Councillor/MP information security breaches
Dear Information Commissioner’s Office,
I am delivering some data protection and information security training to elected Members (local government) and one of the queries was about enforcement action in relation to Councillors.
Please can you provide me with answers to the following?
1. In relation to Information security breaches caused by MPs and/or elected councillors (eg local authority, Town or Parish) for the calendar years 2010, 2011, 2012 and 2013 to date I would like to know:
(a) the number of breaches per calendar year by category (MP vs local Councillor is acceptable).
(b) the nature of these breaches and details where possible, e.g. do they relate to:
a) manual records (especially if stolen / lost from home or on the move)
b) theft or loss of computer, laptop or tablet device
c) theft or loss of portable media (memory sticks/CD/DVDs)
d) use of personal email accounts, eg Yahoo, Hotmail, etc.
(c) For each breach I would like to know the outcome as regards enforcement action. Was any taken, if so what? If not, why not?
(d) For each breach I would like to know the impact on the affected data subject(s)
NOTE: This request applies to ALL breaches whether reported by the Councillor representing their political party, representing their constituents or on behalf of their local authority, by a third party or the affected data subject(s).
I understand that it is possible that these may have been categorised as complaints rather than breaches in which case I am also interested in those.
2. In relation to being registered as a data controller with the ICO I'd like to know (for the same time period):
a) the number of complaints you have received for the same time period regarding the illegal processing of personal data by MPs/elected Councillors (i.e. they have failed to notify);
b) enforcement action taken in relation to these complaints.
c) a copy of any relevant documents explaining the rationale for failing to take enforcement action against MPs/Councillors who have failed to notify.
I will be using this information to tailor the future training sessions for members on the basis that in order to achieve behaviour change I need to demonstrate the negative impact of breaches (whether for them or for the data subjects).
I look forward to your response.
Kind regards,
Michala Liavaag
PROTECT
20 June 2013
Case Reference Number IRQ0502091
Dear Ms Liavaag
Request for Information
Thank you for your correspondence dated 20 June in which you request
details relating to complaints and enforcement action dealt with by the
ICO in regard to MPs and elected councillors.
Your request will be dealt with in accordance with the Freedom of
Information Act 2000 (FOIA). We will respond promptly, and no later than
18 July which is 20 working days from the day after we received your
request.
Should you wish to reply to this email, please be careful not to amend the
information in the ‘subject’ field. This will ensure that the information
is added directly to your case. However, please be aware that this is an
automated process; the information will not be read by a member of our
staff until your case is allocated to a request handler.
Yours sincerely
Trevor Craig
Lead Information Governance Officer – Information Access
01625 545540
Information Commissioner’s Office
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk
PROTECT
18th July 2013
Case Reference Number IRQ0502091
Dear Ms Liavaag
Request for Information
Further to our acknowledgement of 20 June 2013 we are now in a position to
provide you with a response to your request for information.
As you know we have dealt with your request in accordance with your ‘right
to know’ under section 1(1) of the Freedom of Information Act 2000 (FOIA),
which entitles you to be provided with a copy of any information ‘held’ by
a public authority, unless an appropriate exemption applies.
Request
In your e-mail of 20 June 2013 you asked us to provide you with the
following:
“1. In relation to Information security breaches caused by MPs and/or
elected councillors (eg local authority, Town or Parish) for the calendar
years 2010, 2011, 2012 and 2013 to date I would like to know:
(a) the number of breaches per calendar year by category (MP vs local
Councillor is acceptable).
(b) the nature of these breaches and details where possible, e.g. do they
relate to:
a) manual records (especially if stolen / lost from home or on the move)
b) theft or loss of computer, laptop or tablet device
c) theft or loss of portable media (memory sticks/CD/DVDs)
d) use of personal email accounts, eg Yahoo, Hotmail, etc.
(c) For each breach I would like to know the outcome as regards
enforcement action. Was any taken, if so what? If not, why not?
(d) For each breach I would like to know the impact on the affected data
subject(s)
NOTE: This request applies to ALL breaches whether reported by the
Councillor representing their political party, representing their
constituents or on behalf of their local authority, by a third party or
the affected data subject(s).
I understand that it is possible that these may have been categorised as
complaints rather than breaches in which case I am also interested in
those.
2. In relation to being registered as a data controller with the ICO I'd
like to know (for the same time period):
a) the number of complaints you have received for the same time period
regarding the illegal processing of personal data by MPs/elected
Councillors (i.e. they have failed to notify);
b) enforcement action taken in relation to these complaints.
c) a copy of any relevant documents explaining the rationale for failing
to take enforcement action against MPs/Councillors who have failed to
notify.”
