Security incident report

Helen Cross made this Freedom of Information request to Information Commissioner's Office


The request was partially successful.

Dear Information Commissioner’s Office,

I am writing to request an unredacted copy of the security incident report previously provided in response to IRQ0455968 (https://www.whatdotheyknow.com/request/n...). This related to the non-trivial data security incident that was referred to on pg 62 of the ICO annual Report 2011/12.

I note that sections of the report were previously withheld under sections 31(g) and 31(2)(a) and (c) of the Freedom of Information Act, but I believe that these exemptions will no longer apply as the ICO investigation into this matter has now concluded.

Yours faithfully,

Helen Cross

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days.

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[2]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [3]http://www.twitter.com/ICOnews

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. http://www.ico.org.uk/tools_and_resource...
3. http://www.twitter.com/ICOnews

Information Commissioner's Office

18 July 2014

Case Reference Number IRQ0548274

Dear Ms Cross

Request for Information

Thank you for your correspondence dated 16 July 2014. You requested:

“an unredacted copy of the security incident report previously provided in
response to IRQ0455968.[…] This related to the non-trivial data security
incident that was referred to on pg 62 of the ICO annual Report 2011/12.”

Your request is being dealt with in accordance with the Freedom of
Information Act 2000. We will respond promptly, and no later than 14
August which is 20 working days from the day after we received your
request.

Should you wish to reply to this email, please be careful not to amend the
information in the ‘subject’ field. This will ensure that the information
is added directly to your case.

Yours sincerely

Steven Dickinson, Lead Information Access Officer

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF.
T. 01625 545676 F. 01625 524510 [1]www.ico.org.uk


References

Visible links
1. http://www.ico.org.uk/

Information Commissioner's Office

2 Attachments

23 July 2014

Case Reference Number IRQ0548274

Dear Ms Cross

I am writing further to our 18 July acknowledgement of your correspondence
dated 16 July 2014, in which you requested:

“an unredacted copy of the security incident report previously provided in
response to IRQ0455968.[…] This related to the non-trivial data security
incident that was referred to on pg 62 of the ICO annual Report 2011/12.”

As you know, we have dealt with your request in accordance with the
Freedom of Information Act 2000. We are now in a position to provide our
response. Please find the information you have requested attached. A small
amount of information remains withheld; I shall explain the reasons for
this below.

You may also be interested to know that we have put some additional
information about this incident on our website. This provides information
which is not included in the security incident report and covers events
after 26 April 2012, which is the date of the report. The report should
therefore be read in conjunction with the information on the website:

[1]http://ico.org.uk/about_us/research/~/me...

A copy of this information is also attached, for your convenience.

Information which has been withheld

A small amount of information has been withheld (i.e. redacted) under
section 40(2) of the Freedom of Information Act (FOIA), which allows a
public authority to withhold information when the information requested is
personal data relating to someone other than the requestor, and its
disclosure would contravene one of the data protection principles. Since
there would be no expectation that this personal data would be disclosed,
and taking account of the specific circumstances relating to this case, we
consider that such a disclosure would be unfair and in breach of the first
data protection principle, which states that ‘personal data shall be
processed fairly and lawfully…’

Information has also been withheld under section 30(1)(a) –
investigations and proceedings conducted by public authorities. This
refers to Appendix B to the Security Incident Report in full, and some
material in Appendix A.

Section 30(1)(a) sets out the following:

‘30(1) Information held by a public authority is exempt information if it
has at any time been held by the authority for the purposes of-
(a) Any investigation which the public authority has a duty to conduct
with a view to it being ascertained-
(i) whether a person shall be charged with an offence, or
(ii) whether a person charged with an offence is guilty of it,
(b) any investigation which is conducted by the authority and in the
circumstances may lead to a decision by the authority to institute
criminal proceedings which the authority has power to conduct, or
(c) any criminal proceedings which the authority has power to conduct’

The Information Commissioner has powers to investigate potential criminal
offences under section 55 of the Data Protection Act. The withheld
information has been held for the purposes of an investigation into
whether or not offences had been committed under section 55 of the Data
Protection Act.

As the additional information provided explains, this incident was
connected to the investigation relating to ICU Investigations Ltd. In
November 2013 two individuals who ran the company were convicted. Five
employees had previously pleaded guilty.

Section 30(1)(a) does not require us to consider any prejudice, but we do
have to balance the public interest. We consider the relevant public
interest factors to be as follows:

In favour of disclosure:

* greater scrutiny of the ICO investigation process, in relation to this
or other investigations into possible section 55 offences

In favour of maintaining the exemption:

* protecting the ability of the ICO as statutory regulator and the
authority with the power to conduct such investigations to do so as it
sees fit
* maintaining the confidentiality of information and evidence considered
as part of the criminal proceedings
* not discouraging witnesses or other participants in the investigation
process

We find that the balance of public interest lies with maintaining the
exemption. It is of the utmost importance that the ICO is able to carry out
its statutory duty and conduct investigations into potential criminal
offences confident that information will not be inappropriately disclosed.

