We don't know whether the most recent response to this request contains information or not – if you are Jonathan Bull please sign in and let everyone know.

Freedom of information

We're waiting for Jonathan Bull to read recent responses and update the status.

Dear Aberdeen City Council,

I am investigating and researching data breaches and cyber crime in the UK.

I am requesting the following information from you:-

How many times have you reported any data breaches in the past 6 years?

If you have.

Did you report these data breaches to the ICO?

For each separate breach case, please tell me the following:-

How many people were affected by the data breach?

Please send me a copy of the correspondence that you sent to the people affected by the data breach to notify them their data had been breached.

What information was breached?

Have you received any complaints about the data breach by victims? If so, how many?

Have you paid out any compensation to any of the victims that made complaints? If so, how many?

If you have paid out compensation, how much have you paid out in total?

Please send me a list of each complaint reference and how much compensation you paid out per complaint.

On a separate matter, I would also like the following information:-

Who is your energy provider?

When is your contract renewal date?

How much do you spend annually on energy?

When you signed your most recent energy contract, did you go through a third party broker who brokered the deal for you?

I look toward to your prompt response!

Yours faithfully,

Mr Jonathan Bull

Foi Enquiries, Aberdeen City Council

Did you know that the quickest way to make a request for information is to
make your request online? Please visit
[1]https://www.aberdeencity.gov.uk/services...
to make a request.

 

IMPORTANT NOTICE: This e-mail (including any attachment to it) is
confidential, protected by copyright and may be privileged. The
information contained in it should be used for its intended purposes only.
If you receive this email in error, notify the sender by reply email,
delete the received email and do not make use of, disclose or copy it.
Whilst we take reasonable precautions to ensure that our emails are free
from viruses, we cannot be responsible for any viruses transmitted with
this email and recommend that you subject any incoming email to your own
virus checking procedures. Unless related to Council business, the
opinions expressed in this email are those of the sender and they do not
necessarily constitute those of Aberdeen City Council. Unless we expressly
say otherwise in this email or its attachments, neither this email nor its
attachments create, form part of or vary any contractual or unilateral
obligation. Aberdeen City Council's incoming and outgoing email is subject
to regular monitoring.

References

Visible links
1. https://www.aberdeencity.gov.uk/services...

Access to Information Team, Aberdeen City Council, Aberdeen City Council

1 Attachment

Reference: FOI-345176222
Date of request: 28/06/2021
Title of request: Data Breaches

Dear Jonathan Bull,

Thank you for your completing your Freedom of Information Request.

We aim to answer all requests within 20 working days.

You will receive a response via email and an update in [1]your self-serve
account.

For information about how we handle your request please see our [2]Freedom
of Information privacy notice.

For information about your appeal rights please see [3]Freedom of
Information reviews and appeals.

Kind regards

Access to Information Team
Aberdeen City Council | Customer Development | Customer Experience |
Customer
Marischal College | Broad Street | Aberdeen | AB10 1AB
[4]www.aberdeencity.gov.uk | Twitter: @AberdeenCC |
Facebook.com/AberdeenCC

Your personal data is very important to us. Please refer to [5]information
on why and how we use your data.

IMPORTANT NOTICE: This e-mail (including any attachment to it) is
confidential, protected by copyright and may be privileged. The
information contained in it should be used for its intended purposes only.
If you receive this email in error, notify the sender by reply email,
delete the received email and do not make use of, disclose or copy it.
Whilst we take reasonable precautions to ensure that our emails are free
from viruses, we cannot be responsible for any viruses transmitted with
this email and recommend that you subject any incoming email to your own
virus checking procedures. Unless related to Council business, the
opinions expressed in this email are those of the sender and they do not
necessarily constitute those of Aberdeen City Council. Unless we expressly
say otherwise in this email or its attachments, neither this email nor its
attachments create, form part of or vary any contractual or unilateral
obligation. Aberdeen City Council's incoming and outgoing email is subject
to regular monitoring.

References

Visible links
1. https://integration.aberdeencity.gov.uk/...
2. https://www.aberdeencity.gov.uk/your-dat...
3. https://www.aberdeencity.gov.uk/services...
4. https://www.aberdeencity.gov.uk /
5. https://www.aberdeencity.gov.uk/your-dat...

Access to Information Team, Aberdeen City Council, Aberdeen City Council

Reference: FOI-345176222
Date of request: 28/06/2021
Title of request: Data Breaches

Dear Jonathan Bull,

Thank you for your information request. We have completed the necessary
search for the information requested. Our response is now detailed below.

How many  times have you reported any data breaches in the past 6
years? If you have.

Did you report these data breaches to the ICO?

Year (June - July No. of breaches reported No. of breaches notified
internally to the ICO
2020-2021 188 5
2019-2020 113 2
2018-2019 135 5
2017-2018 61 1
2016-2017 35 0
2015-2016 30 6

For each separate breach case, please tell me the following:-

How many people were affected by the data breach? 

Please send me a copy of the correspondence that you sent to the people
affected by the data breach to notify them their data had been breached. 

What information was breached? 

Have you received any complaints about the data breach by victims? If so,
how many?

Have you paid out any compensation to any of the victims that made
complaints? If so, how many?

If you have paid out compensation, how much have you paid out in total?

Please send me a list of each complaint reference and how much
compensation you paid out per complaint.  

