Data Breaches reported by Barclays Bank

The request was successful.

Dear Information Commissioner’s Office,

I require the following information:

Data breach reports submitted by Barclays Bank during Summer 2018, in relation to misdirection of customer bank statements.

Please provide an electronic scan of the original documents. If the report was made via telephone or your website, please provide all information recorded on your computer system about the breaches, including:

a) the date when the breach occurred (as reported by Barclays Bank)
b) nature of the breach
c) the date when the breach was reported to you (the ICO)
d) any other details that you hold in relation to the breaches.

Yours faithfully,

Mr Navartne

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[3]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [4]http://www.twitter.com/ICOnews

 

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. https://ico.org.uk/global/privacy-notice/
3. http://www.ico.org.uk/tools_and_resource...
4. http://www.twitter.com/ICOnews

Information Commissioner's Office

1 Attachment

7 March 2019

 

Case Reference Number IRQ0819694

 

Dear Mr Navartne

I write further to your 7 February email in which you submitted an
information request to the ICO via the What Do They Know website. We have
dealt with your request under the Freedom of Information Act 2000 (FOIA)
and our response is below.
 
Your request
 
You requested;
 
“Data breach reports submitted by Barclays Bank during Summer 2018, in
relation to misdirection of customer bank statements. Please provide an
electronic scan of the original documents. If the report was made via
telephone or your website, please provide all information recorded on your
computer system about the breaches, including: a) the date when the breach
occurred (as reported by Barclays Bank) b) nature of the breach c) the
date when the breach was reported to you (the ICO) d) any other details
that you hold in relation to the breaches.”

Our response
 
For the purposes of this request we have considered summer to be June,
July and August. We therefore searched our case management systems for
data breach reports submitted by Barclays during those months and I can
confirm that we hold one breach report which falls within the scope of your
request.
 
Please find attached a copy of the breach report.
 
You will see that some of the third party personal data has been redacted.
 
Section 40(2) exempts information in response to a request if it is
personal data belonging to an individual other than yourself and it
satisfies one of the conditions listed in the legislation.[1] The
condition contained in section 40(3A)(a) applies - that disclosure would
breach one of the data protection principles. The principle is that -
 
“Personal data shall be processed lawfully, fairly and in a transparent
manner...” [2]
 
We do not consider that disclosing this information to you, and
consequently the public, is necessary or justified in order to satisfy
your information request and the requirements of the FOIA. In the
circumstances of this request there is no strong legitimate interest that
would override the prejudice to the rights and freedoms of the data
subject/s. We have therefore taken the decision that disclosing this
information to you would be unlawful.
 
We have also redacted a small amount of information in accordance with
section 31(1)(g) of the FOIA. 
 
The exemption at section 31(1)(g) of the FOIA refers to circumstances
where the disclosure of information “would, or would be likely to,
prejudice – … the exercise by any public authority of its functions for
any of the purposes specified in subsection (2).” 
 
In this case the relevant purposes contained in subsection 31(2) are
31(2)(a) and 31(2)(c) which state –
 
“(a) the purpose of ascertaining whether any person has failed to comply
with the law” and
“(c) the purpose of ascertaining whether circumstances which would
justify regulatory action in pursuance of any enactment exist or may arise
…”
 
Clearly, these purposes apply when the Information Commissioner is
considering whether or not a data controller has breached data protection
legislation. 
 
This exemption is not absolute. When considering whether to apply it in
response to a request for information, there is a ‘public interest
test’. That is, we must consider whether the public interest favours
withholding or disclosing the information.   
 
In this case the public interest factors in disclosing the information are –

* increased transparency in the data breaches which are reported to the
ICO.

The factors in withholding the information are –

* The public interest in data controllers being open and honest in their
correspondence with the ICO about the way they have handled personal
data, without fear that their comments will be made public prematurely
or as appropriate at all.
* We consider that the disclosure of this information would be likely to
compromise our ability to investigate and therefore affect the
discharge of our regulatory function in vital areas, including our
ability to influence the behaviour of data controllers and to take
formal action. 
* The public interest in the Information Commissioner not disclosing
information into the public domain under FOIA without consent or
without another lawful basis on which to do so

Having considered all of these factors we have taken the decision that the
public interest in withholding the information outweighs the public
interest in disclosing it.
 
