Request for information relating to 2017 data incident

Request

(1) How much money has been paid out by IPSA to settle claims from victims of the March 2017 data breach so far (from March 2017 to current date)?

(2) How many victims of the data breach have been compensated in the period March 2017 to the current date?

(3) Has IPSA concluded its investigation into how the leak happened? Have any staff been dismissed or disciplined as a result?

(4) Please provide details of the IPSA investigation as well as any reports into the incident. If the information requested contains sections of confidential information please remove these sections and indicate they have been removed.


Response

(1) How much money has been paid out by IPSA to settle claims from victims of the March 2017 data breach so far (from March 2017 to current date)? and,

(2) How many victims of the data breach have been compensated in the period March 2017 to the current date?

IPSA holds the information requested.

IPSA settled seven claims made by individuals allegedly suffering distress as a result of the incident. Those claims were commenced shortly after the incident in 2017. Settlement payments of £1,000 were made to each claimant on a commercial and pragmatic basis, without prejudice and with no admission of liability.

(3) Has IPSA concluded its investigation into how the leak happened? Have any staff been dismissed or disciplined as a result?

IPSA has concluded its investigation into the incident. Under section 40(5) of the FOIA, IPSA neither confirms nor denies holding any information relating to disciplinary action resulting from the incident. Further information about section 40(5) is provided below.

Section 40(5) – Personal Data

Section 40(5) of the FOIA states a public authority is not obliged to confirm or deny whether it holds the requested information, where confirming if such information were held would in itself breach the data protection principles.

In the case of Rob Waugh v Information Commissioner and Doncaster College (E/2008/0038, 29 December 2008) the Tribunal found that:

“… there is a recognised expectation that the internal disciplinary matters of an individual will be private.”

Clearly, disclosing whether or not the information was held would in effect reveal whether or not a disciplinary hearing had taken place.

When considering section 40(5), even if the public authority does not hold the requested information, it is entitled to consider what the position would be if it did and consider the theoretical consequences of disclosure. The terms of this exemption mean that we do not have to consider if it would be in the public interest for us to reveal whether or not the information is held.

The fact that section 40(5) of the Act has been cited should not be taken as an indication that the information you requested is, or is not, held by IPSA.

(4) Please provide details of the IPSA investigation as well as any reports into the incident. If the information requested contains sections of confidential information please remove these sections and indicate they have been removed.

IPSA holds the information requested.

IPSA became aware of the incident at 8.20pm on 30th March 2017. During 31st March an investigation was conducted by the then Head of Data Security assisted by the then Head of Business Technology, and a notification was duly sent to the Information Commissioner’s Office (ICO). A letter to MPs (as employers of the staff) was sent at 4.20pm after the full facts had been established. This letter was also released to the media. An email update was sent out to all MPs on the 5th April 2017. That same week, between the 5th and 7th April 2017, tailored letters were posted to each MP’s staff member who had been affected. MPs were provided with an update on Friday, 7th April; this letter was also made public.

The internal investigation was followed by a lessons learnt review by the Director of Regulations. The ICO undertook an investigation and in May 2018 concluded the case with no further regulatory action.

We enclose IPSA’s report into the incident and follow-up lessons learnt report with this response. Certain personal data has been redacted from the reports under sections 40(2) and 40(3A)(a) of the FOIA.

Although outside the scope of your request, in the interests of transparency and to provide you with further context to the incident, we have also attached copies of our notification to the ICO and the ICO’s decision notice.

Ref:
RFI-202107-08
Disclosure:
6 September 2021
Categories:
IPSA - OPERATIONS; IPSA - STAFF; IPSA - FINANCIAL
Exemptions Applied:
Section 40(5)