FOI Request - Number of Recorded Data Breaches 2020-2025
Request 101003989643
I am writing to make a request under the Freedom of Information Act. Please provide the following information for each of the below fiscal years (i.e. the annual reporting period 6th April to 5th April each year):
i. 2020-2021
ii. 2021-2022
iii. 2022-2023
iv. 2023-2024
v. 2024-2025
vi. 2025-2026
1. The total number of data security incidents or personal data breaches that were logged internally by the Council (i.e. recorded in your internal incident management or breach log), regardless of whether they were subsequently reported to any external body.
2. The total number of personal data breaches that were reported to the Information Commissioner's Office (ICO)
3. The number of reprimands, enforcement notices and monetary penalty notices issued by the ICO (showing the split by each category)
4. The sum financial total of any monetary penalty notices
Response 21-05-2026
Please note, the information below has been provided per the Information Governance Service’s reporting period, which runs 1st April – 31st March.
1.
i.) 2020-2021 - 1st April 2020 – 31st March 2021: 81 personal data breaches reported and logged internally by the Council.
ii.) 2021-2022 – 1st April 2021 – 31st March 2022: 81 personal data breaches reported and logged internally by the Council. See FOI: http://www.moray.gov.uk/moray_standard/page_154329.html
iii.) 2022-2023 – 1st April 2022 – 31st March 2023: 131 personal data breaches reported and logged internally by the Council. See FOI: http://www.moray.gov.uk/moray_standard/page_154329.html. This information is available online within the Information Governance Annual Report 2022 – 2023 available here: https://moray.cmis.uk.com/moray/CouncilandGovernance/Meetings/tabid/70/ctl/ViewMeetingPublic/mid/397/Meeting/2101/Committee/46/Default.aspx
iv.) 2023-2024 – 1st April 2023 – 21st March 2024: 135 personal data breaches reported and logged internally by the Council. This information is available online here: https://moray.cmis.uk.com/moray/CouncilandGovernance/Meetings/tabid/70/ctl/ViewMeetingPublic/mid/397/Meeting/2105/Committee/46/Default.aspx
v.) 2024-2025 – 1st April 2024 – 31st March 2025: 114 personal data breaches reported and logged internally by the Council. This information is online here: https://moray.cmis.uk.com/moray/CouncilandGovernance/Meetings/tabid/70/ctl/ViewMeetingPublic/mid/397/Meeting/2111/Committee/46/SelectedTab/Documents/Default.aspx
vi.) 2025-2026 – 1st April 2025 – 31st March 2026: 134 personal data breaches reported and logged internally by the Council.
2.
i.) 2020-2021 - None
ii.) 2021-2022 – 2
iii.) 2022-2023 – 2. This information is available online within the Information Governance Annual Report 2022 – 2023 available here: https://moray.cmis.uk.com/moray/CouncilandGovernance/Meetings/tabid/70/ctl/ViewMeetingPublic/mid/397/Meeting/2101/Committee/46/Default.aspx
iv.) 2023-2024 – 3. This information is available online here: https://moray.cmis.uk.com/moray/CouncilandGovernance/Meetings/tabid/70/ctl/ViewMeetingPublic/mid/397/Meeting/2105/Committee/46/Default.aspx
v.) 2024-2025 – 3. This information is online within the Information Governance Annual Report 2024 – 2025 available here: https://moray.cmis.uk.com/moray/CouncilandGovernance/Meetings/tabid/70/ctl/ViewMeetingPublic/mid/397/Meeting/2111/Committee/46/SelectedTab/Documents/Default.aspx
vi.) 2025-2026 – 1
3.
i.) 2020-2021 - None
ii.) 2021-2022 – None.
iii.) 2022-2023 – None. This information is available online within the Information Governance Annual Report 2022 – 2023 available here: https://moray.cmis.uk.com/moray/CouncilandGovernance/Meetings/tabid/70/ctl/ViewMeetingPublic/mid/397/Meeting/2101/Committee/46/Default.aspx
iv.) 2023-2024 - None
v.) 2024-2025 – None. This information is online within the Information Governance Annual Report 2024 – 2025 available here: https://moray.cmis.uk.com/moray/CouncilandGovernance/Meetings/tabid/70/ctl/ViewMeetingPublic/mid/397/Meeting/2111/Committee/46/SelectedTab/Documents/Default.aspx
vi.) 2025-2026 – None
4. None - not applicable - see response to question 3