ICO won't take action against Department for Education over data breach

Breach exposed personal data - including passwords - of respondents to consultation

The Information Commissioner's Office (ICO) has decided not to take action against the Department for Education after it broke the Data Protection Act over a consultation exercise on parental controls on internet access.

The breach of the Data Protection Act occurred after the department accidentally exposed email addresses of respondents to the consultation, which took place over summer.

Exposed data included email addresses, unencrypted passwords and people's answers to the questions posed by the consultation.

The exposure - over 28 and 29 June - occurred due to poor security on the Department for Education's website during the 10-week process.

However, the ICO, while finding that the department did breach the Data Protection Act, has decided against taking the matter further, as "the personal information compromised was not sensitive".

"The ICO has the power to issue civil monetary penalties of up to £500,000 against organisations for serious breaches of the Data Protection Act," said law firm Pinsent Masons on its Outlaw.com website.

It added: "In order to merit the issuance of a fine, the Data Protection Act contravention must be of such a nature that it is 'likely to cause substantial damage or substantial distress' and organisations must either have known or ought to have known that there was a risk that a breach would have such an effect on individuals, but 'failed to take reasonable steps' to prevent the breach happening."