

To expect the ICO to care about individuals.

27 replies

Hedgehogfriend · 08/08/2020 15:44

ICO = information commissioners office

In January I complained to the ICO about my university not protecting my data. I finally got the following response...

“the breach was first brought to the University’s attention on 10 January 2020, when an e-mail was received from a —————, which informed them that a link to your personal data had been discovered on an obscure hacking website; we have seen a screen shot of this which you provided to us;
• the link was a copy of a One Drive site that the University had sent direct to you and your lawyer on 18 December 2019; the link is usually disabled once the recipient has confirmed that they have had time to assimilate the information provided;
• on receiving the alert, the link was immediately disabled and the University’s IT assurance team took steps to investigate the provenance of the breach;
• following a thorough and forensic examination, the team confirmed that the computer and account from which the e-mail containing the link had been sent had not been hacked or otherwise compromised, nor was there any indication of user error; the team concluded that there was no evidence to suggest that the University had itself breached the data;
• the data included sensitive medical information, relevant to the ongoing proceedings; access to the material was very much restricted to you and your lawyer.

The University has confirmed that a further layer of protection has been implemented by ensuring that any links sent in the manner described above are also password protected.

From the information provided to us it does not appear that the University have breached the legislation because the IT investigation does not suggest that they were responsible for the breach in question.”

I can’t believe it’s OK to store sensitive personal information on a site without password access.

Is it unreasonable to expect passwords as a bare minimum?

Shoxfordian · 08/08/2020 16:05

The ICO does care about individuals, it just doesn't think it's the university's fault.

Hedgehogfriend · 08/08/2020 18:26

@Shoxfordian

The ICO does care about individuals, it just doesn't think it's the university's fault.
I know they don’t think it’s the university’s fault... however, it is the university that used an unprotected hyperlink to share lots of my personal information.

GDPR guidance also says information needs to be stored securely.

wigglerose · 08/08/2020 20:39

It does sound a bit like the University investigated itself and found it did nothing wrong... Hmm

However, the excerpt you've provided reads like the ICO has only looked into whether the data breach was caused by the University's actions/inaction/security measures, and is satisfied that it wasn't.
I'm not having a go at you on any level OP, but did you include a complaint about not using an appropriate level of security to hold data (even though it didn't cause the data breach)?

northprincess · 08/08/2020 22:45

It's not totally clear what actually happened here?

Shamoo · 08/08/2020 23:28

Well they have found that there hasn’t been a breach by the university, so taken no action. The university have already strengthened the protection by adding a password, and therefore that specific element of your complaint has been resolved for future use (otherwise the ICO probably would have required it). What more are you looking for OP?

notheragain4 · 08/08/2020 23:39

I'm a bit confused. The data was on OneDrive? Only you and the university would have access, I believe it's encrypted. It's password protected in that you need to be in the account to view. How did the hacker obtain the information?

c75kp0r · 08/08/2020 23:50

Could it have been picked up by the hackers without an intrusion on the Uni's Onedrive?

e.g. if you, or someone who worked for the Uni or the lawyers, opened it using free wifi in a cafe, train or hotel, or if they opened it on a home wifi/laptop that wasn't secure.

tabernacles · 09/08/2020 00:04

Of course YANBU. It's obvious that such a system is vulnerable; you can brute force it by guessing URLs if there is no password.

So yes, they were at fault and the ICO should care. But they don't.

I complained to them because an organisation wouldn't give me the notes they took on me at interview (I asked for them because it was clear from the feedback that I was discriminated against). They claimed they'd deleted them (after a couple of weeks), even though their own data protection policy said they keep them at least 6 months (and in my case it should have been nearer 2 years).

So they were either lying because they didn't want to hand them over (which is a breach because they won't give me my own data), or they'd broken their own data protection policy (which is also a breach), but the ICO just said "They say they've deleted them" and wouldn't investigate any further. Yes, I know they say that; that's what I'm complaining about!

Sparklesocks · 09/08/2020 00:11

I made a complaint to the ICO as an individual which was upheld and they agreed with my reasoning, so I’m not sure it’s fair to say they don’t care about individuals.
But I’m sorry you didn’t get the answer you wanted.

notheragain4 · 09/08/2020 08:19

@tabernacles if it's post GDPR you could try an article 82 claim, that could enable some digging into why the records were deleted so quickly and an explanation. No win no fee lawyers are starting to attempt article 82 claims.

Same goes for op of course article 82 is essentially suing them for either financial or emotional distress, sounds a bit dramatic but it's new under GDPR, very few people have done it yet and it's had very little testing, DPOs are desperate for some case law. You just complain quoting article 82 of GDPR and explain what distress you have obtained.

The problem with the ICO is they're ridiculously overwhelmed. The number of breaches reported to them is at insane levels and they simply can't handle the case work; they underestimated the impact. They haven't even managed to get the money from BA or Marriott yet that they historically fined them for, which isn't helping their clout. It isn't a functioning regulator: they can't handle organisation-wide breaches, never mind individual complaints.

Hedgehogfriend · 09/08/2020 16:29

@notheragain4

I'm a bit confused. The data was on OneDrive? Only you and the university would have access, I believe it's encrypted. It's password protected in that you need to be in the account to view. How did the hacker obtain the information?
It was a non-protected hyperlink. Anyone could click on the link to gain access. It was not necessary to be logged into any account.

I wouldn’t have minded as much if it was necessary to log in in order to view the information.

I do not know how the hacker got hold of the information.

notheragain4 · 09/08/2020 16:45

@Hedgehogfriend I'm with you, well it was a breach and I would deem the university at fault because they didn't have the security measures in place, the fact it's a special category data breach makes it a bigger issue. I'd definitely try the article 82 complaint.

Jargo · 10/08/2020 00:35

Anyone could click on the link to gain access.

No, only people with the link could have clicked onto it. You had to know the link - that's the protection.

PercyKirke · 10/08/2020 00:48

Having worked for a firm that was on the wrong end of an ICO investigation, I can assure you they do care about individuals.

AgentJohnson · 10/08/2020 06:37

No, only people with the link could have clicked onto it. You had to know the link - that's the protection.

Err no, there’s a reason why we have passwords, and using only passwords is outdated, as they are usually the weakest link.
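The disagreement between tabernacles ("you can brute force it by guessing URLs if there is no password") and Jargo ("you had to know the link - that's the protection") is really about what a link-only share is protecting against. The following toy model is an added illustration for readers of the thread; it is not code from any poster, from OneDrive, or from the university, and the service, class and function names in it are hypothetical. It shows why a long random token is not practically guessable, yet a link that has been copied elsewhere still opens the document unless a second secret that is not part of the URL (a password) or a short lifetime and revocation is in place.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed toy model of "anyone with the link" sharing. It is NOT a
# description of OneDrive or of the university's system; all names here
# are hypothetical.

TOKEN_BYTES = 16  # 128 random bits per link token


def token_bits(token_bytes: int = TOKEN_BYTES) -> int:
    """Entropy of a link token in bits; enumerating the space takes 2**bits guesses."""
    return token_bytes * 8


def expected_guesses(token_bytes: int = TOKEN_BYTES, live_links: int = 1) -> float:
    """Average random probes before hitting any one of `live_links` valid
    tokens: half the token space, divided by the number of live targets."""
    return 2 ** token_bits(token_bytes) / (2 * live_links)


@dataclass
class ShareLink:
    token: str
    password: Optional[str] = None   # second secret, never part of the URL
    disabled: bool = False
    expires_at: Optional[float] = None


@dataclass
class ShareService:
    """Hypothetical link-sharing service with optional password and expiry."""
    links: dict = field(default_factory=dict)

    def create(self, password: Optional[str] = None,
               ttl_seconds: Optional[float] = None,
               now: Optional[float] = None) -> str:
        # secrets, not random: a link token is a capability and must be unguessable
        token = secrets.token_urlsafe(TOKEN_BYTES)
        start = time.time() if now is None else now
        expires_at = start + ttl_seconds if ttl_seconds is not None else None
        # A real service would store a password hash, not the password itself.
        self.links[token] = ShareLink(token, password, False, expires_at)
        return token

    def disable(self, token: str) -> None:
        """Revoke a link (the 'disabled once the recipient confirms' step)."""
        if token in self.links:
            self.links[token].disabled = True

    def access(self, token: str, password: Optional[str] = None,
               now: Optional[float] = None) -> str:
        """Decide whether a request carrying `token` (and maybe a password) is served."""
        link = self.links.get(token)
        if link is None:
            return "denied: unknown link"
        if link.disabled:
            return "denied: link disabled"
        current = time.time() if now is None else now
        if link.expires_at is not None and current > link.expires_at:
            return "denied: link expired"
        if link.password is not None:
            # constant-time comparison so the check does not leak via timing
            if password is None or not hmac.compare_digest(link.password, password):
                return "denied: password required"
        return "granted"


def leaked_link_outcomes() -> dict:
    """What a stranger who obtains the URL (e.g. from a forum post) gets,
    with and without the extra password layer."""
    svc = ShareService()
    link_only = svc.create()
    with_pw = svc.create(password="correct horse battery staple")
    return {
        "link_only": svc.access(link_only),
        "link_plus_password_no_pw": svc.access(with_pw),
        "link_plus_password_wrong_pw": svc.access(with_pw, "guess"),
        "link_plus_password_right_pw": svc.access(with_pw, "correct horse battery staple"),
    }


if __name__ == "__main__":
    print(leaked_link_outcomes())
    print(f"{token_bits()}-bit tokens: ~{expected_guesses():.2e} guesses per hit")
```

With 128-bit tokens the guessing cost is astronomical, so on that narrow point Jargo is right; but the model also shows the failure mode the OP describes: once the URL has been forwarded or reposted, a link-only share grants access to whoever holds it, whereas a link plus a separately communicated password, a short expiry, and prompt revocation (the "disabled once the recipient has confirmed" step in the ICO letter) each limit what a leaked link is worth.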

CarlottaValdez · 10/08/2020 06:45

What outcome are you expecting though? They’ve investigated and changed policy as a result. That’s generally the sort of thing the ICO orders.

majesticallyawkward · 10/08/2020 07:06

You complained. They investigated and found the breach was not the fault of the university, but there has been a policy change after a weakness was found.

What did you want to happen?

Drumple · 10/08/2020 07:09

What more were you expecting?

Intelinside57 · 10/08/2020 08:06

"You complained. They investigated and found the breach was not the fault of the university, but there has been a policy change after a weakness was found."

This - what do you want?

notheragain4 · 10/08/2020 08:55

The OP has a right to disagree and appeal. The ICO are notoriously awful; there are elements of their own guidance that completely contradict the legislation. They're one of the reasons it's increasingly likely we won't get adequacy status from the EU.

Anyway op, as I say, I'd try an article 82 complaint, the option is there for a reason.

notheragain4 · 10/08/2020 08:58

@Jargo it really isn't. The reason Zoom was under such scrutiny was due to the lack of end-to-end encryption and the fact the links could be intercepted; they had to change. The fact the OP had special category data, for me, demonstrates the lack of security. It was breached after all, so it clearly wasn't secure enough or we wouldn't be talking about it now.

Hedgehogfriend · 10/08/2020 09:35

@CarlottaValdez

What outcome are you expecting though? They’ve investigated and changed policy as a result. That’s generally the sort of thing the ICO orders.
An apology. My course mates shared the link, and now several people know my medical history and the fact I was sexually assaulted.

If they are completely faultless, then why would they need to change policies?

CarlottaValdez · 10/08/2020 09:38

How did your course mates get the link? It sounds awful and I can see why you’re angry though.

Hedgehogfriend · 10/08/2020 10:00

@CarlottaValdez

How did your course mates get the link? It sounds awful and I can see why you’re angry though.
They got the link from Reddit... (some idiot posted the link all over the internet)

By the time it was posted on the hackers' forum it was along the lines of: “Here is someone’s medical information, can you guys find an email address so that I can tell them their stuff is online.”

I accept that the university did not intend to cause a data leak.

But after it happened they should have

A - told me about it (a stranger contacted them on 10 January 2020)

and

B - apologised. Despite what they say, non-password-protected hyperlinks are not a secure form of storage.

majesticallyawkward · 10/08/2020 13:18

If they are completely faultless, then why would they need to change policies?

Because they found a flaw in their existing policy. It's possible for that to happen without them being to blame for what happened to your data.
OP, you are clearly, understandably, angry, but you need to look at it rationally. You can appeal or further your complaint, but be clear about what you want out of it rather than blindly finger-pointing.