Area 4C, Nobel House
17 Smith Square
London
SW1P 3JR
T: 03459 33 55 77
xxxxxxxx@xxxxx.xxx.xxx.xx
www.gov.uk/defra
Mr Jonathan Mantle
Our ref: RFI 8330
By email: xxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxxxxx.xxx
20 June 2016
Dear Mr Mantle
REQUEST FOR INFORMATION: DATA PROTECTION BREACHES REGISTERED
WITH THE INFORMATION COMMISSIONER’S OFFICE SINCE 1 JANUARY 2015
Thank you for your request for information, which we received on 23 May 2016, about data
protection breaches registered with the Information Commissioner’s Office (ICO) since
1 January 2015. As you know, we have handled your request under the Freedom of
Information Act 2000 (FOIA).
You made your request in the following terms:
“Please can you tell me how many times [Defra has] had to [register] a Data
Protection Breach with the ICO since 01/01/15 until time of writing?”
In line with central government policy, Defra reports any serious data related incidents (i.e.
serious data protection breaches) to the Information Commissioner, details of which are
published in Defra’s Annual Report and Accounts. Defra’s Annual Report and Accounts
for 2015-16 are due to be published in July. However, in response to your request, I can
inform you that Defra* has not reported any data protection incidents of this nature to the
ICO.
In addition to reporting serious data protection breaches to the ICO in line with the central
government policy as mentioned above, Defra may report data protection breaches to the
ICO outside that policy. During the period covered by your request (i.e. from 1 January
2015 to 23 May 2016 (the date of your request)), Defra holds information in respect of
these other breaches that you have requested (i.e. the number of times Defra has had to
register such data protection breaches with the ICO). However, as the number of any of
these breaches reported to the ICO is small, information about them, including the number
of such breaches, constitutes other individuals’ personal data as defined in section 1(1) of
the Data Protection Act 1998 (DPA) and we are of the view that disclosure of the
information would breach the DPA. Consequently, we are withholding this information
under sections 40(2) and 40(3)(a)(i) of the FOIA, which exempts from disclosure
information consisting of personal data relating to individuals other than the requester in
cases where such disclosure would breach any of the data protection principles in Part I of
Schedule 1 to the DPA. We consider that disclosure of this information is likely to breach
the first data protection principle in the DPA, which relates to the fair and lawful processing
of personal data. Public disclosure of the information would not constitute ‘fair’ processing
of the personal data because the information, when coupled with other information about
the incident(s) which is known to some persons, would enable the information to be
identified as relating to particular individuals and people would be able to discern personal
data that they are not entitled to know.
________________
* “Defra” means the core department of Defra and the four Executive Agencies (APHA (Animal and Plant
Health Agency), Cefas (Centre for Environment, Fisheries and Aquaculture Science), RPA (Rural Payments
Agency) and VMD (Veterinary Medicines Directorate)).
We attach an annex giving contact details should you be unhappy with the service that you
have received.
If you have any queries about this letter please contact me.
Yours sincerely,
David Waller
EIRs/FOIA case officer
Information Rights Team xxxxxxxxxxxxxxxxxxx@xxxxx.xxx.xxx.xx
Annex
Complaints
If you are unhappy with the service you have received in relation to your request you may
make a complaint or appeal against our decision under section 17(7) of the FOIA or under
regulation 18 of the EIRs, as applicable, within 40 working days of the date of this letter.
Please write to Nick Teall, Head of Information Rights, Area 4C, Nobel House, 17 Smith
Square, London, SW1P 3JR (email: xxxxxxxxxxxxxxxxxxx@xxxxx.xxx.xxx.xx) and he will
arrange for an internal review of your case. Details of Defra’s complaints procedure are on
our website.
If you are not content with the outcome of the internal review, section 50 of the FOIA and
regulation 18 of the EIRs give you the right to apply directly to the Information
Commissioner for a decision. Please note that generally the Information Commissioner
cannot make a decision unless you have first exhausted Defra’s own complaints
procedure. The Information Commissioner can be contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF