Category Archives: monetary penalty notice

PARKLIFE! (and a £70k monetary penalty)

In August this year I reported that the Information Commissioner’s Office (ICO) had effectively conceded it had no current powers to issue monetary penalties on spam texters. This was after the Upper Tribunal had indicated that in most cases the sending of such texts was not likely to cause substantial damage or substantial distress (this being part of the statutory test for serving a monetary penalty notice (MPN) for a serious contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003) (PECR).

What I’d forgotten were the reports of highly distasteful and in some cases highly distressing texts sent in May to festival-goers by the organisers of the Parklife festival in Manchester’s Heaton Park. The texts didn’t disclose that they were from the event organisers, but instead purported to come from “Mum” and were advertising extra events at the festival.

Regulation 23 of PECR outlaws the sending of direct marketing texts (and other direct marketing electronic communications) where the sender’s identity has been disguised or concealed.

As the Manchester Evening News reported at the time receiving the texts in question left many recipients who had lost their mothers distressed and upset.

And so it came to pass that, as the same newspaper reveals today, the ICO investigated complaints about the marketing, and appears to have determined that the sending of the texts was a serious contravention of PECR regulation 23, and it was of a kind likely to cause substantial distress. The paper reveals that an MPN of £70000 has been served on the organisers, and the ICO has confirmed this on its website, and the MPN itself lists a number of the complaints made by affected recipients.

So, I, and the ICO’s Steve Eckersley, were wrong – powers to serve MPNs for spam texts do still currently exist, although it must be said that this was an exceptional case: most spam texts are irritating, rather than as callous and potentially distressing as these. And this is why the Ministry of Justice is, as I have previously discussed, consulting on lowering, or dropping altogether, the “harm threshold” for serving MPNs for serious PECR contraventions.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under enforcement, Information Commissioner, marketing, monetary penalty notice, PECR, spam texts

No harm done

Why does nobody listen to me?

Quite a few media outlets and commentators have picked up on the consultation by the Department for Culture, Media and Sport I blogged about recently. The consultation is about the possibility of legislative change to make it easier for the Information Commissioner’s Office (ICO)(ICO) to “fine” (in reality, serve a civil monetary penalty notice) on people or organisations who commit serious contraventions of ePrivacy law in sending unsolicited electronic marketing messages (aka spam calls, texts, emails etc).

However, almost every report I have seen has missed a crucial point. So, we have The Register saying “ICO to fine UNBIDDEN MARKETEERS who cause ‘ANXIETY’…Inconvenience, annoyance also pass the watchdog’s stress test”, and Pinsent Masons, saying “Unsolicited marketing causing ‘annoyance, inconvenience or anxiety’ could result in ICO fine”. We even have 11KBW’s formidable Christopher Knight saying

the DCMS has just launched a consultation exercise on amending PECR with a view to altering the test from “substantial damage or distress” to causing “annoyance, inconvenience or anxiety”

But none of these spot that the preferred option of DCMS, and the ICO is actually to go further, and give the ICO the power to serve a monetary penalty notice even when no harm has been shown at all

Remove the existing legal threshold of “substantial damage and distress” (this is the preferred option of both ICO and DCMS. There would be no need to prove “substantial damage and distress”, or any other threshold such as ‘annoyance, inconvenience or anxiety’…

So yes, this is a blog post purely to moan about the fact that people haven’t read my previous post. It’s my blog and I’ll cry if I want to.


Chris Knight is so formidable that he’s both updated the Panopticon post and pointed out the oddness of option 3 being preferred when nearly all of the consultation paper is predicated on option 2 being victorious.

Leave a comment

Filed under Information Commissioner, marketing, monetary penalty notice, PECR, spam texts

DCMS consulting on lower threshold for “fining” spammers

UPDATE: 08.11.14

Rich Greenhill has spotted another odd feature of this consultation. Options one and two both use the formulation “the contravention was deliberate or the person knew or ought to have known that there was a risk that the contravention would occur”, however, option three omits the words “…or ought to have known”. This is surely a typo, because if it were a deliberate omission it would effectively mean that penalties could not be imposed for negligent contraventions (only deliberate or wilful contraventions would qualify). I understand Rich has asked DCMS to clarify this, and will update as and when he hears anything.


