Data security spend, training and security – 2020-2021

I would like to ask for information on Devon County Council’s data security spending & training

Council name
Devon County Council

Region – please select from the following: South East, London, North West, East of England, West Midlands, South West, Yorkshire and the Humber, East Midlands, North East, Wales, Scotland, Northern Ireland
South West

The total number of full-time and part-time employees employed by your organisation (as of 1st January 2021 or latest figures available)
This information is published on the council’s website and is available online via the link below:

Human Resources Dashboard

The total number of full-time and part-time employees employed by your organisation with professional data security / cybersecurity qualifications (as of 1st January 2021 or latest figures available) – Common qualifications may include any cyber or IT security related qualifications such as CISSP, SSCP, CSA, CEH, CISA, CISM, Security+
We confirm that information is held which meets the scope of this request. However, it is considered that the disclosure of this information could have the potential to place the council at increased risk of targeted cyber-crime and as such, is exempt from disclosure under Section 31 (1) of the Freedom of Information Act.

The total number of full-time and part-time employees employed by your organisation who have completed cyber security training between 1stJanuary 2020 and 31stDecember 2020 (or latest annual figures available)
We confirm that information is held which meets the scope of this request. However, it is considered that the disclosure of this information could have the potential to place the council at increased risk of targeted cyber-crime and as such, is exempt from disclosure under Section 31 (1) of the Freedom of Information Act.

How much money (in pounds sterling) has been spent on cyber security training between 1stJanuary 2020 and 31stDecember 2020 (or latest annual figures available) this may include GDPR-related training
We do not hold this data, as our training records are not categorised or centrally recorded in a way which would allow the collation of this information.

How many data breaches did your organisation report to the ICO between 1st January 2019 and 1st January 2020
There were seven data breaches reported to the ICO between 1st January 2019 and 1st January 2020.

How many data breaches did your organisation report to the ICO between 1st January 2020 and 1st January 2021
There were nine data breaches reported to the ICO between 1st January 2020 and 1st January 2021.

Was your organisation victim to a successful ransomware attack between 1st January 2020 and 31st December 2020? As for the definition of a ‘successful ransomware attack’, please include any incident in which an attacker requesting a ransom/payment managed to successfully encrypt, steal or leak any data/systems/assets that your organisation processes/holds.
We believe that information relating to any successful cyber-attacks which the Council may or may not have experienced is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000 – ‘Law Enforcement’. This is because disclosure places the organisation at risk of fraud and crime. Council networks and systems hold information about individuals and, therefore, the possible chain of events resulting from releasing this information could put individuals, and authorities, at risk of criminal activity.

If you answered yes to the previous question, did your organisation agree to pay a ransom? Yes/No
Please see previous response.

Did your organisation suffer a cyber security incident between 1st January 2020 and 31st December 2020 which resulted in disruption to the council’s services? This refers to any cyber incident that forced usual services to go offline or become unavailable. Yes/No
We believe that information relating to any successful cyber-attacks which the Council may or may not have experienced is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000 – ‘Law Enforcement’. This is because disclosure places the organisation at risk of fraud and crime. Council networks and systems hold information about individuals and, therefore, the possible chain of events resulting from releasing this information could put individuals, and authorities, at risk of criminal activity.