ICO reports its own data security breaches

January 11, 2017

An article in the Evening Standard last week revealed that the ICO has investigated itself in a number of complaints made against it since 2013, at least 11 of which have been upheld.

Seven of the complaints resulted in the ICO being ordered to take action to prevent further breaches, two in compliance advice being given, and two in concerns being raised.

There were also at least three occasions where the ICO’s own staff reported themselves to the Information Commissioner for accidental breaches of individuals’ personal data, although the Information Commissioner ruled that there was “no detriment” to anyone arising from the self-reported breaches.

The ICO’s internal investigations were revealed following a Freedom of Information request made by Liberal Democrat peer, Lord Paddick. In a letter to Lord Paddick’s office, the ICO’s lead information access officer, Ian Goddard, said: “We oversee the Data Protection Act 1998 but we also have to comply with its requirements. This means that on occasion we will have to self-report to ourselves in our capacity as a regulator. It also means that individuals can raise complaints about us, to us, in our capacity as a regulator.”

The article serves as a reminder that, from 25 May 2018, when the General Data Protection Regulation (“GDPR”) comes into force, it will be mandatory to report data breaches. Currently, under the Data Protection Act, it is not compulsory for data controllers (excluding telcos) to report breaches of data security to the ICO, although the ICO’s non-binding guidance recommends that serious breaches should be brought to its attention.

Under the GDPR, organisations will be required to notify the ICO of a data breach without undue delay and, where feasible, within 72 hours. In addition, data processors will be required to notify data controllers of a data breach. Failure to report a breach could result in a fine, in addition to any fine for the data breach itself. With the maximum fines under the GDPR raised to the higher of 4% of annual worldwide turnover or 20 million euros, organisations should ensure that they have the right procedures in place to detect, report and investigate a personal data breach.

For more information

Josey Bright
Associate
Direct dial: +44 (0)2076282616
jbright@foxwilliams.com