City of York data breach notification

The request was refused by the Information Commissioner's Office.

Dear Information Commissioner’s Office,

I have read that the ICO have received a data breach notification from the City of York regarding personally identifiable information being released by their app "One Planet York". I would like to see a copy of the information provided by the City of York to the ICO as part of the data breach notification and I'd like to know when this information was provided. If there are multiple revisions of any documents I would like to see each revision.

Yours faithfully,

Stephen Paulger

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[3]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [4]http://www.twitter.com/ICOnews

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. https://ico.org.uk/global/privacy-notice/
3. http://www.ico.org.uk/tools_and_resource...
4. http://www.twitter.com/ICOnews

Information Commissioner's Office

21 December 2018

Case Reference Number IRQ0805559

Dear Mr Paulger

Further to your information request to the Information Commissioner’s
Office (ICO) of 27 November 2018, relating to a data security breach
involving City of York Council and their ‘One Planet York’ app, we can now
respond.

We have dealt with your request in accordance with your ‘right to know’
under section 1(1) of the Freedom of Information Act 2000 (FOIA), which
entitles you to be provided with any information ‘held’ by a public
authority, unless an appropriate exemption applies.

Your request

You have asked for the following information:

“I have read that the ICO have received a data breach notification from
the City of York regarding personally identifiable information being
released by their app "One Planet York". I would like to see a copy of the
information provided by the City of York to the ICO as part of the data
breach notification and I'd like to know when this information was
provided. If there are multiple revisions of any documents I would like to
see each revision.”

Our response

We can confirm that we do hold information within the scope of your
request, as the council have provided us with information relating to this
data breach.

We are currently investigating the circumstances surrounding this breach
and the actions of the council. Our consideration of the issues raised by
this incident is ongoing, and as yet no conclusion has been reached or
outcome decided.

Once our investigation is complete we will decide whether regulatory
action is appropriate or not in accordance with our current Data
Protection Regulatory Action Policy, which is available on our website
[1]here.

Because of this we consider that all the information that we hold relating
to this data breach, including the notification we have received from the
council, is exempt from disclosure under section 31(1)(g) of the FOIA.
This section states:

“Information… is exempt information if its disclosure under this Act
would, or would be likely to, prejudice – (g) the exercise by any public
authority of its functions for any of the purposes specified in subsection
(2)”

The purposes referred to in sections 31(2)(a) and (c) are:

(a) the purpose of ascertaining whether any person has failed to comply
with the law

(c) the purpose of ascertaining whether circumstances which would justify
regulatory action in pursuance of any enactment exist or may arise

The purposes at section 31(2)(a) and (c) apply when the Information
Commissioner is determining whether or not there has been a breach of the
legislation we regulate, and whether any further action is appropriate.

The exemption at section 31 is not absolute, and we need to consider the
public interest test by weighing up the factors for and against disclosure
of the information we hold at this time, as well as any prejudice or harm
which may be caused by disclosure.

As our investigation into the actions of the council and its impact on the
data subjects affected is still being considered, and no decision about
formal regulatory action has been made, we take the view that disclosure
of the information you have asked for would be likely to prejudice the
ongoing co-operation between the ICO and the council, and discourage any
future discussions. This in turn would be likely to damage our ability to
conduct and conclude the investigation thoroughly, fairly and
proportionately.

We have also considered the public interest test for and against
disclosure. In this instance the public interest factors in favour of
disclosure are:

* Openness and transparency in the way in which data security incidents
are reported to the ICO and how the ICO deals with those incidents in
the early stages of an investigation.
* The understandable interest of the public, and particularly the
affected data subjects, in being able to see and understand the nature
and detail of this incident.

The public interest factors in favour of maintaining the exemption are:

* The need for the ICO to continue to encourage organisations to report
data security incidents where necessary, and co-operate with the ICO
with any investigation undertaken.
* To allow the ICO to maintain the trust and confidence of organisations
under investigation that their correspondence and communication with
the ICO will be given an appropriate level of confidentiality while
our enquiries continue.
* Allowing the ICO a ‘safe space’ in which to consider the information
provided by those organisations which is free from external
influences, and to ensure the confidentiality of our own enquiries and
analysis of the incident so far, and
* Premature disclosure of information provided in confidence, or
considered to be confidential, would be likely to have a long term
detrimental effect on the self-reporting of data security incidents
and the co-operation of controllers with the ICO in the future.

Having considered all of these factors we have taken the decision that the
public interest in withholding the information outweighs the public
interest in disclosing it, and the information you have asked for is
exempt from disclosure under s31(1)(g) of the FOIA.

In closing we would also mention that under the new General Data
Protection Regulations (GDPR) controllers are assured of a higher level of
confidentiality relating to any data protection breaches that are reported
to the relevant supervising authority.  The ICO’s Data Protection
Regulatory Action Policy (referred to above) is currently under review by
Parliament with a view to being updated to reflect the new position under
GDPR, and when this review is complete our Communicating Regulatory Action
Policy (also available on our website [2]here) will also be revised to
reflect any appropriate changes.

This concludes our response to your request.

Review Procedure

If you are dissatisfied with this response and wish to request a review of
our decision or make a complaint about how your request has been handled
you should either reply directly to this email, write to the Information
Access Team at the address below or email
[3][ICO request email].

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response.  Any such request
received after this time will only be considered at the discretion of the
Commissioner.

If having exhausted the review process you are not content that your
request for review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please write
to our Customer Contact Team at the address given or visit our website if
you wish to make a complaint under either the Freedom of Information Act
or Environmental Information Regulations.

A copy of our review procedure can be accessed from our website [4]here.

Yours sincerely

Antonia Swann
Lead Information Access Officer
Risk & Governance Department
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 414 6894  [5]ico.org.uk  [6]twitter.com/iconews
For information about what we do with personal data see our [7]privacy
notice

References

Visible links
1. https://ico.org.uk/media/about-the-ico/p...
2. https://ico.org.uk/media/about-the-ico/p...
3. mailto:[ICO request email]
4. https://ico.org.uk/media/about-the-ico/p...
5. http://ico.org.uk/
6. https://twitter.com/iconews
7. https://ico.org.uk/global/privacy-notice/