Response times for Personal data breaches since GDPR day

The request was refused by Swansea Council.

Dear Swansea Council,

For all personal data breaches since 25 May 2018, please provide:

a) Date and time the breach was reported to the Council
b) Date and time the Data Breach Panel met
c) Yes or No, whether the Panel met within 72 hours of the breach being discovered as recorded in 2.1 of BR140
d) Yes or No, whether the Panel decided to refer the breach to the ICO as recorded in 2.3 of BR140
e) Yes or No, whether the Panel decided to inform the data subject(s) as recorded in 2.4 of BR140
f) Section/department of the Council responsible
g) General description of each personal data breach (eg. Oracle database deleted requiring all pupil/parent/guardian records to be re-captured and re-entered, diary left on bus containing vulnerable service users, P45 sent to wrong household etc.)
h) the number of individuals affected by each personal data breach

To avoid duplication of your work, please update the previously disclosed/reviewed spreadsheet to add the additional information requested.

Yours faithfully,

D Morris

Freedom of Information (Mailbox), Swansea Council

The details you have provided will be passed on to the relevant department
or departments that hold the information.

Your request will be processed within 20 working days unless we require
more details from you. If this is the case, you will be contacted via the
details you have given on this form.

There is no fee for making a request, provided the information does not
cost the council more than £450 to produce. If this is the case you will
be informed.

Michael Powney, Swansea Council

2 Attachments

Hello Mr. Morris

Further to your freedom of information request regarding data breaches,
please find our response attached.

Thanks

Michael Powney

Uned Llywodraethu Gwybodaeth
Information Governance Unit

[email address]

Dear Swansea Council,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Swansea Council's handling of my FOI request 'Response times for Personal data breaches since GDPR day'.

I was disappointed that Swansea Council waited until the twentieth working day to claim a Section 12 exemption (Cost of compliance would exceed the relevant cost limit) in relation to the FOI I submitted on 21 January 2022. Swansea Council appears to have been unreasonable in not attending to the request promptly and incorrectly claiming the exemption.

Curiously Swansea Council has estimated the time to search each record, noting there are now "approximately 210 records, spending 5 minutes per record to locate, retrieve and extract the information". You also reference that 202 records were searched from the previous request of 3 December 2021. Obviously since the 202 records were searched previously then it is unreasonable to "estimate" the effort needed - Swansea Council should know.

I struggle to believe that "the information you have requested is not regularly reported upon". Does the Information Governance Unit bury the outcomes of each report? Does it not promulgate best practice? Does it never summarise data breaches to other section heads, so as to educate colleagues not to make further mess-ups?

Swansea Council also appears to have grossly inflated the time taken to search each record to form an after-the-fact estimate. A time of 2 minutes per record might have been justified as a reasonable estimate. I base this assessment on the very narrow and well defined dataset, namely:

1) Electronically completed and filed BR140 Personal Data Breach Report form for each data breach
2) BR140 form constrains the data collected into narrow fields (eg asking for a date and not surveying the populace's general views on how disastrous the bendy-bus was)
3) Person(s) completing the form must have been adequately trained before completing the form
4) BR140 is reviewed/updated multiple times during the data breach investigation by subject specialists
5) Each completed BR140 form is reviewed at Data Breach Panel, and again at a Post Implementation review

Referring to the request of 3 December 2021, and the fields on the BR140 form, the initial FOI request required the following workflow:

$ localc & #setup spreadsheet to record
$ cd directory_BR140_forms
$ for ii in BR140*docx; do lowriter "${ii}"; done #loop to open each file in turn then:

#a) read 4 words (max) from 1.2 (eg Thirty First Month Year); record 8 digits & 2 punctuation
#b) read 3 words (max) from Part 1 Section heading (eg Payroll) ; record <=3 words
#c) read 300 words (max) from 1.3; record <=10 word summary
#d) read 4 digits (max) from 1.6; record <= 4 digits
#e) close BR140 form under examination (press Alt-F4/Ctrl-Q etc)

Even assuming an average reading speed of just 200 words per minute then the inspection and recording for each form should have taken no more than two minutes. I've also reasonably assumed that the BR140 files are named in a logical sequence (ISO 8601 inspired or perhaps a unique serial number?), are stored in some form of modern word processor format, and in my example workflow have used the Libre Office suite of tools (downloadable at no charge) from a command prompt (to avoid wasting time navigating and tracking files to open from a graphical interface).

