ICO slated for ‘industrial scale’ internal data cock-ups

The Information Commissioner’s Office has been accused of presiding over “industrial scale” data cock-ups, with a new report revealing that, since April 2015, the regulator has recorded 564 internal data incidents.

According to a Freedom of Information request, filed by the SMS Works, this equates to an incident being recorded nearly every three working days over the past seven years.

Ironically, even the FoI request was not answered within the 30-day deadline, taking nearly four months to complete. Not that this is unusual; back in 2019 the regulator even threatened itself with legal action over a separate bungled FoI request.

In the report itself, a wide variety of medium-severity incidents were reported and internally recorded, covering a broad range of errors, mishaps and careless procedures.

These gaffes included unauthorised access to employees’ personal data by a third-party client of the ICO’s payroll provider; sensitive personal data emailed to a third-party individual in error; storage media containing data being sent off-site for repair; a Notebook lost in transit; a Casebook unaccounted for; data exposed on a shared device; and data being sent to the wrong address.

One incident, dating back to May 2015, was described as a “system failure”: a high-severity incident on which the ICO failed to provide any further detail.

SMS Works director Henry Cazalet said: “There’s no hint of the ICO trying to cover up or minimise the seriousness of data incidents. But I’m alarmed at the sheer volume of mistakes and errors that the ICO is making. It strikes me as sloppy to be making these types of errors on such a massive, almost industrial scale.”

When asked for comment, an ICO spokesperson said: “The vast majority of incidents involve accidental disclosure to a single known recipient. For example, where a customer’s data protection concern is emailed to the wrong data controller.”

But when questioned over a recent separate incident, the ICO claimed: “[Our] aim is to protect people from poor organisational practices that put their personal information at risk. We have a range of powers to help us do that, including issuing reprimands and warnings to ensure the right policies and practices are in place. If we find that organisations have not made changes as set out in reprimands, or if any further incidents or complaints are reported to us, we can consider further regulatory action.”

It is not known whether any of these incidents led to an internal reprimand.