This concludes our response to your request. I hope the information
provided is helpful.

Next steps
 
If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Access team
at the address below or e-mail [1][ICO request email].

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request received
after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please visit
the ‘Concerns’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.
 
A copy of our review procedure is available here
[2]https://ico.org.uk/media/1883/ico-review....
 
Yours sincerely
 
Joanne Wright
Senior Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 414 6664   F. 01625 524510

------------------------

[1] Amendments to the Freedom of Information Act 2000 contained in the
Data Protection Act 2018.
[2] GDPR EU2016, Article 5(1)(a).

References

Visible links
1. mailto:[ICO request email]
2. https://ico.org.uk/media/1883/ico-review...

Dear Information Commissioner's Office,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Information Commissioner's Office's handling of my FOI request 'Data Breaches reported by Barclays Bank'. My reasons are as follows:

Initially, I contacted you (ICO) using my personal email on 21 September 2018 with the following request:

“I was wondering if you've had any reports of data breaches from Barclays Bank. Breach having occurred on or around 20 June 2018.”

You requested clarification on 15 October 2018 (Your case reference: IRQ0788104):

"...1) Please tell us about the general circumstances of the breach or breaches that you are interested in and may have been reported to us.
2) Please provide more detail about your own involvement, for example; how were you alerted to the breach occurrence?...."

I then responded on 09 January 2019 with the following:

“I'm interested in breaches where Barclays Bank had sent a Subject Access Data requesting customer his/her personal data as well as data belonging to another customer. 

That is what happened when I made a Subject Access Request to Barclays Bank on 10 May 2018. Barclays Bank sent my personal data via courier on or around 26 June 2018. Along with my personal data, Barclays also sent another customer's data, including copies of his bank statements for a number of accounts spanning several years, documents about freezing/unfreezing his bank accounts, a child saver account acceptance letter as well as notification of closure of his accounts.
 
Hence, my query was to ask you if this incident and similar incidents had been reported to you by Barclays.”

You responded to this clarification on 31 January 2019:

"In response, we searched our electronic casework management system and consulted internally with our Personal Data Breach reporting team. As a result we are in a position to confirm that we do hold some information within the scope of your request.

IN SUMMER 2018 WE RECEIVED TWO BREACH REPORTS[*] from Barclays relating to the misdirection of customer bank statements. Both breach reports relate to ‘similar incidents’. From the information held, we are not able to verify if they relate to the exact incident described in your request wording.

Where someone has been affected by a contravention of data protection legislation they can raise a complaint with the ICO. Please follow the link below for more information:

https://ico.org.uk/make-a-complaint/your...

That concludes our response to your information request."

Your response to the current FOI (Case Reference Number IRQ0819694) request states:

'For the purposes of this request we have considered summer to be June, July and August. We therefore searched our case management systems for data breach reports submitted by Barclays during those months and I can confirm that WE HOLD ONE BREACH REPORT[*] which falls within the scope of your request.'

As part of the internal review, kindly establish if you hold ONE REPORT or TWO REPORTS. If you hold two reports, please also provide a copy of the second report - the report not yet provided as part of your response dated 07 March 2019.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/d...

Yours faithfully,

Mr Navartne

[*] - Capitalization mine, for emphasis.

Information Access Inbox, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit:

[1]https://ico.org.uk/about-the-ico/our-inf...

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found
[3]here.

Twitter

Find us on Twitter [4]here.

 

References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/
3. https://ico.org.uk/about-the-ico/news-an...
4. http://www.twitter.com/ICOnews

Information Commissioner's Office

8 May 2019

 

Case Reference Number IRQ0819694

 

Dear Mr Navartne,

Thank you for your email of 1 May 2019.

