How many data breaches has the council recorded in the past 12 months?
Please provide figures from 1 November 2018 to 31 October 2019, broken down by month if possible.
We have interpreted this request to mean information security incidents involving personal data as defined by Data Protection legislation. The figures are for both digital and non digital breaches.
|Year and month||Number of incidents|
Detailed information about cyber-attacks which the Council may or may not have experienced is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000 – ‘Law Enforcement’. Disclosure may place the council at risk of fraud and crime. IT networks and systems may hold personal data about individuals and disclosure may put individuals, or the council, at risk of criminal activity. Section 31 is a qualified exemption, meaning we are obliged to carry out a public interest test. We appreciate there is a general public interest in openness and transparency, because this increases public trust and engagement, this has to be balanced against a very strong public interest in safeguarding the security of personal data held in Council systems. It is not in the interests of the council to provide information about cyber attacks as that information could help malicious actors to work out how successful the council is in detecting these attacks and incurring this risk can be deemed not in the public interest. Section 31 of the Freedom of Information Act 2000 states that there is a very strong public interest in protecting the law enforcement capabilities of public authorities, for these reasons we believe the application of the exemption is justified.