Personal Data Breaches

The request was partially successful.

Dear South Ayrshire Council,

I am making a request under FOISA in respect of the following information.

The date of the last review of technical and organisational measures in accordance with Section 56 of the DPA2018. In the event that there has been no review since 28/5/18 the date by which such a review will have been made.

The number of staff trained in accordance with Section 71 (c) of DPA18 since 1/6/2018. Please split this into the following categories by calendar year from 2017 to 31st September 2020.

Teachers
Manual Workers
Social Work Practitioners
Administration and Clerical
SIRO & IAO

Details of the information governance framework. This should cover duration, method of delivery, topics covered and copies of materials used to deliver data protection, information security and records management training.

Between January 2017 and 31st September 2020, broken down by year, confirm how many breaches of personal data you have been responsible for.

How many of these breaches were reported to the ICO?

In respect of breaches provide details of the circumstances, type of breach, for example what information/system was breached and the relevant cause.

Yours faithfully,

Craig Corrigan

FOI, South Ayrshire Council

Good Morning

Thank you for your email.

We are obliged under the Freedom of Information (Scotland) Act 2002 to provide any recorded information we hold (subject to exemptions) as quickly as possible and in all cases within 20 working days.

We will respond as soon as possible.

For more information on the Act and to use the response calculator, please visit http://www.itspublicknowledge.info

Kind regards

FOI Team| Chief Executive’s Office | [email address] | 01292 612223 | County Buildings, Wellington Square, Ayr KA7 1DR | www.south-ayrshire.gov.uk


FOI, South Ayrshire Council

Good afternoon

 

Thank you for your recent enquiry which was given the above reference
number.

 

1. The date of the last review of technical and organisational measures in
accordance with Section 56 of the DPA2018. In the event that there has
been no review since 28/5/18 the date by which such a review will have
been made.

Section 56 of DPA 2018 refers only to law enforcement purposes under part
three of the Act. The Council's main function is not LEP but at times the
Council's Trading Standards and Environmental Health Departments may be
involved in processing personal data under LEP.

Before GDPR became law the Council implemented a GDPR project group to
ensure all Council services were able to meet the requirements of the
legislation.

 

An information access register was developed to record assets, systems and
applications used for processing or storing personal data across the
organisation. This is a live system which is updated on an ongoing basis.

 

The Council also introduced a Data Protection Impact Assessment process
which incorporates our obligation to bake in data protection by design and
default.

 

2. The number of staff trained in accordance with Section 71 (c) of DPA18
since 1/6/2018. Please split this into the following categories by calendar
year from 2017 to 31st September 2020: Teachers; Manual Workers; Social Work
Practitioners; Administration and Clerical; SIRO & IAO.

Nil

 

3. Details of the information governance framework. This should cover
duration, method of delivery, topics covered and copies of materials used
to deliver data protection, information security and records management
training.

Data Protection training is undertaken through bespoke online training,
deployed to all staff through the Council’s intranet or in paper format
for staff who do not have PC access.  A copy of the overarching training
for GDPR/Data Protection/Information Security is provided, which clarifies
the topics covered and provides the materials used.  The Council’s DP
Policy is available on our website at:
[1]https://www.south-ayrshire.gov.uk/foi/pe.... Copies of
materials provided to staff are also enclosed relating to Subject Access,
Privacy Notices, DPIAs and Data Breaches.

 

Records Management guidance and training is provided to Council services
on a service-by-service basis. A copy of the Council's Records Management
Policy is available on the Council website at:
[2]https://www.south-ayrshire.gov.uk/foi/po.... This link also
provides a copy of our Records Retention Schedule, our approved Records
Management Plan in response to the Public Records (Scotland) Act 2011
together with the Keeper’s Assessment Report.

 

Records Management Materials are also accessible to staff through the
Council Intranet, in the way of Guides and Policies. Copies of these
documents are also enclosed.

 

4. Between January 2017 and 31st September 2020 broken down by year,
confirm how many breaches of personal data you have been responsible for.

01 January to 31 December 2017 - 05 breaches
01 January to 31 December 2018 - 39 breaches
01 January to 31 December 2019 - 60 breaches
01 January to 30 September 2020 - 27 breaches

 

5. How many of these breaches were reported to the ICO?

2017 - 2
2018 - 5
2019 - 4
2020 - 0

 

6. In respect of breaches provide details of the circumstances, type of
breach, for example what information/system was breached and the relevant
cause.

2017

+---------------+-------------------------------------------------+------+
|Breach Type    |Circumstances                                    |Number|
+---------------+-------------------------------------------------+------+
|Confidentiality|Unauthorised disclosure of personal data by email|3     |
|---------------+-------------------------------------------------+------|
|Availability   |Misplaced document containing personal data      |1     |
|---------------+-------------------------------------------------+------|
|Integrity      |Collection of personal data not required         |1     |
+---------------+-------------------------------------------------+------+

 