UPDATE: 04.11.14

An interesting development of this story was how many media outlets and commentators reported that the consultation was about lowering the threshold to “likely to cause annoyance, inconvenience or anxiety”, ignoring in the process that the preferred option of DCMS and ICO was for no harm threshold at all. Christopher Knight, on 11KBW’s Panopticon blog kindly amended his piece when I drew this point to his attention. He did, however observe that most of the consultation paper, and DCMS’s website, appeared predicated on the assumption that the lower-harm threshold was at issue. Today, Rich Greenhill informs us all that he has spoken to DCMS, and that their preference is indeed for a “no harm” approach: “Just spoke to DCMS: govt prefers PECR Option 3 (zero harm), its PR is *wrong*”. How very odd.


The Department of Culture, Media and Sport (DCMS) has announced a consultation on lowering the threshold for the imposing of financial sanctions on those who unlawfully send electronic direct marketing. They’ve called it a “Nuisance calls consultation”, which, although they explain that it applies equally to nuisance text messages, emails etc., doesn’t adequately describe what could be an important development in electronic privacy regulation.

When, a year ago, the First-tier Tribunal (FTT) upheld the appeal by spam texter Christopher Niebel against the £300,000 monetary penalty notice (MPN) served on him by the Information Commissioner’s Office (ICO), it put the latter in an awkward position. And when the Upper Tribunal dismissed the ICO’s subsequent appeal, there was binding authority on the limits to the ICO’s power to serve MPNs for serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). There was no dispute that, per the mechanism at section 55A of the Data Protection Act 1998 (DPA), adopted by PECR by virtue of regulation 31, Niebel’s contraventions were serious and deliberate, but what was at issue was whether they were “of a kind likely to cause substantial damage or substantial distress”. The FTT held that they were not – no substantial damage would be likely to arise and when it came to distress

the effect of the contravention is likely to be widespread irritation but not widespread distress…we cannot construct a logical likelihood of substantial distress as a result of the contravention.

When the Upper Tribunal agreed with the FTT, and the ICO’s Head of Enforcement said it had “largely [rendered] our power to issue fines for breaches of PECR involving spam texts redundant” it seemed clear that, for the time being at least, there was in effect a green light for spam texters, and, by extension, other spam electronic marketers. The DCMS consultation is in response to calls from the ICO, and others, such as the All Party Parliamentary Group (APPG) on Nuisance Calls, the Direct Marketing Association and Which for a change in the law.

The consultation proposes three options – 1) do nothing, 2) lower the threshold from “likely to cause substantial damage or substantial distress” to “likely to cause annoyance, inconvenience or anxiety”, or 3) remove the threshold altogether, so any serious and deliberate (or reckless) contravention of the PECR provisions would attract the possibility of a monetary penalty. The third option is the one favoured by DCMS and the ICO.

If either of the second or third options is ultimately enacted, this could, I feel, lead to a significant reduction in the prevalence of spam marketing. The consultation document notes that (despite the fact that the MPN was overturned on appeal) the number of unsolicited spam SMS text message sent reduced by a significant number after the Niebel MPN was served. A robust and prominent campaign of enforcement under a legislative scheme which makes it much easier to impose penalties to a maximum of £500,000, and much more difficult to appeal them, could put many spammers out of business, and discourage others. This will be subject, of course, both to the willingness and the resources of the ICO. The consultation document notes that there might be “an expectation that [MPNs] would be issued by the ICO in many more cases than its resources permit” but the ICO has said (according to the document) that it is “ready and equipped to investigate and progress a significant number of additional cases with a view to taking greater enforcement action including issuing more CMPs”.

There appears to be little resistance (as yet, at least) to the idea of lowering or removing the penalty threshold. Given that, and given the ICO’s apparent willingness to take on the spammers, we may well see a real and significant attack on the scourge. Of course, this only applies to identifiable spammers in the domestic jurisdiction – let’s hope it doesn’t just drive an increase in non-traceable, overseas spam.




Filed under Data Protection, enforcement, Information Commissioner, Information Tribunal, marketing, monetary penalty notice, nuisance calls, PECR, spam texts, Upper Tribunal

Theft of police video interviews – a data protection issue for the CPS?

