ICO under fire for taking limited action over serious data breaches

Reprimand details

In the case of the MoJ, the ICO said the confidential information – which included medical data of prisoners and security vetting details of staff – was left unsecure for a total of 18 days.

During this time, the information was “potentially viewed” by 44 people, including an undisclosed number of prisoners who were observed “openly reading the documents” by staff.

“As a result, the risks to individuals in the prison would be significant and include potential identification within the prison or outside in the wider community,” it said. “There would also be a significant risk of intimidation by other prisoners. Outside of the individuals incarcerated, there is also the risk of unwarranted attention of family members if identified.”

In both cases, the ICO noted there was a lack of awareness among staff around how sensitive information should be handled, adding that while each organisation has training, policies and processes in place to ensure the security of data, there is nothing to suggest these were being followed.

“Sensitive personal information relating to crimes needs to be handled with great care. This case shows the impact on vulnerable people if that’s not done,” said the ICO’s head of investigations, Natasha Longson, in relation to the TVP reprimand.

“Our enforcement action in this case should act as a warning to other organisations that they must take sensible steps to protect people’s personal details.”

Steve Eckersley, ICO director of investigations, said that in the context of the MoJ breach, exposure of personal information could potentially have serious consequences: “Whether documents are consigned to waste or not, they must be handled securely and responsibly, and we expect both the prison and the MoJ to continue to take steps to improve practices to ensure people are protected.”

To ensure compliance with data protection laws, the ICO has recommended that TVP provide training to all staff responsible for redactions and disclosures, share updates to policies or processes as soon as they are available, and continuously review policies and guidance on the handling of personal data.

For the MoJ, the ICO recommended a thorough review of all data protection policies, procedures and guidance to ensure they are adequate and up to date with legislation, and the creation of a separate data breach reporting policy for staff.

When issuing reprimands, the ICO asks the organisations to report back on the actions they have taken to remedy the situation within a three- to six-month timeframe.

‘A slap on the wrist’

James Kelliher, an associate in law firm Keller Postman’s data breach team, said the ramifications of these particular breaches are “massive”, as the context in both cases means there is a real threat of violence occurring: “The witness has had to move home. Whether they actually moved job or change to a different school it doesn’t really state, but they’re still at high risk.”

Kelliher added that while reprimands from the ICO always lay out a number of remedial actions for organisations to take, “no follow-up is ever done” to ensure all the steps have been adequately implemented.

For Kelliher, this means the reprimands amount to little more than a “slap on the wrist” and provide limited incentives for organisations to make the necessary changes.

“We’ve said it for many years, and we’ll continue to say it – once a reprimand has been done, they need to report back to the ICO within a six-month period to advise on what they’ve done to meet those actions,” he said, adding that the ICO needs to go further to ensure trust in how such public institutions are handling people’s data. “Unless it’s followed up, and they’re accountable for it, nobody really knows what’s being put in place.”

Alex Lawrence-Archer, a solicitor at data protection specialist law firm AWO, said while “the ICO has very broad powers in relation to enforcement”, including the issuing of legally enforceable notices and fines, reprimands are “at the lowest end of the enforcement spectrum” as they do not create any enforceable obligations, meaning the ICO would effectively have to start a new enforcement action if it decided to revisit these cases.  

However, in June 2022, the ICO set out its “revised approach” to public sector enforcement, with the aim of protecting public bodies from having to make large payouts for data protection breaches when fines could disrupt public services.

“In practice, this will mean an increased use of the ICO’s wider powers, including warnings, reprimands and enforcement notices, with fines only issued in the most serious cases,” it said.

Lawrence-Archer said while the two reprimands were “very much consistent with what the ICO has said at how it’s going to do its job”, the seriousness of the MoJ and TVP’s failings are striking.

“The person continues to face a ‘high risk’ from criminal gangs against whom they were going to give evidence, and the ICO also found that the responsible officers were not aware of any policies whatsoever that prevent this from taking place. It’s quite striking how bad things were and the consequences,” he said.

“I think that what many people have been asking, and what many commentators have been asking themselves since seeing these reprimands, is does this mean that the ICO, effectively, would never fine a public body? It’s difficult to see or imagine the circumstances in which they would consider a fine of a public body appropriate, if not in these cases,” Lawrence-Archer added.

He pointed out that while there is no clear-cut objective way the ICO should be regulating in terms of when to issue fines or how big they should be, “where you seemingly have a policy developing of effectively never being willing to issue fines against public bodies, that raises some legitimate concerns”.

