Next time you get a warning from the Information Commissioner’s Office, you can reassure yourself – in private at least – that its own record is far from spotless after the regulator was forced to admit that it has found itself in breach of data laws 14 times in the past four years.
The blunders have been exposed through a Freedom of Information request made by Liberal Democrat peer Lord Paddick, the former Metropolitan Police deputy assistant commissioner.
The FoI request reveals that on at least three occasions, the ICO’s own officials self-reported breaches after discovering that they had lost or accidentally released people’s private information.
One case where ICO staff reported themselves involved the accidental release of “a small amount of personal information about five individuals” to “a customer of the same name”. However, bosses ruled that no action was required.
But two other cock-ups – dubbed “non-trivial data security incidents” – triggered full-blown investigations and resulted in recommendations being made. Decision Marketing reported on a 2013 incident two years ago. At the time, the ICO said: “It was concluded that the likelihood of damage or distress to any affected data subjects was low and that it did not amount to a serious breach of the Data Protection Act.”
Out of 40 complaints against the ICO sent by the public since 2013, seven ended with the ICO being ordered to take action to prevent further breaches, two with compliance advice being given, two with concerns raised and 29 ended with no breaches of the law being found.
Lord Paddick said: “The ICO is responsible for ensuring that our data is being held safely and securely. The fact that they have managed to breach their own rules is extremely concerning.
“More and more of our data is being held by government agencies, if even the ICO can’t stick to the rules, it does raise questions about how secure our data really is.”
Big issues to tackle in 2017: red alert on legislation
ICO poised to draw up new code for direct marketing
ICO issues privacy notice warning in first GDPR code
ICO commits to data law overhaul despite Brexit win
Third of businesses still feel unprepared for GDPR
Canadian to take over as Information Commissioner
ICO admits internal data breach