Council data breaches since 2020

Jamie Dixon made this Freedom of Information request to Luton Borough Council as part of a batch sent to 83 authorities.

The request was refused by Luton Borough Council.

Dear Luton Borough Council,

Under the Freedom of Information Act, I would like to request the following information.

- The number of data breaches your council has been victim to in the 2020, 2021, 2022 and 2023 calendar years.
- How many people were affected by each data breach.
- What type of data breach each one was.

A data breach is when sensitive, protected or confidential data is copied, transmitted, viewed, stolen, altered or used by an individual who is unauthorised to do so. It includes:

- Malware attack
- Phishing attack
- Brute force attack
- SQL injection attack
- Business Email Compromise (BEC)
- Stolen information

If you require any further clarification or have any questions, please let me know.

Yours faithfully,

Jamie Dixon

LBC Freedom of Information, Luton Borough Council

Thank you for contacting Luton Council’s Freedom of Information team. We confirm receipt of your request and will contact you in due course.

If you are contacting us about a request you have already made, please ensure you have included the reference number, and please email again if you have not included this.

Note, this email address is for Freedom of Information requests only. If your email is for anything else, we will not be able to assist so please re-direct your request accordingly. You can see our website at<>.

IMPORTANT: This message is intended for the addressee only. Any unauthorised copying or distribution may be unlawful. If you have received this email in error please notify the originator of the message and then delete this message from your system, this includes deleted items. Luton Borough Council routinely monitors the content of e-mail sent and received by its e-mail systems, to ensure compliance with its policies and procedures. Messages that breach policy or pose a threat may be quarantined or deleted. Scanning of this message and addition of this footer is performed by MailMarshal Secure Email Gateway in conjunction with virus detection software. The Council is not responsible for any changes made to the message after it has been sent.


Luton Council - Feedback,

Reference: LU13953

Dear Jamie Dixon (request-1094655-10136974) 

Your Freedom of Information Request - Acknowledgement. 

Thank you for sending your request for information.  We are treating this
as a request under the Freedom of Information Act 2000.

The legislation allows us 20 working days to respond to your request. This
is 28/03/2024. If we require any clarification from you in relation to
your request, we will contact you further.  

Should you have any queries or concerns about how your request is being
handled, please do not hesitate to contact us, quoting the above
reference, by emailing us at [Luton Borough Council request email] or writing to us at the
above address.

Yours sincerely

Sarah Cave 
Complaints and Information Compliance Team




Luton Council - Feedback,

Dear Jamie Dixon (request-1094655-10136974)
Re: Your Freedom of Information Request – LU13953 

I write in response to your Freedom of Information request dated 29
Your request asked:

- The number of data breaches your council has been victim to in the 2020,
2021, 2022 and 2023 calendar years.
- How many people were affected by each data breach.
- What type of data breach each one was.

A data breach is when sensitive, protected or confidential data is copied,
transmitted, viewed, stolen, altered or used by an individual who is
unauthorised to do so. It includes:

- Malware attack
- Phishing attack
- Brute force attack
- SQL injection attack
- Business Email Compromise (BEC)
- Stolen information

We have considered your request under the Freedom of Information Act 2000

I can confirm we do hold information within the scope of your request.
However, we are applying an exemption to this data under Section 12.
Section 12 of the FOIA makes clear that a public authority is not obliged
to comply with an FOIA request if the authority estimates that the cost of
complying with the request would exceed the ‘appropriate limit'. The
‘appropriate limit’ for Luton Council, as determined in the Freedom of
Information and Data Protection (Appropriate Limit and Fees) Regulations
2004 is £450. This would equate to 18 hours work based on the agreed £25
hourly limit.

We changed the system where data breaches are logged during the period
which your request relates to.  For any requests dated prior to April
2022, we would have to refer to the former system which did not record
data breaches under their own heading and we would therefore have to
search through all cases manually to see whether or not they need to be
included in the response.  This would far exceed the 18 hour time limit.

You could consider narrowing the scope of your request to bring it within
the cost limit. For example, you could reduce the time frame for the
request to April 2022 and later only, and ask for the number of data
breaches overall.   You should note that whilst the period since April
2022 is broken down to the extent that we can filter out data breaches and
therefore only need to look at these files, we would still have to
manually review each matter to see if it falls within the remit of your
request should you only want to know where the council has been ‘a
victim’, if it falls within the list at the end of the request, or if you
want to know the type of each data breach or how many people were
affected.  In any of these instances, it is likely that the request will
take over the 18 hours.

This response, therefore, acts as a refusal notice under section 17 of the

Next Steps

If you are not satisfied with my response you can ask for an internal
review by contacting us at [Luton Borough Council request email] within 40 working days of the
date of this letter.
Please set out any specific concerns you have. Please quote the reference
number provided above when contacting us.

Reuse of Public Sector Information Regulations

You are free to use the information provided for your own purposes,
including any non-commercial research you are doing and for the purposes
of news reporting. Any other re-use, for example commercial publication,
requires the permission of the copyright holder. You may apply for
permission to re-use this information by submitting a request to
[email address]

Unsolicited Marketing

Please note that under the Privacy and Electronic Communications (EC
Directive) Regulations 2003 Luton Council asks not to receive unsolicited
marketing communications.

Yours sincerely,

Sarah Cave
Complaints and information compliance manager.