- 23 Oct 2018
Date received: 21 September 2018
Date responded: 19 October 2018
“Additional details of the ‘Minor: other technical or organisational failure’ data breaches that affected 93 and 200 people.”
The correspondence between the business area and the Data Protection and Information Assets Team is exempt from release under section 30(b)(i) - the free and frank provision of advice. Further details of the requested cases are attached below.
Email addresses were uploaded unnecessarily to a supplier's secure server. Candidates for a Scottish Government HR recruitment exercise were to be invited to complete an online test. A unique link to each candidate's test was generated by uploading a unique reference number to a secure server. The uploading process required a pro-forma spreadsheet to be completed. The spreadsheet contained a field for candidate email addresses which did not need to be completed for the process to work. Names and email addresses were mistakenly added to the sheet and uploaded to the system.
Access to the system is restricted to a number of approved users in the Civil Service. Government Recruitment Services notified us of the mistake by email on 18/07/18 and stated that the personal data would be removed. The GDPR’s data protection principles were breached in relation to “(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”, as the email addresses and names of the candidates were not required for the processing to take place.
Due to the limited nature of the personal data involved (name and email address) and the fact that it remained within a controlled environment with limited access, the incident was regarded as a minor breach following an investigation by the Data Protection and Information Assets Team and therefore not reported to ICO.
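The failure above is a data-minimisation one: the pro-forma accepted columns the process did not need, and nobody checked the sheet before it left the organisation. A pre-upload check that enforces an allow-list of columns catches this mechanically. The following is an added example, not code from the Scottish Government or the supplier, and the column names (`candidate_ref`, `test_id`, `name`, `email`) and the sample sheet are constructed assumptions for illustration:

```python
import csv
import io

# Assumed schema for the upload pro-forma: only the unique reference is
# needed to generate a candidate's test link; test_id is tolerated but optional.
REQUIRED_COLUMNS = {"candidate_ref"}
ALLOWED_COLUMNS = REQUIRED_COLUMNS | {"test_id"}

# Constructed sample of a completed pro-forma in which name and email were
# filled in for one candidate even though the process does not use them.
SAMPLE_SHEET = """candidate_ref,name,email,test_id
CAND-0001,Jane Example,jane@example.org,T1
CAND-0002,,,T1
"""


def minimise_rows(text):
    """Parse a CSV pro-forma and strip every column not on the allow-list.

    Returns (rows, dropped_columns, populated_extras) where rows contain only
    allowed columns, dropped_columns lists headers that were removed, and
    populated_extras counts how many rows actually carried data in each
    dropped column (i.e. personal data that would have been uploaded).
    """
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    missing = REQUIRED_COLUMNS - set(headers)
    if missing:
        raise ValueError(f"pro-forma missing required columns: {sorted(missing)}")

    dropped = [h for h in headers if h not in ALLOWED_COLUMNS]
    populated = {}
    rows = []
    for row in reader:
        for h in dropped:
            if row.get(h):  # non-empty value in a column we are not allowed to send
                populated[h] = populated.get(h, 0) + 1
        rows.append({h: row[h] for h in headers if h in ALLOWED_COLUMNS})
    return rows, dropped, populated


def check_before_upload(text, strict=True):
    """Gate the upload: in strict mode, refuse any sheet carrying data outside
    the allow-list so a human has to fix the source; otherwise silently minimise."""
    rows, dropped, populated = minimise_rows(text)
    if strict and populated:
        raise ValueError(
            f"refusing upload: unnecessary personal data present in {populated}; "
            f"remove columns {dropped} from the pro-forma"
        )
    return rows


def to_csv(rows):
    """Serialise the minimised rows back to CSV text for the upload step."""
    if not rows:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    try:
        check_before_upload(SAMPLE_SHEET)
    except ValueError as exc:
        print(exc)
    print(to_csv(check_before_upload(SAMPLE_SHEET, strict=False)), end="")
```

Strict mode is the right default for a recruitment exercise: a sheet that carries names or emails in unneeded columns is evidence the pro-forma itself is wrong, and dropping the data quietly would hide that. The non-strict path exists for the case where the template cannot be changed and the minimised output is what must be sent.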
Scotland House provides a base for Scottish businesses from which to conduct business in London. One of the procured services used by Scotland House was subject to a cyber attack. This resulted in 197 businesses having information accessed through unauthorised means. The information accessed was information that is required, under Business Names Legislation, to be public when a business is registered. The only information accessed that was not covered by that legislation was VAT registration numbers, which may or may not be public for each business (e.g. on cheques, invoices etc.). While the majority of the information related to businesses, the details of 2 sole traders were accessed. As sole trader information is classified as personal data, this was reported to the Scottish Government as a security incident which included personal data.
The GDPR’s data protection principles were breached in relation to “(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” As the number of individuals whose personal data may have been accessed was restricted to 2 sole traders the incident was regarded as a minor breach following an investigation by the Data Protection and Information Assets Team.
While, for the reasons outlined above, the Scottish Government did not report the incident, the platform provider notified the ICO and contacted the affected individuals to let them know their information may have been accessed.
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses
Please quote the FOI reference
Central Enquiry Unit
Phone: 0300 244 4000
The Scottish Government
St Andrew's House