In July this year the Information Commissioner’s Office (ICO) disclosed within their annual report that they had themselves experienced
one non-trivial data security incident. The incident was treated as a self-reported breach. It was investigated and treated no differently from similar incidents reported to us by others. We also conducted an internal investigation. It was concluded that the likelihood of damage or distress to any affected data subjects was low and that it did not amount to a serious breach of the Data Protection Act. A full investigation was carried out with recommendations made and adopted.
This got a fair amount of attention, (even I, who rarely have anything to say on such matters, blogged about it) in a way which hadn’t happened when the ICO had reported a similar-sounding incident two years previously. I understand that there were several freedom of information (FOI) requests made to the ICO, and, I notice, they have now published their response, in their disclosure log.
I wasn’t hugely surprised to find that they are totally refusing disclosure. In their statement to me (and others) in July they had said
We are unable to provide details of the breach at this stage, as the information involved is linked to an ongoing criminal investigation
and this remains the position. Some information is exempt because it is the personal data of staff involved, and they do not have a reasonable expectation of disclosure. But primarily they invoke the exemption at section 30 of the FOI Act, which provides in terms an exemption to disclosure if the information is held for the purposes of an investigation to establish whether someone has committed an offence, or which may lead to a decision to bring criminal proceedings. As this is a qualified exemption, the ICO has considered whether the public interest in disclosure outweighs the public interest in maintaining the exemption, and finds that it doesn’t:
It is of the utmost importance that ICO is able to carry out its statutory duty and conduct investigations into potential criminal offences confident that information will not be inappropriately disclosed
However, the ICO have indicated that when the criminal investigation is completed “the ICO will make a clear public statement about what occurred and the action taken”.
As I say, none of this is particularly surprising: when one heard in July that there was an ongoing criminal investigation it was apparent that little further information would emerge until that was complete. We will have to be patient.