Data breach notifications received as a result of the breach at data aggregator 'Apollo'

John Elliott made this Freedom of Information request to Information Commissioner's Office

This request has been closed to new correspondence from the public body. Contact us if you think it ought to be re-opened.

The request was successful.

Dear Information Commissioner’s Office,

Recently a large US data enrichment company - Apollo - suffered a data breach of 200 million records. (see https://www.wired.com/story/apollo-breac... for reference).

In responding to requests under GDPR Article 15, Apollo has claimed it is merely a processor and cannot therefore respond to data subjects' Article 15 requests.

Can the ICO provide the number of individual notifications under GDPR Article 33 received by the ICO from controllers as a result of the breach at their processor, Apollo.

For the avoidance of doubt, this request is not asking for the names or identity of the controllers, just the total number of notifications received.

Yours faithfully,

John

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[3]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [4]http://www.twitter.com/ICOnews

 

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. https://ico.org.uk/global/privacy-notice/
3. http://www.ico.org.uk/tools_and_resource...
4. http://www.twitter.com/ICOnews

Information Commissioner's Office

7 November 2018

 

Case Reference Number IRQ0798218

 

Dear Mr Elliott

I write in reply to your request via What Do They Know on 28 October, in
which you submitted a request for information to the Information
Commissioner's Office (ICO).
 
We have dealt with your request in accordance with the Freedom of
Information Act 2000 (FOIA) and we are now able to provide you our
response.  
 
Your request
 
You requested: “Can the ICO provide the number of individual notifications
under GDPR Article 33 received by the ICO from controllers as a result of
the breach at their processor, Apollo.”
  
Our response
 
I cannot confirm that we hold information within scope of your request as
doing so would exceed the cost limit laid out in section 12 of the FOIA.
 
As you may be aware section 12 of the FOIA makes clear that a public
authority (such as the ICO) is not obliged to comply with an FOIA request
if the authority estimates that the cost of complying with the request
would exceed the ‘appropriate limit'. The ‘appropriate limit’ for the ICO,
as determined in the Freedom of Information and Data Protection
(Appropriate Limit and Fees) Regulations 2004 is £450. We have determined
that £450 would equate to 18 hours work.
 
The ICO receives a large number of potential breach reports each year. The
ICO records details of these in our electronic case management system.
 
Unfortunately there is no way for us to electronically retrieve the
information you requested from our records. In order to provide you this
information it would be necessary for us to manually access each
individual casework record to find and extract the information you have
requested. This is because the information you have requested, if it
exists, is not collated electronically in a searchable way but would only
be found on the report documents submitted by controllers when reporting a
breach.
 
We would estimate that it would take an average of 3 minutes per case to
do this. Given that there are over 7,000 items of casework for the time
period you have specified, completing this task would take well in excess
of 18 hours of work.
 
I have given some consideration to how you may be able to narrow the scope
of your request to try and bring this within the section 12 FOIA cost limit.
Due to the high number of reports to the ICO it would be necessary in the
first instance to significantly reduce the time frame your request covers.
This alone is unlikely to bring your request within the cost limit as even
a time frame of a few weeks will still encompass a large amount of
casework to be checked manually.
 
You may be aware that the ICO classifies breach reports it receives by
sector, for example a breach report from a hospital would be classified as
belonging to the ‘Health’ sector. In addition to reducing the time frame
your request covers you could limit your request further by focusing it on
a specific sector which may, depending on the number of reports remaining
in scope, bring your request within the cost limit.
 
It would almost certainly help to bring the cost down if you knew which UK
controllers engage Apollo as a processor.
 
I can confirm that no party by the name of ‘Apollo’ is listed as the
submitting party in relation to any breach reports received by the ICO
since 25 May 2018.
 
   
This concludes our response to your request. I understand that this
response may be disappointing however if you are able to reduce the scope
of your request in some way we would be happy to consider any new request.
 
 
Next steps
 
If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Access team
at the address below or email [1][ICO request email]
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response.  Any such request
received after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please write
to the Customer Contact department, at the address below or visit the
‘Complaints’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.
 
A copy of our review procedure is available [2]here.
 
For information about what we do with personal data see our [3]privacy
notice.
 
Yours sincerely,
 
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 414 6397 F. 01625 524510  [4]ico.org.uk  [5]twitter.com/iconews
Please consider the environment before printing this email
For information about what we do with personal data see our [6]privacy
notice

References

Visible links
1. mailto:[ICO request email]
2. https://ico.org.uk/media/about-the-ico/p...
3. https://ico.org.uk/global/privacy-notice/
4. http://ico.org.uk/
5. https://twitter.com/iconews
6. https://ico.org.uk/global/privacy-notice/

Dear Information Commissioner’s Office,

Thank you for your reply. I understand your problem and would respectfully offer some advice: that you include any related processors in your breach record management system, because when a large processor has a breach (as one will), being able to track all affected controllers will be invaluable. I make this observation based on practical experience in another field.

To my specific request, please can you restrict it to:
a) Breach reports received by the Commissioner between 1st and 7th October 2018
b) Exclude all public-sector entities

I hope that this will be sufficient to narrow the scope to fit within the cost limit.

Yours faithfully,

John Elliott

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[3]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [4]http://www.twitter.com/ICOnews

 

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. https://ico.org.uk/global/privacy-notice/
3. http://www.ico.org.uk/tools_and_resource...
4. http://www.twitter.com/ICOnews

Information Commissioner's Office

8 January 2019

 

Case Reference Number IRQ0806617

 

Dear Mr Elliott

Thank you for making a request for information from the Information
Commissioner’s Office (ICO), which we received on 5 December; we are now
in a position to respond to this request.
 
We have considered your request under the Freedom of Information Act 2000
(FOIA).
 
Your request
 
You originally asked us on 28 October: “Can the ICO provide the number of
individual notifications under GDPR Article 33 received by the ICO from
controllers as a result of the breach at their processor, Apollo.”
 
On 7 November I responded to your request by citing s12 of the FOIA (cost
of compliance) and recommending you refine your request.
 
In your email of 5 December you refined your original request and asked us
to: “restrict it to: a) Breach reports received by the Commissioner
between 1st and 7th October 2018 b) Exclude all public-sector entities”
 
 
Our response 
 
Having performed reasonable searches for records of ‘security’ breaches
reported within the timeframe specified and not relating to the public
sector, I can confirm that we do not hold information within scope of your
request.
 
This concludes our response.
 
Next steps
 
If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Access team
at the address below or email [1][ICO request email]
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response.  Any such request
received after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please write
to the Customer Contact department, at the address below or visit the
‘Complaints’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.
 
A copy of our review procedure is available [2]here.
 
For information about what we do with personal data see our [3]privacy
notice.
 
Yours sincerely,
 
 

Frederick Aspbury
Lead Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 414 6397 F. 01625 524510  [4]ico.org.uk  [5]twitter.com/iconews
Please consider the environment before printing this email
For information about what we do with personal data see our [6]privacy
notice
References

Visible links
1. mailto:[ICO request email]
2. https://ico.org.uk/media/about-the-ico/p...
3. https://ico.org.uk/global/privacy-notice/
4. http://ico.org.uk/
5. https://twitter.com/iconews
6. https://ico.org.uk/global/privacy-notice/