Social Security Scotland records of personal data breaches: FOI release

Information request and response under the Freedom of Information (Scotland) Act 2002


Information requested

Under FOISA, I would like to request a copy of all internal records and/or logs of personal data breaches and vulnerabilities within the last 7 days.

I wish to receive as full of an extract of these records as possible (considering that some elements may be redacted) including the nature of the breach, how and when it was discovered, the categories of data involved, if the breaches were reported to the ICO and what immediate and long-term actions were taken in response.

Response

Please find attached a copy of all internal logs of personal data breaches and vulnerabilities from the seven days prior to your request.

All incidents are reported to the Data Protection team. These incidents are risk assessed, investigated and logged accordingly. When an incident has been identified as a personal data breach, the team establishes the likelihood of the risk to the rights and freedoms of affected individuals. If a risk is likely, a report is sent to the Information Commissioner’s Office (ICO). No personal data breaches identified within the time period were considered to be of sufficiently high risk to the rights and freedoms of affected individuals to require notification to the ICO.

As part of the risk assessment and investigation process, practical recommendations in response to personal data breaches are shared with the relevant business areas. The Data Protection team closely monitor trends and, where appropriate, work across the Agency to make long-term recommendations in response to personal data breaches. It may be helpful to know that an example of a longer-term action taken in response to Social Security Scotland breaches is the recently launched breach minimisation strategy. This strategy is supported by senior colleagues across all divisions in order to help reduce the risk of additional personal data breaches occurring in the future.

Please note a small amount of information has been redacted as it is subject to an exemption under section 38(1)(b) of FOISA (personal information). This is because it is personal data of a third party, i.e. names and application numbers, and disclosing it would contravene the data protection principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act 2018. This exemption is not subject to the ‘public interest test’, so we are not required to consider if the public interest in disclosing the information outweighs the public interest in applying the exemption.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at https://www.gov.scot/foi-responses.

Contact

Please quote the FOI reference
Central Correspondence Unit
Email: contactus@gov.scot
Phone: 0300 244 4000

The Scottish Government
St Andrew's House
Regent Road
Edinburgh
EH1 3DG
