Report on Information security incident that led to undertaking from Information Commissioner's Office

Specifically, you asked for a copy of the report of the investigation into an internal database being left insecure following IT maintenance. I can confirm that IPSA holds the requested information and I attach a copy of the report.

The names of individuals have been redacted from the report as we judge that this constitutes personal information. Section 40(2) provides that personal data about third parties is exempt information if one of the conditions set out in section 40(3) is satisfied. Under the FOI Act disclosure of this information would breach the fair processing principle (Principle 1) of the Data Protection Act 1998 (DPA), where it would be unfair to those persons or is confidential. For further details, please see www.legislation.gov.uk/ukpga/2000/36/contents.

You will note that the report states that “a further report [will] be produced within 24 hours”. In the event, no subsequent report was written as matters were dealt with through a series of meetings and the changes identified in the attached report were made.