ACS:Law data breach
John Fletcher made this Freedom of Information request to Information Commissioner’s Office
The request was partially successful.
From: John Fletcher
24 November 2010
Dear Information Commissioner’s Office,
Please provide any information you hold in written or electronic
form pertaining to your investigation of the breach of the Data
Protection Act 1998 (DPA) by ACS:Law in September of this year.
The information requested must include, but not be limited to:
- Information on the progress of the investigation and any proposed
milestones or targets for action and/or public communication.
- The number of complaints and enquiries made to the ICO concerning
potential DPA breaches by ACS:Law which predate the major breach of
September.
- The number of complaints received subsequent to the DPA breach in
relation to the activities of ACS:Law, especially those which led
to the mass release of sensitive personal data of thousands of
individuals.
- Any direction from the ICO to ACS:Law, or offer from ACS:Law to
make a public apology for the poor security attached to sensitive
personal data and ultimately for the breach itself to any person
whose details were compromised by the breach.
- Whether the Solicitors' Regulatory Authority (SRA) have been
notified of the poor data handling of one of their members to
ensure learnings are shared with other members of the profession,
and that any professional disciplinary action appropriate can be
taken.
I look forward to your response,
Yours faithfully,
John Fletcher
Information Commissioner’s Office
25 November 2010
25 November 2010
Case Reference Number IRQ0361673
Dear Mr Fletcher
Thank you for your email of 24 November 2010 in which you have asked us to
provide you with information relating to the “ACS:Law data breach”.
Your request has been passed to the Internal Compliance Team, and is being
dealt with in accordance with the Freedom of Information Act 2000 under
the reference number shown above. We will therefore respond to your
request by 22 December 2010 which is 20 working days from the day after we
received your request.
If you wish to add further information to your case please reply to this
email, being careful not to amend the information in the ‘subject’
field. This will ensure that the information is added directly to your
case. However, please be aware that this is an automated process; the
information will not be read by a member of our staff until your case is
allocated to a request handler.
Yours sincerely
Helen Ward
Lead Internal Compliance Officer
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk
Information Commissioner’s Office
21 December 2010
21 December 2010
Case Reference Number IRQ0361673
Dear Mr Fletcher
Further to our acknowledgment of 25 November 2010 we are now in a position
to provide a response to your request.
Your request read:
“Please provide any information you hold in written or electronic
form pertaining to your investigation of the breach of the Data
Protection Act 1998 (DPA) by ACS:Law in September of this year.
The information requested must include, but not be limited to:
- Information on the progress of the investigation and any proposed
milestones or targets for action and/or public communication.
- The number of complaints and enquiries made to the ICO concerning
potential DPA breaches by ACS:Law which predate the major breach of
September.
- The number of complaints received subsequent to the DPA breach in
relation to the activities of ACS:Law, especially those which led
to the mass release of sensitive personal data of thousands of
individuals.
- Any direction from the ICO to ACS:Law, or offer from ACS:Law to
make a public apology for the poor security attached to sensitive
personal data and ultimately for the breach itself to any person
whose details were compromised by the breach.
- Whether the Solicitors' Regulatory Authority (SRA) have been
notified of the poor data handling of one of their members to
ensure learnings are shared with other members of the profession,
and that any professional disciplinary action appropriate can be
taken.”
I shall address each of your points in turn.
1. Information on the progress of the investigation and any proposed
milestones or targets for action and/or public communication.
Any information relating directly to the investigation we consider is
exempt information under section 31 (1) (g) of the Freedom of Information
Act 2000. This section states that:
“Information…is exempt information if its disclosure under this Act
would, or would be likely to, prejudice – (g) the exercise by any public
authority of its functions for any of the purposes specified in subsection
(2)”
The purposes referred to in sections 31(2)(a) and (c) are
(a) the purpose of ascertaining whether any person has failed
to comply with the law
(c) the purpose of ascertaining whether circumstances which
would justify regulatory action in pursuance of any enactment exist or may
arise
This investigation is ongoing and therefore to release information at this
stage could prejudice the ICO’s ability to conduct the investigation in
an appropriate manner; one which encourages frank discussion of the issues
at hand, in order to reach its conclusion.
These purposes apply when the Information Commissioner is determining
whether or not there has been a breach of legislation, and whether to take
action.
However, this exemption is not absolute and we have to consider the public
interest test by weighing up factors in favour of disclosure against those
in favour of maintaining the exemption.
