did they get that?").