Massive data breach - Did you publish thousands of complainants' names?

Dear Parliamentary and Health Service Ombudsman,

I have been alerted to a serious and credible allegation that you broke data protection laws by publishing on your website the full names of thousands of individuals who complained to you in 2018/19. The names of possibly hundreds of caseworkers were also published. The allegation was contained in a submission to PACAC in relation to the PHSO scrutiny inquiry 2019. It was supported by a redacted screenshot.

Can you confirm that the alleged data breach did in fact occur? If so:

1. On what date did it occur?

2. How many complainants' names did you publish?

3. How many PHSO staff names did you publish?

4. On what date did you become aware that it had occurred?

5. Has PACAC contacted you about the matter? If so, please provide a copy of all relevant communications.

6. If you have contacted the ICO about the matter, on what date did you do so?

7. Please provide a copy of any information communicated to the ICO about the data breach.

8. If you have contacted either the complainants or staff concerned, please provide a copy of any standard communication you sent to them.

9. If you have contacted the MPs concerned, please provide a copy of any standard communication you sent to them.

10. If you have contacted PACAC about the matter, please provide a copy of the information you have provided to it.

Additionally:

11. Please provide a copy of your current guidance related to the protection of complainants' personal information. I am also interested in the training materials provided to staff who publish information online.

Yours faithfully,

D Moore

InformationRights, Parliamentary and Health Service Ombudsman

Thank you for contacting the Parliamentary and Health Service Ombudsman’s
(PHSO) Freedom of Information and Data Protection Team. This is to confirm
we have received your request.

If you have made a request for information under the Freedom of
Information Act 2000 or Environment Information Regulations 2004, we will
respond to your request within 20 working days in accordance with the
statutory time frames set out in both Acts.

If you have made a request for personal information held by the PHSO, your
request will be processed as a Subject Access Request under the provisions
of the Data Protection Act 2018 and will be responded to within one
calendar month in accordance with the statutory time frame set out in the
Act.

We may contact you before this time if we require further clarification or
if we need to extend the time required to complete your request.

For Subject Access Requests, we will send any personal information via
secure email, unless you instruct us differently. To access the
information on the email we send, you will need to sign up to our secure
email service. Details can be found on our website using the link below:
www.ombudsman.org.uk/about-us/being-open...

If you require us to post your personal information to you instead you
will need to inform us of this and confirm your current address as soon as
possible.

Angharad Jackson
Data Protection Officer & Assistant Director Information Assurance
Office of the Parliamentary and Health Service Ombudsman
PHSO CityGate
47-51 Mosley Street
Manchester
M2 3HQ
[email address]

D. Moore left an annotation ()

I have contacted the ICO about this matter:

https://www.whatdotheyknow.com/request/a...

J Roberts left an annotation ()

This is deeply concerning. I made a request to the PHSO about its data security some time ago that may be of interest:

'The ICO's data protection audit of March 2018 concluded that your organisation was in a poor state:

https://ico.org.uk/media/action-weve-tak...

"There is a limited level of assurance that processes and procedures are in place and delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA."

Please provide all recorded information to confirm that the PHSO has taken steps to correct the specific weaknesses identified by the ICO's audit - papers, reports etc. Please also conduct a search of the email account of the person responsible for ensuring PHSO compliance with the DPA using the term 'Data protection audit report' and provide me with copies of all relevant emails.'

https://www.whatdotheyknow.com/request/d...

It would appear that data security at the PHSO has got worse. I'm not sure whether the ICO ever imposes penalties on public authorities who publish thousands of names in the manner described in the request, or simply tells delinquent authorities to make improvements. If it is confirmed that thousands of complainants' names were unlawfully published, the reputation of the PHSO will undoubtedly suffer. The information could already be available to buy on the dark web.

M Boyce left an annotation ()

Yes this is very concerning. I wonder whether the PHSO will mention this at their annual PACAC 'scrutiny' shindig this coming Monday 18th May?

We can expect a lot of virtual backslapping and fulsome praise from PACAC to PHSO.

And no, the PHSO are not announcing their big day on their site.

J Roberts left an annotation ()

Amanda Amroliwala confirmed the data breach at today's PACAC annual PHSO scrutiny hearing. She said it occurred on 5th March and that PHSO was made aware of it on 28 April. It was caused by a combination of human and system errors. She downplayed the extent of the breach (a low risk of malicious use) and said that the ICO had been informed. She further said that the PHSO would be writing to 300 people. The Chairman revealed that MPs were to receive letters as well, so how many of the 300 people include MPs?

J Roberts left an annotation ()

Request concerning what steps the PHSO has taken to assist victims of the data breach to get in touch. Amanda Amroliwala told PACAC that dedicated web and email addresses have been set up:

https://www.whatdotheyknow.com/request/c...

The Chair of PACAC, William Wragg, disclosed that he would be writing to the Ombudsman with further questions. Here is his letter:

https://committees.parliament.uk/publica...

J Roberts left an annotation ()

PACAC tweet:

"The Deputy Ombudsman Amanda Amroliwala has apologised for a data breach that occurred when spreadsheet with hidden tabs was included in a recent report. The breach has been reported and all involved are being contacted."

https://twitter.com/CommonsPACAC/status/...

It is interesting that the tweet refers to 'all involved' being contacted. Ms Amroliwala said that around 300 people would be contacted. The tweet suggests that the breach involved 300 complainants in total.

J Roberts left an annotation ()

Just over 5% of complainants affected are to be notified:

https://www.ombudsman.org.uk/notice-data...

"We regret to report that on 5 March, a list of complainants’ names and some information about their complaints were published in error on our website. The names of the caseworkers who worked on these complaints were also published.

The data did not include any contact details such as telephone numbers, emails or addresses, nor personal information such as age or date of birth.

The information was removed on 28 April 2020. If you have downloaded or otherwise obtained a copy of the spreadsheet, please delete it in whatever form you hold it.

How many people were affected?

The names of just over 5,300 complainants and 197 members of PHSO staff were published. For the vast majority, we are satisfied that no issues arise which require action beyond publishing this notice. However, we are taking a cautious approach by notifying 311 people individually where inferences could be drawn from the data.

Where was the data?

The information was in a spreadsheet published alongside the Ombudsman’s Annual Casework Report 2019. The spreadsheet showed the number of complaints received about each organisation. The information was not visible to readers unless they clicked to reveal hidden tables.

What did the data include?

The information published was:

the names of the complainants
the date a complainant contacted us
how they contacted us (by telephone or using the web form)
the organisation(s) complained about
the name of the caseworker and whether the case was upheld, partly upheld or not upheld.

What are the risks?

Having investigated the information that was published, we believe the risk of someone using this information maliciously is very low.

What action has PHSO taken?

As soon as we became aware of the situation, we removed the information from the website and reported the data breach to the Information Commissioner. We are investigating what went wrong and have reviewed and changed our processes to make sure this does not happen again.

We are very sorry that this happened and for any worry it may cause our service users and colleagues.

I downloaded and saved a copy of the spreadsheet while it was available on the website. What should I do?

If you have downloaded or otherwise obtained a copy of the spreadsheet, please delete it in whatever form you hold it.

If you want to contact us

If you have any questions or would like to discuss this further, please contact our Data Protection Officer at privacy@ombudsman.org.uk

If you are unhappy with our response, you can complain to the Information Commissioner’s Office."
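The notice quoted above says the names sat in hidden tables of a spreadsheet published alongside a report, and only became visible once a reader revealed them. As an added example (not from this page, PHSO or PACAC), here is a stdlib-only Python pre-publication check that opens an .xlsx as the zip archive it is and flags hidden or veryHidden worksheets as well as hidden rows and columns; the minimal workbook it scans is constructed inline and its sheet names are invented.

```python
"""Pre-publication check for hidden content in an .xlsx (stdlib only).

An .xlsx is a zip archive: xl/workbook.xml lists the sheets, and a <sheet>
may carry state="hidden" or "veryHidden"; hidden rows/columns are marked
hidden="1" inside each xl/worksheets/*.xml part.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def hidden_sheets(xlsx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (sheet name, state) for every sheet whose state is not 'visible'."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [(s.get("name", "?"), s.get("state", "visible"))
            for s in root.iterfind(".//m:sheets/m:sheet", NS)
            if s.get("state", "visible") != "visible"]


def hidden_rows_and_cols(xlsx_bytes: bytes) -> dict[str, tuple[int, int]]:
    """Map each worksheet part to (hidden row count, hidden column-range count)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for part in zf.namelist():
            if not (part.startswith("xl/worksheets/") and part.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(part))
            rows = sum(r.get("hidden") in ("1", "true")
                       for r in root.iterfind(".//m:sheetData/m:row", NS))
            cols = sum(c.get("hidden") in ("1", "true")
                       for c in root.iterfind(".//m:cols/m:col", NS))
            if rows or cols:
                found[part] = (rows, cols)
    return found


def safe_to_publish(xlsx_bytes: bytes) -> bool:
    """True only when the workbook has no hidden sheets, rows or columns."""
    return not hidden_sheets(xlsx_bytes) and not hidden_rows_and_cols(xlsx_bytes)


def build_sample_xlsx(with_hidden: bool = True) -> bytes:
    """Constructed minimal archive (not a real PHSO file, and lacking the rels and
    content-types parts a full .xlsx carries): a visible summary sheet plus a
    second sheet that, when with_hidden is set, is hidden and holds a hidden
    row and a hidden column."""
    m = NS["m"]
    state = ' state="hidden"' if with_hidden else ""
    hid = ' hidden="1"' if with_hidden else ""
    workbook = (f'<workbook xmlns="{m}" xmlns:r="http://schemas.openxmlformats.org/'
                'officeDocument/2006/relationships"><sheets>'
                '<sheet name="Complaints by organisation" sheetId="1" r:id="rId1"/>'
                f'<sheet name="Case list" sheetId="2"{state} r:id="rId2"/>'
                "</sheets></workbook>")
    sheet1 = (f'<worksheet xmlns="{m}"><sheetData><row r="1">'
              '<c r="A1" t="inlineStr"><is><t>Organisation</t></is></c>'
              "</row></sheetData></worksheet>")
    sheet2 = (f'<worksheet xmlns="{m}"><cols><col min="3" max="3"{hid}/></cols>'
              f'<sheetData><row r="1"><c r="A1"/></row><row r="2"{hid}><c r="A2"/>'
              "</row></sheetData></worksheet>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", sheet1)
        zf.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()
```

Run `safe_to_publish()` over a real workbook's bytes as a gate in the publishing workflow; a hidden sheet is only a warning sign, since the rows behind it still need a human to confirm they contain nothing personal.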

InformationRights, Parliamentary and Health Service Ombudsman

Dear D Moore

Unfortunately we are not able to respond to your request within the 20 working day deadline. We are currently aiming to get the response out by the end of the week.

Please accept our apologies for this failure to comply with Section 10(1) of the Freedom of Information Act 2000.

Regards,

Freedom of Information/Data Protection Team
Parliamentary and Health Service Ombudsman
E: [email address]
W: www.ombudsman.org.uk

J Roberts left an annotation ()

The Ombudsman has responded to PACAC's written questions. The PHSO has a team of 'change champions':

"2. As explained on p.44, you “invested £353,000 in new ICT capabilities and technical infrastructure”. Were there any teething issues with this new ICT provision? And were there any write-offs under this investment?"

"Delivering the replacement of our ICT infrastructure and the first phase of replacing our Case Management System during 2019 were major undertakings. Both projects were delivered on time and within budget, and in the context of continuous consultation with case handlers. As with any project of this nature, the ICT team and a team of change champions were on hand to provide support to staff following implementation to work through any post go-live issues. These were addressed quickly and effectively."

https://committees.parliament.uk/publica...

InformationRights, Parliamentary and Health Service Ombudsman

1 Attachment

Dear D Moore

 

PHSO reference R0001226

Your request for information

 

Thank you for your correspondence of 11th May 2020 in which you requested
information from the PHSO.

 

Please accept my apologies for the delay in responding to your request.
This is a breach of Section 10(1) of the Freedom of Information Act 2000,
and may be reported to the ICO using the details at the bottom of this
email.

 

 

PHSO response

 

1.  On what date did it occur?

 

5th March 2020.

 

2.  How many complainants' names did you publish?

 

5,305.

 

3.  How many PHSO staff names did you publish?

 

197.

 

4.  On what date did you become aware that it had occurred?

 

28th April 2020.

 

5.  Has PACAC contacted you about the matter?  If so, please provide a
copy of all relevant communications.

 

Not held.

 

6.  If you have contacted the ICO about the matter, on what date did you
do so?

 

28th April 2020.

 

7.  Please provide a copy of any information communicated to the ICO about
the data breach.

 

PHSO holds information relevant to this request. However, this information
is exempt from disclosure under Section 31(1)(g) of the Freedom of
Information Act 2000, and the balance of the public interest test favours
maintaining the exemption. Please see the section below the questions for
details explaining why this information is exempt from disclosure.

 

8.  If you have contacted either the complainants or staff concerned,
please provide a copy of any standard communication you sent to them.

 

Not held.

 

9.  If you have contacted the MPs concerned, please provide a copy of any
standard communication you sent to them.

 

Not held.

 

10.  If you have contacted PACAC about the matter, please provide a copy
of the information you have provided to it.

 

Not held.

 

11.  Please provide a copy of your current guidance related to the
protection of complainants' personal information.  I am also interested in
the training materials provided to staff who publish information online.

 

Guidance for the protection of complainants’ personal data can be found on
PHSO’s website - [1]link. As this information is reasonably accessible to
you, PHSO is exempt from communicating a copy to you as per Section 21(1)
of the Freedom of Information Act 2000.

 

Please see attached for a copy of the material that instructs staff on how
to publish information online. Redactions have been made to the document
under Section 31(1)(a), and the screenshots that accompany the text have
been removed under Section 40(2) of the Freedom of Information Act 2000.

 

Please note that Rob Behrens’ name should appear in some of the
screenshots. However, PHSO’s redaction software is not capable of removing
other names from the images whilst leaving his in. His name should appear
on pages 17, 18, & 40 in relation to text about blogs that have been
published on PHSO’s website under his name. Please accept my apologies for
this.

 

 

Section 31(1)(g)

 

Section 31(1)(g) of the Freedom of Information Act 2000 states:

 

“Information which is not exempt by virtue of section 30 is exempt
information if its disclosure under this Act would, or would be likely to,
prejudice –

(g) the exercise by any public authority of its functions for any of the
purposes specified in subsection (2)”

 

The purposes referred to in sections 31(2)(a) and (c) are –

 

(a) the purpose of ascertaining whether any person has failed to comply
with the law,

(c) the purpose of ascertaining whether circumstances which would justify
regulatory action in pursuance of any enactment exist or may arise,  

 

In this instance, disclosure would be likely to prejudice the ICO’s
function to determine whether PHSO has failed to comply with the Data
Protection Act 2018. At the time of your request the ICO’s investigation
into PHSO was ongoing, and there was still further work required before
any decision could be reached on the data breach. At such a critical time
it is important that ICO can pursue its regulatory function in a way that
isn’t prejudiced through premature disclosure of information pertaining to
its investigation. For these reasons PHSO considers that Section 31(1)(g)
of the Freedom of Information Act 2000 is engaged.

 

Section 31 is a qualified exemption, so PHSO is required to consider the
balance of the public interest. PHSO considered the following arguments
for disclosing the information:

 

o Disclosure would increase transparency over how PHSO notified the ICO
about the breach. This breach had an impact on the privacy rights of a
large number of individuals and this would help them have a greater
understanding of what happened to cause the breach, and what steps the
ICO were taking to address it.
o Organisations that receive public funds are accountable to the public
for their actions. Disclosure would help provide insight into the
members of staff involved in handling the breach and show what they
were doing.

 

PHSO considered the following arguments for maintaining the exemption:

 

o The ICO’s investigation into the breach was ongoing, and it has a
right to consider its processes without premature disclosure of the
facts it was considering. The right to transparency is not absolute
and public bodies are afforded space so they may fulfil their
functions without undue interruption.
o PHSO considers that the information given to ICO was done in
confidence, and disclosure of any facts would only be considered once
the ICO had reached its decision about the breach and announced its
decision to the public. Disclosure at this stage would undermine this,
and PHSO considers that this would not be in the public interest.
o The information is exempt as per Section 31(1)(g) of the Freedom of
Information Act 2000. This exemption was devised for a reason and it
is important that this is only overturned where there is a compelling
argument to do so which clearly outweighs the factors in maintaining
the exemption.

 

Based on the factors above PHSO considers that the balance of the public
interest supports maintaining Section 31(1)(g) of the Freedom of
Information Act 2000.

 

 

Section 31(1)(a)

 

Section 31(1)(a) of the Freedom of Information Act 2000 states:

 

“Information which is not exempt information by virtue of section 30 is
exempt information if its disclosure under this Act would, or would be
likely to, prejudice –

(a)the prevention or detection of crime,”

 

The guidance contains instructions on how to log in to PHSO’s website so
that a user may make alterations to the site or post new pages. This could
be used by certain individuals to try and gain unauthorised access to
PHSO’s website in malicious ways to try and commit crime such as fraud.
PHSO is an official public body, and there is an expectation that
information on its website should be trustworthy, which means that
information relating to safety measures for controlling information on the
website should be protected from disclosure to the public domain to
prevent the risk of it being used for crime.

 

Section 31 is a qualified exemption, so PHSO is required to consider the
balance of the public interest. PHSO considered the following arguments
for disclosing the information:

 

o There is an inherent argument for transparency on any information that
is held by public authorities. In this instance, it would show the
security processes PHSO staff follow, and members of the public could
check to see if these were adequate.

 

PHSO considered the following arguments for maintaining the exemption:

 

o Disclosure of information which would likely lead to a greater risk of
criminal activity is clearly not in the public interest, and it is
obvious that information of this nature should be withheld from a wide
audience.  
o PHSO has an obligation to ensure that its resources are not used to
assist individuals to commit criminal acts. PHSO is an official body and
should do all it can to ensure that the law is upheld.

 

Based on these factors, PHSO considers the balance of the public interest
favours maintaining the exemption.

 

 

Section 40(2)

 

The information removed under Section 40(2) of the Freedom of Information
Act 2000 is names of staff members who either are listed in the guide as
contacts, or whose names appear in the accompanying screenshots. PHSO is
satisfied that this is personal data as per Section 3(2) of the Data
Protection Act 2018.

 

PHSO considers that disclosure would contravene the data protection
principles outlined in Article 5 of the General Data Protection
Regulations. Specifically, principle 1(a):

 

“Personal data shall be processed lawfully, fairly and in a transparent
manner in relation to the data subject”

 

In order to assess whether this lawful basis is engaged I have considered
key questions:

 

(i) Purpose: what is the legitimate interest in the disclosure of the
information?

(ii) Necessity: is disclosure necessary for that purpose?

(iii) Balancing test: does the legitimate interest outweigh the interests
and rights of the individual?

 

Regarding purpose – PHSO believes that there is a legitimate interest in
knowing the staff names that appear in the guide. It shows the members of
staff responsible for helping staff publish information on PHSO’s website,
and those who write articles for the website.

 

Regarding necessity – PHSO works on the basis that “necessity” means more
than desirable but less than indispensable or absolute necessity. Based on
this disclosure is necessary for the outlined purpose, as their names are
not available to the requester through any other means.

 

Regarding the balancing test – PHSO considers that the legitimate
interests do not outweigh the rights of the individuals concerned. It is a
relatively limited legitimate interest that is served by providing the
names of staff concerned, as the staff are not senior members of staff or
publicly facing. Whilst some of the staff do place information onto PHSO’s
website they are not named in the process, and so are not already known
for their work at PHSO. Based on this PHSO does not consider that it
should infringe on their privacy rights and disclose their names.

 

 

Right of appeal

 

If you have any queries about this response, please contact the
Information Rights Team. Please remember to quote the reference number
above in any future communications. If you are unhappy with the service
you have received in relation to your request or wish to request an
internal review, please respond to this email and explain why you are
dissatisfied.

 

If you are not content with the outcome of your internal review, you may
apply directly to the Information Commissioner’s Office for a decision.
Generally, the Commissioner will not make a decision unless you have
exhausted the complaints procedure provided by the PHSO. The Information
Commissioner’s Office can be contacted at:

 

The Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

 

[2]https://ico.org.uk/

 

Regards,

 

Freedom of Information/Data Protection Team

Parliamentary and Health Service Ombudsman

E: [3][email address]

W: [4]www.ombudsman.org.uk

 

References

Visible links
1. https://www.ombudsman.org.uk/about-us/co...
2. https://ico.org.uk/
3. mailto:[email address]
4. http://www.ombudsman.org.uk/