Re: Here we go again...
In this case the position the ICO is taking is the best way to protect citizens data.
The person who stole the data was authorised to access it. He needed to access it and provide a copy to the external auditor for regulatory reasons. I have been in this situation myself multiple times. By virtue of being the internal point person supporting the external audit, the data owner would always approve the access and accept my call how the data is extracted and transferred. Typically I used use an encrypted USB. Taking additional copy of the data for myself during this process would be trivial. I don't even need to use company system to do it. Taking an extra copy would be morally wrong, a breach of integrity, and something I would never do. Unfortunately some individuals might be tempted if it meant that they had gained something that could be used to hurt their employer or for their own personal gain. Perhaps they would think of it as an insurance policy.
A ruling against Morrison will put needless temptation into the hands of some people who could sneak data out of a firm. In this specific type of incident the precedent needs to be made clear that the criminal is the person taking the data and the victim is the firm.
Biting the hand that feeds IT
