ICO collaboration with Financial Conduct Authority on cyber security

The request was successful.

Dear Information Commissioner’s Office,

I read a news article on Reuters - http://uk.reuters.com/article/us-britain... - which alleges "Britain's banks are not reporting the full extent of cyber attacks to regulators for fear of punishment or bad publicity, bank executives and providers of security systems say."

I was interested to note that there is no mention of the ICO in the article. My questions to you are:

1) Do you have a data sharing agreement or other arrangement with the Financial Conduct Authority (FCA) for that organisation to report cyber-security breaches to the ICO if reported to the FCA?

2) If you have FCA data on reported cyber-security breaches, do these data correlate (within 5%) with breaches that have been self-reported to the ICO by any organisation that is also registered with the FCA? "Yes" or "No" will suffice unless you wish to tell me that this information is not held, in which case, please provide numbers and I'll do the maths - thank you.

3) If you do not have FCA data, how many breaches have been self-reported to the ICO by FCA-regulated organisations?

3) If the answer to 1) is 'No', please would you provide rationale for not having a data sharing agreement with the FCA for mutual reporting arrangements?

Thank you in advance.

Yours faithfully,

Sandre Jones

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days.

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect’ (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect’). You can
also call the number below.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[2]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [3]http://www.twitter.com/ICOnews

The ICO's mission is to uphold information rights in the public interest.
To find out more about our work please visit our website, or subscribe to
our e-newsletter at ico.org.uk/newsletter.

If you are not the intended recipient of this email (and any attachment),
please inform the sender by return email and destroy all copies without
passing to any third parties.

If you'd like us to communicate with you in a particular way please do let
us know, or for more information about things to consider when
communicating with us by email, visit ico.org.uk/email

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. http://www.ico.org.uk/tools_and_resource...
3. http://www.twitter.com/ICOnews

Information Commissioner's Office

9 November 2016

 

Case Reference Number IRQ0650870

 

Dear Ms Jones,
 

I write in response to your email of 14 October 2016 in which you
submitted an information request to the ICO. Your request has been dealt
with under the Freedom of Information Act 2000 (FOIA). For ease of
reference I have set out each aspect of your request below followed by our
response.
 
Your request

“1) Do you have a data sharing agreement or other arrangement with the
Financial Conduct Authority (FCA) for that organisation to report
cyber-security breaches to the ICO if reported to the FCA?”
 
Our response
 
We have a Memorandum of Understanding (MoU) with the Financial Conduct
Authority (FCA). A copy of this is publicly available on our website
here
[1]https://ico.org.uk/media/about-the-ico/d....
 
The MoU doesn’t just cover the reporting of cyber security incidents to us
and it doesn’t impose any specific requirement for the FCA to do so.
However the FCA will sometimes alert us to potential cyber
security incidents under this arrangement.
 
Your request
 
“2) If you have FCA data on reported cyber-security breaches, do these
data correlate (within 5%) with breaches that have been self-reported to
the ICO by any organisation that is also registered with the FCA? "Yes" or
"No" will suffice unless you wish to tell me that this information is not
held, in which case, please provide numbers and I'll do the maths - thank
you.”
 
Our response
 
We don’t hold any information that is a comparison of FCA data and ICO
data regarding data security incidents as the FCA doesn’t provide us with
a list of incidents that is comparable to our own data in the way that you
describe.
 
It may help to explain that the FCA may occasionally alert us to a matter
they have become aware of however the intelligence they provide us will
often be unsubstantiated and it will not at that stage be clear whether
any breach of the Data Protection Act 1998 (DPA) has occurred. We will
consider the information they provide and may make further enquiries as
appropriate.  
 
Equally it is important to note that when a data controller reports an
incident to us it will be necessary for us to investigate the matter
before reaching any conclusion as to whether a breach of the DPA has
occurred. Consequently it is not the case that all incidents self-reported
to us by data controllers are “breaches” of the DPA. 
 
We have directed you below to where you can find further information about
our completed casework in respect of incidents self-reported to us by data
controllers. You may wish to consider asking the FCA if they hold their
own data about cyber security incidents affecting FCA regulated
organisations. It may then be possible for you to compare these two sets
of data.
 
Your request

“3) If you do not have FCA data, how many breaches have been self-reported
to the ICO by FCA-regulated organisations?”

Our response

We publish data sets on our website listing our completed data protection
casework. These include cases where incidents have been self-reported to
us by data controllers and will include incidents self-reported to us by
FCA regulated organisations.
 
The datasets are published on our website here
[2]https://ico.org.uk/about-the-ico/our-inf...
in a reusable format and include:

* Our reference number for the work completed;
* the type of work and legislation it falls under;
* the name of the organisation responsible for the processing of
personal information;
* the sector the organisation represents;
* the nature of the issues involved;
* the date the work was completed; and
* the outcome following our consideration of the issues.

You can currently view a dataset listing our completed casework in the
financial year 2014/15 using the link above. The name of the data
controller will help you identify those FCA regulated organisations that
are of interest to you.

We intend to publish a similar dataset covering our completed casework in
the 2015/16 financial year in the near future. We will then begin updating
the reports each month with the information relating to work completed
three months earlier.

For this reason we find that the exemption to disclosure at section 22 of
the FOIA applies to the information we hold about our 2015/16 and 2016/17
casework as this is information intended for future publication.
 
As you may be aware section 22 of the FOIA states:
 
“Information is exempt information if—

(a) the information is held by the public authority with a view to its
publication, by the authority or any other person, at some future date
(whether determined or not),

(b) the information was already held with a view to such publication at
the time when the request for information was made, and

(c) it is reasonable in all the circumstances that the information should
be withheld from disclosure until the date referred to in paragraph (a).”

The process of preparing the datasets for publication is currently
underway and we consider that it is reasonable in all the circumstances
that this information should be withheld until the time this information
is published by us.  

Your request

“3) If the answer to 1) is 'No', please would you provide rationale for
not having a data sharing agreement with the FCA for mutual reporting
arrangements?”

Our response
 
Please see our response at 1) above.
 
This concludes our response to your request. I hope that the information
provided is helpful.
 
Next steps / review procedure
 
If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Access team
at the address below or e-mail [3][ICO request email].

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request received
after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please visit
the ‘Concerns’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.
 
A copy of our review procedure is available here
[4]https://ico.org.uk/media/about-the-ico/p...

Yours sincerely
 
Steven Johnston
Lead Information Access Officer
 

References

Visible links
1. https://ico.org.uk/media/about-the-ico/d...
2. https://ico.org.uk/about-the-ico/our-inf...
3. mailto:[ICO request email]
4. https://ico.org.uk/media/about-the-ico/p...

Dear Steven,

Thank you very much for your comprehensive response. I sent a complementary request to the FCA at the same time via this website, if their response (pending) would be of interest to you.

Best wishes

Sandre Jones

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.