Out-Law News 2 min. read

Data protection laws breached by Government over public consultation security flaw, says ICO

The Department for Education (DfE) was guilty of a breach of UK data protection laws when a "temporary security flaw" meant that personal information belonging to respondents to one of its consultations was "compromised", the UK's data protection watchdog has said.

Email addresses, unencrypted passwords and individuals' answers to questions posed in the consultation, which related to possible parental controls on the internet, were accessible as a result of the flaw, according to a report by The Register. The Register said it had notified the Information Commissioner's Office (ICO) about the data breach after readers had flagged up the problem.

In a statement the ICO said that although it had determined that DfE had been in breach of the Data Protection Act, the nature of the breach had not been such as to merit issuing the Department with a civil monetary penalty notice.

"We have contacted the Department for Education over a temporary security flaw that was found on their website," the ICO said, according to the Register's report. "The flaw related to a consultation taking place over the course of Thursday 28 and Friday 29 June. The flaw was resolved the following day but resulted in a limited amount of personal information being compromised."

"Following our enquiries we have found that the DfE did breach the Data Protection Act. However, as the personal information compromised was not sensitive and any distress caused is likely to have been minimal, we have decided that no further enforcement action is required at this time. We will be keeping a record of this incident and may revisit it again if further compliance issues come to our attention," the ICO said.

Under the Data Protection Act organisations in control of personal data are required to take "appropriate technical and organisational measures" to prevent "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

The ICO has the power to issue civil monetary penalties of up to £500,000 against organisations for serious breaches of the Data Protection Act (DPA) they are responsible for.

In order to merit the issuance of a fine the DPA contravention must be of such a nature that it is "likely to cause substantial damage or substantial distress" and organisations must either have known or ought to have known that there was a risk that a breach would have such an effect on individuals but "failed to take reasonable steps" to prevent the breach happening.

The ICO has issued guidance on the procedures it follows when determining whether and how much to fine organisations. The guidance states that the watchdog will only impose a monetary penalty if it is "appropriate" to do so and at a level that is "reasonable and proportionate, given the particular facts of the case and the underlying objective in imposing the penalty".

Whether a penalty is reasonable and proportionate or even appropriate at all depends on "the particular facts and circumstances" of individual cases and the "representations" that organisations are permitted to make to explain the incident.

"We took the site down as soon as we were made aware of a potential breach of the Data Protection Act and informed those who might have been affected immediately," DfE said in a statement, according to the Register. "The problem was detected very quickly so only a very small number of people were affected. We have taken all necessary steps to ensure that this will not happen again."
