ICO Criticised Over Lack Of Transparency In Internal Breach

The Information Commissioner’s Office (ICO) admitted that  its own staff had breached data privacy regulations in the past 12 months.

Information about a “non-trivial incident” was hidden inside the 84-page annual report, the same document in which information commissioner Christopher Graham asked for more powers and more funding for the UK’s privacy watchdog.

The ICO has been criticised for refusing to provide more information about the breach, other than the two short paragraphs in the report. “You will have to fill out a freedom of information request,” a spokesman for the ICO told The Times earlier today.

Several hours later, the organisation apparently had a change of heart and issued a statement, and here’s where it gets really interesting: “We are unable to provide details of the breach at this stage, as the information involved is linked to an ongoing criminal investigation,” said a spokesperson for the ICO.

Who watches the watchmen

In its latest annual report, the ICO said it handled 259,903 calls to its helpline, resolved 15,492 data protection complaints, investigated a record 1,755 cases, and issued civil monetary penalties totalling £1.97 million.

Now, it has emerged that one of the cases had the ICO investigating itself.

“There has been one non-trivial data security incident. The incident was treated as a self-reported breach. It was investigated and treated no differently from similar incidents reported to us by others. We also conducted an internal investigation,” wrote Graham in the report.

“It was concluded that the likelihood of damage or distress to any affected data subjects was low and that it did not amount to a serious breach of the Data Protection Act. A full investigation was carried out with recommendations made and adopted. The internal investigation was also concluded.”

Despite these assurances, the latest statement from the ICO seems to suggest that the case is far from over. Just how serious was this “non-trivial” incident? What kind of criminal investigation is it linked to? These are just some of the questions the watchdog will have to answer in the coming weeks if it wants to get access to more powers and funding.

The ICO had previously reported an internal data privacy breach in its 2011 annual report. Back then, the organization also called the incident “self-reported” and said it was treating it like any other case.

What do you know about ICO and its counterparts? Take our quiz!