Out-Law News

ICO to investigate marathon data publication


The Information Commissioner's Office is to investigate an apparent breach of data protection laws after personal information belonging to runners of the London Marathon was accidentally published on the organisers' website.

Details of the home and email addresses of the 38,000 participants in the race were inadvertently made available and could be accessed throughout Monday by anyone logging onto the site, according to a report by the BBC. The ICO, the UK's data protection watchdog, told Out-Law.com that it was looking into the matter.

“We’re aware of a possible data breach involving the website of the organisers of the London Marathon," an ICO spokesperson said. "We will be investigating this, before deciding what action, if any, needs to be taken.”

The Data Protection Act (DPA) requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data" by organisations in control of personal data.

The ICO can issue fines of up to £500,000 for serious personal data breaches.

Organisers were not aware of the data publication until notified by the BBC, according to the broadcaster's report.

"We apologise for this error, and are grateful to the BBC for bringing it to our attention," Nick Bitel, the chief executive of the London Marathon, said. "We immediately made sure that the glitch was corrected."

"We do not believe that this has led to a substantial number of individuals' details being accessed by members of the public."

The DPA states that the ICO can issue a monetary penalty notice when a "serious contravention" of the data protection principles has occurred that was "likely to cause substantial damage or substantial distress". The contravention must either have been deliberate, or have been committed by an organisation or person who knew or should have known that there was a risk of the breach and of the damage or distress it could cause, but who failed to take "reasonable steps to prevent the contravention" from happening.

The data protection principles require, among other things, that organisations processing personal data do so fairly and lawfully and that they take "appropriate technical and organisational measures" to protect against "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

The ICO has issued guidance on the procedures it follows when determining whether and how much to fine organisations. The guidance states that the watchdog will only impose a monetary penalty if it is "appropriate" to do so and at a level that is "reasonable and proportionate, given the particular facts of the case and the underlying objective in imposing the penalty".

Whether a penalty is reasonable and proportionate or even appropriate at all depends on "the particular facts and circumstances" of individual cases and the "representations" that organisations are permitted to make to explain the incident.
