Add `/help/report-a-data-breach`

[garethrees]

From a process perspective, it would be helpful to collect all the information we need for the initial assessment of a data breach at the point we are first made aware of a potential issue. We want to create a dedicated contact form that we can point authorities to in an attempt to get better up front information.

The page will be a combination of help page and contact form.

Contact Form

The contact form should ask the public authority to:

• Provide a link to the request/attachment in question[^1].
• Identify why they consider the incident to be a serious data breach (text area).
• Confirm if the response contains Special Category information or Criminal Offence data (checkboxes).
• Provide the name and contact details for the Data Protection Officer (if any) (text area?).

It should submit to the configured CONTACT_EMAIL (i.e. our usual inbox). It should include something that allows us to easily identify that the message has come via this form (to auto-label it, etc).

We should be mindful of spam. We might want to consider preventing external indexing of it.

It should be linked to from /help/contact via a bubble along the lines of "I work for a public authority and I'm reporting a data breach".

We might also want to link to it from a custom section of the "report a request" page (via the "report" button on requests, messages, comments, etc)

Help Page

This help page should:

• explain what we consider a serious data breach to be;
• informs authorities about the information we need to process a report; and
• outlines what they can expect to happen when they report a serious data breach to us.

We should not presume that people using the form will know what Special Category information or Criminal Offence data are. We should ensure that this is clearly explained on the page where reports can be made.

Layout

I think a good structure for the page would be in 3 core sections:

1. High level description of what this page is about, and the key things to know about how we process these reports
2. The contact form
3. The extra help information that might get a bit verbose

[^1]: Could use/integrate the existing "last request viewed" mechanics here, but we'd need to make sure that it's not the only way to submit links to the right content.

[mdeuk]

This sounds great - it'll help us get key data more quickly.

Polite request: so that we can process these using our support tooling a wee bit faster, can we write some metadata into the message headers, much in the same way as the volunteer form?

That could look something like:

X-WDTK-Contact: wdtk-report-a-breach
X-WDTK-RequestId: [request id]

[WilliamWDTK]

This certainly sounds like a potential big improvement which can ultimately improve how quickly and how well we respond to serious issues.

We should also consider in the forms design how to deal with cases where the authority can't find the request on our site, either because it is embargoed, has reduced prominence, hasn't been indexed, or is otherwise hard/impossible to find. In this situation, the best thing to ask for is the request's email address.

I think it would also be good to signpost what to do for:

• Other people reporting an authority's data breaches (either requester or third party)
• Reports of data breaches we've made
• Reports of data breaches made by requesters in outgoing messages
• Reports of data breaches in annotations

Some users may otherwise use the form if they end up on it, and it may not be asking appropriate questions.

I wouldn't say we'd necessarily have to deal with these on the form, though it might be good, but we should signpost it. The last three aren't very common, I don't think, but I think the first is important to deal with.

We'll want to encourage as much precision as possible as to where the alleged breach is. (I.E. not just request X, but message Y, attachment Z, line/page α, even if described by dates/times etc.)

[mdeuk]

We should also consider in the forms design how to deal with cases where the authority can't find the request on our site, either because it is embargoed, has reduced prominence, hasn't been indexed, or is otherwise hard/impossible to find. In this situation, the best thing to ask for is the request's email address.

+1 - we could, perhaps, then pattern match it, once the form is submitted, so we can render relevant links in the message. That wouldn't be compulsory, of course.

It might also be handy to link to the advice on recall messages - many public bodies use MS Exchange, and will often try to recall an email. It's a bad thing to do in these cases, as it often just magnifies the fact there is a problem. Letting the team know promptly is a better solution.

As for the suggested signposting - also a +1, some boilerplate would probably help FOI / DP officers who use the form to understand what we can and can't give them right away, and what the next steps are, after a report is made.

[garethrees]

Just linking to https://github.com/mysociety/whatdotheyknow-theme/pull/1208 as potential implementation inspiration, though may be easier/cleaner to create a new POST endpoint for the form.

[RichardTaylor]

explain what we consider a serious data breach to be;

We now, following the adoption of a new policy on dealing with reports of "serious data breaches", have two different definitions for "serious data breach".

We have:

1. A breach which we think should be reported to the ICO (example)
2. A breach involving special category or criminal offence data

I suggest not using the term "serious data breach" publicly if we mean something specific and instead say eg. "a data breach which a public body is required to report to the ICO" and "a data breach involving special category or criminal offence data".

[RichardTaylor]

---

The contact form should ask the public authority to:

Is this form just for public bodies, or for everyone?

I think it's for everyone, but we will point public bodies specifically to it?

---

Consider making this a form which records if the user was logged in when they submitted it, this would enable us to know if the report was from a public body account.

A question on the form could ask if the submission was being made on behalf of the public body responsible for the data breach.

---

name and contact details for the Data Protection Officer

What we really want is just an email address for contacting the Data Protection Officer. We don't need their name, and we don't really want their phone number.

---

It should be linked to from /help/contact

Can it also be linked from the "report this request" form linked from request pages?

---

Potentially related:

• https://github.com/mysociety/alaveteli/issues/41

[JenMysoc]

@chrismytton where are we at with this? Do we have an update?

[chrismytton]

@JenMysoc Apologies for the radio silence!

Managed to get some time to work on this last week. Code is mostly working now, just need to tidy things up a bit and add some tests. Hoping to have something to share later this week.

[chrismytton]

Well it took a bit longer than predicted, but there's now a pull request for this change here: https://github.com/mysociety/whatdotheyknow-theme/pull/1696.

All feedback welcome!

@mdeuk Data breach emails will include a X-WDTK-Contact: wdtk-data-breach-report header. I haven't included the request ID header at this point, as we may not know what it is if the user supplies the request's email instead, as @WilliamWDTK suggests.

@RichardTaylor I've added a question about the type of data breach, based on your two definitions. We're also asking if they're reporting on behalf of the public body, and as you suggest we're just asking for the DPO's email, rather than name etc.

As you can see the page still needs some copy adding to it, so any input or suggestions on that would be appreciated.