Information Commissioner’s ‘Today’ Interview 13/12/23

Stuart Skelly
|
Senior Consultant at URM
|
PUBLISHED on
14 Dec
2023

Table of Contents

On Wednesday 13 December, the UK’s Information Commissioner, John Edwards, was interviewed on Radio 4’s ‘Today’ programme.  Mr Edwards was invited to discuss a fine of £350,000 which his office, the ICO, had just imposed on the Ministry of Defence (MOD) for a breach of the UK’s data protection (DP) rules in September 2021.

The breach, though ‘very serious’, was caused by a simple oversight which occurs frequently in many British organisations – failing to use email’s ‘blind copy’ or ‘BCC’ feature to hide the personal email addresses of individuals to whom a bulk ‘circular’ email was being sent.  Many email addresses contain people’s names or other details (such as nicknames) from which they can be identified.  This makes the addresses ‘personal data’, protected by law.

The reason why the MOD’s error was particularly grave in this case was that the addresses CC’d (not BCC’d) on its email were 265 individuals who had assisted UK forces in Afghanistan and who were therefore potentially subject to life-threatening reprisals by the Taliban regime.  In other words, the MOD’s mistake had not only compromised the email recipients’ privacy, but also endangered their lives.

The Information Commissioner’s remarks, as well as being a stark reminder of the possible ramifications of seemingly ‘minor’ data security breaches, were interesting because of the insight they gave into the ICO’s process for assessing the level of fines which they issue.  The Commissioner explained how, based on the seriousness alone of the breach, the ICO in its ‘Notice of Intention to Fine’ which it served on the MOD suggested an initial penalty amount of £1m (this figure Mr Edwards referred to as the ‘tariff’ for the infringement).

Having set this proposed tariff, the ICO then allowed the MOD to make representations.  As a result of these representations (which included the MOD’s willingness to cooperate with the ICO’s investigation, and the remedial steps – such as reviewing their methods of communication - which the Ministry took immediately after becoming aware of the breach), the ICO reduced the fine by £300,000.

Mr Edwards then went on to explain that the remainder of the discount applied to the tariff to arrive at the eventual fine of £350,000 was accounted for by what he called the ICO’s ‘public sector stance’.  This stance, first announced in the summer of 2022, dictates that monetary penalties are not the primary means that the regulator prefers to enforce public sector bodies’ compliance (and to punish their non-compliance) with DP laws.  Since then, the ICO has favoured the ‘public accountability’ of issuing reprimands naming public authorities who break the law as a more effective deterrent than fines which, ultimately, the taxpayer picks up the tab for.

When asked why he wasn’t concerned that the Ministry might just ‘brush off’ a fine of this figure (which is relatively low, in terms of government department budgets), Mr Edwards replied that the MOD had convinced him they appreciated the gravity of their security breach, exacerbated as it was by the fact that it went to the heart of their mission in respect of the individuals involved – which was to protect them.

The final, very useful, takeaways from the Information Commissioner’s interview were the changes which he described the MOD as having made to their means of communicating as a result of the breach (and which had led him to be confident that the set of circumstances which gave rise to it would not recur in future):

  • not relying on fallible humans to use BCC in the first place;
  • instead, using volume-send email and mail merge services which automatically conceal individual email addresses from other recipients; and
  • having policies and staff procedures in place to support the use of such tools.

These are measures which organisations of all kinds – not just those in the public sector – can adopt to control against this common data security risk, and hopefully use to avoid repetition of the kind of situation in which the Ministry of Defence failed to defend some very vulnerable individuals.

Stuart Skelly
Senior Consultant at URM
Stuart is a highly experienced and knowledgeable GRC consultant at URM who has specialised in data protection law for 25 years.
Read more

Do you need assistance in improving your GDPR compliance position?

URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, privacy notices, data retention schedules and training programmes etc.
Thumbnail of the Blog Illustration
Data Protection
Published on
25/7/2022
Data Transfer Risk Assessment

We are focussing on transfer risk assessments (TRAs), commencing with the background that led to their introduction and then addressing the five questions.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
5/10/2022
Avoiding Email Data Security Breaches

For all of us, email can be both a blessing and a curse. On one hand you have the speed and convenience of communication....

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
7/12/2023
Conducting Data Protection Impact Assessments (DPIAs)

URM answers key questions around data protection impact assessments (DPIAs), providing detailed guidance on the best practice approach to conducting them.

Read more
Very Enjoyable and Informative. Thank you!
Webinar 'GDPR - Back to Basics'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.