The theft of recordings of police interviews with victims of sexual abuse from a Manchester firm has potentially serious data protection implications for the CPS

UPDATE: 22 September – the Manchester Evening News reports that the burglary took place at a flat. No doubt the ICO, and the CPS will want to know whether the storage of hardware by the firm was appropriate to the sensitivity of the data held. END UPDATE

The 7th principle in Schedule One of the Data Protection Act 1998 requires a data controller to have appropriate technical and organisational measures in place to safeguard against loss etc. of personal data. Furthermore, if the data controller is appointing a contractor to process personal data, it should select that contractor on the basis that it has equivalent measures in place, ensure that the contractor only acts on instructions from the data controller and all of this should be evidenced in writing. Failure to comply with this 7th principle is a contravention of the data controller’s obligation under section 4(4), and serious contraventions, of a kind likely to cause substantial damage or substantial distress, can attract enforcement action from the Information Commissioner (ICO), including monetary penalty notices (MPNs), to a maximum of £500,000. Note the “likely” – a near miss, in data security terms, can still lead to an MPN. It is the failure to have appropriate measures in place (or a suitable contract) which is the contravention of the DPA – not the data security incident in itself.

With this in mind, the Crown Prosecution Service (CPS) must be considering its vulnerability to enforcement action by the ICO, following reports of thefts of highly sensitive recordings of video interviews with victims of alleged sexual abuse from a Manchester video editing firm contracted by the CPS. This may be the case even though the stolen material has apparently been recovered. The Mail reports that

The CPS said it was now demanding an ‘urgent explanation’ of the security arrangements that had been in place

but this in itself points towards a possible prior lack of suitable oversight of the contractual arrangements

Keith Vaz, Chair of the Commons Home Affairs Committee, has expressed surprise that a private firm was involved (which shows either a certain naivety, or disingenuity) but has also said that he will be challenging the Head of the CPS about the security breach when she appears before the committee next month. One suspects the ICO will also be challenging her to explain what arrangements were in place to ensure compliance with the DPA.

1 Comment

Filed under Data Protection, Information Commissioner, monetary penalty notice

Some observations on the MoJ £180,000 data protection “fine”

1. It wasn’t a fine: section 55A of the Data Protection Act 1998 (DPA) gives the Information Commissioner’s Office (ICO) the power to impose a monetary penalty notice (MPN) to a maximum of £500,000 on a data controller which has made a serious contravention of its obligation to comply with the data protection principles, and the contravention was of a kind likely to cause substantial damage or substantial distress (and the data controller knew or should have known about the risk). There is often confusion over the civil and criminal sanctions in the DPA, perhaps not helped by the fact that the main criminal sanction is at section 55, and the main civil sanction at section 55A. However, although the incorrect use of the term “fine” is understandable in some circumstances, I don’t think the ICO themselves should use it.

2. The money goes straight back to the government: this is true – monetary penalties do not get paid to the ICO. Rather, they are paid into the Consolidated Fund – the government’s bank account. While this does have an element of absurdity (and similar complaints are sometimes made when the ICO serves MPNs on other public bodies, such as the NHS, or local authorities) recent research (and personal anecdotal experience) suggests that the MPNs are effective in improving data controller compliance. One wonders if alternative methods, like individual liability for data controller failings (which would require major primary legislation), would have similar effects.

3. The Ministry of Justice funds the ICO: in part, at least. The MoJ funds the ICO for its freedom of information work. Its data protection work comes from the fees data controllers pay the ICO to appear on its register. Nonetheless, penalising the MoJ could be seen as biting the hand that feeds – it is commendable that the ICO is not afraid to do so.

4. The MoJ is data controller for prisoner data within prisons: being the person or persons who determine the purposes for which and the manner in which any personal data are, or are to be, processed. That’s a heck of a lot of highly sensitive personal data to be responsible for. And such responsibility carries potential huge liability for errors.

5. This is not the first MPN the MoJ has received: less than 12 months ago the MoJ received an MPN of £140,000 for a remarkably similar set of events to those which prompted the latest MPN. Both MPNs involved insecure processes to safeguard prisoner databases – in the first an unencrypted database file was emailed to a member of the public, and in the second a hard disk containing a prisoner database, which should have been encrypted but wasn’t, has been lost. As MPNs are often served (as these were) for contraventions of the obligation to have appropriate organisational and technical measures in place to safeguard against loss of data, one might argue that a second such serious contravention might have warranted even more severe sanctions. The ICO even notes that the second contravention was because of a botched attempt to put right what happened in the first, and deems the second contravention “very serious” (as opposed to the first’s “serious”). I am not the only person I have spoken to who is surprised this latest MPN was not higher.

and finally

6. Data security is not just about technology: it’s also about people. In this instance the MoJ, after its first MPN (see above), sent hard drives to all relevant prisons which were capable of holding data in encrypted format.