Finally, information has been withheld under section 44(1)(a) of the
FOIA. Information is exempt information if its disclosure (otherwise than
under the FOIA) is prohibited by or under any enactment. The enactment in
question is the DPA 1998 and specifically section 59 of the DPA. Section
59 states that neither the Commissioner nor his staff shall disclose any
information unless the disclosure is made with lawful authority. We do not
consider that we have lawful authority to disclose information which has
been obtained in the course of our investigation and in this case seized
under a warrant using our formal powers.

Section 44 of the FOIA places prohibitions on disclosure and is an
absolute exemption which does not require a consideration of the public
interest test of the type required by the qualified exemptions.

Section 44(1)(a) of the FOIA states:

‘(1) Information is exempt information if its disclosure (otherwise than
under this Act) by the public authority holding it -
(a) is prohibited by or under any enactment’

The enactment in question is the Data Protection Act 1998 (DPA) and
specifically Section 59 of the DPA.

Section 59(1) DPA is worded as follows:

(1) No person who is or has been the Commissioner, a member of the
Commissioner’s staff or an agent of the Commissioner shall disclose any
information which
(a) has been obtained by, or furnished to, the Commissioner under or for
the purposes of the information Acts,
(b) relates to an identified or identifiable individual or business, and
(c) is not at the time of the disclosure, and has not previously been,
available to the public from other sources,
unless the disclosure is made with lawful authority.

Section 59(2) explains that there are five circumstances when the ICO
could have lawful authority to disclose; this is an exhaustive list. The
circumstances are:

“(a) the disclosure is made with the consent of the individual or of the
person for the time being carrying on the business,
(b) the information was provided for the purpose of its being made
available to the public (in whatever manner) under any provision of this
Act,
(c) the disclosure is made for the purposes of, and is necessary for, the
discharge of –
(i) any functions under this Act, or
(ii) any Community obligation,
(d) the disclosure is made for the purposes of any proceedings, whether
criminal or civil and whether arising under, or by virtue of, this Act or
otherwise, or
(e) having regard to the rights and freedoms or legitimate interests of
any person, the disclosure is necessary in the public interest.”

I will set out how each provision is made out in this case.

Section 59(1)(a) is satisfied because the information was obtained by
the ICO for the purposes of the Information Acts. The Information Acts
consist of the Data Protection Act 1998 and by amendment the Freedom of
Information Act 2000.

Section 59 (1) (b) is satisfied because the information relates to an
identifiable business – ICU investigations.

In relation to section 59 (1) (c), the information has not been disclosed
to the public and therefore this does not provide a route to disclosure.

Section 59 (2) (b) provides circumstances where lawful authority could be
achieved. We can say that in relation to (a) we do not have consent to
disclose this information and in relation to (b) the information was not
provided to the ICO for the purpose of being made public.

In relation to (c) we must consider whether this applies in any way
without reference to the ICO having received an information request
because section 44 (1) FOIA sets out that ‘Information is exempt
information if its disclosure (otherwise than under this Act)’. We find
that we are not required to disclose this information in order to
discharge a function under the information Acts or a Community obligation.

Further, in relation to (d) a disclosure to you in response to your
request would not be for the purposes of proceedings.

Finally, we turn to (e). We should clarify that the public interest
threshold here is very high, not least because disclosure in contravention
of section 59 by the Information Commissioner or his staff may constitute
a criminal offence (s.59 (3)). We do not consider that threshold is met
here.

The requested information was seized by the ICO in the course of carrying
out its function as regulator of the Data Protection Act 1998 and we do
not see that we have lawful authority to disclose it here. We do not
consider that giving access for the purposes of a freedom of information
request provides us the lawful authority we require to disclose it.

Although we are unable to provide you with all of the information within
the scope of your request we have been able to provide significantly more
than had been disclosed for the previous request you refer to and can also
provide additional information, which you have not requested, providing
important background, context and clarification relating to the incident.
I hope that this is of help to you, and that our reasoning for withholding
a limited amount of information is clear.

If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Access team
at the address below or e-mail [2][ICO request email]

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request
received after this time will only be considered at the discretion of the
Commissioner.

If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please write
to the Customer Contact department, at the address below or visit the
‘Complaints’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.

A copy of our review procedure is available [3]here.

Yours sincerely

Steven Dickinson, Lead Information Access Officer

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF.
T. 01625 545676 F. 01625 524510 [4]www.ico.org.uk

References

Visible links
1. http://ico.org.uk/about_us/research/~/me...
2. mailto:[ICO request email]
3. http://www.ico.gov.uk/about_us/~/media/d...
4. http://www.ico.org.uk/