Data Breach Log

George Foster made this Freedom of Information request to Information Commissioner's Office


The request was partially successful.

Dear Information Commissioner’s Office

I understand you expect data controllers to keep a record of breaches of data security, especially those involving personal data (although interestingly I can't actually find this guidance on your site - if you could point me to it I would appreciate it). I assume your office also holds a data breach log. Please may I have a copy?

Thank you

Yours faithfully,

George Foster

Information Commissioner's Office

30 November 2011

Case Reference Number IRQ0426362

Dear Mr Foster

Request for Information

Thank you for your correspondence of 30 November 2011, entitled “Freedom
of Information request - Data Breach Log”.

Your request is being dealt with in accordance with the Freedom of
Information Act 2000.  We will respond by 30 December 2011 which is 20
working days from the day after we received your request.

Should you wish to respond to this email please be careful not to amend
the information in the ‘subject’ field. This will ensure that the
information is added directly to your case. However, please be aware that
this is an automated process; the information will not be read by a member
of our staff until your case is allocated to a request handler.

Yours sincerely

Andrew Walsh

Lead Internal Compliance Officer

01625 545 363

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

Information Commissioner's Office

9th December 2011

Reference: IRQ0426362

Dear Mr Foster,

I write further to our correspondence of 30th November 2011 in which we
acknowledged your request for information from the Information
Commissioner’s Office.

As previously explained we are treating your request as a request for
information under the Freedom of Information Act 2000.

In your email of 30th November 2011 you have asked for the following:

“I understand you expect data controllers to keep a record of
breaches of data security, especially those involving personal data
(although interestingly I can't actually find this guidance on your
site - if you could point me to it I would appreciate it). I assume
your office also holds a data breach log. Please may I have a copy?”

Our Response

It is clear from an initial assessment of your request that we will not be
able to reply without seeking some clarification from you concerning the
information you are seeking.

You do mention in your request a data breach log and there may be some
information within our disclosure log that may be of interest to you which
can be found via the following page:

[2]http://www.ico.gov.uk/about_us/how_we_co...

If you scroll down this page to Request reference IRQ0404401, the response
date is 11/08/2011.

As you will see this shows the self reported breaches reported to the ICO
by organisations and also provides details of complaints sent to the ICO
concerning compliance with the Data Protection Act 1998.

However, if this is not the information you seek in relation to your
request I would be grateful if you could clarify the information you are
looking to receive.

With regards to your question about guidance, I can confirm that we do not
hold specific guidance that states organisations must report data breaches
(in general) however you can find the guidance we provide to organisations
about security breaches via the following link:

[3]http://www.ico.gov.uk/for_organisations/...

and scroll down to the security section where you will find guidance on
security breach management.

Once we receive your clarification we will then be able to process your
request.

If you reply to this email, please be careful not to amend the information
in the ‘subject’ field. This will ensure that the information is added
directly to your case.

Yours sincerely

Hannah Burling

Lead Internal Compliance Officer

References

Visible links
2. http://www.ico.gov.uk/about_us/how_we_co...
3. http://www.ico.gov.uk/for_organisations/...

Dear Hannah

Thanks for the reply - I really didn't think my request was unclear. However...

Your office is registered as a data controller (registration number Z5347709). As a data controller you have created, I presume, what would colloquially be called a "data breach log", consisting of breaches of the DPA involving you as a data controller.

That's what I want please.

Yours sincerely
George Foster

Thank you for emailing the Information Commissioner’s Office (ICO).  This
is an automatic acknowledgement to tell you we have received your email
safely.  Please do not reply to this email.

If your email was about a new complaint or request for advice it will be
considered by our Customer Contact Department.  One of our case officers
will be in touch as soon as possible.

If your email was about an ongoing case we are dealing with it will be
allocated to the person handling your case.

If your email was about a case you have already submitted, but is yet to
be allocated to one of our case officers your email will be added to your
original correspondence and will be considered when your case is
allocated.

If you require any further assistance please contact our Helpline on 0303
123 1133 or 01625 545745 if you prefer to use a national rate number.

