A guest post by @foimonkey

The accidental release of a substantial amount of personal data by Newcastle Citizens Advice Bureau has already been quite widely reported in the media, but as the person responsible for spotting that Newcastle CAB had made this mistake and reporting it to the ICO, I feel it is appropriate to comment on the nature of the breach, the aftermath and what wider lessons can be learnt from this incident.

On 17 September 2013, I came across a spreadsheet whilst searching Google that contained sensitive personal information belonging to a sizeable number of individuals. It was apparent from the nature of the document that this was not intended for release and should not have been made available online. What was less clear was who owned the document (no organisation name was mentioned), so I modified my search to see what other files were hosted on the same FTP server to try to establish who was responsible and who to contact about the incident. To my horror, I found literally thousands of documents containing highly sensitive information that had been hosted on a public FTP server that was accessible via two different IP addresses. It didn’t take much detective work to figure out that this data belonged to the Newcastle branch of the Citizens Advice Bureau.

Citizens Advice Bureaux nationwide provide a valuable source of assistance to vulnerable people and great importance is placed on the confidentiality of their advice. It was troubling to discover that something had gone so horribly wrong at this particular branch of the CAB that meant that client files were not only publicly available on the internet to those who knew where to look, but had also been indexed, cached and made fully searchable. The potential for harm and distress to be caused to individuals who have had the most intimate details of their lives made available to all who cared to look for them should not be underestimated.

In total, Google showed that over 12,000 files from 55 directories had been indexed whilst the FTP server was publicly accessible. These appear to date from 2004 up until the first half of 2013. As well as the obvious risks associated with bank details and other financial information being published online, the files contained, amongst other things, information about suicide attempts, domestic violence, criminal activity, drug use, distressing family breakdowns, detailed medical reports from doctors for benefits appeals hearings and a list of sufferers of post-traumatic stress disorder who had been referred from the Royal British Legion – information that couldn’t be more sensitive or more private.

The files themselves show that this was not even the first data loss incident by Newcastle CAB. In 2010 client files that had been taken out of their office were left in a shop. It is unclear whether they notified the ICO about that incident.

After an initial attempt to get in touch with the CAB on 17 September, I finally managed to alert the CAB and the ICO early on 18 September. You would think that the first priority of Newcastle CAB, in conjunction with the ICO, would be to ensure that this information was removed from the internet as soon as possible. In my email to the CAB I included a link to Google’s help pages on how to remove personal data that had been included in the cache. This process is automatic and usually takes 24 hours to complete. I personally submitted the URLs of several hundred of the most sensitive files for removal from the cache that day and by the next day they were gone, so it is clear that the process works. Astonishingly, cached copies of these files were still accessible as late as yesterday (30 September), close to a fortnight after the breach was initially reported. I cannot understand why there has been such a delay in acting, a delay that I believe may have put the victims of this breach at greater risk. As others have already written, an explanation as to why this information has taken so long to be taken offline has yet to be forthcoming, but I believe that one is certainly owed to those affected by the breach.

Sadly, this breach by Newcastle CAB is not the only breach that has occurred by means of confidential files being uploaded to an open FTP server. On the same day as this breach came to light, I also contacted the ICO about a small company who had made confidential information available via an open FTP server in the same way. This time, the sensitive personal data of current and former employees was exposed, including their bank account details and passport numbers. As yet, neither the company concerned nor the ICO has acknowledged this incident, and the data (contained in over 5,000 files) remains online today.

There are other companies/organisations that currently have or have previously had client and employee data exposed online, including a law firm, a haulage firm, a photographer, a firm of lobbyists, a clothing company, an engineering firm, a vet’s, an investment fund, several charities, a medical database provider to the NHS, a recruitment agent, a parish council and even a data protection trainer. It currently takes less than 5 minutes to find copies of bank account information, credit card details, scans of driving licences and passports and other information of use to fraudsters that UK organisations have leaked online. I even found a copy of the unedited electoral roll listing postal and proxy voters in Epsom West that had been uploaded to the public FTP server of a local firm.

The risk doesn’t only come from insecure company servers themselves, but also from automatic file backups to personal cloud servers by individual employees who have taken their work home with them. Whilst there may be benefits to having a copy of all your files backed up online in case of system failure, it may be wise to make sure that you know exactly what data you are putting online and who has access to it. Whilst a lot of the ICO’s enforcement activity has thus far concentrated on hard copy breaches from public sector organisations, online breaches such as this by private sector organisations could, if properly investigated, keep them busy in the years to come.

From: <casework@ico.gsi.gov.uk>
Date: Tue, Jul 6, 2010 at 6:24 PM
Subject: Response to your correspondence to the Information Commissioner’s Office [Ref. ENQ0307303]
To: [email address]

6 July 2010

Case Reference Number ENQ0307303

Dear Mr Cross

Thank you for your correspondence dated 15 April, 6 and 20 June regarding the approach taken by the House of Commons and the House of Lords to requests under the Freedom of Information Act 2000 (FOIA) made prior to and during the dissolution of Parliament. We would also like to thank you for the detailed arguments that you have raised regarding this matter.

Firstly we would like to apologise for the delay in responding to your correspondence. However, sometimes there are circumstances outside our control that prevent us from providing a response as quickly as we would like, and one of these is the volume of complaints and enquiries we receive. Over the last few months we have seen a large increase in the correspondence sent to us, and we are implementing changes that should help us to meet improved service standards in future.

We did consider the status of the House of Commons and the House of Lords under the FOIA before the previous election in 2005 and did again before the election this year.

