The Information Commissioner’s Office is seemingly oblivious to the growing row over its regulatory “failings” after changing its mind over a £1m fine against the Post Office for a major data breach.
The incident, which happened last year, resulted in the personal information of hundreds of postmasters involved in the Horizon IT scandal being leaked online.
The breach occurred when the Post Office’s communications team mistakenly published an unredacted version of a legal settlement document on its corporate website.
The document contained the names, home addresses and postmaster status of 502 people who were part of a group litigation against the organisation, dramatised in the award-winning ITV show Mr Bates vs The Post Office.
The file remained publicly accessible from April 25 to June 19 2024, before being removed following notification from an external law firm.
When investigating the circumstances of this data breach, the ICO found that the Post Office failed to implement appropriate technical and organisational measures to protect people’s information.
It found there to be a lack of documented policies or quality assurance processes for publishing documents on the corporate website, as well as insufficient staff training, with no specific guidance on information sensitivity or publishing practices.
ICO head of investigations Anne Poole said: “The people affected by this breach had already endured significant hardship and distress as a result of the Horizon IT scandal. They deserved much better than this.
“The postmasters have once again been let down by the Post Office. Our investigation highlighted that this data breach was entirely preventable and stemmed from a mistake that could have been avoided had the correct procedures been in place.
“Other organisations should take notice of this reprimand and apply its learnings, so they don’t find themselves making the same mistake. Data protection by design must be embedded into everyday operations so people’s information is handled appropriately.”
The ICO admitted that it initially considered imposing a fine of up to £1.094m but then changed its mind, insisting it did not consider that the data protection infringements identified reached the threshold of “egregious” under its public sector approach. Instead a reprimand, seen by many as just a slap on the wrist, has been issued.
The controversial decision comes just days after a coalition of more than 70 civil liberty groups, academics and legal experts joined forces to demand MPs launch a major investigation into a “collapse in enforcement activity” at the regulator.
The open letter to the chair of Parliament’s Science, Innovation & Technology Committee, Chi Onwurah, argues that the ICO is plagued by deep “structural failures”.
It also alleges that a lack of enforcement actions by the ICO, particularly against public sector agencies, has led to an 11% increase in reported breaches and an 8% increase in data protection complaints.
The move follows a call by Cambridge don Professor David Erdos for UK and European lawmakers to take a long hard look at the record of the ICO, following what he branded “a severe and serious weakening of information rights regulation” under the current regime, which is threatening its primary role to “robustly protect people’s personal data”.
In response to the latest ruling, freelance data security and data protection professional Keith Dewey posted on LinkedIn: “That’ll teach them…Nothing”. Meanwhile, the owner of compliance consultancy Garden City Assurance, Suze P, added: “Thank whichever god appeals to you that they’re not actually involved in investigating *anything* to do with Horizon.”