But they forgot to tell the prison staff to switch encryption on.

1 Comment

Filed under Data Protection, Information Commissioner, monetary penalty notice

Red light for ICO spam text “fines”

A week ago I noted that the Information Commissioner’s Office (ICO) had effectively conceded that, since the Upper Tribunal’s decision in the Niebel case, it could not realistically serve monetary penalty notices (MPNs) on spam texters. I observed that

the result of the Niebel litigation has been to remove their powers to serve MPNs for spam texts, [with the ICO saying] it had “largely [rendered] our power to issue fines for breaches of PECR involving spam texts redundant”.

This perception has been reinforced by the press release today from the ICO, reporting a raid on a claims management call centre “thought to be connected to a spam text operation”. Information and hardware were seized in the raid, but the ICO says it

will now consider whether an enforcement notice compelling the organisation to comply with the rules regarding text marketing can be issued

Notably, no reference to an MPN is made. To recap, MPNs can be served under section 55A of the Data Protection Act 1998 to serve such a notice if there has been a serious contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) of a kind likely to cause substantial damage or substantial distress. The Niebel litigation, in very broad terms, cast doubt on whether receiving spam texts could ever cause substantial damage or substantial distress (as opposed to, say, irritation).

Whether this Llanelli operation was in contravention of the law, and if so what sanctions will flow will no doubt be determined on the basis of the seized information and other information.

And although enforcement notices are serious sanctions, with breach of one being a criminal offence (although not a recordable one) whether people running spam texting operations see them as a real deterrent is another matter.



Leave a comment

Filed under Data Protection, Information Commissioner, marketing, monetary penalty notice, PECR, Upper Tribunal

Green light for spam texters – for now

The ICO has effectively conceded he has no current powers to issue monetary penalties on spam texters.

In June this year the Upper Tribunal dismissed the appeal by the Information Commissioner’s Office (ICO) against the quashing of a £300,000 monetary penalty notice (the MPN) served on spam texter Christopher Niebel. The MPN had been issued pursuant to the ICO’s powers under section 55A of the Data Protection Act 1998 to serve such a notice if there has been a serious contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) of a kind likely to cause substantial damage or substantial distress. The Upper Tribunal held that the First-tier Tribunal had not erred in law in finding that the ICO’s relevant interpretation of “distress” was unsustainable:

the tribunal took issue with the Commissioner’s guidance as to the meaning of “distress” and, in my opinion rightly so. According to that guidance, “Distress is any injury to feelings, harm or anxiety suffered by an individual” (at paragraph [12], emphasis added). The tribunal’s conclusion was that if this “involves the proposition that it is not possible to have ‘any injury to feelings’ which falls short of ‘distress’ then, it seems to us, that the definition is at odds with common experience and with the ordinary use of English [¶60]

As the law required evidence that Niebel’s company’s sending of spam texts had been of a kind likely to cause substantial distress, and as the ICO’s evidence did not match up to this, the MPN had been rightly quashed. Implicitly, the Upper Tribunal was suggesting that further MPNs of this kind would also not be sustainable, and, explicitly, it questioned whether, if Parliament wanted to give the ICO powers to financially punish spam texters, it would require a change in the law

[a] more profitable course of action, is for the statutory test to be revisited…a statutory test that was formulated in terms of e.g. annoyance, inconvenience and/or irritation, rather than “substantial damage or substantial distress”, might well have resulted in a different outcome.

