Learning from ICO Reprimands - Databasix
A man an a woman looking at a laptop with a concerned expression.

Learning from Reprimands (Public reprimands issued by the ICO)

In this article, we will explain what an ICO reprimand is and highlight different examples of data protection breaches and how the organisations have been reprimanded.

We also want to offer various different ways to ensure that you and your staff are as informed as possible to avoid any data breaches and so escape being reprimanded.

What is an ICO reprimand?

When an organisation fails to comply with regulations set out by the Information Commissioner’s Office (ICO), they will be reprimanded. A reprimand is where organisations are given a formal expression of disapproval and they are advised on how best to avoid any further data breaches, then the reprimand would be published on the ICO website.

Fines and other criminal penalties are only enforced when the data breach is in contravention with data protection regulations. Reprimands, generally, are advisory after a breach from incompetence or lack of training.

Data Subject Access Request failures

A Data Subject Access Request (DSAR) is a request from an individual to an organisation for access to their personal data. Failure to comply with such a request can result in consequences as presented by the ICO.

We will highlight two such failures in compliance with DSARs and the subsequent ICO reprimands:

Reprimand against Norfolk County Council

In this instance, it was decided that Norfolk County Council would be reprimanded after they only responded to 260 out of 511 DSARs within the statutory period of one month (this can be extended a further two months). This took place during the period of 6th April 2021 to 6th April 2022 which puts the Covid-19 pandemic at the top of the factors that led to the reprimand. It was noted that the Council did not have access to manual records located in buildings that were closed due to the pandemic. This contributed to a backlog of DSAR requests.

In response to this reprimand, Norfolk County Council has been recommended to take the following actions to ensure that this does not happen again:

  • The Council should take steps to ensure that DSARs are responded to within the deadlines
  • Adequate staff resources should be put in place to process and respond to DSARs
  • Steps should be taken to enable the Council to keep on top of any backlog

Reprimand against Plymouth County Council

In a similar situation to the above, the ICO took the decision to reprimand Plymouth County Council after they failed to provide information to the data subject without undue delay. Their compliance with responding to DSARs has also not been adequate over the last three years. The ICO has recommended that Plymouth County Council:

  • Take all steps to ensure DSARs are responded to within statutory deadlines
  • Continue to monitor DSAR compliance data
  • Action all remaining DSARs that are due to be completed
  • Consider any additional improvements that could be made to the DSAR handling process
  • Ensure adequate staff resources are put in place to process and respond to DSARs
  • Provide staff with appropriate training

How to ensure you are complying with DSAR requirements

In order to make sure you are complying with DSAR requirements, there are a number of steps you can take.

Accidental disclosure of personal data via email

The ICO understands that accidents happen, so when personal data is accidentally disclosed via email then organisations should act to minimise the data breach.

ICO reprimands resulting from accidental disclosure are mostly for educational purposes. Read about two such reprimands below:

Reprimand against Achieving for Children

This investigation found that AfC inappropriately disclosed personal data, special category data and criminal conviction data in a report. In this instance, the manager concerned did not realise on two occasions that the assessment was being sent to both the birth father and the stepfather and birth mother. This led to personal data which should have been removed or redacted being disclosed in error.

The main factor that led to the reprimand was that the social worker in question had not received training in completing redactions and neither had the manager who reviewed the report. To remedy the reprimand, all social workers must now be trained on redactions and other policies and guidance relevant to this incident.

Reprimand against NHS Highland

An error was made where 37 data subjects received an email that included all recipient email addresses, along with either first names and surnames or part of the name. This placed the data of all 37 people at risk and recipients would have been able to identify all the people on the list as someone who was accessing HIV services. To action this reprimand:

  • All 37 recipients were contacted and asked to delete the email. 19 were successfully contacted by phone and the remaining 17 were emailed.
  • NHS Highland has ceased sending group emails to patients which makes it far less likely that this error will occur again.

