Data breaches that affected individuals listed in response FOI/18/02622: FOI release

Information request and response under the Freedom of Information (Scotland) Act 2002.


FOI reference: FOI/18/02622
Date received: 21 September 2018
Date responded: 19 October 2018

Information requested
Thank you for your request dated 12 September 2018 under the Freedom of Information (Scotland) Act 2002 (FOISA) for “Additional details of the ‘Minor: other technical or organisational failure’ data breaches that affected 93 and 200 people, listed in the response to FOI:2018-002265. Information should include specific details of the breach, which directorate and/or department this affected, if the people affected were civil servants or members of the public, why it was not reported to the ICO, how the data was compromised, exactly how GDPR laws were broken, and any other possible information on those two data breaches, including any relevant documents.”

Response

“Additional details of the ‘Minor: other technical or organisational failure’ data breaches that affected 93 and 200 people.”

The correspondence between the business area and the Data Protection and Information Assets Team is exempt from release under section 30(b)(i) - the free and frank provision of advice. Further details of the requested cases are attached below.

93 People

Email addresses were uploaded unnecessarily to a supplier's secure server. Candidates for a Scottish Government HR recruitment exercise were to be invited to complete an online test. A unique link to each candidate's test was generated by uploading a unique reference number to a secure server. The uploading process required a pro-forma spreadsheet to be completed. The spreadsheet contained a field for candidate email addresses which did not need to be completed for the process to work. Names and email addresses were mistakenly added to the sheet and uploaded to the system.

Access to the system is restricted to a number of approved users in the Civil Service. Government Recruitment Services notified us of the mistake by email on 18/07/18 and stated that the personal data would be removed.

The GDPR’s data protection principles were breached in relation to “(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”, as the email address and name of the candidates were not required for the processing to take place.

Due to the limited nature of the personal data involved (name and email address) and the fact that it remained within a controlled environment with limited access, the incident was regarded as a minor breach following an investigation by the Data Protection and Information Assets Team and was therefore not reported to the ICO.

200 People

Scotland House provides a base for Scottish businesses from which to conduct business in London. One of the procured services used by Scotland House was subject to a cyber attack. This resulted in 197 businesses having information accessed through unauthorised means. The information accessed was information that is required, under Business Names Legislation, to be public when a business is registered. The only information that was accessed which was not covered by that legislation was VAT registration numbers, which may or may not be public for each business (e.g. on cheques, invoices etc.). While the majority of the information related to businesses, the details of 2 sole traders were accessed. As sole trader information is classified as personal data, this was reported to the Scottish Government as a security incident which included personal data.

The GDPR’s data protection principles were breached in relation to “(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” As the number of individuals whose personal data may have been accessed was restricted to 2 sole traders, the incident was regarded as a minor breach following an investigation by the Data Protection and Information Assets Team.

While, for the reasons outlined above, the Scottish Government did not report the incident, the platform provider notified the ICO and contacted the affected individuals to let them know their information may have been accessed.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses

Contact

Please quote the FOI reference
Central Enquiry Unit
Email: ceu@gov.scot
Phone: 0300 244 4000

The Scottish Government
St Andrew's House
Regent Road
Edinburgh
EH1 3DG