My own personal experience of establishing and optimising production lines in high volume consumer manufacturing would also lead me to expect that the time taken to review each record would decrease as the operator improves through the duration of the task. It is also unlikely that the whole of the field 1.3 would need to be read. Again, I'm surprised that a summary was not already tracked. The time taken to open the word processing program is negligible after the PC has cached the program after the first invocation. Navigation within the file under examination is minimal as information is grouped on first two pages, and LibreOffice Writer will remember the viewing preference to apply to subsequent files (zoom & layout etc). I've also assumed that Swansea Council will have spent some of its annual billion pound budget on providing a decently sized screen and ergonomic workstation for the operator.

Plugging your absolute number of records into a more reasonable estimate of the task to comply with the FOI request of 3 December 2021 would give us 419 minutes as:

5 minutes to setup new spreadsheet
1 minute to locate the BR140 forms
2*202 minutes to perform the review & record
5 minutes to write a covering letter
5 minutes to email back to WhatDoTheyKnow.com

A "reasonable" estimate is therefore less than seven hours of total effort, not the "approximately seventeen hours" you now claim, after the event, in your section 12 exemption notice.

Iterating through the request of 21 January 2022 in a similar manner:

$ localc & #tweak spreadsheet to record
$ cd directory_BR140_forms
$ for ii in BR140*docx; do lowriter "${ii}"; done #loop to open each file in turn then:

#a) read 4 words (max) from 1.2 (eg four twenty three pm); record 4 digits and a colon
#b) read 8 words (max) from Part 2 Date & time; record 12 digits & 3 punctuation
#c) read 1 word (max) from 2.1; record 1 word
#d) read 1 word (max) from 2.3; record 1 word
#e) read 1 word (max) from 2.4; record 1 word
#f) close BR140 form under examination (press Alt-F4/Ctrl-Q etc)

The task for each file under examination should take some tens of seconds, but let's be generous and say this takes a full minute per file, then we now have a more reasonable estimate of:

5 minutes to tweak original spreadsheet
1 minute to locate the BR140 forms
1*"approximately 210" minutes to perform the review & record
5 minutes to write a covering letter
5 minutes to email back to WhatDoTheyKnow.com

We also need to add in the time for the first sweep to the "approximately" eight records (ie new breaches between 3 December 2021 and 21 January 2022). Again one could reasonably expect that to be streamlined into the last few examinations, but for simplicity's sake let's use 2 minutes each again for the "approximately 8". In total that now gives an estimate of approximately 242 minutes, a tad over four hours.

Clearly "less than seven" plus "a tad over four" hours is around eleven hours, significantly short of exceeding the eighteen hours Swansea Council claimed the Section 12 exemption for.

I trust that the internal review will be completed promptly, and I hope to receive the information without further intervention from the Information Commissioner's Office. I again re-iterate my disappointment at the time taken to claim a Section 12 exemption and find the justification was not 'sensible, realistic and supported by cogent evidence', per the guidance published by the ICO here:

https://ico.org.uk/media/for-organisatio...

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/r...

Yours,
D Morris

Freedom of Information (Mailbox), Swansea Council

Good morning,

Please can you provide the reference number of the FOI that you would like reviewed.

Regards

Julie Williams
Swyddog Cwynion Cynorthwyol
Assistant Complaints Officer

01792 637345
[email address]
[email address]

Dear Freedom of Information (Mailbox),

"A full history of my FOI request and all correspondence is available on the Internet at this address:
https://www.whatdotheyknow.com/request/r...

Swansea Council assigned it a reference of FOI 00264208 Daniel Morris Data Breaches.docx

Yours sincerely,

Daniel Morris

Freedom of Information (Mailbox), Swansea Council

Good afternoon

Thank you for getting back to me, I have now logged your review and a response will be sent to you in due course.

Regards

Julie Williams
Swyddog Cwynion Cynorthwyol
Assistant Complaints Officer

01792 637345
[email address]
[email address]

Rhodri Jones, Swansea Council

3 Attachments

Dear Daniel Morris

Please find attached my response on your request for an internal review of
your Freedom of Information request.

Regards

Rhodri

Rhodri Jones

Pennaeth y Tîm Perfformiad
Head of Performance Team

[email address]
[email address]

We welcome correspondence in Welsh and will deal with Welsh and English
correspondence to the same standards and timescales.

Daniel Morris left an annotation (29 March 2022)
ICO confirm under investigation and waiting for allocation to a case officer.