Breaches of the data protection act committed in England

The request was successful.

Dear Information Commissioner's Office,

Please would you kindly confirm whether it is the duty of the ICO in 2015 to investigate all alleged breaches of the data protection act committed in England without exception.

Kindly provide copies of your procedures for investigating the above alleged breaches - which would include for instance an elected official leaking sex abuse victims' names to the public. Please split these so we can see which procedures were active in 2015 and then which are active as of today's date.

Yours faithfully,

Mr Glynne Powell.

Information Access Inbox, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit:

[1]https://ico.org.uk/about-the-ico/our-inf...

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found
[3]here.

Twitter

Find us on Twitter [4]here.

 

References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/
3. https://ico.org.uk/about-the-ico/news-an...
4. http://www.twitter.com/ICOnews

Information Commissioner's Office

13 February 2020

 

Case Reference Number IRQ0903209

 

Dear Mr Powell,

We write in response to your recent request for information. We received
your request on 16 January 2020 and we are now in a position to respond.
 
We have dealt with your request in accordance with your ‘right to know’
under section 1(1) of the Freedom of Information Act 2000 (FOIA).
  
Request
 
In your email you asked:
 
Please would you kindly confirm whether it is the duty of the ICO in 2015
to investigate all alleged breaches of the data protection act committed in
England without exception. Kindly provide copies of your procedures for
investigating the above alleged breaches - which would include for
instance an elected official leaking sex abuse victims' names to the
public. Please split these so we can see which procedures were active in
2015 and then which are active as of today's date.
 
Response
 
Please be advised that we hold some information in scope of your request.
 
By way of advice and assistance we can advise you that under the Data
Protection Act 1998 there was no general obligation to report data
breaches. Therefore, there was no obligation on the ICO to “investigate
all alleged breaches of [DPA98]…without exception”.
 
It was the position of the Information Commissioner that serious breaches
should be brought to the attention of the ICO. The guidance for data
controllers which was available in 2015—Guidance on data security breach
management—can be accessed via the National Archives here:
 
[1]https://webarchive.nationalarchives.gov....
 
The data protection regulatory action policy and procedure for issuing
monetary penalty notice which were current in 2015, set out how the ICO
considered the application of our regulatory powers. These documents are
also available via the National Archives here:
 
[2]https://webarchive.nationalarchives.gov....
 
The National Archives (TNA) has an ‘internet memory’ section within their
own published records in which you can see a snapshot of the ICO’s website
at various stages going back to 2006.  These snapshots are still
searchable, but will not have the full functionality of the original ICO
web page.
 
With the enactment of GDPR and the Data Protection Act 2018 it became
mandatory for organisations to report certain incidents to the ICO.
However, it is important to note that not every breach is considered
reportable. A self-assessment is available on our website to assist
organisations in determining whether a breach is reportable. This tool is
available here:
 
[3]https://ico.org.uk/for-organisations/rep...
 
While the ICO will assess all reported breaches, it is for us to determine
which ones require escalation or further investigation. This determination
will be made in accordance with the Regulatory Action Policy (updated for
GDPR and DPA18), which is available on our website here:
 
[4]https://ico.org.uk/media/about-the-ico/d...
 
As the information we have provided in our response is available online,
it is technically exempt from disclosure pursuant to section 21
FOIA—information accessible to applicant by other means.
 
This concludes our response. We hope the information provided is helpful.
 
Review Procedure
 
If you are dissatisfied with this response and wish to request a review of
our decision or make a complaint about how your request has been handled
you can write to the Information Access Team at the address below or
e-mail [5][ICO request email].
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response.  Any such request
received after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please write
to our Customer Contact Team at the address given or visit our website if
you wish to make a complaint under the Freedom of Information Act.
 
A copy of our [6]review procedure can be accessed from our website.

Yours sincerely
 

Shannon Keith
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 313 1636  F. 01625 524510  [7]ico.org.uk  [8]twitter.com/iconews
For information about what we do with personal data see our [9]privacy
notice.

 
 

References

Visible links
1. https://webarchive.nationalarchives.gov....
2. https://webarchive.nationalarchives.gov....
3. https://ico.org.uk/for-organisations/rep...
4. https://ico.org.uk/media/about-the-ico/d...
5. mailto:[ICO request email]
6. https://ico.org.uk/media/1883/ico-review...
7. http://ico.org.uk/
8. https://twitter.com/iconews
9. https://ico.org.uk/global/privacy-notice/