Aberdeen City Council has kept a central register of information security
incidents since May 2018, which also records where these incidents also
constitute data protection breaches. This central register gives high
level information about each incident but does not record information on
how many people were affected by each data protection breach, whether or
not data subjects were notified (to allow us to retrieve any relevant
correspondence), exactly what information was breached, whether affected
data subjects complained about the data protection breach (to allow us to
easily retrieve complaint information you have requested) or whether
compensation was paid out (to allow us to retrieve compensation
information you have requested).

To collate the information you have requested for the time period June
2015 – June 2021, a member of the team would need to go into each separate
record to collate any information falling within the scope of your
request. In some cases, based on what information is held for an incident,
retrieving the information may also involve retrieving information held by
other teams (for example, the Council’s Customer Feedback Team, and the
Council’s Insurance Team). This would take approximately 15 minutes on
average for each incident.

Where each case file did hold information falling within the scope of your
request (correspondence with affected data subjects, for example) it is
likely that this information would require to be redacted to remove
personal information exempt from release under FOISA which would increase
this calculation of average officer time to be spent on each incident.

As you will see from the information provided in response to Question 1,
above, across the time period you are interested in, there were 562
breaches. Locating and retrieving the information you have requested would
therefore take at least 140.5 hours. Based on this task being undertaken
by a G11 Paralegal, who is paid in excess of £15 an hour, but with the
cost for calculation being capped at £15 per hour, we estimate that this
would cost £2107.50. 

This is in excess of the £600 maximum cost of compliance, and so ACC has
assessed the information you have requested under Question
3 as being exempt from release.

The Council’s Audit Risk and Scrutiny Committee has received annual
reports on Information Governance since 2017 which include additional
information about data protection breaches which may be of interest to
you. From 2015 until 2017, the Council’s Audit Risk and Scrutiny Committee
received quarterly reports on data protection compliance which also
contain information about data protection breaches. We thought these
reports may also be of interest to you, and they are available on the
Council’s webpages here as part of the records of the Audit, Risk &
Scrutiny Committee:

[1]https://committees.aberdeencity.gov.uk/i...

We are unable to provide you with information on a copy of the
correspondence that you sent to the people affected by the data breach to
notify them their data had been breached, What information was
breached, Have you received any complaints about the data breach by
victims? If so, how many, Have you paid out any compensation to any of the
victims that made complaints? If so, how many, If you have paid out
compensation, how much have you paid out in total, Please send me a list
of each complaint reference and how much compensation you paid out per
complaint. as the cost of providing it has been calculated as being in
excess of the statutory maximum (£600). 

In order to comply with its obligations under the terms of Section 16 of
the FOISA, we are refusing your request under the terms of Section 12 -
Excessive Cost of Compliance - of the FOISA.

The Access to Information Team would be happy to discuss ways in which you
may refine your request, so we can provide some information of interest to
you within the maximum cost limits. Please do contact the Access to
Information team on 01224 522166, who will be happy to advise you, if this
is something you would like to pursue.

Who is your energy provider? 

Aberdeen City Council has a contract with:

EDF Energy for electricity supply for non-domestic properties and landlord
supplies. 

TOTAL Energies for gas supply for non-domestic properties. 

When is your contract renewal date? 

The energy contracts are not due for renewal until 2025 

How much do you spend annually on energy? 

Aberdeen City Council spends approximately £6m annually on energy. 

When you signed your most recent energy contract, did you go through a
third party broker who brokered the deal for you? 

Aberdeen City Council as with other Scottish Local Authorities, use
Scottish Procurement to undertake procurement of energy contracts. 

We handled your request for information in accordance with the provisions
of the Freedom of Information (Scotland) Act 2002.

If you are dissatisfied with the way we have handled your request or the
content of it, you are entitled to ask for an appeal. You can do this from
your [2]Aberdeen City Council self service account.

For more information on your right to review, please visit [3]Freedom of
Information Review and Appeals.

We hope this helps with your request.

Kind regards

Access to Information Team
Aberdeen City Council | Customer Development | Customer Experience |
Customer
Marischal College | Broad Street | Aberdeen | AB10 1AB
[4]www.aberdeencity.gov.uk | Twitter: @AberdeenCC |
Facebook.com/AberdeenCC

Your personal data is very important to us. Please refer to [5]information
on why and how we use your data.

IMPORTANT NOTICE: This e-mail (including any attachment to it) is
confidential, protected by copyright and may be privileged. The
information contained in it should be used for its intended purposes only.
If you receive this email in error, notify the sender by reply email,
delete the received email and do not make use of, disclose or copy it.
Whilst we take reasonable precautions to ensure that our emails are free
from viruses, we cannot be responsible for any viruses transmitted with
this email and recommend that you subject any incoming email to your own
virus checking procedures. Unless related to Council business, the
opinions expressed in this email are those of the sender and they do not
necessarily constitute those of Aberdeen City Council. Unless we expressly
say otherwise in this email or its attachments, neither this email nor its
attachments create, form part of or vary any contractual or unilateral
obligation. Aberdeen City Council's incoming and outgoing email is subject
to regular monitoring.

References

Visible links
1. https://committees.aberdeencity.gov.uk/i...
2. https://integration.aberdeencity.gov.uk/...
3. https://www.aberdeencity.gov.uk/services...
4. https://www.aberdeencity.gov.uk /
5. https://www.aberdeencity.gov.uk/your-dat...

We don't know whether the most recent response to this request contains information or not – if you are Jonathan Bull please sign in and let everyone know.