Of all people to accidentally publish personal details, you wouldn’t have thought it’d be an independent watchdog…
Following news reports form the BBC, the expenses watchdog has been left red-faced and has issued an apology for their disastrous error where approximately 3,000 MPs’ employees and their salaries were mistakenly published.
The Independent Parliamentary Standards Authority (IPSA) was created by Parliament in 2009 to independently oversee and regulate MPs’ business costs and expenses, and in this instance, they have found themselves at the centre of a scandal themselves.
What was disclosed?
Through their apology, the IPSA noted what private information was published:
- Employees’ names;
- Employees’ salaries and bonuses;
- Employees’ disabilities and their allowances;
- Employees’ details about their working and holiday patterns;
- Details of the employees’ wives and family members.
The IPSA confirmed that no addresses, bank account details, national insurance numbers, or phone numbers were published. However, they acknowledged that the personal information disclosed was extremely personal.
ISPA’s CEO, Marcial Boo, tried to reassure the employees involved that none of the information would put their security in jeopardy. But how can he make such an assurance?
Data breach inquiry
Following the error, the IPSA launched an inquiry in order to get to the bottom of the matter. They believe that “extremely sensitive” information stored on 3 files was publicly available for approximately 4 hours.
The IPSA was notified of the breach by a Conservative MP, Karl McCartney, and the information was taken down within an hour. As the information was publicly accessible for 4 hours, it could have been circulated to thousands or millions of people. The initial findings of the inquiry found that it was mistakenly uploaded onto an old version of its website, which will be archived.
Embarrassing
Mr McCartney is, understandably, highly embarrassed by the incident and posted his opinion on Twitter that whoever posted the files online, “really needs some IT training before their next job”. We’re with you there, Mr McCartney. Not only is it embarrassing for an independent public authority, but it also disregards data protection rights and principles afforded under the Data Protection Act.
ICO’s involvement
As with most data breach cases, the Information Commissioner’s Office (ICO) has been notified to provide their comments and findings on whether they believe a breach of the law has occurred. It’s quite clear to there is a data breach of the employees’ personal data in or view, as their information was published without their knowledge or consent. Though the ICO’s findings aren’t legally binding, they can be useful, and fines can be issued for punishment.
The bottom line is that sensitive data was disclosed to the public, and that amounts to a data breach, given that consent wasn’t given. Labour MP Chris Bryant notes the distress is may cause to those involved:
“…staff will be more worried than anyone else because they’ve done nothing to bring themselves into the public domain in this way.”