data protection breach notifications

AuthorityAttorney General's Chambers
Date received2021-09-13
OutcomeAll information sent
Outcome date2021-10-08
Case ID1988913

Summary

The request sought monthly statistics on how often the Attorney General's Chambers contacted victims of sensitive data breaches over a 24-month period, along with details on apology policies and reporting strategies. The authority disclosed that only two breaches involving special category data occurred in that timeframe and clarified their policy on issuing apologies without requiring victims to quantify distress.

Key Facts

  • Two breaches involving special category data were reported to the Data Protection Officer between September 2019 and August 2021.
  • The first breach occurred in January 2021 and the second in March 2021.
  • The authority states it is policy to apologize for mistakes without requiring victims to quantify stress or distress.
  • A data breach does not require notification to the Information Commissioner or to the affected individuals unless it is likely to result in a high risk to their rights and freedoms.
  • The request was received on 13 September 2021 and the response was issued on 8 October 2021.

Data Disclosed

  • 2 breaches
  • 24 month period
  • 31 August 2021
  • January 2021
  • March 2021
  • 13 September 2021
  • 8 October 2021
  • Article 9
  • SD 2018/0143

Original Request

How many times per month in the most recent 24 months up to and including August 2021 has HM AG chambers contacted a victim of a sensitive personal data breach by HM AG chambers by letter, email, telephone etc to summarise for example that (a) HM AG chambers offer an unreserved apology for any distress caused by the breach via either the recipient of your sensitive personal data and/or HM AG chambers contact without any requirement for the victim to quantify any such stress and distress and inconsistent with a policy that victims of other parts of the public sector must quantify any such stress and distress to receive any apology or compensation (b) the breach has been referred internally to the Data Protection Officer for an assessment (c) reassurance the recipient was contacted to return or destroy the sensitive personal data and confirm any dissemination to social media etc to quantify impact (d) the assessment concluded that the breach was not really that important so the breach would not be reported externally to the Information Commissioner as a legal strategy to avoid reasonable process improvements and a regulatory framework fine prompted by the frequency of any such sensitive personal data breaches?

Full Response Text

Mr Graeme Jones
1 Maple Close
Onchan
Isle of Man
IM33JS

Attorney General's Chambers
2nd floor, Belgravia House
Circular Road, Douglas
Isle of Man, IM1 1AE
Telephone: (01624) 685452
E-mail: attgen@gov.im

Our ref: 1988913
8 October 2021

Dear

We write further to your request which was received on 13 September 2021 and which states:

"How many times per month in the most recent 24 months up to and including August 2021 has HM AG chambers contacted a victim of a sensitive personal data breach by HM AG chambers by letter, email, telephone etc to summarise for example that: (a) HM AG chambers offer an unreserved apology for any distress caused by the breach via either the recipient of your sensitive personal data and/or HM AG chambers contact without any requirement for the victim to quantify any such stress and distress and inconsistent with a policy that victims of other parts of the public sector must quantify any such stress and distress to receive any apology or compensation (b) the breach has been referred internally to the Data Protection Officer for an assessment (c) reassurance the recipient was contacted to return or destroy the sensitive personal data and confirm any dissemination to social media etc to quantify impact (d) the assessment concluded that the breach was not really that important so the breach would not be reported externally to the Information Commissioner as a legal strategy to avoid reasonable process improvements and a regulatory framework fine prompted by the frequency of any such sensitive personal data breaches?"

We have taken ‘sensitive’ in the context of your request to mean any breach which involved special category data as described by Article 9 of the Data Protection (Application of GDPR) Order 2018 (SD 2018/0143) (“the Order”), which is available on the Isle of Man Legislation website here: https://www.legislation.gov.im/cms/.

It may also be helpful to note that the circumstances of a data breach do not always involve a recipient (e.g. data deletion error) and that we encourage our staff to report all suspected data breaches to our DPO for assessment. Some events do not transpire to constitute a breach. Where an event does constitute a breach, in line with the Information Commissioner’s published guidance, it is not always reportable to the Commissioner and it is not always possible or necessary to inform the persons affected, unless the data breach is likely to result in a high risk to the rights and freedoms of the affected individuals.

