Breaches of data protection act that did not result in fines

The request was successful.

Dear Information Commissioner’s Office,

I would like to know how many breaches there have been of the Data Protection Act that did not result in fines or financial penalties, which organisations committed these breaches, the date of the breaches and whether the breach was voluntarily reported by the organisation itself.

Yours faithfully,

Joe Wiggins

Information Commissioner's Office

12 April 2011

Case Reference Number IRQ0386211

Dear Mr Wiggins

Thank you for your email of today's date in which you have made a
request for information to the Information Commissioner's Office.

Your request has been passed to the Internal Compliance Team, and is being
dealt with in accordance with the Freedom of Information Act 2000 under
the reference number shown above.  We will therefore respond to your
request by 12 May 2011 which is 20 working days from the day after we
received your request.

If you wish to add further information to your request case please reply
to this email, being careful not to amend the information in the
‘subject’ field. This will ensure that the information is added
directly to your case. However, please be aware that this is an automated
process; the information will not be read by a member of our staff until
your case is allocated to a request handler.

Yours sincerely

Helen Ward

Lead Internal Compliance Officer

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

Information Commissioner's Office

13 May 2011

Case Reference Number IRQ0386211

Dear Mr Wiggins

I am writing further to our email dated 12 April 2011, in which we
acknowledged your request for information to the Information
Commissioner's Office (ICO).

I note that our acknowledgement stated that we would respond “by 12
May 2011 which is 20 working days from the day after we received your
request”. As you may have realised, the 20 working days in fact expires
today, 13 May 2011. I therefore apologise for the initial administrative
oversight.

In your correspondence of 12 April 2011, you requested:

“how many breaches there have been of the Data Protection Act that did
not result in fines or financial penalties, which organisations committed
these breaches, the date of the breaches and whether the breach was
voluntarily reported by the organisation itself”.

Your request has been considered in accordance with the Freedom of
Information Act 2000.

It might be useful if I firstly clarify that we do not technically record
“breaches” of the DPA.  When we receive a complaint we are
required to make an assessment as to whether the data controller has
complied with the DPA in the situation described. An assessment is
therefore our opinion as to whether it is likely or unlikely that a data
controller has complied with the data protection principles.

For the purposes of this response I have assumed that you are primarily
interested in the number of times we have assessed that compliance with
the data protection principles is unlikely.

As you have asked for the number of breaches that did not result in fines
or financial penalties, I have further assumed that your request relates
to any assessments we have made since 06 April 2010. This is because under
sections 55A and 55B of the Act (introduced by the Criminal Justice and
Immigration Act 2008 which came into force on 06 April 2010) the
Commissioner may, in certain circumstances, where there has there been a
serious contravention of section 4(4) of the Act, serve a monetary penalty
notice on a data controller requiring the data controller to pay a
monetary penalty of an amount determined by the Commissioner. As you will
therefore appreciate, before 06 April 2010, any and all assessments would
not have been considered for a monetary penalty.

From the period 06 April 2010 to 08 May 2011 we have made compliance
unlikely assessments about an organisation on 2580 occasions. As I
explained above, this figure relates to occasions where we have recorded
an outcome of “Compliance Unlikely” against a specific data
controller. It is important to note that case outcomes are fluid, for
example where further information is provided by either party, we may
change our assessment.

In each assessment the case officer has essentially determined that
processing by the complained about organisation (data controller) is
unlikely to be compliant with the data protection principles. I have
attached a document showing the name of the data controller that we
recorded the assessment about. You should be aware that when complaints
are recorded onto our case management system we manually record the name
of the complained about party, which will explain why there are sometimes
slight variants in the recording of specific data controllers.

In addition to the above information held on complaints we have received,
we also hold information relating to incidents that have been reported to
us directly by a data controller. This contains a list of incidents that
have been reported to the ICO where a data controller has become aware
that they may have suffered a breach of security in relation to personal
data. In line with our guidance it is considered good practice for data
controllers to inform the ICO of such an incident where a large number of
people are affected, or there are very serious consequences. The
aforementioned guidance can be accessed via the following link:

[2]http://www.ico.gov.uk/upload/documents/l...