Thank you for contacting the Information Commissioner’s Office

Yours sincerely

ICO Customer Contact Department

Information Commissioner's Office

13th December 2011

Reference: IRQ0426362

Dear Mr Foster,

Thank you for your email of 12th December 2011 in which you provided
clarification on the information you were seeking to receive.

You have clarified that you wish to have:

“As a data controller you have created, I presume, what
would colloquially be called a "data breach log", consisting of
breaches of the DPA involving you as a data controller. That's what I want
please.”

Your request is being dealt with in accordance with the Freedom of
Information Act 2000.  We will respond by 13th January 2012 which is 20
working days from the day after we received your clarification, taking
into account the UK bank holidays.

Should you wish to reply to this email, please be careful not to amend the
information in the ‘subject’ field. This will ensure that the
information is added directly to your case. However, please be aware that
this is an automated process; the information will not be read by a member
of our staff until your case is allocated to a request handler.

Yours sincerely

Hannah Burling

Lead Internal Compliance Officer

Dear Hannah

I received no response, nor explanation of delay, by the 13 January, as you indicated I would.

I'm amazed that what should be a very simple request for disclosure of a record which one expects all large data controllers to maintain, has first been misconstrued and is now delayed beyond the statutory time limit.

Could you update me please?

Yours sincerely
George Foster


Information Commissioner's Office

2 Attachments

17th January 2012

Case Reference Number IRQ0426362

Dear Mr Foster
 
Further to our acknowledgement of 13 December 2011 we are now in a
position to provide you with a response to your original request for
information of 30 November.  Please accept my apologies for the delay in
our response which was due to an incorrect due date being recorded, in
error, on our casework management system.
 
As you know we have dealt with your request in accordance with your ‘right
to know’ under section 1(1) of the Freedom of Information Act 2000 (FOIA),
which entitles you to be provided with a copy of any information ‘held’ by
a public authority, unless an appropriate exemption applies.
 
Request
 
In your clarification you requested:
 
Your office is registered as a data controller (registration number
Z5347709). As a data controller you have created, I presume, what
would colloquially be called a "data breach log", consisting of
breaches of the DPA involving you as a data controller
 
Information Held
 
I can confirm that we hold information which falls within the scope of
your request.  Please find attached a redacted version of our security
incident log which records all compliance incidents (not just security and
data breaches) regardless of whether there has been impact.  It therefore
includes identified vulnerabilities or concerns relating to compliance
that might have been reported. 
 
The redacted information is exempt under Section 36(2)(c) of FOIA 2000.  
This states that:
 
Information to which this exemption applies is exempt information if, in
the reasonable opinion of a qualified person, disclosure of this
information under this Act would otherwise prejudice, or would be likely
to prejudice the effective conduct of public affairs.
 
However, this exemption is not absolute.  When considering whether to
apply it in response to a request for information, there is a ‘public
interest test’.  That is, we must consider whether the public interest
favours withholding or disclosing the information.   
 
In this case the public interest factors in disclosing the information
within the scope of the request are –

* increased transparency in the way in which the ICO ensures the
security of the information it generates and is provided.
* To demonstrate that ICO complies with information security best
practice by logging all incidents or vulnerabilities and dealing with
them appropriately.

 
The factors in withholding the information are –

* the public interest in withholding the details of incidents or
concerns so that known vulnerabilities in the ICO security are not
exploited in the future.
* the public interest in ensuring that the ICO is secure and that all
risks to security are appropriately managed.
* that staff continue to fully report all areas of concern without those
details being released into the public domain.
* that staff investigating the incidents or concerns can record full and
frank details to be able to fully investigate and record any relevant
point to ensure the log is a complete record of the incident, without
those details being released into the public domain

It is also necessary to consider the prejudice or harm that disclosure may
cause, and its likelihood.  It is important to remember that a disclosure
under FOIA is to the world at large rather than to the requester and this
is an important factor when looking at the prejudice or harm that could be
caused by the release of this information. It is probable that the
disclosure of the redacted details of past incidents and vulnerabilities
could be used to compromise the ICO’s security controls. This would result
in the potential damage or loss to the availability, integrity and
confidentiality, of the information held in our offices on our network or
theft or loss of any assets.
 
