The Information Commissioner’s Office (ICO) suffered a “non-trivial data security incident” within the last 12 months.
In the same week that it released its 2013/2014 annual report, Information Commissioner Christopher Graham said that there was one “non-trivial data security incident” that was treated as a self-reported breach.
He said: “It was investigated and treated no differently from similar incidents reported to us by others. We also conducted an internal investigation.”
The ICO, which can levy fines of up to £500,000 for data protection breaches, did not disclose whether it had fined itself for the breach.
In a statement send to IT Security Guru, an ICO spokesperson said: “This incident was treated as a self-reported breach, and was investigated in the same way we would handle any similar incidents reported to us by others. It was concluded that it did not amount to a serious breach of the Data Protection Act, and the internal investigation was concluded.We are unable to provide details of the breach at this stage, as the information involved is linked to an ongoing criminal investigation.”
President of the National Association of Data Protection Officers, barrister and solicitor, Stewart Room, said that even though the ICO said it was ‘non-trivial’, if the ICO declines to explain the situation on the basis that a FOI statutory exemption applies, then there will be more concerns about transparency, fairness and natural justice.
“Particularly because the ICO is currently acting as judge in its own case on subject matter that it is the regulator of, about which it has been particularly tough where third party data controllers are concerned,” he said.
“As to whether a fine could be imposed on the ICO, the answer must be yes as a matter of law. Moreover, I doubt that ICO will claim that it should get some kind of exemption or special treatment.”
NADPO chair Jon Baines said that the ICO has to investigate/enforce against themselves regularly with FOI act requests, and they draw a distinction between “the commissioner” and “the ICO”. He said: “If it fined itself, then a) its own monetary penalty notice guidance requires it to put all notices on its website, and b) as it determined that this wasn’t a ‘serious’ contravention, then the statutory threshold was not met.”
Room suggested that it is impossible to justify ICO being a judge in its own case and the only way that justice can be seen to be done is via independent oversight, for there to be a regulator for the regulator.
“Independent scrutiny might be provided by Parliament, although that risks a charge that ICO’s independence is threatened,” he said. “A more practicable approach would be to set up a ‘clean team’ of external investigators who are truly independent of ICO. This body would look to see whether ICO has breached the law and, if so, whether it should be sanctioned.
“The Commissioner, who is legally distinct of ICO, would be expected to act on the external team’s findings. All of this work would be done as transparently as possible, but with necessary savings for other interests.”