ICO Admits it Suffered Data Security Incident

The incident may harm the watchdog’s chances of getting more funding

The Information Commissioner’s Office has admitted it broke the Data Protection Act – the very law it is tasked with upholding – in a “non-trivial” data security incident at some point over the past 12 months. The admission was hidden away on page 46 of the privacy watchdog’s Annual Report 2013/14, which was released this week.

It claimed that the solitary incident was “self-reported” and handled internally by ICO investigators.

“It was investigated and treated no differently from similar incidents reported to us by others,” the report stated. “It was concluded that the likelihood of damage or distress to any affected data subjects was low and that it did not amount to a serious breach of the Data Protection Act,” the brief explanatory note continued. “A full investigation was carried out with recommendations made and adopted. The internal investigation was also concluded.”

While ironic that the body tasked with investigating and fining organizations that break the Data Protection Act itself suffered an incident, it’s not without precedent. In the 2011/12 report, the ICO confessed to a similar “non-trivial data security incident”, which it said was also self-reported and investigated by its own staff.

“There was no resulting adverse impact on, or damage to, individuals, and the ICO is treating the matter no differently from similar incidents reported by others,” the statement noted.

While minor incidents of this kind are to be expected in most organizations, there have been some raised eyebrows over the ICO’s lack of transparency in explaining exactly what happened on these two occasions.

A spokesman told The Times that the newspaper would have to file a Freedom of Information (FoI) request if it wanted to find out more.

The case may harm the watchdog’s chances of getting more funding.

In a foreword to this year's report, commissioner Christopher Graham called for “stronger powers, a more sustainable funding system, and a clearer guarantee of independence”.

David Harley, senior research fellow at ESET, argued that it's unlikely an independent agency even exists that could have investigated the case. "The sort of breach as a result of human error that the ICO mostly seems to address could happen in any organisation whether in the private or public sector, though in the absence of an FoI request we can't say exactly what sort of infraction took place here," he told Infosecurity.

"Since the fact that it did take place has, quite properly if inconspicuously, been made public, I imagine that the ICO will take what steps it can to minimize the risk of a recurrence."

Chris McIntosh, CEO of ViaSat UK, argued that although the ICO divulged more information about its own breach than it does for the vast majority of incidents it deals with, the watchdog needs to pay careful attention to how it is perceived.

"There is a clear claim to be made that it must be whiter than white and completely transparent when applying its procedures to itself. Otherwise, as we have already seen, people will begin asking 'who watches the watchmen?'," he told Infosecurity.

"The ICO needs to perform a delicate balancing act in order to maintain its reputation as the arbiter of data protection, use of data and openness in the public sector. If people lose their trust then requests for increased funds will ring increasingly hollow."
