FOI Request - Breaches of the Data Protection Act

Request 101001195576

I am writing under the Freedom of Information Act 2000 to request details of breaches of the Data Protection Act within your organisation; specifically I am asking for:

1a. Approximately how many members of staff do you have?
1b. Approximately how many contractors have routine access to your information?

2a. Do you have an information security incident/event reporting policy/guidance/management document(s) that includes categorisation/classification of such incidents?
2b. Can you provide me with the information or document(s) referred to in 2a? (This can be an email attachment of the document(s), a link to the document(s) on your publicly facing web site or a 'cut and paste' of the relevant section of these document(s))

3a. Do you know how many data protection incidents your organisation has had since April 2011? (Incidents reported to the Information Commissioner's Office (ICO) as a Data Protection Act (DPA) breach)
Answer: Yes, No, Only since (date):
3b.  How many breaches occurred for each Financial Year the figures are available for?
Answer FY11-12:   FY12-13:   FY13-14:  FY14-15:  

4a. Do you know how many other information security incidents your organisation has had since April 2011? (A breach resulting in the loss of organisational information other than an incident reported to the ICO, eg compromise of sensitive contracts or encryption by malware.)
Answer: Yes, No, Only since (date):
4b. How many incidents occurred for each Financial Year the figures are available for?
Answer FY11-12:   FY12-13:   FY13-14:  FY14-15:  

5a. Do you know how many information security events/anomalies your organisation has had since April 2011? (Events where information loss did not occur but resources were assigned to investigate or recover, eg nuisance malware or locating misfiled documents.)
Answer: Yes, No, Only since (date):
5b. How many events occurred for each Financial Year the figures are available for?
Answer FY11-12:   FY12-13:   FY13-14:  FY14-15:  

6a. Do you know how many information security near misses your organisation has had since April 2011? (Problems reported to the information security teams that indicate a possible technical, administrative or procedural issue.)
Answer: Yes, No, Only since (date):
6b. How many near-misses occurred for each Financial Year the figures are available for?
Answer FY11-12:   FY12-13:   FY13-14:  FY14-15:  

If the specific answers to 4, 5 and 6 are not readily available, I am content for these questions to be modified/replaced with similar questions that are derived from your organisation's categorisation/classification system within the documents requested in question 2. I would need to first make an FoI request for question 2 in order to frame suitable questions 4, 5 and 6, then make a second request. If you are considering a manual review of all incidents to satisfy 4, 5 and 6, please re-read this section and interpret it as latitude to reuse information that you are currently recording (manual review may be the best for some organisations). Similarly, calendar year can replace financial year. Please state in the reply if this option has been implemented.

My preferred format to receive this information is electronically, but if that is not possible I will be willing to accept hard copy. I would be grateful if you could include my reference
Ref: 106956

Response 15-06-2016

1.a)  Approx. 5000

b) We do not have accounts for 3rd party contractors on our system who would therefore have routine access to data held on our servers.

2. a) and b) This document is now available on our website here

Information and Data Breaches are handled on a case by case basis and are not categorised.

3.a) and b) This information is exempt under Section 25(1) of the Freedom of Information (Scotland) Act 2002 as it is already publicly available on the Moray Council website. For ease of reference please find a link to this page here

No new breaches have been reported to the ICO since the above information was released.          

4.a) and b) This information is exempt under Section 25(1) of the Freedom of Information (Scotland) Act 2002 as it is already publicly available on the Moray Council website (please see link in question 3).

No new breaches resulting in the loss of information since the above information was released         

5.a) and b) This information is exempt under Section 25(1) of the Freedom of Information (Scotland) Act 2002 as it is already publicly available on the Moray Council website (please see link in question 3).

FY13-14: 1

6.a) Only since FY14-15    

b) FY14-15:  1