Having considered all of these factors we have taken the decision that the
public interest in withholding the information outweighs the public
interest in disclosing this information.  I am sorry, therefore, that in
this instance we are unable to provide you with the details redacted from
the copy of the incident log.
 
I hope this information is useful.  If, however, you are dissatisfied
with the response you have received and wish to request a review of our
decision or make a complaint about how your request has been handled you
should write to the Internal Compliance Department at the address below or
e-mail [1][email address]
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response.  Any such request
received after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please write
to the First Contact Team, at the address below or visit the ‘Complaints’
section of our website to make a Freedom of Information Act or
Environmental Information Regulations complaint online.
 
A copy of our review procedure is attached.
 
Yours sincerely

Charlotte Powell
Internal Compliance Manager


References

Visible links
1. mailto:[email address]

Dear Information Commissioner’s Office,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Information Commissioner’s Office's handling of my FOI request 'Data Breach Log'.

Firstly, and on a minor point, your response was late, as you acknowledge. The Freedom of Information Act 2000 requires you to reply within twenty working days, and you failed to do that. This is a breach of section 10(1) of the Act, and I'm surprised, that as a regulator, you don't acknowledge that. In passing, I would also say that I am surprised that you say that the delay was "due to an incorrect due date being recorded, in error, on our casework management system" - the fact that this was not identified until after the twentieth day suggests either that you didn't begin drafting the response until very close to the deadline, or, alternatively, that you delayed sending the response until the deadline. Perhaps you could clarify this?

Secondly, you have redacted certain information from the disclosed spreadsheet. It is always going to be difficult for an applicant to question why something has been disclosed, because, axiomatically, they do not know what it consists of. Nonetheless, I am surprised that information relating to two "high risk" incidents has been redacted in total. I would ask you to review this, to consider whether some information can be disclosed. I acknowledge that my request was for a copy of the log, but I presume that further information is held relating to these two incidents. Your own guidance says "If a public authority is unable to provide an applicant with the information they have requested in the manner which they have specified, it should discuss with the applicant whether the information can be provided in another format which is acceptable to the applicant". The total redaction of this information, and the absence of advice and assistance suggests to me that you are in breach of section 16 of the Act.

To the extent that it is necessary to do so, I now make a further request for information held by your office relating to the two high risk incidents on your data breach log.

Thirdly, the exemption you have applied is section 36(2)(c). As you correctly say, this applies if, in the reasonable opinion of a qualified person, disclosure would prejudice, or would be likely to prejudice the effective conduct of public affairs. However, you make no further reference to the qualified person. Section 36, as the law, your own guidance and the authorities make clear, requires that the qualified person take this decision: a public authority cannot delegate the authority to someone else. You say, however, in your response, "WE must consider whether the public interest favours withholding or disclosing the information" and "WE have taken the decision that the public interest in withholding the information outweighs the public interest in disclosing this information". This suggests that some delegation of the decision has taken place (unless the section 36 person is using the royal "we"). Please confirm that your section 36 person (who is the Information Commissioner himself, I understand) considered this request and gave an opinion.

To the extent that it is necessary to do so, I now make a further request for information held by your office consisting of the reasonable opinion of the qualified person given when considering my initial request.

A full history of my FOI request and all correspondence is available on the Internet at this address:
http://www.whatdotheyknow.com/request/da...

Yours faithfully,

George Foster

Information Commissioner's Office

20th January 2012

Case Reference Number RCC0431703

Dear Mr Foster
  
Thank you for your email yesterday.
 
This correspondence will now be treated as a request for review of your
recent request for information under the Freedom of Information Act 2000.
 
We will respond by 16 February 2012 which is 20 working days from the date
we received your email.  This is in accordance with our internal review
procedures.
 