We hold the information to respond to your main question fully, however some of your supplementary sections labelled a) to d) are not necessarily clear requests for information, but requests for me to summarise. I hope that the following information is helpful.

Your Main Question is:

“How many times per month in the most recent 24 months up to and including August 2021 has HM AG chambers contacted a victim of a sensitive personal data breach by HM AG chambers by letter, email, telephone etc.”

Our Response to your main question is:

There have been 2 breaches involving special category data reported to the DPO during the 24 month period ending on 31 August 2021: The first was in January 2021 and the second was in March 2021.

Your further question asked how many times (a):

“…HM AG chambers offer an unreserved apology for any distress caused by the breach via either the recipient of your sensitive personal data and/or HM AG chambers contact without any requirement for the victim to quantify any such stress and distress and inconsistent with a policy that victims of other parts of the public sector must quantify any such stress and distress to receive any apology or compensation”

Our Response to Question Part (a):

It is our policy at the Attorney General’s Chambers to apologise if we make any mistake. An unreserved apology for any distress caused by the breach was not appropriate in the instances above; however, an unreserved apology was issued in a case which did not involve special category data. We do not require persons affected by any error on our part to quantify any such stress and distress before receiving an apology, and we do not believe that this is inconsistent with any public sector policies relating to apologies or compensation claims.

Your further question asked whether (b):

“The breach has been referred internally to the Data Protection Officer for an assessment.”

Our Response to Question Part (b):

All detected data breaches are reported to the AGC's Data Protection Officer and logged as required by Article 33(5) of the Order.

Your further question asked (c):

“reassurance the recipient was contacted to return or destroy the sensitive personal data and confirm any dissemination to social media etc. to quantify impact.”

Our Response to Question Part (c):

Where a breach may have occurred which involved a third party inappropriately receiving personal data of another data subject, the third party would be contacted and asked to return or destroy any personal data they may have received. This did not apply to either of the cases cited above which included special category data.

Your further question asked (d):

“The assessment concluded that the breach was not really that important so the breach would not be reported externally to the Information Commissioner as a legal strategy to avoid reasonable process improvements and a regulatory framework fine prompted by the frequency of any such sensitive personal data breaches?”

Our Response to Question Part (d):

We consider all personal data that we hold to be of the utmost importance and take our responsibilities in this regard very seriously. If a breach has occurred, the AGC's DPO uses the recommended ENISA scoring methodology to assess the severity of any data breach (link provided below). The AGC follows the guidance and, where the nature of a breach is assessed as meeting the criteria for reporting, such that it poses a risk to a data subject’s rights and freedoms, the breach would be reported to the ICO.

Legal strategy to avoid reasonable process improvements or a regulatory framework fine plays no part in the assessment process. Any data breach is taken seriously and steps are taken to mitigate a repeat of a similar nature.

The ENISA Methodology can be found here: https://www.inforights.im/media/1526/enisa_data-breach-risk_severity-methodology_10.pdf

Please quote the reference number 1988913 in any future communications.

Your right to request a review

If you are unhappy with this response to your freedom of information request, you may ask us to carry out an internal review of the response, by completing a complaint form and submitting it electronically or by delivery/post.

An electronic version of our complaint form can be found by going to our website at https://services.gov.im/freedom-of-information/Review. If you would like a paper version of our complaint form to be sent to you by post, please contact me and I will be happy to arrange for this. Your review request should explain why you are dissatisfied with this response, and should be made as soon as practicable. We will respond as soon as the review has been concluded.

If you are not satisfied with the result of the review, you then have the right to appeal to the Information Commissioner for a decision on:

  1. Whether we have responded to your request for information in accordance with Part 2 of the Freedom of Information Act 2015; or
  2. Whether we are justified in refusing to give you the information requested.

In response to an application for review, the Information Commissioner may, at any time, attempt to resolve a matter by negotiation, conciliation, mediation or another form of alternative dispute resolution and will have regard to any outcome of this in making any subsequent decision. More detailed information on your right to a review can be found on the Information Commissioner’s website at www.inforights.im.

Should you have any queries concerning this letter, please do not hesitate to contact me. Further information about freedom of information requests can be found at www.gov.im/foi.

I will now close your request as of this date.

Yours sincerely

xxxxxxxxxxxxxx