To no real surprise, since the ICO lost this appeal, no further MPNs have been issued for spam texting (some have been served for spam telephone calls). Now the ICO, in a blog post by their Head of Enforcement Steve Eckersley has effectively conceded that the result of the Niebel litigation has been to remove their powers to serve MPNs for spam texts, saying it had “largely [rendered] our power to issue fines for breaches of PECR involving spam texts redundant”. And Eckersley picks up the call for a law change, confirming that there will be a consultation later this year (whether any of this will see results this side of the general election, however, is another question).  This call echoes one made by the Information Commissioner himself, who said in February

We have just got to lower that hurdle because I think if you ask most people they would say silent calls and unsolicited spam texts are one of the great curses of the age – and if the Information Commissioner can’t protect you it’s a poor lookout.
There are, of course, other strings to the ICO bow, and Eckersley refers to some of them
we are using our existing powers to hold companies to account and to disrupt their unlawful activities….and we are obtaining undertakings from and issuing enforcement notices, effectively cease-and-desist orders, to companies that breach PECR.
This sounds good, but leaves me rather puzzled: as the ICO has confirmed to me, no enforcement notices have been served and only one undertaking obtained, against companies or individuals who have sent spam texts in breach of PECR. Enforcement notices are a strong power – breach of one is a criminal offence – and only require the ICO to consider whether the PECR contravention has caused or is likely to cause any person damage or distress, not “substantial damage or substantial distress”. This lower threshold should make it much more difficult for enforcement to be resisted. Maybe some enforcement notices are on their way? One rather hopes so, because, for the moment, it looks like spam texters have received a green light.
Tim Turner points out to me that a conviction for breach of an enforcement notice is not a recordable offence it will not make its way on to the Police National Computer, and will not therefore generally result in disclosure for, e.g. employment purposes. Tim’s view, and it is a compelling one, is that for a lot of spammers the threat of a minor conviction for breach of a legal notice is not one which is likely to dissuade them from their practice.


Filed under Data Protection, enforcement, Information Commissioner, Information Tribunal, marketing, monetary penalty notice, nuisance calls, PECR, Upper Tribunal

Watch out lawyers – the ICO has you in his sights

The Information Commissioner’s Office (ICO) has “sounded the alarm” to the legal profession regarding breaches of the Data Protection Act 1998 (DPA). In a press release today it says it is

warning barristers and solicitors to keep personal information secure, especially paper files. This follows a number of data breaches reported to the ICO involving the legal profession

Fifteen incidents (which, of course, are not in themselves, breaches of the DPA)  involving members of the legal profession have been reported to the ICO in the last three months, and the release goes on to point out that

The information handled by barristers and solicitors is often very sensitive. This means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty. Legal professionals will also often carry around large quantities of information in folders or files when taking them to or from court, and may store them at home. This can increase the risk of a data breach

This of course is shorthand for what enforcement of the DPA really entails. Solicitors and barristers will often be data controllers pursuant to section 1(1) of the DPA (but not always – in-house lawyers are employees, and their employer will generally be the relevant data controller) and as such they will have an obligation under section 4(4) DPA to comply with the data protection principles of Schedule One. The seventh principle requires a data controller to take

Appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

and this is what the ICO refers to (or should refer to) when it talks about a “data breach”: a data security incident (such as loss of files) might occur as a result of a seventh principle breach, but, equally, it might not (I blogged at length on this distinction previously).

Nonetheless, the ICO will often give a shot across the bows of a particular group or industry, prior to taking formal enforcement action, such as the serving of monetary penalty notices, to a maximum of £500,000. The likelihood of any individual barrister or solicitor or any but the very largest firms getting such a large penalty is very very low (the ICO’s own rules state that he must take into account the impact on a data controller of a penalty). That said, all lawyers would do well to check their compliance with the DPA, and with their information security obligations.

1 Comment

Filed under Breach Notification, Data Protection, Information Commissioner, monetary penalty notice

ICO penalty after one million credit card details extracted from vulnerable website

The Information Commissioner’s Office (ICO) has served a monetary penalty notice (MPN) of £150,000 on online travel company Think W3 Ltd.

MPNs (sometimes wrongly described as “fines” *cough* are civil penalties which can be served by the ICO where it has determined that the data controller in question has contravened the Data Protection Act 1998 and the contravention was: serious, of a kind likely to cause substantial damage or substantial distress and the data controller knew or ought to have known that there was a risk the contravention would occur but failed to take steps to prevent it. The ICO classed this contravention as very serious.