Yours sincerely

Charlotte Powell
Internal Compliance Manager


Information Commissioner's Office

20th January 2012

Case Reference Number IRQ0431733

Dear Mr Foster

I write further to your email yesterday and further to our acknowledgement
of your request for an internal review.

We are aware that you have also made further requests for information in
your email.  These will be dealt with in accordance with the Freedom of
Information Act 2000.  We will respond by 16 February 2012 which is 20
working days from the day after we received your request.
 
Should you wish to reply to this email, please be careful not to amend the
information in the ‘subject’ field. This will ensure that the information
is added directly to your request.

Yours sincerely

Charlotte Powell
Internal Compliance Manager


Information Commissioner's Office

2 Attachments

9th February 2012

Case Reference Number IRQ0431733

Dear Mr Foster
 
I write with reference to your two requests for information contained in
your correspondence of 19 January 2012 and further to our acknowledgement
of 20 January 2012.
 
As you know we have dealt with your requests in accordance with your
‘right to know’ under section 1(1) of the Freedom of Information Act 2000
(FOIA), which entitles you to be provided with a copy of any information
‘held’ by a public authority, unless an appropriate exemption applies.
 
Your request for an internal review of the response you received to your
previous request is currently being considered.  This is being dealt with
under reference RCC0431703 and a response is due by the 16 February 2012.
 
Request
 
You requested:
 
To the extent that it is necessary to do so, I now make a further
request for information held by your office relating to the two
high risk incidents on your data breach log.
 
To the extent that it is necessary to do, I now make a further
request for information held by your office consisting of the
reasonable opinion of the qualified person given when considering
my initial request.
 
Information Held
 
I can confirm that we hold additional information in relation to both of
the two incidents redacted from our security breach log recently released
under FOIA.  This information is exempt under Section 36(2)(c) of FOIA.
 
This states that:
 
Information to which this exemption applies is exempt information if, in
the reasonable opinion of a qualified person, disclosure of this
information under this Act would otherwise prejudice, or would be likely
to prejudice the effective conduct of public affairs.  On consultation
with the qualified person, who in this case is the Information
Commissioner, he has concluded that Section 36 is engaged.
 
However, this exemption is not absolute.  When considering whether to
apply it in response to a request for information, there is a ‘public
interest test’.  That is, we must consider whether the public interest
favours withholding or disclosing the information.   
 
In this case the public interest factors in disclosing the information
within the scope of the request are –

* increased transparency in the way in which the ICO ensures the
security of the information it generates and is provided.
* To demonstrate that ICO complies with information security best
practice by logging all incidents or vulnerabilities and investigating
and addressing them appropriately.

The factors in withholding the information are –

* the public interest in withholding the details of high risk incidents
or concerns so that known vulnerabilities in the ICO security are not
exploited in the future.
* the public interest in ensuring that the ICO is secure and that high
risk security vulnerabilities or incident are appropriately managed.

It is also necessary to consider the prejudice or harm that disclosure may
cause, and its likelihood.  It is important to remember that a disclosure
under FOIA is to the world at large rather than to the requester and this
is an important factor when looking at the prejudice or harm that could be
caused by the release of this information. It is probable that the
disclosure of the redacted details of these past high risk incidents and
vulnerabilities could be used to compromise the ICO’s security controls.
This would result in the potential damage or loss to the availability,
integrity and confidentiality, of the information held in our offices on
our network or theft or loss of any assets.
 
Having considered all of these factors we have taken the decision that the
public interest in withholding the information outweighs the public
interest in disclosing this information.  I am sorry, therefore, that in
this instance we are unable to provide you with the additional recorded
information drafted and collated during the reporting and investigation of
these two incidents.
 
I can also confirm that we hold additional information, recording the
request handler’s consultation with the qualified person, on your previous
request. Whilst the consultation took the form of a verbal discussion
during which he was shown the recorded information, there is a note of his
considerations.  This is attached in full.  

