Mishcon de Reya

ICO issues statutory reprimand to a recruitment company

Posted on 28 September 2023

The Information Commissioner's Office ("ICO") has issued a reprimand to a recruitment company for infringements of Articles 5(1)(f) and 32(1)(b) of the UK GDPR.

The action was taken because the company failed to implement adequate security measures, resulting in personal data in the form of 12,000 records belonging to 3,000 workers being publicly accessible without requiring authentication. In this particular case, the inadequacy of the security measures compromised the confidentiality and security of the processing.

What is a reprimand?

The ICO has the power, under Article 58 of the UK GDPR, to issue a reprimand if a processing operation contravenes the provisions of the UK GDPR. A reprimand can be issued in the form of a simple letter, and can be issued against both a controller and a processor.

In the above case, the reprimand was issued as the ICO's investigation revealed that the company mishandled the personal data of its workers by failing to implement sufficient security measures, which resulted in the records of 3,000 workers being publicly accessible.

What are the practical implications for organisations that receive a reprimand?

Under the current Commissioner, the use of reprimands has increased as the number of fines has decreased. However, concerns have been raised about whether there is a lack of consistency or clarity in the process of issuing or challenging reprimands. As the ICO normally publishes reprimands on its website, they carry the risk of reputational damage for the reprimanded organisation, but with no obvious way to contest them.

The ICO's Director of Investigations recently published a blog post indicating that the move to publishing all reprimands was part of a drive to "provide certainty to businesses and organisations in what the law requires from them".

However, if the ICO's current "reprimand-only" approach continues against the recent background of serious data breaches, and if those reprimands continue not to have an associated (and published) policy of guidance (whilst not being amenable to appeal), then there will surely be calls for a rethink.
