The missing courage of the ICO

I note from Jim Killock’s pinned repost of a post by David Erdos on X that the media and the ICO have issued a report, dated March 2024, on journalistic practices and the Data Protection Act 2018. This was produced as part of the response to the Leveson Report, itself spawned by the Milly Dowler and celebrity phone-hacking scandal. Erdos makes the point that the ICO did not make use of its investigatory powers, which he refers to as §17 powers, nor was the story followed up by … err! … the Press.

Additionally, over the last week the ICO published the report of its investigation into the Labour Party and its compliance with the GDPR/DPA. Again, they weren’t asking the big questions, and the report says more about the mitigation actions than about the compliance failures. This allows the Guardian to run a headline focusing on the failure to respond to DSARs; in fact the Guardian focuses only on late responses, not on failures to respond at all, and everyone is silent on the refusals.

I would like to know what measures the Party took to ensure that its IT sub-contractors met their obligations as data processors; what measures the Party took to ensure its DPO was qualified[1] according to Article 37 of the GDPR; why no compensation has been offered or mandated to victims of the breach; what measures Labour took to ensure the completeness of its DSAR responses; what measures the Party took to ensure that only appropriate staff had access to personal data; and what measures the Party took to ensure that the democratic rights of members weren’t adversely affected by the breach. It would seem the ICO has not asked these questions; this is exceedingly disappointing.

Regulatory capture is a well-studied phenomenon. However, it’s simpler to achieve if one is the government rather than a private business or an NGO. It seems pretty clear that the ICO is frightened of the major political parties, which, since human rights law is designed to protect citizens from governments, rather spoils the point of having one. NB the GDPR has a lot to say about the importance of the independence of both Data Protection Officers and the national data protection supervisory authority.


[1] “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices …” n.b. data protection practices require expertise in cyber security. …

Lightning never strikes twice

In my blogs on the Track & Trace failure [blog | linkedin], I make the throwaway comment that Govt. IT often fails repeatedly because no-one is held accountable or punished, and thus nobody learns; but in this case it’s not true. Dido Harding, the CEO of Track & Trace, was CEO of Talk Talk when it was fined £½m for another data protection breach, caused by another failure, in this case the failure to shut down an application running on an out-of-date, unpatched version of MySQL, leaving it vulnerable to SQL injection, one of the OWASP Top 10 vulnerabilities. How unlucky can you get? …

Bosses & CCTV

I wrote a piece on my linkedin blog called “Reusing CCTV in employee relations”. I rang the ICO and was told that employers can reuse CCTV “if they come across something they cannot reasonably ignore”. The linkedin article looks at the ramifications of this and points to the ICO document “The employment practices code”, which states that cameras may not be covert and may not be used for general monitoring. …