Data breaches

How many data breaches has the council recorded in the past 12 months?

Please provide figures from 1 November 2018 to 31 October 2019, broken down by month if possible.

We have interpreted this request to mean information security incidents involving personal data as defined by Data Protection legislation. The figures are for both digital and non digital breaches.

Year and month Number of incidents
November 2018 32
December 2018 23
January 2019 37
February 2019 24
March 2019 18
April 2019 23
May 2019 25
June 2019 41
July 2019 42
August 2019 34
September 2019 26
October 2019 34

Detailed information about cyber-attacks which the Council may or may not have experienced is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000 – ‘Law Enforcement’. Disclosure may place the council at risk of fraud and crime. IT networks and systems may hold personal data about individuals and disclosure may put individuals, or the council, at risk of criminal activity. Section 31 is a qualified exemption, meaning we are obliged to carry out a public interest test.  We appreciate there is a general public interest in openness and transparency, because this increases public trust and engagement, this has to be balanced against a very strong public interest in safeguarding the security of personal data held in Council systems. It is not in the interests of the council to provide information about cyber attacks as that information could help malicious actors to work out how successful the council is in detecting these attacks and incurring this risk can be deemed not in the public interest. Section 31 of the Freedom of Information Act 2000 states that there is a very strong public interest in protecting the law enforcement capabilities of public authorities, for these reasons we believe the application of the exemption is justified.