Response to FOI request says it would take 237 hours to find out. How can ICO have confidence lessons have been learnt?
Anyone who’s ever had been responsible for compiling or overseeing a data breach log will know that one of the commonest incidents is the inadvertent disclosure of personal data. And since the time spreadsheets could first be sent via, or uploaded to, the internet people have mistakenly left personal data in them which should have been removed or otherwise masked. It’s not a new phenomenon: as long ago as 2013 I wrote for the Guardian about the risks, and what I perceived then as a lack of urgency by the Information Commissioner’s Office in addressing, and educating about, those risks.
So it might be found surprising that, two years after the most catastrophic data breach in UK history, in which the information of thousands of Afghan citizens was mistakenly disclosed, putting many lives directly at risk, the Ministry of Defence appears to have no process for identifying when or whether there have been recurrences of the issue.
Section 12 of the Freedom of Information Act 2000 permits a government department not to comply with a request where locating and retrieving any information held would take more than 24 hours. It’s not uncommon for it to be invoked where requests are formulated in too general a manner.
But when I made a request to the MoD for
the number of personal data breaches recorded between April 2023 to date which involved: a) disclosure of personal data to the wrong recipient; b) inadvertent disclosure of personal data contained in a spreadsheet
I imagined that this would be relatively easily located and extracted. Most data breach logs I’ve seen would be categorised in such a way as to enable this. However, the MoD instead informed me that it would take over 237 hours to do so.
Helpfully, the MoD said that if I restricted my request just to the first part (“disclosure of personal data to the wrong recipient”) they might be able to comply. But what this appears to indicate is that no, or no clear, record is being taken of whether there have been repeats of the spreadsheet error involving Afghan citizens.
The Information Commissioner’s Office (ICO) has come under some criticism – including from the leading academics, the Science, Innovation and Technology Committee, and me – for failing even to conduct a formal investigation into the Afghan spreadsheet data breach. Justifying that decision, the Commissioner himself said that
MoD has briefed us on the measures it has adopted since the breach, which seek to mitigate risk of such an incident occurring in future
But if the MoD cannot say (without it taking more than 237 hours) whether there have been further such incidents, how can they reassure themselves that the risk has been indicated?
And perhaps more pertinently, how can the ICO be satisfied of this?
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
informationrightsandwrongs 
Did the MOD say they have a central data breach log and that it would take 237 hours to search it for this information, or are they saying it will take 237 hours to compile this information, i.e. searching for emails sent to the wrong person etc (in practice contacting relevant staff and compiling local records of data breaches)?
In my experience as a former FOI practitioner it sounds like they might be doing the latter (although a govt dept not having a central log of data breaches is a bit of a red flag!)
If the former, would a solution be for you to request their entire log and search through it yourself?
It’s a fair question James. They didn’t go into that sort of detail, so it’s not clear. I suspect they have a breach log, but have not set aside “spreadsheet” as a specify category or required keyword, so they’d have to go beyond the log and look into each individual case to determine whether a spreadsheet was involved.
Ohhh… great questions – well deserving of answers 👏🏻🤞🏻
Disturbing 🥺