Chocgate: The fallout. Partially taxpayer-funded £6k+ staff luxury treats land ICO in lukewarm water

But it's OK. What's it gonna do – fine itself?


"Sorry", much like a tooth-loosening toffee, can be one of the hardest words. That didn't stop the Information Commissioner’s Office from sentencing itself to saying it in the wake of the findings of an internal probe that confirm a rogue employee went a bit trigger happy with the corporate credit card in a luxury chocolate chain last Xmas.

The British regulator said it was very disappointed in itself after the unnamed staffer racked up a bill of £6,248.40 at Hotel Chocolat by spending £24.60 each on 254 gifts for fellow colleagues - and taxpayers footed the bill, because who wouldn’t want to say thanks to the ICO for holding Big Tech’s feet to the fire?

The UK’s data watchdog was tipped off about itself in February by Insider, which spotted the figure in the ICO’s list of corporate charge payments in excess of £500. The choc-shopping binge reportedly took place on 21 December.

The ICO said in a statement released yesterday:

An independent internal investigation, commissioned by the ICO in February, confirmed that a single payment of £6248.40 was made on an ICO corporate charged card in December 2020 for identical £24.60 gifts for 254 members of ICO staff.

While the spending was intended to acknowledge the hard work of these staff across a challenging year, the investigation confirmed it was not in line with our staff recognition or spending policies to purchase gifts for staff using public funds.

Around 85 to 90 per cent of the ICO’s annual budget is comprised of the data protection fee paid for by organisations that process personal data, with the remainder coming from an annual grant from the Department of Culture, Media and Sport.

This Hotel Chocolat shocker was the only transaction made outside of ICO policy, the ICO said, and the only example of pressies being bought for staff. Nevertheless, "for this specific transaction, our strict financial controls were not overseen effectively, enabling the transaction to be made despite it not being permitted by ICO policy."

Sorry is a little word but it takes a big person to say it, and the ICO "want[s] to apologise… we have taken action in response to the investigation’s findings, implementing all recommendations in full, so that this should not happen again."

As to which controls had been put in place, the ICO told us: "We have reviewed the Corporate Charge Card Budget Holder approval process and spending limits...

"All budget holders are routinely trained in the use of the corporate charge cards, budget management, as well as our procurement policies; and this mandatory training is now repeated annually."

In its official statement the watchdog added it would be including a "review of our implementation of the recommendations for this investigation in our future internal audit programme."

“Where the investigation highlighted behaviour that fell below the standards the ICO expects, we have also taken appropriate steps,” it added. "Those matters are, however, confidential."

So no choccies for some people this year from the sounds of it?

Oh and the ICO's hired for a new role: a director of finance to "strengthen the oversight of our financial controls and staff training."

When we asked about this, the regulator told us the "previous director of finance resigned in May. A new temporary director of finance was appointed in June to lead our work in response to the investigation's recommendations."

It added: "A permanent appointment has now also been made to this role and is due to join the ICO in October."

We asked whether the ICO would have to pay back the £6,248.40 spent on chocolate gifts for staff last December and were told: "Given that the transaction was not challenged due to some failures in the oversight of our strict financial controls, we have decided that it would not be appropriate to require any individual budget holder to reimburse the funds." ®


Biting the hand that feeds IT © 1998–2022