So will the £500,000
be paid out of government coffers for ICO to deposit the fine back into same?
The UK's Information Commissioner's Office (ICO) has fined the Cabinet Office because it failed to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of recipients of New Year's honours. Twice a year, the government dishes out a mixed bag of honours – knighthood and Order of …
I thought that HMG did not fine itself.
So I am bewildered (and STILL awaiting my richly (un)deserved knighthood for services to procrastination).
More seriously, a tad worrying that Cabinet Office is responsible for running Government security policy (including IT security). There was a Register article recently, I recall, about how much they were spending on training their staff in IT security.* Clearly someone is in need of a refresher:
The government take care to protect government secrets e.g. cups of tea served per day. But it seems the Treasury refuse to allocate money to protect personal data. This incident is just one of many. I hope, forlornly, that some Treasury official gets sacked and loses their pension.
> I hope, forlornly, that some Treasury official gets sacked
Don't worry, every organization includes "fuse" subordinates who are there to get fired if the bloodthirsty crowds demand a human sacrifice. You identify them easily by the fact they don't do anything important, so their sudden departure won't disrupt operations.
I'm amazed to see this happen, especially to a government agency. As I posted in the past day in another ICO-related article:
ICO are a complete waste of space
Just received the final response from ICO on a case I raised about 6 months ago.
Once again whilst the ICO indicated that they agree the government agency did not comply with GDPR and PECR the case is now closed with their usual waffle along the lines of them telling the agency to ensure staff attend mandatory training annually and that the agency's policies and procedures must be updated to reflect GDPR.
This for a complaint that was specifically regarding the agency's Data Protection Officer failing to adequately perform their duties (as defined in GDPR) and of their DPO failing to get actively involved in my original direct complaint to the agency (at the time the agency's DPO simply passed my complaint on to the "relevant team", did not get involved in the issue at all, and did not even acknowledge receipt of my complaint). The DPO even had the audacity to claim that PECR was nothing to do with them as their DPO duties only covered GDPR compliance.
For the various cases I've raised with ICO over the past couple of years the ICO has yet to take *any* significant action as a result of any of the complaints, even when they agree, for the majority of these cases, that GDPR/PECR has been broken.
In typical data breaches, amount of fine per persons details leaked is tiny
In this case, by ICO standards, its huge
They obviously deem honours recipients as a higher calibre of person than your average pleb.
Or can we see this as a start of a new approach and ICO fines actually exceeding a weedy slap on the wrist*
* No, its one rule for them and one for the rest of us yet again