However, since the autumn of 2007 we have been entering the details of any reports we receive which indicate that a breach of security has resulted in the loss or disclosure of personal data, onto a specific spreadsheet. As you may be aware, the Information Commissioner encourages organisations to report serious data breaches to this office, and although there is no legal obligation requiring them to do so, the large majority of these breaches are reported to us by the organisations themselves.

Therefore, in response to your request I am able to inform you that since October 2007 the details of 155 possible breaches of security have been added to this spreadsheet, the first of these occurring in November 2006. However, it is worth pointing out that in several cases the data were subsequently recovered. The data controllers concerned have been –

Government Departments - 34
Other public sector - 72
Private sector - 44
Third sector – 5 (included in this are housing associations, charities and religious bodies).

The extent of the additional information we hold in relation to each potential security breach will vary, according to the level of detail that has been provided to us by the organisation concerned, or the person who has reported the matter to us. However we are unable to provide this information to you, as it is being withheld under the exemptions in section 31 and 44 of the FOIA.

Section 31 of the FOIA refers to circumstances where a disclosure of information in response to a request under the FOIA would be likely to prejudice the exercise of a public authority’s functions. The exemption refers to functions where “the purpose of ascertaining whether circumstances which would justify regulatory action in pursuance of any enactment exist or may arise”.

As I have indicated above, in the majority of cases these security breaches are reported by the organisations themselves, on a voluntary basis. This assists us in enforcing the requirements of the DPA by taking formal regulatory action where this is appropriate, or by providing advice and assistance to the organisation in order to prevent any recurrence of what has occurred. However, if we were to make the details of these breaches public in response to requests for information under the FOIA, it is extremely unlikely that organisations would continue to report these breaches to us. Clearly, this would prejudice the ICO’s regulatory activity.

In applying this exemption we must consider the public interest. It is clearly in the public interest for the Information Commissioner to be as open and transparent as he can be in discharging his statutory functions. Also, there is particular public interest where a security breach has resulted in a disclosure of personal data relating to a large number of individuals.

However it is also in the public interest to ensure that the Commissioner, as the public official responsible for regulating compliance with the DPA, is able to maintain a degree of confidentiality with regard to the content of communications between the ICO and regulated organisations. That confidence, and the associated spirit of co-operation with those who are seeking, with our help, to meet their obligations, would be likely to be undermined were the Commissioner to disclose information in circumstances which are likely to be prejudicial to the discharge of his statutory functions. It is not in the public interest for that confidence to be undermined. If it were, the organisations concerned would cease to notify the
Commissioner of these breaches. As a result the Commissioner would no longer be in a position to take action in relation to those breaches, and thus to prevent further similar breaches from occurring in the future.

As I have indicated above, section 44 of the FOIA is also relevant in this case. Information may be withheld under this exemption if “any enactment” prohibits its disclosure. Section 59 of the DPA prevents the ICO from disclosing information which has furnished to the Information Commissioner for the purposes of the DPA, unless the disclosure is made with lawful authority. In this case we do not have the lawful authority to make the disclosure. Thus section 59 prohibits the disclosure, and section 44 of the FOIA also exempt the information from being included in a response to an FOIA request.

Whilst we are unable to provide you with any additional information in relation to these breaches, you may be interested to read the advice we have produced for individuals or organisations who wish to report them. The link from our website is http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/breach

Also, details of all of the regulatory action which has been taken by the ICO in relation to breaches of the DPA can be found on our website via the link http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx As you will see, some of this action has been taken in relation to security breaches.

If you would like to provide us with the names of any government departments which are of specific interest to you we could carry out searches to establish on how many occasions we have made assessments that those departments have breached the DPA since 2004.

 Copyright © 2010 Simply Belfast . All Rights Reserved.