Social Security Scotland security incidents and breaches: FOI release

Information request and response under the Freedom of Information (Scotland) Act 2002.


Information requested

 

1.   The number and nature of IT security incidents (computers going offline, system crashes or otherwise) in regards to the new benefits system since September 2018.

2.   Full details (and any relevant documents) on the number and nature of personal data/GDPR breaches at Social Security since September 2018, broken down by month.

Response

 

1. The number and nature of IT security incidents (computers going offline, system crashes or otherwise) in regards to the new benefits system since September 2018 - see attached document

Since Social Security Scotland started delivering benefits in September 2018, there have been 19 security incidents, none of which have resulted in the service going offline, or systems crashing. The nature of those incidents is generally associated with system configuration or human error. The internal cyber security team have implemented a variety of security systems and methods to detect, investigate and respond to incidents swiftly. On top of this, there is a robust security education and awareness programme to equip staff with the knowledge and tools they need to help keep the organisation and its data secure.

 

2. Full details (and any relevant documents) on the number and nature of personal data/GDPR breaches at Social Security since September 2018, broken down by month - see attached document

 

While our aim is to provide information whenever possible, in this instance we are unable to provide the relevant documents you have requested because an exemption under section 38(1)(b) of FOISA applies to that information. We have however included a summary of the incident to provide more detail about it. The reasons why that exemption applies are explained in the Annex.

 

ANNEX

REASONS FOR NOT PROVIDING INFORMATION

An exemption applies

 

Section 38(1)(b) – applicant has asked for personal data of a third party

 

An exemption under section 38(1)(b) of FOISA (personal information) applies to some of the information requested because it is personal data of a third party, i.e. names, email addresses and contact details of individuals, and disclosing it would contravene the data protection principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act 2018.  

 

This exemption is not subject to the ‘public interest test’, so we are not required to consider if the public interest in disclosing the information outweighs the public interest in applying the exemption.

 

 

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.

 

 

foi-19-00764 Released information

Contact

Please quote the FOI reference
Central Enquiry Unit
Email: ceu@gov.scot
Phone: 0300 244 4000

The Scottish Government
St Andrews House
Regent Road
Edinburgh
EH1 3DG
