26 June 2020
Ms Srinidhi Vasudevan
By email only:
xxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxxxxx.xxx
Ref: IC-41821-P1R7
Dear Ms Vasudevan,
We write in response to your recent request for information, which we
received on 30 May 2020. We are now in a position to provide a response.
We have dealt with your request in accordance with your ‘right to know’
under section 1(1) of the Freedom of Information Act 2000 (FOIA).
Request
In your correspondence you asked us:
I would like to know the following details about security/data breaches
reported to the ICO by organisations from February 01, 2020 (COVID19
period):
1. How many breaches were reported?
2. For the reported breaches, could you please provide the details
including the name of the organisation, the industry/sector, the
financial impact and the remedial actions taken?
Response
We can confirm that we hold information in scope of your request.
In relation to your first request, between 1 February and 30 May 2020 the
ICO received 2950 breach reports from controllers.
In relation to your second request, of the 2950 breach reports received,
2237 have been closed as requiring no remedial action but advice given.
Our assessment or investigation of the remaining 713 breach reports has
not yet concluded – therefore there are no ‘remedial actions’ or outcome
that we can report on.
The number of breach reports by sector, for the same period is provided
in the following table:
Sector                            Total reports
Central Government                71
Charitable and voluntary          146
Education and childcare           430
Finance, insurance and credit     332
General business                  181
Health                            457
Justice                           62
Land or property services         141
Legal                             231
Local government                  260
Marketing                         9
Media                             13
Membership association            52
Online Technology and Telecoms    77
Political                         9
Regulators                        7
Religious                         13
Retail and manufacture            286
Social care                       69
Transport and leisure             83
Utilities                         21
Grand Total                       2950
We should advise you that the ICO cannot report on the financial impact
of data protection breaches sustained by controllers—this is not
information we require for our business needs.
You may be aware that the ICO publishes datasets of our completed
casework on our website. These include both our FOI and DP casework—including
both individual data protection complaints and breaches reported by
controllers.
We acknowledge that there is a data set publication gap from September
2018 to present, where information is held, but has not yet been
published by the ICO online. We are actively working to bring these
datasets up to date, however, the ICO continues to manage an
unprecedented number of information requests. This is having an effect
on our ability to keep up to date with our proactive disclosure regime.
We are withholding the remaining information in scope of your request—
the names of individual controllers—under section 22 of the FOIA because
this is information intended for future publication. We explain this
exemption further below.
Information withheld - section 22 FOIA
Section 22 of the FOIA states that information is exempt from disclosure
in response to an information request if:
“(a) the information is held by the public authority with a view to its
publication, by the authority or any other person, at some future date
(whether determined or not),
(b) the information was already held with a view to such publication at
the time when the request for information was made, and
(c) it is reasonable in all the circumstances that the information should be
withheld from disclosure until the date referred to in paragraph.”
The exemption at section 22 is qualified by the public interest test,
meaning that the information should be disclosed if the public interest in
the maintenance of the exemption does not outweigh the public interest
in disclosure.
In this case the public interest factors in disclosing the information are:
• Transparency in the number and nature of data breaches reported
to the ICO, and our assessment of these reports.
The factors in withholding the information are:
• The ICO has a history of publishing this information on a periodic
basis and has committed to publishing relevant data sets—at which
point the information will be in the public domain.
• To prepare this information for disclosure earlier than intended, in
response to individual requests we receive, would be time and
resource intensive, and would not be an efficient use of resources
when we intend to publish this information in due course in any
case.
• Earlier disclosure is not necessary to satisfy any pressing public
interest at the present time.
Having considered the public interest arguments, we consider it
reasonable in the circumstances to withhold this information under
section 22 of the FOIA.
That concludes our response to your information request. We trust that
the information we have been able to provide proves helpful.
Review Procedure
If you are dissatisfied with this response and wish to request a review of
our decision or make a complaint about how your request has been
handled you can write to the Information Access Team at the address
below or e-mail xxxxxxxxxxxxxxxxxxxx@xxx.xxx.xx.
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request
received after this time will only be considered at the discretion of the
Commissioner.
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint handler
under the legislation. To make such an application, please write to our
Customer Contact Team at the address given or visit our website if you
wish to make a complaint under the Freedom of Information Act.
A copy of our review procedure can be accessed from our website.
Yours sincerely
Shannon Keith
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
T. 0330 313 1636 F. 01625 524510
ico.org.uk twitter.com/iconews