ICO logo

ICO Reports 564 internal data incidents since April 2015

The ICO (Information Commissioner’s Office) is the UK government regulator responsible for policing and overseeing how personal data is handled and protected under GDPR.

Even though the UK has left the EU the rules under GDPR remain broadly the same.

Over the past few years they’ve been responsible for handing out massive fines to companies that have failed to look after personal data.

Along with each fine they usually release a statement emphasising the consequences of incorrect or inadequate protection of personal data that organisations handle.

When the ICO fined TicketMaster £1.25 million for a large leak of customer information in November 2020, James Dipple-Johnstone, Deputy Commissioner said:

“The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

So we wanted to probe the ICO to discover whether they themselves are compliant with the very rules that they are there to enforce.

The SMS Works sent a freedom of information request in early Nov 2021 to to ask whether there had been any internal data incidents over the past few years

In early Feb 2022, the ICO responded to the request. (Somewhat outside of their 30 day target response time.)

The ICO revealed the following,

Since April 2015, the ICO reported an astonishing 564 internal data incidents that were deemed by the organisation as serious enough for them to record. That’s an incident of some sort every 3.2 working days.

When asked for more detail on the incidents they responded,

‘The vast majority of incidents involve accidental disclosure to a single
known recipient. For example, where a customer’s data protection
concern is emailed to the wrong data controller.’

Examples of these low severity types of incidents were provided as follows.

We also asked for details on all the medium and high severity incidents that did not fall into the categories above.

A large range of medium severity incidents were reported and internally recorded, covering a broad range of errors, mishaps and careless procedures. These included the following – 

Unauthorised access to employees’ personal data by third party client of ICO’s payroll provider

Sensitive personal data emailed to third party individual in error.

Misaddressed correspondence

Misaddressed annual pension statements as a result of process failure by payroll provider.

Storage media sent off-site for repair with data

Notebook lost in transit

Wrong file sent to recipient

Data exposed on shared device

Incorrect permissions

Business email compromise attack

Data sent to wrong address

Data sent in error

Data exposed on EDRM

Casebook unaccounted for

All of these were recorded as medium severity except one which was a ‘system failure’ in May 2015. This was a high severity incident but The ICO failed to provide any more detail on what happened.

I admire the honesty of the ICO in recording all the data slip-ups that have taken place – all 564 of them. There’s no hint of them trying to cover up or minimise their seriousness.

But I’m alarmed at the sheer volume of mistakes and errors that the ICO is making. It strikes me as sloppy to be making these types of errors on such a massive, almost industrial scale.

Related articles

ICO still failing to collect fines as 74% of fines remain unpaid ICO’s fine collection troubles continue

Guide to opting out of marketing texts  Detailed report on the rules for SMS marketing

Is SMS Encrypted? Is SMS safe or could it be hacked?

author avatar
Henry Cazalet Managing Director
Co-founder and Director of The SMS Works, a low cost and powerful SMS API for developers. About Henry