Breaches of the Data Protection Act 1998
FOI048
Disclosure Date: 24 Aug 2010
Categories: IPSA - OPERATIONS
Exemptions Applied: Section 36
Request
  1. Please provide information about the procedure you have for finding and reporting breaches of the Data Protection Act 1998 to the Information Commissioner.
  2. Please provide information about how many times, and why, this procedure has been utilised, in particular in relation to the incident in HC Deb 21 July 2010, c370.
  3. Please provide information about briefing notes and "lines to take" given to the witnesses before the Speaker's Committee on the Independent Parliamentary Standards Authority when it had a public evidence session to consider IPSA estimates. Please also provide information about briefing notes and "lines to take" given to the representative of IPSA on "The Daily Politics" on 22nd July 2010.
Response

Please provide information about the procedure you have for finding and reporting breaches of the Data Protection Act 1998 to the Information Commissioner.

The procedure for finding and reporting breaches of the Data Protection Act 1998 to the Information Commissioner follows the guidance on the management of breaches issued by the Information Commissioner, "Notification of Data Security Breaches to the Information Commissioner’s Office", Version 4, dated 08/07/2010. All data controllers have a responsibility under the Data Protection Act 1998 (DPA 1998, 7th Principle) to ensure appropriate and proportionate security of the personal data they hold. If a breach is discovered, immediate steps are taken to determine the extent and severity of the breach. An analysis is undertaken of the type, volume and sensitivity of data released or lost. Consideration will be given to this analysis and, if appropriate, the Information Commissioner will be informed by email or letter. The potential harm to individuals is the overriding consideration in deciding whether a breach of data security should be reported to the Information Commissioner’s Office, informed by the volume and sensitivity of the data released.

Please provide information about how many times, and why, this procedure has been utilised, in particular in relation to the incident in HC Deb 21 July 2010, c370.

The procedure has been used once, in the case you cite in your FOI request. IPSA was advised that an MP was able to see a list of claims in addition to their own. IPSA acted immediately and removed the report. It was an internal administrative document, which contained a list of the type of claims by MPs and was viewable only by those who have the security access to enter the system, i.e. MPs and those members of their staff whom they nominated as users of the system. This was caused by human error; a member of staff made it available in the system by mistake. It was available for a short period of time before being removed. This is something we take very seriously. We conducted a full investigation; we removed the document; and with immediate effect we have restricted the functionality available to systems administrators, thereby preventing any repeat of the error. Following the analysis of the data we informed the Information Commissioner and we await the ICO’s response.

Please provide information about briefing notes and "lines to take" given to the witnesses before the Speaker's Committee on the Independent Parliamentary Standards Authority when it had a public evidence session to consider IPSA estimates. Please also provide information about briefing notes and "lines to take" given to the representative of IPSA on "The Daily Politics" on 22nd July 2010.

Some of the information relevant to these requests engages the exemptions at s.36(2)(b) (free and frank provision of advice) and s.36(2)(c) (prejudice to the effective conduct of public affairs) of the Act. The application of these qualified exemptions requires a subsequent public interest balancing test. In this case, the competing public interest arguments are complex and we estimate that we will need an additional 12 working days to reach a decision on disclosure. We therefore intend to write to you no later than 10 September 2010 with a substantive response to this part of your request.