Dear Information Commissioner’s Office,

Please could you advise the instances of biometric databases that have been stolen, compromised or breached in any way in the UK.

My primary interest is with school biometric systems, that have been in place since 2001, but I would be grateful for information on non-education instances too.

Many thanks for your time on this.

Yours faithfully,

Pippa King

Information Commissioner’s Office

30th May 2014

 

Case Reference Number IRQ0541836

 

Dear Ms King

Thank you for your email of 21 May 2014 in which you have made a request
for information to the Information Commissioner’s Office.
 
Your request is being dealt with in accordance with the Freedom of
Information Act 2000.  We will respond promptly, and no later than 19 June
2014 which is 20 working days from the day after we received your request.
 
Should you wish to reply to this email, please be careful not to amend the
information in the ‘subject’ field. This will ensure that the information
is added directly to your case. However, please be aware that this is an
automated process; the information will not be read by a member of our
staff until your case is allocated to a request handler.
 
 

Yours sincerely

Joanne Crowley
Lead Information Governance Officer

____________________________________________________________________

The ICO's mission is to uphold information rights in the public interest,
promoting openness by public bodies and data privacy for individuals.

If you are not the intended recipient of this email (and any attachment),
please inform the sender by return email and destroy all copies.
Unauthorised access, use, disclosure, storage or copying is not permitted.
Communication by internet email is not secure as messages can be
intercepted and read by someone else. Therefore we strongly advise you not
to email any information, which if disclosed to unrelated third parties
would be likely to cause you distress. If you have an enquiry of this
nature please provide a postal address to allow us to communicate with you
in a more secure way. If you want us to respond by email you must realise
that there can be no guarantee of privacy.
Any email including its content may be monitored and used by the
Information Commissioner's Office for reasons of security and for
monitoring internal compliance with the office policy on staff use. Email
monitoring or blocking software may also be used. Please be aware that you
have a responsibility to ensure that any email you write or forward is
within the bounds of the law.
The Information Commissioner's Office cannot guarantee that this message
or any attachment is virus free or has not been intercepted and amended.
You should perform your own virus checks.
__________________________________________________________________

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk

Information Commissioner’s Office

18th June 2014

 

Case Reference Number IRQ0541836

 

Dear Ms King

I am writing further to our email dated 30 May in which we acknowledged
your request for information to the Information Commissioner’s Office
(ICO).
 
As previously explained we are treating your request as a request for
information under the Freedom of Information Act 2000 (FOIA).
 
Specifically your request stated;
“Please could you advise the instances of biometric databases that have been
stolen, compromised or breached in any way in the UK.

My primary interest is with school biometric systems, that have been in
place since 2001, but I would be grateful for information on non-education
instances too.”
 
You have referred to instances of biometric databases that have been
‘breached in any way’. We understand ‘breaches’ to mean both where an
incident has been ‘self-reported’ to the ICO by the data controller (that
is the organisation) or where a complaint has been brought to us by a
member of the public.
 
Unfortunately we are unable to provide you with the information which you
have requested.  We will explain why this is the case in more detail below
however we have conducted preliminary searches and consulted with the
relevant parts of the ICO in regard to your request.
 
Firstly it would appear helpful if I explain that the ICO uses an
electronic case management system to administer all the complaints and
enquiries we receive.  In line with the ICO’s retention periods our system
only holds cases going back two years.  Therefore as you will appreciate
we do not hold case information going back as far as 2001.
 
The system allows us to search for the cases we have dealt with in a
number of different ways, such as by the unique reference number the case
was given, the name and address of the person who contacted us and the
name of any organisation that has been complained about.  We can also
search for cases on the basis of the broad nature of the complaint, but we
can only search on a limited number of fixed criteria which are structured
around the main sections of the legislation which we oversee.  
 
Unfortunately we are unable to conduct an electronic search of our system
using the term ‘biometric’.  Therefore in order to ascertain if any data
protection cases related to concerns about biometric databases we would
need to search on each of the cases and read the correspondence to see if
there was any mention of the topic you are interested in. 
 
