ICO reports security failures across all sectors as fines continue to ramp up in 2019

Since May 2018, when GDPR kicked in, the ICO has been progressively investigating the data breaches reported to it, and no one has been spared in its enforcement actions. Cases range from local Government officials illegally accessing personal data, to public bodies (including HMRC, for data harvesting), the Metropolitan Police (for its handling of Subject Access Requests) and the NHS (for illegally accessing medical records), to regulated industries and small businesses sending unsolicited communications by email or telephone (affecting up to 4.5 million unsuspecting contacts). In one extraordinary case, a Council employee shared unredacted data about alleged gang members profiled on a police intelligence ‘Gang Matrix’ database with other Council staff and external organisations. This data ended up on social media and was then used by the gang members themselves. Unbelievable, but sadly true.

Amicus ITS Director of Technology, Security & Governance, JP Norman commented: “The ICO are striking a balance between the severity of a breach individually, the volume of data affected and the harm and distress caused by the breach of security and lack of protocol. We can see from the enforcement notices published across 2018-19 the huge variety of cases that the ICO have dealt with in the last 18 months, and ultimately this illustrates that data responsibility is in the hands of every individual, with the fallout picked up by the organisation/company directors”.

The big headline fines this Summer were the £183.4m fine issued to British Airways following the 2018 cyber incident, in which users logging in to BA’s website were diverted to a fraudulent site where their personal details, payment information and travel plans were harvested. This represented 1.5% of global turnover, out of a maximum possible fine of 4%. The other was the £99.2m fine to the Marriott International hotels group for a data breach in which 339 million guest records globally were exposed over several years following a merger, with a lack of due diligence and of security measures being adopted. Both organisations are seeking to defend their position. Other big names fined for cyber security failures included Equifax (£500,000), Uber (£385,000) and Yahoo! (£250,000).

Against this backdrop, the ICO Annual Report for March 2018-19, published in July 2019, recorded that 82% of the personal data breaches investigated had been closed with no further action, because corrective measures to avoid a repeat had been taken or were being acted upon. We should take this as positive news: organisations are learning to manage their data more responsibly.

JP Norman adds: “All organisations face the same responsibilities around data management and data security. At the heart of good practice is education and staff training. This can identify what is appropriate when sharing data and that, if approved, it is done lawfully and safely. Organisations, institutions and businesses of any size must have a Data Protection Officer (DPO), who may also be the Data Controller if appropriate. These representatives need ready access to policies and guidance around data security and the measures to be taken in the event of any breach, which can be evidenced and practised as part of a smart Business Continuity Plan. This can be intimidating for businesses of even medium size to get to grips with and act on confidently, so we often see the DPO function outsourced”.

Amicus ITS recognises the challenges organisations face and earlier this year published our new Virtual Data Protection Officer service on G-Cloud 11 for public sector customers. Notably, this service is equally available to SMEs. Any organisation that is unsure whether it has the right security policies and security measures in place can contact Amicus ITS in confidence. If the service is taken up, this security consultancy could not only save you £000s but also help protect against reputational damage, which can be priceless. Call our Sales team today for a free initial discussion on +44 2380 429429.


This week’s technology news – 9th January 2015

MP calls out to end ‘redundant’ email disclaimers
UK Member of Parliament, Alan Duncan has put forward a Ten Minute Rule Bill to the House of Commons for the removal of legal disclaimers on emails.

The MP made an impassioned bid to relieve UK government departments, councils and companies of the frustrating and often lengthy email disclaimers that litter the footers of our email traffic. The impact is felt immediately when email conversations get printed out, but it is also a frustrating distraction for users trawling through email chains on a computer screen. Alan Duncan comments that the waiver, as presented, is essentially unenforceable, overly lengthy and often incomprehensible.

Email disclaimers often range in length from 100-200 words. Reviewing Parliamentary disclaimers, the MP noted that the Conservative party disclaimer stands at 183 words, Labour’s at less than 50 words and Parliament’s own disclaimer at 60 words. The Honourable Member for Rutland and Melton was very proud to have got his ministerial department’s disclaimer down to 17 words.

The bill will get a second reading on Friday 6th March. Despite this well-considered initiative to think ‘green’ in 2015, the bill may nonetheless fail to reach the Statute book for lack of time. Even so, all organisations should take this opportunity to voluntarily review what is absolutely necessary, rather than simply adopting common practice, and make a difference.

Amicus ITS seeks to support this bill and will be reviewing its own open text disclaimers to seek possible improvements in 2015.


Sir Alan Duncan MP