The website of Essential Travel Ltd, a subsidiary and trading brand of Think W3, was subject to a major attack under which more than 1 million credit card records were extracted. The attack was the result of an SQL injection enabled by a coding error on a login page which (for the facilitation of home-working) was publicly available over the internet. It appears that the coding error, and the lack of suitable checks since, meant the site had been vulnerable since early 2006 until December 2012 (when the attack happened).

The fact that the MPN was at the lower end of the scale available is probably because of the need (laid out in guidance) for the ICO to consider the data controller’s financial ability to pay a penalty. What I find interesting here is that Think W3 Ltd were a company wholly owned by Thomas Cook Group, who acquired 100% of it in 2010 until January this year. Company law normally provides that liability of a company within a group attaches to that company alone, so the assets of the Group were not available to be taken into account by the ICO, but, given that the seventh data protection principle was already being contravened, in a very serious manner, at the time of the 2010 aquisition, some questions might now be asked of those in charge at the time. And it is noteworthy that Thomas Cook appear to be prepared to pay the penalty, rather than new owners Holiday Extras.

1 Comment

Filed under Data Protection, Information Commissioner, monetary penalty notice


UPDATE: 16 July 2014 – in the comments to this piece the ICO adds some further details on the “non-trivial” incident: “We are unable to provide details of the breach at this stage, as the information involved is linked to an ongoing criminal investigation.”

The ICO had a “non-trivial” data security incident last year. Can it “fine” itself? Will/has it?

There was an interesting teaser in the Information Commissioner’s Annual Report. As The Times reports

Christopher Graham, the Information Commissioner (ICO), revealed yesterday that his office had suffered a “non-trivial data security incident” within the last 12 months, which prompted a full internal investigation

The ICO, of course, processes personal data and in doing so assumes the role of the data controller (according to section 1(1) of the Data Protection Act 1998 (DPA)). It also assumes the obligation to comply with the data protection principles, and the liability for contravening them. In 2012 the ICO responded to a Freedom of Information Act 2000 (FOIA) request for its “data breach log” with a document that showed admirable commitment to recording even the smallest of potential data security incidents (“person taking photographs outside building”, “theft of small amount of money”). In that instance there were two incidents identified as “high risk”, but the ICO declined to provide information, and the requester, it seems, did not pursue the matter.

This time, with national media picking the story up, the matter may be pushed further. At the moment the ICO is apparently declining to offer any further comment to the media, advising The Times that

You will have to fill out a freedom of information request

which doesn’t really sit that well with their normal commitment to transparency.

But to what extent can or should the ICO investigate its own compliance with the DPA? The Act does not provide for any derogation for the ICO from its obligations, and nor does it provide for any alternative to “self regulation”. Nor, moreover, does it appear to provide for any delegation to a third party to investigate. When it deals with complaints about its own handling of FOIA requests it habitually issues decision notices about itself (sometimes even finding against itself). It does this by distinguishing between “the ICO” (the entity dealing with the request) and “the Commissioner” (the entity dealing with the complaint). I would imagine that a similar nominal separation would be used if it came to formal enforcement action being contemplated in response to a data security incident.

I emphasis the word “if” in the previous sentence, because, although The Times says

The ICO, which can levy fines of up to £500,000 for data protection breaches, did not disclose whether it had fined itself for the breach

it is clear in fact that no such enforcement action resulted in this instance. This is clear because, firstly, the ICO’s own Monetary Penalty Guidance says that any monetary penalty notice (for which “fine” is a convenient, if not strictly correct, shorthand) will be published on its website. None has been published (believe me – I check these things very regularly). And secondly, and more fundamentally, the ICO’s report says that the incident in question

did not amount to a serious breach of the Data Protection Act [emphasis added]

By section 55A a monetary penalty can only be served for a serious contravention of the data controller’s obligations under the DPA. If the incident was not a serious contravention, the statutory threshold for a monetary penalty is simply not met. So, regardless of what other information about the incident might be winkled out of the ICO, we are not going to have a story of “ICO fines ICO”.

However, on a final point, I note that the ICO expects data controllers to report serious data security incidents to the ICO. So the question arises – did the ICO report this to the ICO, or did the ICO assess this as not serious enough to refer to the ICO?  How did the ICO get to know? Could it have been a leak by the ICO? Or even by the ICO? These questions deserve answers*.

*no they don’t


Filed under Data Protection, enforcement, Freedom of Information, Information Commissioner, monetary penalty notice