Calls grow for inquiry into UK data watchdog after MoD leak

Civil society groups are urging MPs to launch a parliamentary inquiry into the Information Commissioner's Office (ICO), accusing the UK data watchdog of abandoning its enforcement duties after it declined to investigate a Ministry of Defence data leak linked to dozens of deaths. In a letter [PDF] sent this week to the chair of …

  1. may_i Silver badge

    Beyond Shameful

    Most data breaches only represent financial risks for the people who are exposed. In this case, the breach resulted in people who the UK government promised to protect being murdered.

    To not investigate and punish the MoD for this is unacceptable.

  2. Doctor Syntax Silver badge

    insisting the incident was a "one-off" error

    All incidents are one-off when they happen. That doesn't make them OK.

  3. Pascal Monett Silver badge
    Flame

    Proportionate responses

    Oh, you mean the dinner in a posh restaurant where, over the after-dessert sherry the ICO representative gently hints to the MoD representative that this situation is getting "politically delicate" and "something must be done".

    To which the MoD representative answers "another sherry?" ...

    Yes, I know Yes Minister by heart. They seem to follow the book on this.

  4. Anonymous Coward

    insisting the incident was a "one-off" error

    Oh really?

  5. Mike 137 Silver badge

    The entire DP regulatory system is toothless

    "insisting that cooperation, guidance, and "proportionate" responses achieve better long-term compliance than headline-grabbing penalties"

    The expression "headline-grabbing penalties" clearly indicates that the ICO doesn't have a clue about what minimises data breaches. And whether 'cooperation, guidance, and "proportionate" responses' deliver useful results depends entirely on the definition of those terms and their applicability to individual cases. (BTW it's revealing that the word proportionate is double quoted, as if it's not to be taken seriously.)

    Via submissions to several govt. consultations on data protection over the years I have repeatedly suggested that a more effective response would be in three phases: an enforced independent audit of the breach, a set of mandatory remediation actions and an independent post-implementation audit to confirm they were in place and working -- all at the breaching organisation's expense. This would be vastly more effective than fines, which to many organisations are just a cost of doing business (and against which they may even be insured).

    So far my suggestion has apparently fallen on deaf ears and the ICO has increasingly ignored pretty much all but high profile data breaches that gain mainstream media attention, even where (in my direct professional experience) the implications of apparently minor infractions have had potentially far reaching consequences. This (underlined by the expression "headline-grabbing penalties") leads me to the (possibly uncharitable but inescapable) impression that the ICO might be at least as concerned about enhancing its public image as it is about fulfilling its ostensible role in protecting the public (a well recognised stage in organisational decline).

    For reference: I am a 40-odd year veteran in information management with professional involvement in data protection since the 1984 Act.

    1. Expect Great Things

      Re: The entire DP regulatory system is toothless

      “Whether MPs will bite is another matter.”

      You do have to wonder how long a tail this is going to have. There are a lot more unfortunate people on the list.

  6. seldom

    ICO

    It's Completely One-off

  7. mark l 2 Silver badge

    I purchased a used PC from an auction about 15 years ago and inside the optical drive was a CD-RW which contained a classified MOD document about tank camouflage techniques. Something I am fairly sure shouldn't have ended up in my grubby mitts. So the MOD being leaky is nothing new.

  8. Anonymous Coward

    Anon for obvious reasons ...

    The MoD has a huge number of IT users - I believe in the order of 200k. Few of them are "IT experts" - most are people doing other jobs where IT is a tool for doing that job. And the bulk of the tools provided are ... wait for it ... Microsoft 365 which we all know is [sarcasm]really easy to use[/sarcasm].

    Key is that there is no readily available database - so everyone uses Excel which we all know is such a great database with its lack of any tools an even mediocre database should have. Internally these "Excel databases" can be shared via live access to a OneDrive or Sharepoint site. Once anyone outside of MoD needs access, then it gets emailed ... which [sarcasm]we all know is never prone to mistakes[/sarcasm].

    The only surprise is that there aren't more breaches than there are.

    1. W.S.Gosset Silver badge

      Yeah, I'm at a bit of a loss as to what any ICO investigation COULD be expected to achieve. The problem is widely known; it was an absolutely standard occurrence of the known-most-likely breach; there is no obvious (or even non-risible) solution to the nature of the problem. Any formal theatre of "Investigation!" is just pouring money & time down the drain.

  9. Ian Mason

    Didn't investigate but can brush off things as a "one-off"?

    Information Commissioner John Edwards defended his stance at a DSIT-hosted hearing last month, insisting the incident was a "one-off" error rather than evidence of systemic non-compliance inside the MoD.

    Erm, how does he know that it's a "one-off" without investigating it? If there is systematic non-compliance surely it takes an investigation to uncover that, or prove that such an accusation is unfounded?

  10. Will Godfrey Silver badge
    Unhappy

    As I said before

    It's most important that the 'right' arses are covered.

    And they have doubled down on ensuring the accuracy of my statement.