Information Held
Firstly I can confirm that we do hold information relating to your
request. Taking each point/question in turn:
1. In relation to Information security breaches caused by MPs and/or
elected councillors (eg local authority, Town or Parish) for the calendar
years 2010, 2011, 2012 and 2013 to date I would like to know:
(a) the number of breaches per calendar year by category (MP vs local
Councillor is acceptable).
Firstly, it might be helpful to explain how our electronic case management
system works (CMEH). All our complaints/enquiries/self-reported breaches
are held on CMEH. The system allows us to search for the cases we have
dealt with in a number of different ways, such as by the unique reference
number the case was given, the name and address of the person who
contacted us and the name of any organisation or individual that has been
complained about. We can also search for cases on the basis of the broad
nature of the complaint, but we can only search on a limited number of
fixed criteria which are structured around the main sections of the DPA.
Following a search of our electronic records we have established the
following:
The information we hold about Data Protection complaint casework completed
in the financial years 2010-11 and 2011-12 with the sector recorded as
‘MPs’ and the nature ‘security’ and ‘disclosure of data’ is as follows:
In 2010-11 we received 4 complaints under ‘security’; however, 2 did not
meet the assessment criteria and were closed on that basis, whilst the
other 2 were not recommended for enforcement. There were 3 complaints
under ‘disclosure of data’ that were ‘compliance unlikely’. ‘Compliance
unlikely’ means that we have assessed that a breach is likely to have
occurred.
In 2011-12 there was 1 ‘security’ complaint which was closed due to
‘insufficient information’. There were 4 complaints under ‘disclosure of
data’ that were ‘compliance unlikely’.
If the sector is not recorded as ‘MPs’ it will not be included in the
reports. Please note also that we maintain management information for
reporting purposes that is not necessarily still held on our electronic
case management system due to our retention policy.
The information about DP complaint casework finished in the financial year
2012-13 and 2013-14 (year to date) with the sector recorded as ‘MPs’ and
the nature ‘security’ is as follows:
From 2012 to the date of the request there have been 2 complaints which
were both assessed as ‘compliance unlikely’. See below for the type of
breach that occurred. In the same period there were 2 cases under
‘disclosure of data’ assessed as ‘compliance unlikely’.
Unfortunately in response to question 1(a) regarding councillors we are
not able to provide you with the information you have requested. I will
explain in more detail below why this is the case, but in brief, section
12 of the FOIA makes clear that a public authority (such as the ICO) is
not obliged to comply with an FOIA request if the authority estimates that
the cost of complying with the request would exceed the ‘appropriate
limit’. The ‘appropriate limit’ for the ICO, as determined in the ‘Freedom
of Information and Data Protection (Appropriate Limit and Fees)
Regulations 2004’ is £450. We have determined that £450 would equate to 18
hours work.
Whilst some of the information you have requested is likely to sit within
our electronic case management system, this system is not set up to easily
provide us with the type of information you have requested.
With particular reference to question 1(a) I can confirm that the
information you have requested is not recorded as a sector on our
electronic case management system, therefore we cannot set MPs against
councillors as you requested.
In order to ascertain whether the complaint had been about a councillor we
would need to check cases manually. The reason for this is that we do not
have a specific sector category for ‘councillors’ that we can search on.
Therefore RFAs (requests for assessment) and DPA compliance requests
concerning complaints about councillors can be recorded under several
sectors – ‘local government’; ‘other’; ‘other individuals’ or ‘political
parties’, depending on the context in which the personal data was being
processed by the councillor. There are 305 cases currently held on our
electronic case management system between 1 January 2010 and the date of
the request. We estimate it would take at least 2 minutes to check each
case. However, it may take considerably longer than this to identify
whether a councillor was the subject of such a complaint. To conduct a
search under these sectors with the nature ‘security’ would take in excess
of 10 hours. However, for accuracy (in line with your request) we would
need to look at ‘disclosure of data’ as a ‘nature’. Looking solely at the
‘local government’ sector produces 892 results for this time period
requested. This would take us well above the 18 hours stipulated by the
legislation.
In the interests of providing advice and assistance, we may well be able
to provide a response regarding councillors if you can specify a more
restricted timeframe or advise us of any data breaches by councillors that
you are aware of that may have been brought to the attention of the
Commissioner.
