Information Commissioner’s ‘Today’ Interview 13/12/23

Stuart Skelly | Senior Consultant at URM | Published on 14 Dec 2023

On Wednesday 13 December, the UK’s Information Commissioner, John Edwards, was interviewed on Radio 4’s ‘Today’ programme.  Mr Edwards was invited to discuss a fine of £350,000 which his office, the ICO, had just imposed on the Ministry of Defence (MOD) for a breach of the UK’s data protection (DP) rules in September 2021.

The breach, though ‘very serious’, was caused by a simple oversight which occurs frequently in many British organisations – failing to use email’s ‘blind copy’ or ‘BCC’ feature to hide the personal email addresses of individuals to whom a bulk ‘circular’ email was being sent.  Many email addresses contain people’s names or other details (such as nicknames) from which they can be identified.  This makes the addresses ‘personal data’, protected by law.

The reason why the MOD’s error was particularly grave in this case was that the addresses CC’d (not BCC’d) on its email were 265 individuals who had assisted UK forces in Afghanistan and who were therefore potentially subject to life-threatening reprisals by the Taliban regime.  In other words, the MOD’s mistake had not only compromised the email recipients’ privacy, but also endangered their lives.

The Information Commissioner’s remarks, as well as being a stark reminder of the possible ramifications of seemingly ‘minor’ data security breaches, were interesting because of the insight they gave into the ICO’s process for assessing the level of fines which they issue.  The Commissioner explained how, based on the seriousness alone of the breach, the ICO in its ‘Notice of Intention to Fine’ which it served on the MOD suggested an initial penalty amount of £1m (this figure Mr Edwards referred to as the ‘tariff’ for the infringement).

Having set this proposed tariff, the ICO then allowed the MOD to make representations.  As a result of these representations (which included the MOD’s willingness to cooperate with the ICO’s investigation, and the remedial steps – such as reviewing their methods of communication – which the Ministry took immediately after becoming aware of the breach), the ICO reduced the fine by £300,000.

Mr Edwards then went on to explain that the remainder of the discount applied to the tariff to arrive at the eventual fine of £350,000 was accounted for by what he called the ICO’s ‘public sector stance’.  This stance, first announced in the summer of 2022, dictates that monetary penalties are not the primary means that the regulator prefers to enforce public sector bodies’ compliance (and to punish their non-compliance) with DP laws.  Since then, the ICO has favoured the ‘public accountability’ of issuing reprimands naming public authorities who break the law as a more effective deterrent than fines which, ultimately, the taxpayer picks up the tab for.

When asked why he wasn’t concerned that the Ministry might just ‘brush off’ a fine of this figure (which is relatively low, in terms of government department budgets), Mr Edwards replied that the MOD had convinced him they appreciated the gravity of their security breach, exacerbated as it was by the fact that it went to the heart of their mission in respect of the individuals involved – which was to protect them.

The final, very useful, takeaways from the Information Commissioner’s interview were the changes which he described the MOD as having made to their means of communicating as a result of the breach (and which had led him to be confident that the set of circumstances which gave rise to it would not recur in future):

  • not relying on fallible humans to use BCC in the first place;
  • instead, using volume-send email and mail merge services which automatically conceal individual email addresses from other recipients; and
  • having policies and staff procedures in place to support the use of such tools.

These are measures which organisations of all kinds – not just those in the public sector – can adopt to control against this common data security risk, and hopefully use to avoid repetition of the kind of situation in which the Ministry of Defence failed to defend some very vulnerable individuals.
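To make the first two measures concrete, the following is an added illustration (not code from the article, URM or the MOD) of how a per-recipient ‘mail merge’ sender removes the need for anyone to remember BCC, and how an outbound guard can reject a message that would expose other recipients’ addresses. The sender name, subject, template and recipient list are constructed sample values; the transport is injected so the script runs offline, but `smtplib.SMTP.send_message` would slot in for real delivery.

```python
"""
Two controls against the 'CC instead of BCC' failure:
 1. a mail-merge style sender that produces one message per recipient, so
    no recipient can ever see another recipient's address; and
 2. an outbound guard that refuses any message carrying more than one
    visible address across To and Cc.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from string import Template
from typing import Callable


class BulkSendPolicyError(Exception):
    """Raised when an outgoing message would disclose other recipients."""


def recipient_addresses(msg: EmailMessage, header: str) -> list:
    """Return the bare addresses in a header (empty list if header absent)."""
    values = msg.get_all(header, [])
    return [addr for _name, addr in getaddresses(values) if addr]


def check_outgoing_message(msg: EmailMessage, max_visible: int = 1) -> None:
    """Outbound guard: reject a message whose visible recipients (To + Cc)
    exceed max_visible. Bcc is not shown to recipients, but a per-recipient
    sender never needs it, so its presence is treated as a policy breach too."""
    visible = recipient_addresses(msg, "To") + recipient_addresses(msg, "Cc")
    if len(visible) > max_visible:
        raise BulkSendPolicyError(
            f"{len(visible)} visible recipients; would disclose addresses"
        )
    if recipient_addresses(msg, "Bcc"):
        raise BulkSendPolicyError("use per-recipient messages, not Bcc")


def build_individual_messages(sender, subject, body_template, recipients):
    """Mail merge: one EmailMessage per recipient, addressed only to that
    recipient. `recipients` is an iterable of dicts with at least 'email';
    the other keys fill $placeholders in the body template."""
    tmpl = Template(body_template)
    messages = []
    for rec in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rec["email"]
        msg["Subject"] = subject
        msg.set_content(tmpl.safe_substitute(rec))
        check_outgoing_message(msg)  # guard every generated message as well
        messages.append(msg)
    return messages


def send_all(messages, transport: Callable[[EmailMessage], None]) -> int:
    """Send via an injected transport (e.g. smtplib.SMTP.send_message);
    every message passes the guard before it leaves. Returns the count sent."""
    sent = 0
    for msg in messages:
        check_outgoing_message(msg)
        transport(msg)
        sent += 1
    return sent


# Constructed sample data: hypothetical addresses, not from the article.
SAMPLE_RECIPIENTS = [
    {"email": "alice@example.org", "name": "Alice"},
    {"email": "bob@example.org", "name": "Bob"},
    {"email": "carol@example.org", "name": "Carol"},
]


def demo():
    """Send three individual messages, then show the guard blocking the
    failure mode the article describes (one message, everyone in Cc)."""
    msgs = build_individual_messages(
        "relocation-team@example.gov", "Update on your application",
        "Dear $name,\n\nPlease see the update below.\n", SAMPLE_RECIPIENTS)
    outbox = []
    send_all(msgs, outbox.append)

    bad = EmailMessage()
    bad["From"] = "relocation-team@example.gov"
    bad["To"] = "relocation-team@example.gov"
    bad["Cc"] = ", ".join(r["email"] for r in SAMPLE_RECIPIENTS)
    bad.set_content("Dear all,\n")
    try:
        check_outgoing_message(bad)
        blocked = False
    except BulkSendPolicyError:
        blocked = True
    return len(outbox), blocked


if __name__ == "__main__":
    print(demo())  # (3, True)
```

The guard is the piece worth deploying at the mail gateway or in the sending script rather than leaving to individual staff: it turns ‘remember to use BCC’ into a rule that a bulk message with several visible recipients simply does not leave the organisation.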

Stuart Skelly
Senior Consultant at URM
Stuart is a highly experienced and knowledgeable GRC consultant at URM who has specialised in data protection law for 25 years.