Ensure your staff understand their responsibilities under UK GDPR

As a company owner, it is your responsibility to ensure that your staff are familiar with and up to date on the latest GDPR laws. In order to ensure that this is the case, Databasix has a number of courses to offer you and your company. These include:

Access is available right away
Access is available every 5 weeks
  • For staff who have trained on GDPR before but just need to update their knowledge and understanding of it, we have a refresher course available which can be found here:
    GDPR Refresher Course
  • We have a blog post that covers the subject:
    5 Top Tips for Safer Email Communication
  • If you require assistance reviewing your data protection policies, we can help here:
    Support for Creating or Reviewing Policies
  • If your organisation has suffered a data breach, you have 72 hours to determine the severity of the breach and whether or not to report it to the ICO. Our Rapid Response service acts fast on your behalf to investigate the breach and recommend the correct course of action. Learn more about the service here:
    Databasix Rapid Response
  • For staff who have trained on GDPR before but just need to update their knowledge and understanding of it, we have a refresher course available which can be found here:
    GDPR Refresher Course
  • We have a blog post that covers the subject:
    5 Top Tips for Safer Email Communication
  • If you require assistance reviewing your data protection policies, we can help here:
    Support for Creating or Reviewing Policies
  • If your organisation has suffered a data breach, you have 72 hours to determine the severity of the breach and whether or not to report it to the ICO. Our Rapid Response service acts fast on your behalf to investigate the breach and recommend the correct course of action. Learn more about the service here:
    Databasix Rapid Response

Other high-profile or interesting reprimands

The following reprimands highlight just how easy it is to fail to comply either due to laziness, lack of training or lack of concentration. Some organisations may not even be aware that a breach has occurred if they lack the necessary knowledge needed to comply successfully. That is why it is so vital for you and your staff to be as up to date as possible with GDPR.

Thames Valley Police

Thames Valley Police were reprimanded for releasing witness details to suspected criminals. This led to suspected criminals learning the address of a witness (the data subject). The release had huge implications as the data subject had to move addresses and even then, the risk to them remained high. This error occurred because:

  • The appropriate measures were not in place to ensure officers were aware of existing guidance around disclosure and redactions.
  • Thames Valley Police have been unable to evidence whether the officer who made the error had received redaction training or was aware of policies around sharing information.
  • Officers had not been proactively made aware of the necessary policies and instead were just pointed towards the policy library as part of their induction.

To correct the issue, Thames Valley Police have taken the following steps:

  • The officer in question has now completed the relevant training.
  • Operational guidance has been updated to provide more detail about when information can be shared.
  • Policy documents have been updated to provide greater detail on how, what and when to make redactions.

Sussex Police and Surrey Police

Both forces were reprimanded in June 2020 when the ICO became aware that both Sussex Police and Surrey Police had access to an app that recorded all incoming and outgoing phone calls. This meant that more than 200,000 recordings of phone conversations with victims, witnesses and perpetrators were saved automatically.

In response to this:

  • The app was withdrawn from use and the recordings were destroyed.
  • It has been decided that the consideration of any new app should be assessed by a specific team with adequate and appropriate thought given to the method and means of processing.

Ministry of Justice

When a shredder lorry failed to arrive at a prison to collect the waste, 14 bags of confidential information were left in an unsecured holding area which was accessible to staff and prisoners for a period of 18 days. During this time, up to 44 individuals viewed the information, and some of it was removed.

To rectify this situation, the Ministry of Justice has put the following changes in place:

  • A new process has been implemented to ensure all confidential waste is collected within an allocated time slot.
  • Secure areas have been identified for confidential waste and staff are aware of the new procedure.
  • Sufficient shredders have been brought on-site to ensure prior shredding of confidential waste can be completed.

Why does the ICO issue reprimands and publish them publicly?

Since 6th December 2022 it has been decided that all reprimands will be published regardless of any enforcement action unless there is a good reason not to. Prior to this, the ICO only published enforcement notices, fines and summaries.

This policy has been introduced as a reminder to all organisations that every reprimand is representative of the ICO taking action when there has been an issue with data protection standards. It will serve as an example to all organisations of what is done when data protection breaches are made.

Take one action today which could help protect you from ICO reprimands

Databasix have a whole range of content on our website to support you in complying with data protection laws including but not limited to:

Get in touch with us today to find out how we can best support you.

The information and remarks provided in this article represent insight and guidance for best practice which is correct or valid or appropriate at time of publication.

Latest News & Events

What Is a Data Leak and How Do They Happen?

Data leaks are a serious problem for organisations and individuals. In this day and age, individuals freely provide personal information to organisations, therefore a data leak can have a significant impact on both the company and the person. They often involve the exposure of personal data (such as name, address and financial details), with additional damage to the company or organisation in terms of potential financial loss and reputational damage.

Read more

Contact Databasix

Email info@dbxuk.com
Tel 01865 346080

Get Data Protection Services t/a Databasix
is a registered company in England & Wales.
Registration No. 15292208

Unit B Oakwood
Oakfield Industrial Estate
Eynsham
Witney
OX29 4TH

Supported by Business Resilience secured by OxLEP Business
Supported by Business Resilience secured by OxLEP Business