Lawrence-Archer said, for example, that it would be perfectly legitimate for an ordinary person to take the view that “merely issuing a written warning is not really a response [with a] seriousness in proportion to the things that have gone wrong”.

“I think there are good arguments to say that these cases show that the ICO is taking an extremely light approach to regulation of public bodies. The effectiveness of that will only be capable of being judged in the fullness of time,” he added.

Given the seriousness of the TVP and MoJ breaches, Kelliher took the view that this practice should not be permitted to continue.

Owen Sayers, an independent security consultant and enterprise architect with over 20 years’ experience in delivering national policing systems, shared similar sentiments.

“The commissioner himself should be required to publicly give account for his office and justify why his ‘no touch’ policy for public sector should be permitted to continue,” he said.

“This time, someone had to move home. Next time, someone might be hurt, or worse. Those are the real risks vulnerable victims and witnesses, and their families, live with day in and day out.

“They should have a reasonable expectation that when things go wrong, the regulator (who is supposed to put their interests as a subject above those of the breaching controllers) will actually regulate and use the full range of powers at their disposal. This ‘action’ is woefully inadequate for the impact on the subject.”

Information commissioner’s defence

Responding to questions from Computer Weekly about his office’s reprimand decisions, information commissioner John Edwards said: “Our focus as a regulator is where the impact on people is the greatest. In these recent cases, we’ve seen a real serious impact on people from organisations having poor practices, and so we’ve responded to make sure that changes are made to prevent this in the future.

“A reprimand makes clear that mistakes were made and holds an organisation to account, and that’s why we felt they were the most appropriate response in these recent cases. I would prefer that public authorities applied the resources that would otherwise be diverted with a fine to investing in training, and resolving the issues which lead to the breach. And we’ve seen that in practice with organisations making positive changes in response to our reprimands.”

Edwards added while he understands that people will want to see fines, and they do play a role, there is limited evidence that fines alone are an effective deterrence for public sector bodies.

“They do not affect those responsible for the breach in the same way that fining a private company can affect shareholders or directors,” he said. “Perhaps most importantly, the impact of fines issued to the public sector is often visited upon the victims of the breach themselves, in the form of reduced budgets for vital services. In effect, people affected by a breach get punished twice.

“Our approach is a two-year trial. We recognise that Parliament has expressly made provision for fines against public sector organisations, and we reserve that option for the most egregious cases judged by the scale and potential consequences of the breach, and the nature of the conduct that led to it. We’ll review the approach at the end of the trial to make sure our work continues to be impactful.”

Moving forward

In terms of legal liability, Kelliher said while any legal case would need to be taken forward on its merits alone, he would advise those affected by the TVP breach to “proceed immediately”.

In 2008, a similar case to the TVP incident saw the Crown Prosecution Service and Met Police pay out more than £600,000 in damages to a family after a child witness had their information inadvertently passed on to gang members. This gives an indication of the compensation that could be paid if legal action is taken forward by those affected.

AWO’s Lawrence-Archer similarly said while he would not want to give advice on the merits of a challenge without sight of the details, it is “quite possible” that they would be able to pursue private legal action.

“The ICO is not an ombudsman. It’s not there to vindicate individuals’ data rights. That’s what courts [are] for…effectively, the administrative courts are saying, ‘If you don’t like what the ICO has done, then you’ve got to go and sue the person you think has breached your rights’,” he said.

“Strictly looking at the law, that makes sense – that is what the law says – but whether that provides people with effective protection in reality is another matter, because it’s no small thing to take legal action against a data controller.”

Lawrence-Archer expressed further concern about the UK’s regulatory future, noting these reprimands have been handed down at a time when the regulation of artificial intelligence (AI) is taking centre stage in public debates.

“I’m just very mindful that in that debate around the regulation of AI, we need to realise that data protection is AI regulation – it’s not the end of the story, but it’s an important part and I think that gets lost,” he said, adding that the government’s proposed Data Protection and Digital Information Bill is “quite seriously undermining” people’s data rights in the UK.

“The ICO’s effectiveness as a regulator, the public’s confidence in the ICO as a regulator, those are going to be really important things that determine how well equipped you are to deal with AI risks and AI safety.”

He added: “I’m personally quite sceptical that the reprimands in these cases, in the context of these very stark failings, increase confidence in the ICO as a regulator.”