I hope this information is of help and assistance.  However, if you are
dissatisfied with the response you have received and wish to request a
review of our decision or make a complaint about how your request has been
handled you should write to the Internal Compliance Department at the
address below or e-mail [1][email address]
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response.  Any such request
received after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please write
to the First Contact Team, at the address below or visit the ‘Complaints’
section of our website to make a Freedom of Information Act or
Environmental Information Regulations complaint online.
 
A copy of our review procedure is attached.

Yours sincerely

Charlotte Powell
Internal Compliance Manager


References

Visible links
1. mailto:[email address]

Information Commissioner's Office

16th February 2012

Case Reference Number RCC0431703

Dear Mr Foster

I write further to your email of 19 January 2012 requesting a review of
the handling of your FOI request (reference IRQ0426362) and our
acknowledgement of the following day.
 
I have been asked to review the handling of your FOI request and the
application of section 36(2)(c) of the Freedom of Information Act 2000
(FOIA) and consideration of the public interest test.
 
I am the principal policy adviser on FOI and can confirm that I have had
no prior involvement in the handling of your request.
 
With regard to your comment about the response to your request being late,
as you note, this was acknowledged in the response but there was no
reference to a breach. You are correct that by responding two days outside
of the 20 working day time limit there was indeed a technical breach, that
being a breach of section 10(1) of FOIA. Again, I apologise for this delay
and can assure you that the ICO does take such matters seriously and
strives hard to comply with its obligations under the legislation.
 
I have looked into the reason for the response being late and consulted
with the Internal Compliance Team and have satisfied myself that the delay
was indeed due to an incorrect ‘due date’ being input into the case
management system. The ‘due date’ that was input into the system was
actually Friday 20 January; it should have been Friday 13 January. This,
however, is not necessarily definitive that the drafting of a response had
not begun before 17 January, or indeed the assessment of the information
contained within the log and consideration of exemptions.
 
The second point you raise relates to the redacted information and in
particular the information relating to two ‘high risk’ incidents. This
redacted information was redacted on the basis of the application of
section 36(2)(c) of FOIA. You ask that this decision be reviewed.
 
I can confirm that in accordance with the ICO’s guidance at:
 
[1]http://www.ico.gov.uk/Global/Search.aspx...
 
the qualified person has reconsidered his opinion taking account of your
comments and concludes that it is still a reasonable opinion and that
section 36(2)(c) properly applies to the information covered by your
request.
 
In light of that decision it now falls to me to review the public interest
considerations along with the comments you make. My review will consider
the public interest test factors both for and against disclosure and
whether in all the circumstances of this case any further information can
be disclosed.
 
In support of disclosure of the redacted information, as was mentioned in
the response, disclosure of the information would provide greater
transparency in how the ICO ensures the security of the information it
holds, how it deals with security incidents and that it complies with
information security best practice. There is also a general public
interest in greater openness and accountability.
 
However, this has to be weighed against the public interest factors in
favour of maintaining the exemption. These were set out fully, on the
second page, in the response of 17 January, and essentially set out the
risks that would be faced by the ICO should the redacted information be
disclosed.
 
In terms of balancing the public interest factors, I consider that the
significant disclosures already made within the log go a long way towards
addressing the openness, transparency and accountability factors referred
to above.
 
Having carefully reviewed all the information contained in the log,
including the two ‘high risk’ incidents, and bearing in mind the specific
circumstances, including the nature of the incidents I have concluded that
the public interest in this instance is clearly in favour of maintaining
the exemption and the redacted information has been correctly withheld. I
also consider that the disclosures which have already taken place
demonstrate the ICO’s transparency and that it takes the security of its
information seriously, that it encourages its staff to report incidents
and that where appropriate it takes the necessary corrective and
preventative measures.
 
With regard to the point you raise regarding advice and assistance,
section 16 of FOIA states “….it is the duty of a public authority to
provide advice and assistance, so far as it would be reasonable to
expect the authority to do so…”. In relation to your particular request it
is not possible to provide the redacted information because it is exempt
from disclosure, therefore, there is no advice and assistance which could
be offered which would make the information disclosable. Consequently,
there is no breach of section 16 of FOIA.
 