To give you an idea of the numbers of such cases in the last financial
year alone the ICO received over 15,000 data protection complaints.  Of
these cases 662 have been assigned the sector of ‘education’ on our
system. 
 
Section 12 of the FOIA makes clear that a public authority (such as the
ICO) is not obliged to comply with an FOIA request if the authority
estimates that the cost of complying with the request would exceed the
‘appropriate limit’.  The ‘appropriate limit’ for the ICO, as determined
in the ‘Freedom of Information and Data Protection (Appropriate Limit and
Fees) Regulations 2004’ is £450.  We have determined that £450 would
equate to 18 hours work. 
 
Therefore, assuming that each search and consideration of the
correspondence on each of these education sector cases alone would take
approximately 5 minutes to complete (and it is certain that some searches
would take much longer than that), this would equate to over 26 hours’
worth of searching.  As you will appreciate to perform the same searches
in relation to all the 15,000 cases would take many hundreds of hours. 
This is well in excess of the 18 hours which would accrue a charge of
£450.  It is for this reason, and in accordance with section 12 of the
FOIA, that we are not obliged to comply with your request for information.
 
However, if you are able to narrow the scope of your request we may be in
a position to provide the information free of charge, if it will cost us
less than the appropriate limit to do so.  For example, if you can name
any of the specific schools that you want information about, then we may
be able to conduct further searches and provide the information you seek. 
I should point out that any reformulated request you may wish to make to
the ICO will be treated as a new FOI request, and the 20 working day time
limit will begin again.
 
We are sorry that we are unable to be of further assistance to you on this
occasion.  If you are dissatisfied with the response you have received and
wish to request a review of our decision or make a complaint about how
your request has been handled you should write to the Information
Governance Department at the address below or e-mail
[1][ICO request email]
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response.  Any such request
received after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please write
to the Customer Contact department, at the address below or visit the
‘Complaints’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.
 
A copy of our review procedure is available [2]here.
 

Yours sincerely

Joanne Crowley
Lead Information Access Officer

References

Visible links
1. mailto:[ICO request email]
2. http://www.ico.gov.uk/about_us/~/media/d...

Dear Joanne Crowley,

Thank you for your reply. Given that biometric data is the most personal data a human has, would it not be prudent to start to include biometric, highly personal data, as a searchable field on your records? If a person's biometric data, or data held against a person's biometrics, is compromised this could have a potential detrimental effect on them.

Our biometrics will be increasingly used to authenticate and identify ourselves in the future. It would be good to know how robust these newly emerging databases are, and companies who will be handling our data, and how often they are breached if we are to have confidence in us, and our children, using our biometrics.

Would this be something the Information Commissioner could consider please?

Yours faithfully,

Pippa King

casework, Information Commissioner’s Office

Thank you for contacting the Information Commissioner’s Office (ICO). This
message is to confirm that we have received your correspondence. Please do
not reply to this email.

 

If you have submitted a new complaint

We aim to provide an initial response and case reference number within 30
days.

 

If you have requested advice

We aim to respond to requests for advice within 14 days.

 

If your correspondence relates to an existing case

This will be added to your case and considered on allocation to a case
officer.

 

Copied correspondence

Please note that we do not respond to copied correspondence. If you have a
matter you would like to discuss please call our helpline on 0303 123 1113
(local rate) or 01625 545745 if you prefer to use a national rate number.

 

 

Yours sincerely,

ICO Customer Contact Department


[1]Making a request for information held by the ICO

For more information about the ICO’s handling of requests for information
please visit [2]http://ico.org.uk/about_us/how_we_comply

 

[3]Our e-newsletter

Details of how to sign up for our monthly e-newsletter can be found at

[4]http://ico.org.uk/news/e-newsletter

 

[5]Twitter

Find us on Twitter at

[6]https://twitter.com/iconews

 

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. http://ico.org.uk/about_us/how_we_comply
3. http://ico.org.uk/news/e-newsletter
4. http://ico.org.uk/news/e-newsletter
5. https://twitter.com/iconews
6. https://twitter.com/iconews