Prior to the recent election we were in communication with both Houses in regard to their status under the FOIA during dissolution and the measures that they were taking in regard to advising requestors of this. Both Houses had taken their own legal advice before contacting us which concluded that they are not legal entities during the election period when Parliament is dissolved and therefore no duty exists to respond to FOIA requests during this time. Upon receiving this view we took our own legal advice, and based upon this we accept the position set out by both Houses is correct. This is also consistent with the position we came to in 2005.

The ‘House of Commons’ and the ‘House of Lords’ are described in paragraphs 2 and 3 of Schedule 1 to the FOIA as a public authority within the meaning of section 3(1)(a) of the Act. The ‘House of Commons’ and the ‘House of Lords’ as listed in Schedule 1 cease to exist when Parliament has been dissolved and they do not come into existence again until the day named in Her Majesty’s summons. There are a number of statutory provisions which, in relation to the House of Commons and the House of Lords, maintain certain offices and functions during dissolution; however these do not maintain the ‘House of Commons’ or the ‘House of Lords’ as such. Because the specific public authorities set out in Schedule 1 of the Act do not exist during dissolution they have no duty to comply with FOIA requests during this time, and by extension there is no duty to comply with the timescale for response set out in the Act. While the entities subject to the FOIA did not technically exist during dissolution we did encourage both Houses to still be helpful to requestors.

As you are aware, in regard to FOIA requests made within 20 working days of dissolution and those made during dissolution there were measures put in place to advise requestors of the effect of dissolution on the time for responding to their request. Requestors who made a request before Parliament was dissolved were advised that the time remaining on their request would resume on the day Parliament met. Requestors who made a request while Parliament was dissolved were advised that the 20 working days would start when Parliament met.

From the link you provided in your email it is clear that you have now received responses from both the House of Commons and the House of Lords in regard to this matter. Because we do not consider that either House has a duty to respond to FOIA requests during dissolution we consider that both responses have been provided within the 20 working day timescale. In the case of the House of Commons the response was provided only a couple of days after Parliament met. For this reason we will not be taking your complaint any further.

Finally, we are not in a position to advise the House of Commons or the House of Lords in regard to ‘The Seven Principles of Public Life’. In regard to these we would suggest that you contact the Committee on Standards in Public Life, and more details can be found on their website using the following link:

http://www.public-standards.gov.uk/index.html.

I hope this information is helpful, and again we would like to apologise for the delay in responding to your correspondence. If we can be of any further assistance please contact our Helpline on 0303 123 1113 quoting your case reference number. You may also find some useful information on our website at www.ico.gov.uk.

Yours sincerely,

Trevor Craig

Lead Case Officer (Advice)

Information Commissioner’s Office

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

Dear Sirs
I am writing to complain about the House of Commons Commission’s failure to answer my request for environmental information:

http://www.whatdotheyknow.com/request/environmental_information_in_min

The House of Commons Commission have stated that:

“For the avoidance of doubt the House of Commons Commission is not a public authority within the meaning of the Environmental Information regulations.”

I believe the House of Commons Commission is a public authority by virtue of regulation 2(2)(c) (“any other body or other person, that carries out functions of public administration”). I note the following facts in support of my argument:

(1) “The House of Commons Commission is the overall supervisory body of the House of Commons Administration.”
http://www.parliament.uk/mps-lords-and-offices/offices/commons/house-of-commons-commission/

(2) The House of Commons is part of the United Kingdom legislature and is itself a public body which is publicly funded.

(3) “Its [the House of Commons Commission’s] responsibilities include:

  • appointing staff of the House
  • preparing and laying before the House the Estimates for the House of Commons Service
  • allocating functions to House departments
  • keeping staff pay and conditions broadly in line with those of the Civil Service.

The Commission was established by the House of Commons (Administration) Act 1978.”
http://www.parliament.uk/mps-lords-and-offices/offices/commons/house-of-commons-commission/

(4) I consider the House of Commons Commission’s functions to be public because they relate to the pay and conditions of public officials and the work of publicly funded House departments in support of a key part of the UK legislature.

(5) I consider the House of Commons Commission’s functions to be administrative because of its supervisory role in relation to the House of Commons Administration and its appointment of public officials but also because the House of Commons Commission was established by the House of Commons (Administration) Act 1978 [“An Act to make further provision for the administration of the House of Commons.”]

I believe I have presented a concise, referenced and persuasive argument in my email above and therefore I urge you to issue a Decision Notice which makes clear that the House of Commons Commission is a public authority and as such must comply with the Environmental Information Regulations 2004.

regards,

“…I am upholding the original decision, and we will not be supplying you with a copy of the full Register. Instead, as you are aware, you will be able to access it via our website.

However I fully understand the frustration expressed in your recent email as a result of our handling of your original request. In view of this I have decided to send you a file which includes the registration numbers of all organisations currently registered with us. In order to access the organisations’ details you will need to cut and paste each registration number into the search facility on the Register; this will return the full details for that organisation.”

I welcome this disclosure; it is a small step towards increased transparency, but I really don’t see why they could not have released much more.

ICO response

The Department of Communities and Local Government has been told to improve its handling of Freedom of Information requests after delays of up to 400 days.

http://www.lgcplus.com/News/2008/11/dclg_rapped_over_information_delays.html

“In accordance with his enforcement strategy, the Information Commissioner has conducted an audit of a number of section 50 complaints concerning the Department for Communities and Local Government (the ‘Department’). As a result, the Commissioner is of the view that the Department’s procedures do not conform to the following Code of Practice issued by the Secretary of State for Constitutional Affairs in November 2004:…”

Practice Notice