Aug 24, 2014 | Data Protection, Data Security, DPA, ICO

At the end of July, the Information Commissioner issued a Civil Monetary Penalty on Think W3, an online travel company. Think W3 had flawed security and audit processes, and when a hacker gained access to Think W3’s customer data via a subsidiary company, the ICO (I think reasonably) concluded that the flawed framework was to blame. Think W3 received a Civil Monetary Penalty of £150,000.

When the ICO published the notice on their website, on page 3 of the notice, a sentence or two was tantalisingly redacted. My friend and fellow blogger Jon Baines wrote about the case at the time, noting in particular that Think W3 were not a random small travel company, but a wholly owned subsidiary of Thomas Cook. Thomas Cook bought the company in 2010 and sold it in January this year. The ICO made no mention of Thomas Cook, but Jon made short work of identifying the connection. He suggested to me that perhaps the missing sentence in the CMP was a reference to the parent company, and so I decided to make an FOI request to the Commissioner to find out whether he was right.

The ICO responded (by remarkable coincidence, on the last of the available 20 working days) by providing me with the redacted information:

Both companies were part of the Thomas Cook Group at the time of the below mentioned incident until they were sold on 24 January 2014.

As always, the ICO was unable to leave it at a bald answer (hint to FOI officers, less is often more). They explained the redaction as follows:

“The information was redacted following concerns raised by Thomas Cook, about its inclusion. The concerns focused on the fact that Thomas Cook considered it to be irrelevant and potentially prejudicial. They have said that Think W3 Ltd operated independently of other companies in the Thomas Cook Group and the system that was the subject of the security breach was in no way connected to the systems used in any other part of the Thomas Cook Group. Further, that the Essential Travel computer system that was the subject of the security breach was a legacy system that was used by Think W3 Ltd/Essential Travel before those companies became part of the Thomas Cook Group in 2010 and that system has at no time been connected to the systems used by any other part of the Thomas Cook Group.

As these concerns were only raised at a time when the civil monetary penalty notice was final and could not be altered the information could not be removed, but had to be redacted”

My request was made on the same day that the notice was published, and the response was provided to me within a calendar month. If disclosure is not prejudicial now, it was not prejudicial then. As I said above, it took Mr Baines minutes to make the connection between Think W3 and Thomas Cook, so any notion of prejudice is fanciful. Moreover, Thomas Cook’s claim that their ownership of the company at the time of the breach is “irrelevant” is twaddle. For one thing, Thomas Cook owned the errant company during the time of the incident and more importantly, during the period when their security was inadequate. They also paid the CMP, which makes their claim of irrelevance an insult to our collective intelligence.

Crucially, no matter how independently Thomas Cook allowed Think W3 to operate, what happened in Think W3 reflects on Thomas Cook. The public – providing their data to the range of companies owned by the group – are entitled to know that Thomas Cook does not check whether proper controls are in place in its members. The ICO should have rejected these wholly spurious claims out of hand, and instead, they meekly complied: the information “had to be redacted”.

There are two important reasons why these redactions run entirely counter to what the ICO should be about. Firstly, there are quite a few of us who believe that the ICO’s enforcement of the Data Protection Act is unfairly skewed against the public sector. Out of dozens of Data Protection CMPs since 2010, only a handful have been against private sector companies. Nevertheless, senior figures in the ICO cling to the idea that ‘market forces’ play a part in deterring organisations from misusing our data. Personally, I don’t believe them, but editing the notice prevents the ICO’s own pet theory from being tested. Market forces cannot be influenced as the ICO wishes if they themselves hide the information.

The other problem is that the ICO is not just the regulator of Data Protection, but also of Freedom of Information. Instead of championing openness and transparency, the ICO cravenly removed the Thomas Cook reference when there was no reason to do so other than Thomas Cook’s (pointless) sensitivities. There was no exemption under FOI (as my request demonstrated), just a regulator all too keen to accommodate big data controllers. Indeed, although they have told me what they removed, the redacted notice is, at the time of writing, still on the website.

This is far from the first time the ICO has issued a redacted CMP notice, and it probably won’t be the last. But this one demonstrates that the reasoning behind such censorship is flawed, and we should be quick to ask questions when they do it again.