For completeness, the guidance to which you refer regarding “If a public
authority is unable to provide an applicant with the information they have
requested in the manner in which they have specified, it should discuss
with the applicant whether the information can be provided in another
format which is acceptable to the applicant.”, relates to information
which the authority is content to disclose and, in particular, the format
in which it might be provided. The guidance does not relate to information
which is not disclosable because it is exempt under FOIA.
 
I hope that you find this response helpful.
 
However if you are dissatisfied with the outcome of this review you may
make a section 50 complaint to the ICO. 

How to complain

Information on how to complain is available on the ICO website at:

[2]http://www.ico.gov.uk/complaints/freedom...

By post: If your supporting evidence is in hard copy, you can fill in the
Word version of our complaint form, print it out and post it to us with
your supporting evidence. A printable Freedom of Information Act
complaints form is available from the ICO website. Please send to:

First Contact Team
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

By email: If all your supporting evidence is available electronically, you
can fill in our online complaint form. Important: information included in
the form, and any supporting evidence will be sent to us by email.
 
 
Yours sincerely,
 
 
Gerrard Tracey
 
Principal Policy Adviser FOI


References

Visible links
1. http://www.ico.gov.uk/Global/Search.aspx...
2. http://www.ico.gov.uk/complaints/freedom...

Dear Information Commissioner’s Office,

ref: IRQ0431733

Thank you for Ms Powell's response of 9 February. I am quite amazed that Ms Powell says that NO information relating to the two high-risk security incidents can be disclosed. It stretches the bounds of belief to suggest that it is not possible to redact information (even a great deal of information) so that something might be disclosed, even if only a category heading (such as "loss of manual data", or "theft of hardware" or "IT system compromised by hackers").

Please conduct an internal review of Ms Powell's refusal.

Yours faithfully
George Foster

new casework,

Thank you for emailing the Information Commissioner's Office (ICO).  This
is an automatic acknowledgement to tell you we have received your email
safely.  Please do not reply to this email.

 

If your email was about a new complaint or request for advice it will be
considered by our Customer Contact Department.  One of our case officers
will be in touch as soon as possible. If you have sent us a complaint we
may need specific information from you before we are able to consider it. 
You can find out the type of information we would need from the
[1]complaints section of our website.

 

If your email was about an ongoing case we are dealing with it will be
allocated to the person handling your case.

 

If your email was about a case you have already submitted, but is yet to
be allocated to one of our case officers your email will be added to your
original correspondence and will be considered when your case is
allocated. Please note that further correspondence may not be viewed until
your case is allocated to a case officer.

 

If you require any further assistance please contact our Helpline on 0303
123 1113 or 01625 545745 if you prefer to use a national rate number.

 

Thank you for contacting the Information Commissioner's Office

 

ICO Customer Contact Department

 

Making a request for information held by the ICO?

For more information about the ICO’s handling of requests for
information please visit our [2]Information about us section of our
website.

 

Equality and Diversity

The Information Commissioner’s Office is committed to providing equality
for all and opposes all forms of unlawful or unfair discrimination. We
have produced a questionnaire to help us to produce a profile of our
customers. The questionnaire can be found on our [3]Equality and
Diversity webpage.

 

Our newsletter

Details of how to sign up for our quarterly newsletter can be found at
[4]Information Commissioner's Office enewsletter.

 

Twitter

Find us on Twitter at [5]http://www.twitter.com/ICOnews


References

Visible links
1. http://www.ico.gov.uk/complaints.aspx
2. http://www.ico.gov.uk/about_us.aspx
3. http://www.ico.gov.uk/about_us/how_we_wo...
4. http://www.ico.gov.uk/tools_and_resource...
5. http://www.twitter.com/ICOnews

Information Commissioner's Office

22nd February 2012

Case Reference Number RCC0436577

Dear Mr Foster
  
Thank you for your correspondence dated 20 February 2012.
 
