UPDATE: 16 July 2014 – in the comments to this piece the ICO adds some further details on the “non-trivial” incident: “We are unable to provide details of the breach at this stage, as the information involved is linked to an ongoing criminal investigation.”

The ICO had a “non-trivial” data security incident last year. Can it “fine” itself? Will/has it?

There was an interesting teaser in the Information Commissioner’s Annual Report. As The Times reports

Christopher Graham, the Information Commissioner (ICO), revealed yesterday that his office had suffered a “non-trivial data security incident” within the last 12 months, which prompted a full internal investigation

The ICO, of course, processes personal data and in doing so assumes the role of the data controller (according to section 1(1) of the Data Protection Act 1998 (DPA)). It also assumes the obligation to comply with the data protection principles, and the liability for contravening them. In 2012 the ICO responded to a Freedom of Information Act 2000 (FOIA) request for its “data breach log” with a document that showed admirable commitment to recording even the smallest of potential data security incidents (“person taking photographs outside building”, “theft of small amount of money”). In that instance there were two incidents identified as “high risk”, but the ICO declined to provide information, and the requester, it seems, did not pursue the matter.

This time, with national media picking the story up, the matter may be pushed further. At the moment the ICO is apparently declining to offer any further comment to the media, advising The Times that

You will have to fill out a freedom of information request

which doesn’t really sit that well with their normal commitment to transparency.

But to what extent can or should the ICO investigate its own compliance with the DPA? The Act does not provide for any derogation for the ICO from its obligations, and nor does it provide for any alternative to “self regulation”. Nor, moreover, does it appear to provide for any delegation to a third party to investigate. When it deals with complaints about its own handling of FOIA requests it habitually issues decision notices about itself (sometimes even finding against itself). It does this by distinguishing between “the ICO” (the entity dealing with the request) and “the Commissioner” (the entity dealing with the complaint). I would imagine that a similar nominal separation would be used if it came to formal enforcement action being contemplated in response to a data security incident.

I emphasis the word “if” in the previous sentence, because, although The Times says

The ICO, which can levy fines of up to £500,000 for data protection breaches, did not disclose whether it had fined itself for the breach

it is clear in fact that no such enforcement action resulted in this instance. This is clear because, firstly, the ICO’s own Monetary Penalty Guidance says that any monetary penalty notice (for which “fine” is a convenient, if not strictly correct, shorthand) will be published on its website. None has been published (believe me – I check these things very regularly). And secondly, and more fundamentally, the ICO’s report says that the incident in question

did not amount to a serious breach of the Data Protection Act [emphasis added]

By section 55A a monetary penalty can only be served for a serious contravention of the data controller’s obligations under the DPA. If the incident was not a serious contravention, the statutory threshold for a monetary penalty is simply not met. So, regardless of what other information about the incident might be winkled out of the ICO, we are not going to have a story of “ICO fines ICO”.

However, on a final point, I note that the ICO expects data controllers to report serious data security incidents to the ICO. So the question arises – did the ICO report this to the ICO, or did the ICO assess this as not serious enough to refer to the ICO?  How did the ICO get to know? Could it have been a leak by the ICO? Or even by the ICO? These questions deserve answers*.

*no they don’t


Filed under Data Protection, enforcement, Freedom of Information, Information Commissioner, monetary penalty notice

8 responses to “ICO v ICO?

  1. Laura

    Since the ICO are the investigator, prosecutor and judge in relation to the issuing of menetary penalties/fines, why not the accused too? They do not need to comply with Article 6 ECHR, they have the Tribunal. But as with any accused they would lose their discount if they wanted to exercise those human rights!!

  2. Robert Parker from ICO:

    Jon, to help clear things up we’ve added the following to our earlier comment on this, regards, Robert

    “This incident was treated as a self-reported breach, and was investigated in the same way we would handle any similar incidents reported to us by others.

    “It was concluded that it did not amount to a serious breach of the Data Protection Act, and the internal investigation was concluded.

    “We are unable to provide details of the breach at this stage, as the information involved is linked to an ongoing criminal investigation.”

  3. The ICO’s guidance states “serious breaches should be brought to the attention of his Office”. Who considered it a serious breach – and who didn’t?

    • Well quite. The same guidance says “report serious breaches of the seventh principle”, so, as I’ve argued elsewhere, this seems to suggest that the data controller should assess an incident and only notify ICO if it assesses it as a serious DPP7 contravention.

      So in this instance someone must have assessed it as not being a serious contravention. And yet it was brought to the attention of the office.

      While this is all very amusing/confusing one could argue that it indicates that the necessary separation of functions between data controller and regulator has not really been thought through.

  4. Tim Turner

    It’s unclear whether the ICO means that there is a criminal investigation into the incident or if the incident was associated with a criminal investigation that was already in progress. Either way, would saying what kind of incident it was (theft / loss / damage / inappropriate access) really impinge on whatever kind of investigation it is ‘linked’ to? They can’t just say ‘crime’ and expect all questions to go away.

  5. Pingback: ICO refuses to disclose information about “non-trivial data security incident” | informationrightsandwrongs

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s