Alleged data breach by PHSO involving thousands of names

D. Moore made this Freedom of Information request to Information Commissioner's Office


The request was partially successful.

Dear Information Commissioner's Office,

In evidence presented to the Public Administration and Constitutional Affairs Committee (PHSO Scrutiny 2018/19 inquiry), an allegation is made that the PHSO unlawfully published the names of thousands of complainants. Additionally, it is alleged that the names of caseworkers who dealt with the cases involved were also published, as well as the names of MPs who dealt with each case (the latter would greatly assist anyone malevolently inclined e.g. a fraudster purporting to offer legal assistance to rectify an injustice to locate the victims). The allegation is supported by a redacted screenshot and appears credible. The screenshot includes many more details related to each complainant.

1. Can you confirm that the PHSO contacted you relating to the alleged data breach I have outlined above? If so:

2. On what date did the PHSO first contact you about the alleged data breach?

3. If the PHSO has confirmed that a data breach did in fact occur, please provide (i) the date of the data breach and (ii) the date the PHSO first notified you that the data breach had definitely occurred.

4. Please provide copies of all communications (redacted where appropriate) between yourself, the PHSO and any other relevant parties in respect of the alleged or confirmed data breach. Additionally, please provide copies of any high-level documents created as a consequence of the alleged/confirmed data breach which would help shine a light on how you deal with unlawful disclosures of personal information.

For your information, I understand that the allegation refers to a spreadsheet entitled “Complaints about UK government departments and other public organisations” for the year 2018/19. This document no longer appears to be available on the PHSO website, but was referenced in this request concerning ICO complaints dealt with by the PHSO:

https://www.whatdotheyknow.com/request/c...

Yours faithfully,

D Moore

Information Access Inbox, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit:

[1]https://ico.org.uk/about-the-ico/our-inf...

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found
[3]here.

Twitter

Find us on Twitter [4]here.

 

References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/
3. https://ico.org.uk/about-the-ico/news-an...
4. http://www.twitter.com/ICOnews

D. Moore left an annotation ()

I have contacted the PHSO about this matter:

https://www.whatdotheyknow.com/request/m...

J Roberts left an annotation ()

Amanda Amroliwala confirmed the data breach at today's PACAC annual PHSO scrutiny hearing. She said it occurred on 5th March and that PHSO was made aware of it on 28 April. It was caused by a combination of human and system errors. She downplayed the extent of the breach (a low risk of malicious use) and said that the ICO had been informed. She further said that the PHSO would be writing to 300 people. The Chairman revealed that MPs were to receive letters as well, so how many of the 300 people include MPs?

ICO Casework, Information Commissioner's Office

19 May 2020

Case Reference: IC-40362-R9W2
Dear D Moore

Acknowledgement of request for information

Thank you for your email to the Information Commissioner’s Office (ICO) of
12 May 2020. This contained a request for information and was passed to
the ICO’s Information Access Team. 

Under statutory timeframes our response to your request is due by 10 June
2020. However, please note that during this pandemic period it may not be
possible to respond to your information request on time. We apologise for
that but during this pandemic period, we have put arrangements in place to
protect our staff and others from the potential spread of Coronavirus
(COVID-19). 

Next steps

If you wish to raise a complaint about the time we have taken to respond
to your information request, this can be sent to this office as the
statutory complaint handler. Please refer to our website at:

[1]https://ico.org.uk/make-a-complaint/

Please note that when considering complaints, we will take into account
any extraordinary circumstances which mean resources have been diverted.  

Our privacy notice explains what we do with the personal data you provide
to us and what your rights are, with a specific entry, for example, for an
information requester. It also includes details of our retention policy.
Please see the link below for further information. 

Yours sincerely

Antonia Swann
Lead Information Access Officer

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 414 6894 [2]ico.org.uk [3]twitter.com/iconews
Please consider the environment before printing this email.

Please be aware we are often asked for copies of the correspondence we
exchange with third parties. We are subject to all of the laws we deal
with, including the data protection laws and the Freedom of Information
Act 2000. You can read about these on our website ([4]www.ico.org.uk).
Please say whether you consider any of the information you send us is
confidential. You should also say why. We will withhold information where
there is a good reason to do so.
For information about what we do with personal data see our privacy notice
at [5]www.ico.org.uk/privacy-notice.

References

Visible links
1. https://ico.org.uk/make-a-complaint/
2. https://ico.org.uk/
3. https://twitter.com/iconews
4. https://www.ico.org.uk/
5. https://www.ico.org.uk/privacy-notice

J Roberts left an annotation ()

The ICO's 'Parliamentary and Health Ombudsman Data protection audit report' dated March 2018 concluded:

“There is a limited level of assurance that processes and procedures are in place and delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA.”

https://ico.org.uk/media/action-weve-tak...

Two years later and the PHSO's processes and procedures are still found wanting.

J Roberts left an annotation ()

Here's what the ICO has said about the massive Easyjet breach:

"People have a right to expect that organisations will handle their personal information securely and responsibly. When that doesn't happen, we will investigate and take robust action where necessary."

https://www.bbc.com/news/technology-5272...

Fraudsters could easily contact PHSO complainants whose details have been published and claim that their case was in fact upheld and that they are entitled to compensation. Some unfortunate complainants could be caught out by the phishing scam and hand over their bank details.

J Roberts left an annotation ()

PACAC tweet:

"The Deputy Ombudsman Amanda Amroliwala has apologised for a data breach that occurred when spreadsheet with hidden tabs was included in a recent report. The breach has been reported and all involved are being contacted."

https://twitter.com/CommonsPACAC/status/...

It is interesting that the tweet refers to "all involved being contacted". Ms Amroliwala said that around 300 people would be contacted, which suggests the breach involved 300 complainants.

J Roberts left an annotation ()

Just over 5% of complainants affected are to be written to. Here is the statement on the PHSO website:

"We regret to report that on 5 March, a list of complainants’ names and some information about their complaints were published in error on our website. The names of the caseworkers who worked on these complaints were also published.

The data did not include any contact details such as telephone numbers, emails or addresses, nor personal information such as age or date of birth.

The information was removed on 28 April 2020. If you have downloaded or otherwise obtained a copy of the spreadsheet, please delete it in whatever form you hold it.  

How many people were affected?

The names of just over 5,300 complainants and 197 members of PHSO staff were published. For the vast majority, we are satisfied that no issues arise which require action beyond publishing this notice. However, we are taking a cautious approach by notifying 311 people individually where inferences could be drawn from the data.

Where was the data?

The information was in a spreadsheet published alongside the Ombudsman’s Annual Casework Report 2019. The spreadsheet showed the number of complaints received about each organisation. The information was not visible to readers unless they clicked to reveal hidden tables. 

What did the data include?

The information published was: 

the names of the complainants
the date a complainant contacted us 
how they contacted us (by telephone or using the web form) 
the organisation(s) complained about
the name of the caseworker and whether the case was upheld, partly upheld or not upheld. 

What are the risks?

Having investigated the information that was published, we believe the risk of someone using this information maliciously is very low.

What action has PHSO taken?

As soon as we became aware of the situation, we removed the information from the website and reported the data breach to the Information Commissioner. We are investigating what went wrong and have reviewed and changed our processes to make sure this does not happen again.

We are very sorry that this happened and for any worry it may cause our service users and colleagues.

I downloaded and saved a copy of the spreadsheet while it was available on the website. What should I do?

If you have downloaded or otherwise obtained a copy of the spreadsheet, please delete it in whatever form you hold it.  

If you want to contact us

If you have any questions or would like to discuss this further, please contact our Data Protection Officer at privacy@ombudsman.org.uk. If you are unhappy with our response, you can complain to the Information Commissioner’s Office."

https://www.ombudsman.org.uk/notice-data...
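The PHSO statement above attributes the disclosure to hidden tables in a spreadsheet published alongside a report. The following is an added example, not code from the page, PHSO or the ICO: a stdlib-only pre-publication check for .xlsx files that flags hidden sheets, rows and columns before a workbook is released. The two-sheet workbook it builds is constructed here as a minimal skeleton of only the parts the check reads, not a real PHSO file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# An .xlsx file is a zip of XML parts in the SpreadsheetML namespaces below.
MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS = {"m": MAIN}

def hidden_content(xlsx_bytes: bytes) -> dict:
    """Report hidden sheets (state="hidden"/"veryHidden") and hidden rows/cols (hidden="1")."""
    found = {"hidden_sheets": [], "hidden_rows": {}, "hidden_cols": {}}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in wb.iterfind("m:sheets/m:sheet", NS):
            if sheet.get("state") in ("hidden", "veryHidden"):
                found["hidden_sheets"].append(sheet.get("name"))
        for part in sorted(zf.namelist()):
            if not (part.startswith("xl/worksheets/") and part.endswith(".xml")):
                continue
            ws = ET.fromstring(zf.read(part))
            rows = [r.get("r") for r in ws.iterfind("m:sheetData/m:row", NS)
                    if r.get("hidden") in ("1", "true")]
            cols = [(c.get("min"), c.get("max")) for c in ws.iterfind("m:cols/m:col", NS)
                    if c.get("hidden") in ("1", "true")]
            if rows:
                found["hidden_rows"][part] = rows
            if cols:
                found["hidden_cols"][part] = cols
    return found

def safe_to_publish(xlsx_bytes: bytes) -> bool:
    # Release gate: any hidden content means the file needs review, not publication.
    return not any(hidden_content(xlsx_bytes).values())

def build_sample_xlsx(hide_case_data: bool = True) -> bytes:
    """Constructed skeleton: a visible summary tab plus a hidden per-case tab with hidden rows/cols."""
    state = ' state="hidden"' if hide_case_data else ""
    hidden = ' hidden="1"' if hide_case_data else ""
    workbook = (f'<workbook xmlns="{MAIN}" xmlns:r="{RELS}"><sheets>'
                '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
                f'<sheet name="Case data" sheetId="2"{state} r:id="rId2"/></sheets></workbook>')
    summary = f'<worksheet xmlns="{MAIN}"><sheetData><row r="1"/></sheetData></worksheet>'
    cases = (f'<worksheet xmlns="{MAIN}"><cols><col min="2" max="3"{hidden}/></cols>'
             f'<sheetData><row r="1"/><row r="2"{hidden}/></sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", summary)
        zf.writestr("xl/worksheets/sheet2.xml", cases)
    return buf.getvalue()
```

Worksheet parts are reported by their zip path rather than tab name, since mapping them back requires the relationships part that this skeleton omits.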

J Roberts left an annotation ()

This new Insight and Compliance Department might be asked to look into things if " serious failures to take proper steps to PRODUCT personal data" are identified (I think PRODUCT [my emphasis] should be PROTECT).

"Objective 2: To be effective, proportionate, dissuasive and consistent in our application of sanctions, targeting our most significant powers; (i) for organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to PRODUCT personal data, and (ii) where formal regulatory action serves as an important deterrent to those who risk non-compliance with the law."

Insight and Compliance Approach (7.):

https://www.whatdotheyknow.com/request/i...

The ICO, after all, was critical of the PHSO's data security policies and procedures two years ago.

ICO Casework, Information Commissioner's Office

1 Attachment

5 June 2020

Case Reference: IC-40362-R9W2

Dear D Moore

Further to your information request to the Information Commissioner's
Office of 12 May 2020, please find our response attached.

Yours sincerely

Antonia Swann
Lead Information Access Officer
Information Commissioner's Office

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 414 6894 [1]ico.org.uk [2]twitter.com/iconews
Please consider the environment before printing this email.

References

Visible links
1. https://ico.org.uk/
2. https://twitter.com/iconews

J Roberts left an annotation ()

Recent ICO survey: 'Information Rights Strategic Plan: Trust and Confidence':

https://ico.org.uk/media/about-the-ico/d...

'Q1. How much trust and confidence do you have in companies and organisations storing and using your personal information?

Net low trust and confidence

2019 - 38%

2020 - 28%'

A significant fall.

christina evans left an annotation ()

There is not a lot of trust at all. Data breaches are happening to people. It is not right. Also, data about people are sometimes incorrect and misleading, causing a lot of harm, especially to people who are unaware of misinformation about them and also to people who are unable to make sure their data is not breached due to vulnerability or illness.

christina evans left an annotation ()

There is not a lot of trust at all. Data breaches are happening to people. It is not right. Also, data about people are sometimes incorrect and misleading, causing a lot of harm, especially to people who are unaware of misinformation about them and also to people who are unable to make sure their data is not breached due to vulnerability or illness. Is it professional to get random phone calls from PHSO? I am worried about a phone call I received from them. I phoned PHSO up afterwards to ask for information about who exactly called me. They admitted I had received a call from them but would not divulge who the person was.

J Roberts left an annotation ()

Christina,

I am sorry to hear about your unfortunate experience:

'I am worried about a phone call I received from them. I phoned PHSO up afterwards to ask for information about who exactly called me. They admitted I had received a call from them but would not divulge who the person was.'

It seems strange that they would not divulge the identity of the person who phoned you. This incident will provide cynics with ammunition: why don't they reveal the name of the caller if the phone call really was from the PHSO? Refusing to divulge the name of the caller is no antidote to the unlawful disclosure of thousands and thousands of complainants' names.

J Roberts left an annotation ()

The PHSO has finally published the table showing the complaints about government departments/public bodies etc that it handled in 2018/19:

https://www.ombudsman.org.uk/sites/defau...

It received 173 enquiries about the IC, but none of its investigations were either fully upheld or partly upheld.

J Roberts left an annotation ()

Regarding my annotation of 11/11/20, here is a further PHSO disclosure:

'We received 242 complaints regarding ICO in 2019/20'

https://www.whatdotheyknow.com/request/s...