This correspondence will now be treated as a request for review of your
recent request for information under the Freedom of Information Act 2000.
 
We will respond by 19 March 2012 which is 20 working days from the date we
received your recent correspondence.  This is in accordance with our
internal review procedures.
 
Yours sincerely

Charlotte Powell
Internal Compliance Manager


Information Commissioner's Office

16th March 2012

Case Reference Number RCC0436577

Dear Mr Foster

 
I write further to your email of 20 February 2012 requesting a review of
the handling of your FOI request (reference IRQ0431733) and our
acknowledgement of the same day.
 
This internal review has been passed to me to provide you with a response.
I have considered the scope of your request, the recorded information held
which falls within the scope of your request, the response sent to you by
Charlotte Powell on 9 February 2012 and the points you have made in your
email of 20 February 2012.
 
You requested the following information:
 
‘To the extent that it is necessary to do so, I now make a further request
for information held by your office relating to the two high risk
incidents on your data breach log.
 
To the extent that it is necessary to do so, I now make a further request for
information held by your office consisting of the reasonable opinion of
the qualified person given when considering my initial request.’
 
The information which we hold relating to the reasonable opinion of the
qualified person, given when considering your initial request, was
provided to you in full.
 
You have expressed concern that all of the recorded information relating
to the two high risk security incidents has been withheld. You query
whether some redactions could be made so that something might be
disclosed.
 
The information was withheld in reliance on section 36(2)(c) of FOIA and I
have reviewed this decision.
 
I can confirm that the qualified person has reconsidered his opinion in
response to your request for an internal review. He has taken account of
the comments which you have made and has concluded that it is still a
reasonable opinion and that section 36(2)(c) does apply to the information
covered by your request. 
 
Following that decision I have reviewed the public interest considerations
both for and against disclosure and considered whether, as you suggest,
any information can be disclosed.
 
Factors which were considered to support disclosure of the withheld
information were set out in Charlotte Powell’s response of 9 February
2012. It was argued that disclosure would result in increased transparency
about how the ICO ensures the security of the information it holds, how it
manages security incidents and compliance with information security best
practice. There is a general public interest in greater openness and
accountability.
 
The public interest factors in favour of maintaining the exemption were
also set out in the response to your request of 9 February 2012. These
factors centred on withholding details of high risk incidents or concerns
so that known vulnerabilities are not exploited in the future and the
public interest in ensuring that ICO is secure and that high risk security
vulnerabilities or incidents can be managed.
 
I have reviewed all of the recorded information relating to the two high
risk security incidents. I have taken account of the nature of the
incidents, the nature of the information held, the circumstances relating
to those incidents and the fact that they have been categorised as “high
risk” and concluded that the public interest is clearly in favour of
maintaining the exemption.    
 
As you are aware the security incident log records information about any
security vulnerabilities or security concerns which have been identified
and which may require action as well as any security incidents. Taking
account of the comments you have made and bearing in mind that this does
not form part of the recorded information held, I can confirm that the two
entries recorded on the log as high risk were in the areas of IT security
and physical security and that no adverse impact, or harm was caused.
 
I hope that you find this response helpful.
 
However, if you are dissatisfied with this outcome, you have the right to
make a complaint in writing to the Information Commissioner under section
50 of the FOIA.  In that event, your complaint would be investigated
independently by ICO staff who have not been involved so far in
considering your request. 
 
How to complain

Information on how to complain is available on the ICO website at:

[1]http://www.ico.gov.uk/complaints/freedom...  

By post: If your supporting evidence is in hard copy, you can fill in the
Word version of our complaint form, print it out and post it to us with
your supporting evidence. A printable Freedom of Information Act
complaints form is available from the ICO website. Please send to:

First Contact Team
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

By email: If all your supporting evidence is available electronically, you
can fill in our online complaint form. Important: information included in
the form, and any supporting evidence will be sent to us by email.
 
Yours sincerely
 
 
 
Lesley Bett
Head of Internal Compliance
 
 
               


References

Visible links
1. http://www.ico.gov.uk/complaints/freedom...