(b) the nature of these breaches and details where possible, e.g. do they
relate to:
a) manual records (especially if stolen / lost from home or on the move)
b) theft or loss of computer, laptop or tablet device
c) theft or loss of portable media (memory sticks/CD/DVDs)
d) use of personal email accounts, eg Yahoo, Hotmail, etc.
Regarding the information from January 2012 to the date of the request:
one of these breaches related to a), as it involved a lost personal file.
Two breaches relate to d) and involved the use of a personal email
address. The fourth does not involve any of the listed categories but
involved the disclosure of personal data.
(c) For each breach I would like to know the outcome as regards
enforcement action. Was any taken, if so what? If not, why not?
No enforcement action was taken with regard to these more recent
breaches. Our regulatory action policy is set out at the link below; this
explains our approach to enforcement:
[1]http://www.ico.org.uk/what_we_cover/taki...
However, during the period requested Enforcement action in the form of an
undertaking was taken concerning Oliver Letwin MP. You can access this
undertaking at the link below:
[2]http://www.ico.org.uk/enforcement/~/medi...
(d) For each breach I would like to know the impact on the affected data
subject(s)
I should clarify that we are only aware of the impact on a data subject(s)
if they describe it in their complaint – some individuals do not outline
the impact a data breach has had on them. In order to make an assessment
we do not formally record the ‘impact’ in a searchable way but rather the
breach that has occurred. Inevitably the impact is sometimes mentioned
when describing the complaint/incident.
Providing ‘impact’ regarding data breaches concerning the figures from
2010-12 would be incomplete for the reasons given previously and the fact
that this is not a searchable criterion. However, the four complaints
recorded from 2012 to the date of the request do describe the impact to
some extent. The loss of the personal file resulted in correspondence that
had not been copied and personal data being lost in an unknown manner when
entrusted to an MP. The loss of confidence and the lack of communication
when trying to trace the file is clear. The use of a private email address
in the second complaint resulted in puzzlement on the part of the data
subject as to how the email address (which was restricted) had been
obtained. The data subject wanted assurance that this would not occur
again but did not provide many details of the impact. One of the
remaining two complaints about ‘disclosure of data’ was a self-reported
breach about emails sent out to individuals who had not given permission.
There was no impact recorded. The second was a disclosure made of
information that had clearly upset and annoyed the individual in a
significant manner.
2. In relation to being registered as a data controller with the ICO I'd
like to know (for the same time period):
a) the number of complaints you have received for the same time period
regarding the illegal processing of personal data by MPs/elected
Councillors (i.e. they have failed to notify);
b) enforcement action taken in relation to these complaints.
c) a copy of any relevant documents explaining the rationale for failing
to take enforcement action against MPs/Councillors who have failed to
notify.
2a) We have consulted with colleagues in our non-notification department
and they do not hold information concerning any complaints regarding
failure to notify by MPs/elected councillors.
It is possible that some information regarding the non-notification of
councillors is held within our CMEH system. However, for the same reason
stated above, any search would exceed the ‘appropriate limit’ for the ICO,
as determined in the ‘Freedom of Information and Data Protection
(Appropriate Limit and Fees) Regulations 2004’ of £450 (equating to 18
hours’ work).
b) We are not aware of any complaints received about MPs not being
notified.
c) However, there was a project that came about from the last election to
make new MPs aware of the requirement to notify. We did this by writing to
them and explaining notification. Please find attached the letter that was
sent at the time.
Our non-notification department also wrote to the Information Governance
Manager at each council in order to get the message across that
councillors needed to register in order to be compliant with the DPA.
Please find attached the letter which explains the requirements in more
detail.
Review Procedure
I hope this provides you with the information you require. However, if
you are dissatisfied with this response and wish to request a review of
our decision or make a complaint about how your request has been handled
you should write to the Information Governance Department at the address
below or e-mail [3][ICO request email].
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request
received after this time will only be considered at the discretion of the
Commissioner.
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please write
to our First Contact Team, at the address given or visit the ‘Complaints’
section of our website to make a Freedom of Information Act or
Environmental Information Regulations complaint online.
A copy of our review procedure can be accessed from our website [4]here.
Yours sincerely
Janine Gregory
Lead Information Governance Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF.
T. 01625 545770 F. 01625 524510 [5]www.ico.org.uk
References
Visible links
1. http://www.ico.org.uk/what_we_cover/taki...
2. http://www.ico.org.uk/enforcement/~/medi...
3. mailto:[ICO request email]
4. http://www.ico.gov.uk/about_us/~/media/d...
5. http://www.ico.org.uk/