“Sorry”, much like a tooth-loosening toffee, can be one of the hardest words. That didn’t stop the Information Commissioner’s Office from sentencing itself to saying it in the wake of the findings of an internal probe that confirm a rogue employee went a bit trigger happy with the corporate credit card in a luxury chocolate chain last Xmas.
The regulator said it was very disappointed in itself after the unnamed staffer racked up a bill of £6,248.40 at Hotel Chocolat, spending £24.60 apiece on 254 gifts for fellow colleagues – and taxpayers footed the bill, because who wouldn’t want to say thanks to the ICO for holding Big Tech’s feet to the fire?
The UK’s data watchdog was tipped off about itself in February by Insider, which spotted the figure in the ICO’s list of corporate charge payments in excess of £500. The choc-shopping binge reportedly took place on 21 December.
The ICO said in a statement released yesterday:
Around 85 to 90 per cent of the ICO’s annual budget is comprised of the data protection fee paid for by organisations that process personal data, with the remainder coming from an annual grant from the Department of Culture, Media and Sport.
This Hotel Chocolat shocker was the only transaction made outside of ICO policy, the ICO said, and the only example of pressies being bought for staff. Nevertheless, “for this specific transaction, our strict financial controls were not overseen effectively, enabling the transaction to be made despite it not being permitted by ICO policy.”
Sorry is a little word but it takes a big person to say it, and the ICO “want[s] to apologise… we have taken action in response to the investigation’s findings, implementing all recommendations in full, so that this should not happen again.”
As to which controls had been put in place, the ICO told us: “We have reviewed the Corporate Charge Card Budget Holder approval process and spending limits…
“All budget holders are routinely trained in the use of the corporate charge cards, budget management, as well as our procurement policies; and this mandatory training is now repeated annually.”
In its official statement the watchdog added it would be including a “review of our implementation of the recommendations for this investigation in our future internal audit programme.
“Where the investigation highlighted behaviour that fell below the standards the ICO expects, we have also taken appropriate steps,” it added. “Those matters are, however, confidential.”
So no choccies for some people this year from the sounds of it?
Oh and the ICO’s hired for a new role: a director of finance to “strengthen the oversight of our financial controls and staff training.”
When we asked about this, the regulator told us the “previous director of finance resigned in May. A new temporary director of finance was appointed in June to lead our work in response to the investigation’s recommendations.”
It added: “A permanent appointment has now also been made to this role and is due to join the ICO in October.”
We asked whether the ICO would have to pay back the £6,248.49 spent on chocolate gifts for staff last December and were told: “Given that the transaction was not challenged due to some failures in the oversight of our strict financial controls, we have decided that it would not be appropriate to require any individual budget holder to reimburse the funds.” ®