I have reviewed the cases and I can confirm that there were 2 data
breaches which were reported to us by Barclays in June 2018. These
breaches were very similar and were closed through one case. I
unfortunately mistook the second case for a duplicate due to the similar
nature and therefore discounted it. Having reviewed the information I can
confirm that they are two separate breach reports.

I have contacted Barclays to seek their views on the disclosure of the
second breach report and I will provide you with this information as soon
as possible.

Please accept my apologies for the error and thank you for bringing this
to my attention.
 
Yours sincerely
 
Joanne Wright
Senior Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 414 6664   F. 01625 524510

Information Commissioner's Office

1 Attachment

13 May 2019

 

Case Reference Number IRQ0819694

 

Dear Mr Navartne,

Further to my email of 8 May 2019, I am now in a position to provide you
with the second report which falls within the scope of your request. As
you will see, this information has been redacted in a similar way to the
report that was previously provided to you.

As per my previous response, the reasons for the redactions are as
follows:
 
Section 40(2) exempts information in response to a request if it is
personal data belonging to an individual other than yourself and it
satisfies one of the conditions listed in the legislation.[1] The
condition contained in section 40(3A)(a) applies - that disclosure would
breach one of the data protection principles. The principle is that -
 
“Personal data shall be processed lawfully, fairly and in a transparent
manner...” [2]
 
We do not consider that disclosing this information to you, and
consequently the public, is necessary or justified in order to satisfy
your information request and the requirements of the FOIA. In the
circumstances of this request there is no strong legitimate interest that
would override the prejudice to the rights and freedoms of the data
subject/s. We have therefore taken the decision that disclosing this
information to you would be unlawful.
 
We have also redacted a small amount of information in accordance with
section 31(1)(g) of the FOIA. 
 
The exemption at section 31(1)(g) of the FOIA refers to circumstances
where the disclosure of information “would, or would be likely to,
prejudice – … the exercise by any public authority of its functions for
any of the purposes specified in subsection (2).” 
 
In this case the relevant purposes contained in subsection 31(2) are
31(2)(a) and 31(2)(c) which state –
 
“(a) the purpose of ascertaining whether any person has failed to comply
with the law” and
“(c) the purpose of ascertaining whether circumstances which would
justify regulatory action in pursuance of any enactment exist or may arise
…”
 
Clearly, these purposes apply when the Information Commissioner is
considering whether or not a data controller has breached data protection
legislation. 
 
This exemption is not absolute. When considering whether to apply it in
response to a request for information, there is a ‘public interest
test’. That is, we must consider whether the public interest favours
withholding or disclosing the information.   
 
In this case the public interest factors in disclosing the information are –

* increased transparency in the data breaches which are reported to the
ICO.

The factors in withholding the information are –

* The public interest in data controllers being open and honest in their
correspondence with the ICO about the way they have handled personal
data, without fear that their comments will be made public prematurely
or as appropriate at all.
* We consider that the disclosure of this information would be likely to
compromise our ability to investigate and therefore affect the
discharge of our regulatory function in vital areas, including our
ability to influence the behaviour of data controllers and to take
formal action. 
* The public interest in the Information Commissioner not disclosing
information into the public domain under FOIA without consent or
without another lawful basis on which to do so

Having considered all of these factors we have taken the decision that the
public interest in withholding the information outweighs the public
interest in disclosing it.

I apologise once again for initially failing to provide you with this
information and any inconvenience this may have caused you.

Next steps
 
If you remain dissatisfied with the response you have received and would
still like us to undertake a review of our decision or make a complaint
about how your request has been handled you should write to the
Information Access team at the address below or e-mail
[3][ICO request email].

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request received
after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please visit
the ‘Concerns’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.
 
A copy of our review procedure is available here
[4]https://ico.org.uk/media/1883/ico-review....
 
Yours sincerely
 
Joanne Wright
Senior Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 414 6664   F. 01625 524510

------------------------

[1] Amendments to the Freedom of Information Act 2000 contained in the
Data Protection Act 2018.
[2] GDPR EU2016, Article 5(1)(a).

References

Visible links
3. mailto:[ICO request email]
4. https://ico.org.uk/media/1883/ico-review...