Back in 2012, the ICO did indeed investigate the ICO, documenting its findings in a security incident report dated 26 April 2012 (“SIR”) that has recently been released under FOI.
Some may argue that no-one should be judge in his own case, and others may argue the same in Latin. I don’t hold the ICO to this standard. Part of the ICO’s job is to investigate possible breaches of the law, and there isn’t really anyone else to investigate the incidents in which the ICO itself gets caught up. I do of course expect that when the ICO investigates itself it does so properly, that the ICO staff assigned to such investigations make objective decisions, and that there is no attempt at a cover-up.
Having reviewed the available evidence, I have reached the conclusion that the ICO’s investigation of the ICO simply wasn’t up to the standard I would expect, and I am going to explain exactly why:
(1) In the ICO annual report the incident is described as a self-reported breach. Most people would take that to mean that the ICO identified the matter internally before anyone external complained. That isn’t what happened. The investigation was in fact triggered by an allegation received from a firm of solicitors (Field Fisher Waterhouse) that was not working for the ICO (Source: SIR).
(2) The public security incident update refers to just one disc (“disclosed the disc to the Solicitor”), but in fact two CDs were sent out (Source: SIR). It may seem like a minor point, but it suggests that the ICO is seeking to downplay the incident in the public update.
(3) The public security incident update stated that “The hard-drive … had not been forensically examined prior to it being copied and disclosed”. Many readers may interpret this as meaning that there was some examination of the documents disclosed but that this examination was not forensic. In fact “Emails contained within email folders and attachments were not reviewed prior to disclosure” (Source: SIR). This would also support the view that the ICO is seeking to downplay the incident.
(4) The ICO’s public update also says that: “After we had been informed that the disc contained personal data unrelated to the investigation we acted promptly and the disc was recovered from the Solicitor who had stored the disc securely up to the point of recovery.” This would suggest that the disc was recovered fairly quickly, but in fact this isn’t what happened: “McCartneys [the solicitors] have been guarded in their engagements with the ICO and have not cooperated and despite repeated efforts the CDs have not yet been returned to the ICO” (Source: SIR). So the solicitors had the discs for at least five months, from October 2011 to April 2012, despite the ICO’s repeated efforts to get them back. I view the fact that this is omitted as further evidence of attempts to downplay the incident.
(5) The ICO still doesn’t know the full extent of the personal data released in the breach. The ICO disclosed images of a hard drive, but the investigators only appear to have looked at emails and attachments (Source: SIR). It is hard to believe that any hard drive in active use would not contain other personal data. In addition, not all emails in the sent folder were read by the ICO (Source: SIR). Anyone who uses email will know that sent folders contain very similar types of material to inboxes, so it is quite hard to justify why the ICO investigators treated the two folders so differently; perhaps they just ran out of time.
(6) When evaluating the seriousness of the breach the ICO appeared to take no account of the fact that the data was collected and stored by criminals who had together committed “potentially 3,000 criminal offences”, all related to data protection (Source: SIR). In my view much of this information should never have been obtained in the first place, and so data subjects would have a much greater expectation of privacy when the data later came into the hands of a public body than for cases where information was created lawfully in the first instance.
(7) Christopher Graham (the Information Commissioner) said of these criminals: “The public expects to see firmer action taken against people who break the rules in this area, and Parliament needs to recognise that.” (20 November 2013 ICO news release) The unfortunate irony is that the ICO also committed a breach when sending on the same data that these criminals had collected. I do not wish to compare the ICO to a company that tricked people into revealing personal data, but, looking at how the ICO’s investigation of the ICO was handled, I do question how the Commissioner can credibly call for tougher action when the rules are broken.