Data breaches
Dear Information Commissioner’s Office,
Did the Information Commissioner's Office suffer from any data breaches during 2017? If so, how many data breaches were there and what were they for?
Yours faithfully,
Bob Bion
Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.
If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply.
If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.
If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.
If you have requested advice - we aim to respond within 14 days.
If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.
Copied correspondence - we do not respond to correspondence that has been
copied to us.
For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.
If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.
Yours sincerely
The Information Commissioner’s Office
Our newsletter
Details of how to sign up for our monthly e-newsletter can be found at
[2]http://www.ico.org.uk/tools_and_resource...
Find us on Twitter at [3]http://www.twitter.com/ICOnews
References
Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. http://www.ico.org.uk/tools_and_resource...
3. http://www.twitter.com/ICOnews
25 April 2018
Case Reference Number IRQ0734965
Dear Mr Bion
Information request
I write in response to your request of 26 March 2018 in which you
submitted a request for information to the Information Commissioner’s
Office (ICO). Your request has been dealt with in accordance with the
Freedom of Information Act 2000 (FOIA).
Your request
“Did the Information Commissioner's Office suffer from any data breaches
during 2017? If so, how many data breaches were there and what were they
for?”
Our response
I can confirm we hold information in the scope of your request.
As you know, we oversee the Data Protection Act 1998 (DPA) but we also
comply with its requirements. Therefore, in our capacity as a data
controller, we record data protection incidents locally. We record them
regardless of how serious they are. It also means that on occasion we will
have to self-report to ourselves in our capacity as a regulator or deal
with individuals’ complaints raised about us in our capacity as a
regulator.
This means we have an internal reporting process through which staff
report incidents to our Information Security team. A decision is then
taken about whether the incident should be reported to the Information
Commissioner’s Office in our capacity as regulator of the Act. These
decisions are made based on the Commissioner’s published guidance which
you can find on our website here:
[1]https://ico.org.uk/media/for-organisatio....
We understand that you are requesting information about security incidents
that have involved a breach of the DPA (a ‘data breach’).
In the 2017 annual year we recorded 68 incidents that were reported
internally to our Information Security team and that we would consider to
be a ‘data breach’. We have extracted this information from our incident
logs and reports for the 2016/17 and 2017/18 financial years, up to the
end of December 2017.
Of these the majority (60) fall into the category of ‘misaddressed
correspondence’, for example, where a letter or email was sent to the
wrong address due to a typographical error for instance, or an
introductory letter being sent to the incorrect data controller.
The remaining incidents fall into the following categories:
* 1 x accidental deletion
* 2 x physical loss
* 1 x non-secure disposal
* 2 x modification of information
* 1 x published in error
* 1 x accidental disclosure to third party
We monitor all reported incidents and will often follow them up with
recommendations to ensure that we mitigate the risk of the incident
happening again. I can confirm that none of the incidents reported in 2017
were sufficiently serious to warrant being self-reported to the
Information Commissioner’s Office in our capacity as regulator of the Act.
However, we are keen that we are aware of, and learn from them all,
however minor, in order that we mitigate the risks of serious breaches
occurring.
This concludes our response to your request. I hope the information
provided is helpful.
Review Procedure
If you are not satisfied that your request for information has been dealt
with correctly, please write to the Information Access Team at the address
below, reply directly to this email (with the reference number contained
within the square brackets left intact), or email us at
[2][ICO request email], quoting the reference number
IRQ0734965.
Your request for a review should be submitted to us within 40 working days
of receipt by you of this response. Any such request received after this
time will only be considered at the discretion of the Commissioner.
Ultimately if you are not satisfied that your request for information has
been dealt with correctly you have a further right of appeal to this
office in our capacity as the statutory complaint handler under the
relevant legislation. To make such an application, please write to our
Customer Contact Team at the address below, or visit the ‘Report a
Concern’ section of our website.
A copy of our review procedure is available here
[3]https://ico.org.uk/media/about-the-ico/p...
Yours sincerely
Ian Goddard
Senior Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 4146823 F. 01625 524510 [4]ico.org.uk [5]twitter.com/iconews
References
Visible links
1. https://ico.org.uk/media/for-organisatio...
2. mailto:[ICO request email]
3. https://ico.org.uk/media/about-the-ico/p...
4. http://ico.org.uk/
5. https://twitter.com/iconews