I will be interested to see how the ICO react to this. Normally they seem to give priority and reserve the large penalties for the major data losses - like the British Airways data breach - although with a good data protection lawyer on side to explain mitigating circumstances sanctions normally get reduced. I'm told that often individuals complaining about a single data privacy issue rather than a mass loss of data, which this essentially is, get stuck in a queue for months and then the result is usually "yes, we agree your rights were breached, you should take civil action for compensation" but the ICO doesn't issue a financial penalty, although they might issue an instruction to a company compelling them to tighten up some process. (That's what I've been told by my data protection contacts who consider the ICO a bit toothless.) I wonder if Mr F will get to jump the queue and get preferential treatment? Of course, he might find the ICO are busy with dealing with the fallout from incidents like the recent Capita breach …
Michael Ixer ● 693d