Data protection watchdog the Information Commissioner’s Office (ICO) has been forced to take action several times over the past few years to prevent breaches at its own offices, according to a new investigation.
A Freedom of Information request sent to the privacy commissioner by Liberal Democrat peer and former London mayoral candidate Lord Paddick revealed 40 complaints have been made against the organization since 2013.
Of those, seven resulted in the ICO effectively ordering itself to take action to prevent further breaches, two in compliance with advice being issued, and two with various concerns raised, according to the Evening Standard.
However, on three occasions, ICO staff apparently self-reported potential breaches when personal data on citizens was accidentally exposed.
Two of these were classed as “non-trivial data security incidents” and required full investigations, resulting in recommendations being made on how to improve data handling.
On a third occasion an incident apparently involved the release of a small amount of info on five people to a person with the same name. However, this was deemed not to require any further action.
Lib Dem Lords Home Affairs spokesperson Paddick argued the findings of the FoI request raised concerns about the safety of the public’s data.
“More and more of our data is being held by government agencies, if even the ICO can’t stick to the rules it does raise questions about how secure our data really is,” he’s quoted as saying.
The ICO is an independent organization tasked with upholding information rights in the UK, although the commissioner is chosen by a Commons select committee.
In the period July-September 2016 the watchdog fined organizations over half a million pounds for data security failings.
An official ICO statement sent to Infosecurity read:
“As the regulator for data protection we take our own responsibilities to comply with the legislation extremely seriously. We aim to have the necessary controls in place to mitigate the risk of accidental disclosures.
“Incidents involving the ICO are investigated fully in the same way as any other data controller and there have been a small number of cases over the past three years when action has been required. However, we want to be aware of and learn from all incidents, however minor, in order that we minimise the risks of serious incidents occurring.”