We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - FOI/EIR release

Reporting of four specific data security incidents 2016/17: FOI release

Published
1 November 2017
Directorate
Digital Directorate
Topic
Public sector

Information request and response under the Freedom of Information (Scotland) Act 2002.

FOI reference: FOI/17/02322
Date received: 3 October 2017
Date responded: 17 October 2017

Information requested

  1. Details of the four significant data security incidents in 2016-2017

  2. Reason why only three of the incidents were reported to the information commissioner's office.

  3. Reason why only three of these data security incidents were reported in FOI 17/01932

Response

1. Details of the four significant data security incidents in 2016-2017

I. Disclosure Scotland. An email was sent out to users of a system, but addresses were put into the CC field instead of the BCC field. This meant users of the system could see email addresses and names of other users of the system.

II. Scottish Public Pensions Agency. Sensitive information was emailed to an incorrect, external address due to accidental concatenation of a legitimate recipient's personal and work email addresses.

III. Agriculture & Rural Environment. An email was sent out to users of a system, but addresses were put into the CC field instead of the BCC field. This meant users of the system could see email addresses and names of other users of the system.

IV. Scottish Government. Sensitive information was accidentally emailed to an external email address.

2. Reason why only three of the incidents were reported to the information commissioner's office

Three of the four incidents involved personal information being disclosed in error, so these three incidents were reported to the ICO. As there was no personal data disclosed in error in the fourth incident, although this was a loss of information, it was not considered a breach of the Data Protection Act and therefore there was no requirement to report this incident to ICO.

3. Reason why only three of these data security incidents were reported in FOI 17/01932

In FOI 17/01932 you requested details of cyber attacks on the Scottish Government in 2016/17. The information in the URL you provided http://www.gov.scot/Resource/0052/00525249.pdf refers to data security incidents in 2016/17. These are two different types of event.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses

Contact

Please quote the FOI reference

Central Enquiry Unit
Email: ceu@gov.scot
Phone: 0300 244 4000

The Scottish Government
St Andrew's House
Regent Road
Edinburgh
EH1 3DG

Back to top