ICO under fire for taking limited action over serious data breaches
Lawyers and data safety consultants have criticised the Information Commissioner’s Office (ICO) for limiting its enforcement action towards Thames Valley Police (TVP) and the Ministry of Justice (MoJ), regardless of serious data safety failings that positioned the lives of witnesses and prisoners in danger.
While TVP was reprimanded for disclosing info that led to “suspected criminals learning the address of a witness”, the MoJ was reprimanded after “14 bags of confidential documents” had been left in an unsecure holding space of an undisclosed jail.
In the case of TVP, the ICO mentioned data concerning the witness ended up within the arms of suspected criminals when an officer responded to a request by an unnamed housing authority with out correctly redacting the knowledge or following established information-sharing insurance policies.
This resulted within the witness being compelled to maneuver home, though it’s unclear from the reprimand how the knowledge was handed from the housing authority to the suspected criminals. The ICO has since confirmed to Computer Weekly that the housing authority won’t be investigated.
The ICO additional famous that even after transferring home, “the impact and risk to the data subject remains high”.
Given the seriousness of the breaches and the vary of enforcement powers out there to the ICO, nonetheless, attorneys and data safety consultants have questioned whether or not issuing reprimands was the perfect course of action in these cases.
Reprimand particulars
In the case of the MoJ, the ICO mentioned the confidential info – which included medical data and safety vetting particulars of each prisoners and employees respectively – was left unsecure for a complete of 18 days.
During this time, the knowledge was “potentially viewed” by 44 folks, together with an undisclosed variety of prisoners who had been noticed “openly reading the documents” by employees.
“As a result, the risks to individuals in the prison would be significant and include potential identification within the prison or outside in the wider community,” it mentioned. “There would also be a significant risk of intimidation by other prisoners. Outside of the individuals incarcerated, there is also the risk of unwarranted attention of family members if identified.”
In each circumstances, the ICO famous there was a lack of information amongst employees round how delicate info needs to be dealt with, including that whereas every organisaiton has coaching, insurance policies and processes in place to make sure the safety of data, there may be nothing to counsel these had been being adopted.
“Sensitive personal information relating to crimes needs to be handled with great care. This case shows the impact on vulnerable people if that’s not done,” mentioned the ICO’s head of investigations, Natasha Longson, in relation to the TVP reprimand.
“Our enforcement action in this case should act as a warning to other organisations that they must take sensible steps to protect people’s personal details.”
Steve Eckersley, ICO director of investigations, mentioned that within the context of the MoJ breach, publicity of non-public info may doubtlessly have serious penalties: “Whether documents are consigned to waste or not, they must be handled securely and responsibly, and we expect both the prison and the MoJ to continue to take steps to improve practices to ensure people are protected.”
To guarantee compliance with data safety legal guidelines, the ICO has beneficial that TVP present coaching to all employees accountable for redactions and disclosures, share updates to insurance policies or processes as quickly as they’re out there, and constantly assessment insurance policies and steering on the dealing with of non-public data.
For the MoJ, the ICO beneficial a radical assessment of all data safety insurance policies, procedures and steering to make sure they’re satisfactory and updated with laws, and the creation of a separate data breach reporting coverage for employees.
‘A slap on the wrist’
James Kelliher, an affiliate in regulation agency Keller Postman’s data breach crew, mentioned the ramifications of those specific breaches are “massive”, because the context in each circumstances means there’s a actual risk of violence occurring: “Obviously the witness has had to move home, whether they actually moved job or change to a different school it doesn’t really state, but they’re still at high risk.”
Kelliher added that whereas the reprimands from the ICO at all times lay out numerous remedial actions for the organisations to take, “no follow up is ever done” to make sure all of the steps have been adequately carried out.
For Kelliher, this implies the reprimands quantity to little greater than a “slap on the wrist”, and supply limited incentives for the organisations to make the required modifications.
“We’ve said it for many years, and we’ll continue to say it – once a reprimand has been done, then they need to then report back to the ICO within a six-month period to advise on what they’ve done to meet those actions,” he mentioned, including the ICO must go additional to make sure belief in how such public establishments are dealing with folks’s data. “Unless it’s followed up, and they’re accountable for it, nobody really knows what’s being put in place.”
Alex Lawrence-Archer, a solicitor at data safety specialist regulation agency AWO, mentioned whereas “the ICO has very broad powers in relation to enforcement”, together with the issuing of legally enforceable notices and fines, reprimands are “at the lowest end of the enforcement spectrum” as they don’t create any enforceable obligations, that means the ICO would successfully have to start out a brand new enforcement action if it determined to revisit these circumstances.
However, in June 2022, the ICO set out its “revised approach” to public sector enforcement, with the purpose of defending public our bodies from having to make massive payouts for data safety breaches when fines may disrupt public companies.
“In practice, this will mean an increased use of the ICO’s wider powers, including warnings, reprimands and enforcement notices, with fines only issued in the most serious cases,” it mentioned.
Lawrence-Archer mentioned whereas the 2 reprimands are “very much consistent with what the ICO has said at how it’s going to do its job”, the seriousness of the MoJ and TVP’s failings are placing.
“The person continues to face a ‘high-risk’ from criminal gangs against whom they were going to give evidence, and the ICO also found that the responsible officers were not aware of any policies whatsoever that prevent this from taking place. It’s quite striking how bad things were and the consequences,” he mentioned.