Between 06 April 2010 and 08 May 2011 we received 657 self reported
incidents.

We do also hold the names of the data controllers that reported the
incident. However, this information has been withheld under the provisions
of Section 44 of the FOIA which places prohibitions on disclosure. 
Section 44(1)(a) of the FOIA states:

‘(1) Information is exempt information if its disclosure (otherwise
than under this Act) by the public authority holding it -

(a) is prohibited by or under any enactment’

The enactment in question is the Data Protection Act 1998 (DPA) and
specifically Section 59 of the DPA. Section 59 states that neither the
Commissioner nor his staff shall disclose:

“any information which :

(a) has been obtained by, or furnished to, the Commissioner under or for
the purposes of the information Acts.

(b) relates to an identified or identifiable individual business, and

(c) is not at the time of disclosure, and has not been available to the
public from other sources,

unless the disclosure is made with lawful authority.”

This prevents us from disclosing the information which has been collected
in the course of our investigations unless we have lawful authority to do
so. We do not have lawful authority to disclose information about self
reported incidents on the basis that this information was provided to us
in confidence. 

It is important to understand that there is no legal obligation on data
controllers to report incidents of security which result in loss, release
or corruption of personal data however the Commissioner believes that
serious incidents should be brought to the attention of his Office.  If
we were to release all the information which we receive from data
controllers about a security incident this is likely to deter data
controllers from reporting such matters to us.  Therefore we do not
believe it would be in the public interest to release the information.

As stated above, we have made 2580 assessments and received 657 self
reported incidents – a total of 3237 cases. We can consider a monetary
penalty for both a complaint case (assessment) and a self reported
incident, if we consider there has been a significant contravention of the
DPA. As you might already be aware, there have been 4 cases where we
issued a monetary penalty between 06 April 2010 and 08 May 2011, so 3234
cases did not result in a fine or financial penalty.

In relation to each “breach”, you have also asked for information
on the “date of the breach”. Whilst the information you have
requested is likely to sit within our electronic case management system,
this system is not set up to easily provide us with this type of
information. To ascertain when the incident that led to a breach of the
principles occurred, we would need to search each case to determine the
subject of the complaint.

A public authority (such as the Information Commissioner’s Office) is
not obliged to comply with an FOIA request if the authority estimates that
the cost of complying with the request would exceed the ‘appropriate
limit’. The ‘appropriate limit’ for the Information
Commissioner’s Office, as determined in the ‘Freedom of
Information and Data Protection (Appropriate Limit and Fees) Regulations
2004’ is £450. We have determined that £450 would equate to 18
hours work.

As mentioned above we would need to search each case to determine the
subject of the complaint.  As I have explained, for the period 06 April
2010 to 08 May 2011, we have made 2580 assessments and received 657 self
reported breaches. If it took on average 5 minutes to establish the reason
for each complaint, this would equate to over 269 hours which would be
well in excess of the 18 hours which would accrue a charge of £450 or
less. It is for this reason, and in accordance with section 12 of the
FOIA, that we are not obliged to comply with this aspect of your request
for information.

I do hope this response is useful. I am mindful of the detailed
explanations I have provided outlining both my understanding of your
request and the ways in which the ICO operates and records information. As
you may appreciate, I thought it was important to be clear about the
information I have provided and the basis of my response. If you feel a
conversation would facilitate a better understanding of the response then
please feel free to contact me on 01625 545 363.

If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Internal Compliance Team
at the address below or e-mail [3][email address]

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request
received after this time will only be considered at the discretion of the
Commissioner.

If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please
write to the Case Reception Team, at the address below or visit the
‘Complaints’ section of our website to make a Freedom of
Information Act or Environmental Information Regulations complaint online.

Yours sincerely

Andrew Walsh

Lead Internal Compliance Officer

Information Commissioner’s Office, Wycliffe House, Water Lane,
Wilmslow, Cheshire, SK9 5AF.

T. 01625 545363 [4]www.ico.gov.uk

References

Visible links
2. http://www.ico.gov.uk/upload/documents/l...
3. mailto:[email address]
4. http://www.ico.gov.uk/