2018

+---------------+-------------------------------------------------+------+
|Breach Type    |Circumstances                                    |Number|
+---------------+-------------------------------------------------+------+
|Confidentiality|Personal data shared unnecessarily/without       |5     |
|               |consent                                          |      |
|---------------+-------------------------------------------------+------|
|Availability   |Misplaced documentation containing personal data |2     |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised disclosure of personal data on      |1     |
|               |internal Council website                         |      |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised disclosure of personal data by email|5     |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised disclosure of personal data by      |1     |
|               |over-writing pro-forma                           |      |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised disclosure of personal data by      |1     |
|               |newsletter                                       |      |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised disclosure of personal data by      |14    |
|               |letter                                           |      |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised disclosure of personal opinions and |1     |
|               |comments to family member                        |      |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised disclosure of personal data by text |1     |
|---------------+-------------------------------------------------+------|
|Availability   |Unencrypted laptop stolen during burglary        |1     |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised disclosure of CCTV footage          |1     |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised internal access to                  |2     |
|               |system/spreadsheet                               |      |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised access to personal data due to      |1     |
|               |incorrect password details issued                |      |
|---------------+-------------------------------------------------+------|
|Integrity      |Incorrect telephone contact details stored on    |1     |
|               |client file                                      |      |
|---------------+-------------------------------------------------+------|
|Technical      |Secure transfer of personal data by email outwith|1     |
|               |the EU (SNSA platform not used)                  |      |
|---------------+-------------------------------------------------+------|
|Confidentiality|Personal data scanned internally in error due to |1     |
|               |change of scan settings                          |      |
+---------------+-------------------------------------------------+------+

 

2019

+---------------+-------------------------------------------------+------+
|Breach Type    |Circumstances                                    |Number|
+---------------+-------------------------------------------------+------+
|Confidentiality|Personal data shared unnecessarily/without       |4     |
|               |consent                                          |      |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised disclosure of personal data by      |14    |
|               |letter                                           |      |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised disclosure of personal data by email|11    |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised disclosure of personal data by text |1     |
|---------------+-------------------------------------------------+------|
|Availability   |Disposal in error of documentation containing    |1     |
|               |personal data                                    |      |
|---------------+-------------------------------------------------+------|
|Confidentiality|Personal data scanned and sent in error to       |2     |
|               |internal recipient                               |      |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised disclosure of personal data by email|5     |
|               |to internal recipient                            |      |
|---------------+-------------------------------------------------+------|
|Availability   |Release of master copy of personal data          |1     |
|---------------+-------------------------------------------------+------|
|Technical      |Coding defect resulting in data subjects names   |1     |
|               |being disclosed                                  |      |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised disclosure of personal data by      |2     |
|               |telephone call                                   |      |
|---------------+-------------------------------------------------+------|
|Availability   |Loss of document containing personal data        |4     |
|---------------+-------------------------------------------------+------|
|Availability   |Personal data found in internal office area      |4     |
|---------------+-------------------------------------------------+------|
|Confidentiality|Personal data made available temporarily to      |1     |
|               |internal staff                                   |      |
|---------------+-------------------------------------------------+------|
|Availability   |Loss of personal data in unencrypted pen drive   |2     |
|---------------+-------------------------------------------------+------|
|Availability   |Personal data left in service users home         |1     |
|               |temporarily                                      |      |
|---------------+-------------------------------------------------+------|
|Technical      |Personal data temporarily disclosed during       |1     |
|               |migration of data                                |      |
|---------------+-------------------------------------------------+------|
|Technical      |Personal data saved to internal drive/area       |2     |
|               |temporarily                                      |      |
|---------------+-------------------------------------------------+------|
|Availability   |Personal data lost in the post                   |1     |
|---------------+-------------------------------------------------+------|
|Availability   |Unencrypted laptop(s) stolen during burglary     |2     |
+---------------+-------------------------------------------------+------+

 

2020

+---------------+-------------------------------------------------+------+
|Breach Type    |Circumstances                                    |Number|
+---------------+-------------------------------------------------+------+
|Confidentiality|Unauthorised disclosure of personal data by email|13    |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised disclosure of personal data by email|5     |
|               |to internal recipient(s)                         |      |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised distribution of personal data       |1     |
|---------------+-------------------------------------------------+------|
|Confidentiality|Personal data shared unnecessarily/without       |3     |
|               |consent                                          |      |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised disclosure of personal data in      |1     |
|               |online presentation                              |      |
|---------------+-------------------------------------------------+------|
|Confidentiality|Unauthorised disclosure of personal data by      |4     |
|               |letter                                           |      |
+---------------+-------------------------------------------------+------+

 

If you are dissatisfied with the handling of your request you can ask for
a review. A request for a review must be submitted within 40 working days
and should be put in writing to Deborah McVey, Information Governance Team
Leader, South Ayrshire Council, County Buildings, Wellington Square, Ayr
KA7 1DR, Tel: 01292 612223, Email: [3][South Ayrshire Council request email]. If you
remain dissatisfied after a review, you have the right to apply to the
Scottish Information Commissioner for a decision. This must be submitted
within 6 months after the review and should be put in writing to the
Scottish Information Commissioner at Kinburn Castle, Doubledykes Road, St.
Andrews, Fife KY16 9DS, Tel: 01334 464610 Email:
[4][email address] or use the online portal
[5]http://www.itspublicknowledge.info/YourR...

 

Kind regards

Andrew

 

FOI Team | Information Governance | Chief Executive’s Office | County
Buildings | Wellington Square | Ayr, KA7 1DR | Tel: 01292 612223 | E-mail:
[6][South Ayrshire Council request email] | [7]www.south-ayrshire.gov.uk
