Improve outcomes arising from our reporting of of data breaches by public bodies to the ICO

[RichardTaylor]

Currently we put significant effort into making reports, including administration relating to:

• Assessing the severity of breaches, and taking a decision on if to make a report to the ICO.
• Creating a summary of what has happened to include in our reports.
• Holding data securely for 4 weeks in-case the ICO need it to support their investigation.

Typically we get no substantive response from the ICO, and often the ICO appear confused by our position as a third party making a report.

We have already improved our reporting templates to try to pre-empt potential misunderstandings, this has led to the current text:

We would like to stress to the Information Commissioner that we are a third party raising a concern here. We are not seeking to report a data breach on behalf of a public body. We are providing information about a breach to assist the Commissioner in their role. We have no relationship with those whose personal data is involved, and are not in a position to contact them en-masse. While we have alerted the public body to what has happened we have not asked them to treat our correspondence as a complaint, and we wouldn't expect them to treat it as such.

Possible actions:

• Improve our reporting template (Data Breach Notification Complex) still further eg. making clear the circumstances in which we will provide copies of accidentally released data to them.
  • We do already say: "We would expect the commissioner to be able to deal with this matter without additional material from us, assuming the cooperation of the data controller responsible for the breach. If material is requested from us, we would expect reasoning for the request to be provided."
• Improve our transparency in relation to these reports. Initially we could blog about how many we've made, and their outcomes.
• Improve our tracking of these reports to cover
  • If we provided the released data to the ICO (We currently log if the ICO made a request for the data)
  • If we're happy lessons have been learned / appropriate action has been taken
• Do some research [via FOI if required] on the scale of the issue of data breaches reported by third parties / ICO performance in responding to them.
• Seek to discuss this matter with the ICO at a policy level, with a view to the ICO providing better guidance to their caseworkers on the subject, with an aim of them taking more effective action, and giving us the assurance they're taking effective action on our reports.

[RichardTaylor]

cc @ajparsons

[ajparsons]

Have taken note of last point as something to bring up with ICO.

[RichardTaylor]

Consider making complaint to ICO in relation to their handling of GDPR/BR/20220213-1

[FOIMonkey]

We should complain to the ICO about their handling of GDPR/BR/20220605-1. This was a serious incident, and it was clear from their response, treating it as a complaint by an affected data subject, that they did not read the correspondence. They have not yet responded substantively to our challenge to that approach.

[garethrees]

I don't think this thread should be about individual cases. While it may be useful to reference specific examples as "classes of problem" we have, I don't think this issue is the place for pushing forward action on any individual case. It's more about what larger picture to build over a longer timespan to demonstrate that there is a systemic issue.

[FOIMonkey]

The reason for referencing the individual case, was that it is very representative of the systemic issue eg ICO being slow to respond, misunderstanding correspondence, appearing to communicate with us via the public authority etc. An individual service complaint, with all the other evidence to back it up, could be more effective than a general concern letter

There is a limited time period in which they will accept complaints on any particular issue. In pausing to collate yet more data, we will lose the chance to pursue some of these cases, so it is something I think we need to be aware of.

[RichardTaylor]

We should complain to the ICO about their handling of GDPR/BR/20220605-1.

We have twice asked the ICO to reconsider their response. Under the ICO complaints policy we'd expect our first concern to be acknowledged at the latest by today, as they promise to acknowledge complaints within 14 calendar days. I'll add a scheduled message to chase, citing the complaints policy, tomorrow.

[garethrees]

The next transparency report would be a good vehicle for this (https://github.com/mysociety/whatdotheyknow-theme/issues/1170).

• Why we care - makes it harder to run our service
• Hard to resolve data breach - hard to redact - have to take materiala down - requester and public ends up without the data.
• If breaches aren’t dealt with .. FOI could be damaged if GDPR isn’t handled properly - data is released when it should be and not when it shouldn’t.

[FOIMonkey]

Noting here that on 22 September, in response to the complaint, the ICO said they would be reviewing how they have handled these types of cases and they acknowledged that their "handling of these matters has not been consistent." It might be interesting to look at whether things have got any better since then.

[RichardTaylor]

Noting here that on 22 September, in response to the complaint, the ICO said they would be reviewing how they have handled these types of cases

If the WhatDoTheyKnow team were permitted to use WhatDoTheyKnow then a FOI request in public might be one way to follow-up on this and find out what, if anything, has changed. This could be seen as too pushy and antagonistic though. Ideally the ICO's policies would be proactively published so we could see any changes without having to ask.

[garethrees]

Linking to https://github.com/mysociety/whatdotheyknow-theme/issues/1243#issuecomment-1207226533.

[RichardTaylor]

As of 1 November 2022 we received a typical standard response stating just:

Thank you for your concerns regarding [body name]. The issues that you have raised have been logged. Please be aware that it is unlikely you will hear anything further from us regarding this. However, if you have any additional information or evidence regarding this matter, please do provide it to us using this case reference.

Any action we take against organisations is published on our website.

The ICO did not engage with the detail of our report at all, we explained we were holding the released data for four-weeks in-case they required it to inform their investigation, and invited them to propose a secure means of encrypted transmission if they did want it.

[RichardTaylor]

The ICO have tweeted reporting the Information Commissioner has announced "new plans for our data breach reporting system." Stating: "This will allow us to better support both organisations and potential vulnerable victims of data breaches."

One change mentioned in the accompanying image is the classification of reports to enable determination of if vulnerable people are affected.

https://twitter.com/ICOnews/status/1633414390744600576?s=20

I don't know if details of the new plans are available.

[HelenWDTK]

The tracking that we have done on this has of limited use. Things have moved on following post-PSNI work so I am closing this as stale.