“I feel that what many individuals have been asking, and what many commentators have been asking themselves since seeing these reprimands, is does this imply that the ICO successfully would by no means tremendous a public physique?
“It’s difficult to see or imagine the circumstances in which they would consider a fine of a public body appropriate, if not in these cases.”
Lawrence-Archer added that whereas there isn’t any clear-cut goal approach the ICO needs to be regulating when it comes to when to situation fines or how large they need to be, “where you seemingly have a policy developing of effectively never been willing to issue fines against public bodies, that raises some legitimate concerns”.
He mentioned, for instance, that it might be completely authentic for an odd particular person to take the view that “merely issuing a written warning is not really a response [with a] seriousness is in proportion to the things that have gone wrong.”
“I think there are good arguments to say that these cases show that the ICO is taking quite an extremely light approach to regulation of public bodies. The effectiveness of that will only be capable of being judged in the fullness of time.”
Given the seriousness of the TVP and MoJ breaches, Kelliher took the view that this follow shouldn’t be permitted to proceed: “I understand it’s the public monies that any damages to be awarded will be coming out of, we get that, but ultimately, if impact is being caused that’s as significant as in these two instances, why shouldn’t a client be awarded damages as a result of it?”
Owen Sayers, an impartial safety guide and enterprise architect with over 20 years’ expertise in delivering nationwide policing methods, shared comparable sentiments.
“The commissioner himself should be required to publicly give account for his office and justify why his ‘no touch’ policy for public sector should be permitted to continue,” he mentioned.
“This time spherical somebody needed to transfer residence. Next time somebody is perhaps damage, or worse. Those are the actual dangers weak victims and witnesses, and their households, reside with day in and day trip.
“They should have a reasonable expectation that when things go wrong, the regulator (who is supposed to put their interests as a subject above those of the breaching controllers) will actually regulate and use the full range of powers at their disposal. This ‘action’ is woefully inadequate for the impact on the subject.”
Information commissioner’s defence
Responding to questions from Computer Weekly about his workplace’s reprimand selections, info commissioner John Edwards mentioned: “Our focus as a regulator is the place the affect on folks is the best. In these latest circumstances, we’ve seen an actual serious affect on folks from organisations having poor practices, and so we’ve responded to make it possible for modifications are made to forestall this sooner or later.
“A reprimand makes clear that mistakes were made and holds an organisation to account, and that’s why we felt they were the most appropriate response in these recent cases. I would prefer that public authorities applied the resources that would otherwise be diverted with a fine to investing in training, and resolving the issues which lead to the breach. And we’ve seen that in practice with organisations making positive changes in response to our reprimands.”
Edwards added whereas he understands that individuals will need to see fines, and so they do play a task, there may be limited proof that fines alone are an efficient deterrence for public sector our bodies.
“They do not affect those responsible for the breach in the same way that fining a private company can affect shareholders or directors,” he mentioned.
“Perhaps most significantly, the affect of fines issued to the general public sector is usually visited upon the victims of the breach themselves, within the type of diminished budgets for important companies. In impact, folks affected by a breach get punished twice.
“Our approach is a two-year trial. We recognise that Parliament has expressly made provision for fines against public sector organisations, and we reserve that option for the most egregious cases judged by the scale and potential consequences of the breach, and the nature of the conduct that lead to it. We’ll review the approach at the end of the trial to make sure our work continues to be impactful.”
Moving ahead
In phrases of authorized legal responsibility, Kelliher mentioned whereas any authorized case would must be taken ahead on its deserves alone, he would advise these affected by the TVP breach to “proceed immediately”.
In 2008, the same case to the TVP incident noticed the Crown Prosecution Service and Met Police pay out more than £600,000 in damages to a household after a baby witness had their info inadvertently handed on to gang members, giving a sign of the compensation that might be paid if authorized action is taken ahead by these affected.
Lawrence-Archer equally mentioned whereas he wouldn’t need to give recommendation on the deserves of a problem with out sight of the small print, it’s “quite possible” that they’d have the ability to pursue non-public authorized action.
“The ICO is not an ombudsman. It’s not there to vindicate individuals’ data rights. That’s what courts [are] for…effectively, the administrative courts are saying, ‘If you don’t like what the ICO has done, then you’ve got to go and sue the person you think has breached your rights’,” he mentioned.
“Strictly looking at the law, that makes sense, that is what the law says, but whether that provides people with effective protection in reality is another matter, because it’s no small thing to take legal action against a data controller.”
Lawrence-Archer expressed additional concern concerning the UK’s regulatory future, noting these reprimands have been handed down at a time when the regulation of synthetic intelligence (AI) is taking centre stage in public debates.
“I’m just very mindful that in that debate around the regulation of AI, we need to realise that data protection is AI regulation – it’s not the end of the story, but it’s an important part and I think that gets lost,” he mentioned, including that the federal government’s proposed Data Protection and Digital Information Bill is “quite seriously undermining” folks’s data rights within the UK.
“The ICO’s effectiveness as a regulator, the public’s confidence in the ICO as a regulator, those are going to be really important things that determine how well equipped you are to deal with AI risks and AI safety.”
He added: “I’m personally quite sceptical that the reprimands in these cases, in the context of these very stark failings, increase confidence in the ICO as a regulator.”