The ICO Fails to Take Action over the Post Office Horizon Scandal

The ICO has just applied its public sector approach and issued a reprimand to the Post Office for their Horizon IT scandal data breach. In short, the Post Office unlawfully published the identities of Horizon’s victims, and the ICO reckons this is not too bad after all.

ORG Legal and Policy Officer Mariano delli Santi said:

“The ICO assessment that the Post Office data breach would not qualify as “egregious” is ludicrous. The Horizon scandal was a human tragedy where thousands of innocent people faced unjust convictions, imprisonments and bankruptcies, leading at least thirteen people to commit suicide. The Post Office failure to protect the identities of these victims adds insult to that injury.”

“This reprimand is a go-ahead for public organisations in the UK to keep inflicting harm, knowing that the ICO will let them off the hook. As reprimands lack the force of law, the Post Office can rest assured that they will not face consequences if they fail to address their shortcomings, and another data breach happens in the future. The ICO should have, at the bare minimum, issued an enforcement notice that legally binds the Post Office to take action.”

“The behaviour of the ICO is unacceptable, and an insult to the human cost that victims of the Horizon scandal have suffered. We reiterate our call to the Select Committee for Science, Innovation and Technology to open an inquiry into the Information Commissioner’s Office.”

Collapse of enforcement at the ICO

In November, more than 70 civil society organisations, academics and data protection experts urged the Chair of the Select Committee for Science, Innovation and Technology to open an inquiry into the collapse in enforcement activity by the Information Commissioner’s Office (ICO).

The organisations’ demand for an inquiry was made more urgent by the data regulator’s decision to not formally investigate the Ministry of Defence (MoD) after one of the most serious data breaches in British history – the leaking of a spreadsheet containing the details of over 19,000 people who were fleeing the Taliban.

As the open letter reported, the Afghan data breach is not an isolated case, but part of a broader trend which has seen the ICO shying away from using its enforcement powers. Evidence shows a correlation between the ICO’s lack of formal regulatory action and a surge in data breaches in the UK, some of them egregious.

Issuing a reprimand to the Post Office is further evidence that the ICO’s approach is failing to protect people’s data protection rights.
