Electoral Commission Reprimanded for Data Breach Affecting 40 Million People

Last week the Information Commissioner’s Office (ICO) issued a GDPR reprimand to the Electoral Commission.

In August 2023 the Electoral Commission revealed, in a public notice issued under Articles 33 and 34 of the UK GDPR, that it had been the victim of a “complex cyber-attack” potentially affecting millions of voters. It had discovered in October 2022 that unspecified “hostile actors” had managed to gain access, from August 2021, to copies of the electoral registers. The hackers also broke into its email and “control systems”.

The Commission said the information it held at the time of the attack included the names and addresses of people in the UK who registered to vote between 2014 and 2022. This included those who opted to keep their details off the open register, which is not accessible to the public but can be purchased. The data accessed also included the names, but not the addresses, of overseas voters. The Commission further explained that it was difficult to predict exactly how many people could be affected, but it estimated that the register for each year contains the details of around 40 million people.

The ICO reprimand reveals that the Commission did not take basic security steps to ensure the protection of personal data. The ICO said:

“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.”

Many have criticised the ICO for issuing a “slap on the wrist” rather than a fine for an entirely preventable cyberattack that exposed the personal data of 40 million UK voters. But the reprimand is in line with the ICO’s approach to public sector enforcement, which has been the subject of a two-year trial since June 2022. Explaining the approach at the time, the Information Commissioner wrote:

“I am not convinced large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services. The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”

In June the ICO announced that it will now review the two-year trial before making a decision on the public sector approach in the Autumn.

The Act Now Advanced Certificate in GDPR Practice is designed for experienced Data Protection Officers seeking to develop their skills and confidence to tackle the most challenging data protection projects within their organisation.