Wake up and smell the non-trivial data security incidents

by | Jul 5, 2012 | Another bunch of people who will now hate my guts, Christopher Graham, Data Protection, FOI, ICO | 2 comments

You know what it’s like. You’re travelling home on three trains to complete a journey that would take half the time if only the trains went a sensible way. You’re too tired to do anything constructive, you’ve forgotten your Kindle but you’ve afraid to do nothing in case you doze off and miss the stop in Leicester.

It’s occasions like this that make me glad of the Information Commissioner’s Annual Report and Accounts. In the real world, there’s no way I’d bother to read them (yes friends, if you did, that puts you even higher up the anorak tree than me), but as we ploughed lackadaisically the Midlands, it was better than the alternative, which was a damp copy of the Metro on the table or a silent version of ‘Cars 2’ on my neighbour’s laptop.

And while other more sensible people will no doubt mine the document for all manner of worthwhile and revealing nuggets, in my tired state, I found myself drawn to the marginalia. And so, for your edification and enjoyment, I thought I would relate my ten favourites.


Chris Graham sometimes runs out of proper sentences: “No cases more than a year old and the average much less and falling. More Decision Notices than ever before. More enforcement action.


The ICO effectively imposes a target on all public bodies of responding to FOI requests on time in at least 85% of cases. It clears up 83% of its FOI complaints within its own deadline (which is 90%).


If Graham Smith signs off your FOI decision notice, your case is “complex, novel and high-profile.” He hasn’t done any of mine.


6% of the complaints received by the ICO in the report relate to security. 100% of the civil monetary penalties issued by the ICO in the same period related to security.


It sounds like the ICO is not going to get powers to do mandatory audit for local government or the NHS:

In December 2011, we submitted a business case to the Ministry of Justice to extend these powers to the NHS and local government sector. Experience has taught us that sectors where we already have compulsory audit powers are much more likely to consent to an audit. We will continue to push for these powers where the evidence supports it.


Someone in the ICO should learn how to use spell-check e.g. saing (saying), relvance (relevance), knowledeable (knowledgeable) and the occasionally controversial totaling (double l). Try this one: schadenfreude.


The ICO spent £869,000 on communications and external relations. I can’t think of anything better that a regulator could spend the best part of a million pounds on in times of austerity.


The departing Head of Organisational Development (which sounds like ICOSpeak for HR) received a payoff of £94,000.


The first of the listed risks to the ICO is “the possible loss of public confidence in my office as a regulator for information rights legislation”. I’d just like to take this opportunity to say how much I’ve enjoyed my small contribution to making this a reality.


On page 62 (of 83), the ICO mentions having experienced “one non-trivial data security incident” of their own. It took that long for me to find something to do an FOI request on – I suspect they won’t tell me what it was, but you have to admire the chutzpah of an organisation capable of such bombast as ‘wake up and smell the CMP” for everyone else, while preferring euphemisms like ‘non-trivial‘ for their own blunders. Let’s see if I can get Graham Smith’s autograph on the Decision Notice.