ICO told to ‘come clean’ over FCA data protection breach

The Information Commissioner’s Office is being urged to provide full disclosure over an investigation into fellow regulator the Financial Conduct Authority, which has reportedly been found guilty of breaching UK GDPR.

According to a report in The Times, the FCA has been fingered for intercepting and diverting emails to keep track of employees considered to be a “nuisance”. It is claimed the policy was signed off in 2016 by the office of then CEO Andrew Bailey, now governor of the Bank of England.

The Times reports that the ICO concluded “last month that the FCA had infringed their data protection obligations”, after a former employee complained about the policy to the data protection regulator.

Emails from certain individuals were diverted from reaching their recipients, including more confidential lines of business such as whistleblowing and independent reviews, and were intercepted by a designated employee within the FCA.

The individual had to choose whether to forward the correspondence to the intended recipient or not.

However, there is nothing on the ICO website about the investigation, whether a reprimand was issued or whether any further action will be taken.

The employee who sent the complaint told The Times the policy “compromised the integrity of the FCA’s confidential channels” while exposing people’s personal and confidential data. The individual added they had warned the FCA a number of times that the policy was unlawful.

The policy was also widened to go beyond employees and include “vocal members of the public”, the FCA staffer claimed. “It was a way of tracking reputational risk by monitoring people who raised concerns and were considered a nuisance.”

An FCA spokesperson told The Times: “Like many other organisations, we do redirect some emails as part of our day to day work, which aims to ensure emails are received by the most appropriate recipient to help manage our resources effectively. As part of this, we have in place a very small number of specific email redirections, but recognise in this one case we made mistakes in the implementation of the redirection for which we apologised.”

The FCA and ICO work closely in many areas and both are part of “super-regulator” The Digital Regulation Cooperation Forum, which also includes the Competition & Markets Authority and Ofcom.

One industry insider said: “Why doesn’t the ICO just come clean? This breach is very much in the public interest. Could there be some sort of cosy regulator relationship at play? Let’s face it, if this was any other organisation, the press team would be all over it like a rash.”