Public interest factors in favour of disclosure:
o Public interest in the ICO investigation procedure being more
transparent
o Public interest in the ongoing ACS Law investigation which has been
widely publicised
Public interest factors in favour of maintaining the exemption:
o Public interest in allowing the ICO to conduct an investigation in a
manner that does not prejudice that investigation
o Public interest in allowing ACS Law and the ICO to engage with each
other and have full and frank communication without these parties
being concerned that their comments will be made public prematurely
or, as appropriate, at all.
o Public interest in enabling the ICO to obtain any information it
requires from ACS Law in order to reach a conclusion
o Public interest in the ICO maintaining a position which encourages
data controllers to voluntarily report security breaches for
investigation
o The public interest in maintaining trust and confidence that when the
ICO carries out an investigation, replies to the ICO’s enquiries
will be afforded an appropriate level of confidentiality while the
investigation is continuing in this and in any subsequent cases.
It is also necessary to consider the prejudice or harm that disclosure may
cause, and its likelihood. As already touched upon, it is probable that
any disclosure at this stage would discourage full and frank discussions
between the ICO and ACS Law and may damage our ability to conduct the
investigation fairly and proportionately. It could also jeopardise the
ICO’s ability to obtain information either relating to this case or
others in the future. I would conclude that the harm with relation to
discouraging discussion is highly likely as releasing such information is
likely to lead to both parties being approached by individuals with
specific questions. This is likely to result in a reluctance to engage
with the ICO in the future. In the absence of an overarching conclusion,
information released at this stage could be misinterpreted which could
distract from the investigation process.
Having considered all of these factors we have taken the decision that the
public interest in withholding the information outweighs the public
interest in disclosing it. I am sorry, therefore, that in this instance
we are unable to provide you with the information from the investigation
that you have requested.
There are no specific targets or milestones for action or public
communication. The investigation is ongoing but we do anticipate that any
final decision will be made public.
2. The number of complaints and enquiries made to the ICO concerning
potential DPA breaches by ACS:Law which predate the major breach of
September
The record regarding this investigation was started on 27 September 2010.
Therefore, I have checked our casework management system for the number of
complaints and enquiries regarding ACS Law prior to 27 September 2010.
We have 34 recorded complaints and 27 recorded enquiries.
3. The number of complaints received subsequent to the DPA breach in
relation to the activities of ACS:Law, especially those which led to the
mass release of sensitive personal data of thousands of individuals.
Again, I have checked our case management system and between 27 September
2010 and 15 December 2010 the ICO received 35 complaints and 4 enquiries.
Two of the records have been closed; one as a duplicate and one because
the documents were pasted into an existing case.
We have understood your reference to ‘those which led to the mass
release of sensitive personal data of thousands of individuals’ to mean
that you are interested in the complaints that centred around the
potential breach of the DPA. Therefore for the remaining 33 complaints we
have also provided the nature of those complaints. I should explain that
when we record complaint files our case management system provides options
to the case officer to record the ‘nature’ of the complaint. These are
broad categories.
Nature
Security              13
Disclosure of data    17
Use of data            1
Total                 31
These cases have all been closed (with the exception of one, which is
‘Open’); their recorded status is ‘Closed-advice given’. An
explanatory letter/email was sent to complainants explaining that the
matter was under investigation.
Two further cases are currently ‘Open’ and do not yet have a recorded
nature.
4. Any direction from the ICO to ACS:Law, or offer from ACS:Law to make a
public apology for the poor security attached to sensitive personal data
and ultimately for the breach itself to any person whose details were
compromised by the breach.
It is not within the remit of the ICO to order organisations to make a
public apology and therefore we do not hold any recorded information
regarding this. Further, we do not hold any information indicating that
ACS Law intends to do this although in light of the above it is not
necessarily a matter ACS Law would discuss with the ICO. The function of
the ICO is to assess potential breaches of the Data Protection Act 1998
and take action as appropriate.
5. Whether the Solicitors' Regulatory Authority (SRA) have been
notified of the poor data handling of one of their members to
ensure learnings are shared with other members of the profession, and that
any professional disciplinary action appropriate can be taken.
The ICO did not notify the Solicitors Regulatory Authority (SRA) of the
breach and so we do not hold any recorded information with regard to this
element of your request. However, we are aware that the SRA knows of the
matter.
I hope this information is of use to you, however, if you are dissatisfied
with the response you have received and wish to request a review of our
decision or make a complaint about how your request has been handled you
should write to the Internal Compliance Department at the address below or
e-mail [email address].
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request
received after this time will only be considered at the discretion of the
Commissioner.
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please write
to the First Contact Team, at the address below or visit the
‘Complaints’ section of our website to make a Freedom of Information
Act or Environmental Information Regulations complaint online.
A copy of our review procedure is attached.
Yours sincerely
Helen Ward
Lead Internal Compliance Officer
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk




