Information request and response under the Freedom of Information (Scotland) Act 2002
FOI Reference: FOI/202300364064
Date received: 29 June 2023
Date responded: 26 July 2023
Request
Request for information 1:
Figures on the number of non-GDPR compliant data breaches via Social Security Scotland in the past two years, broken down monthly.
Request for information 2:
The total number of personal profiles which were compromised in these breaches.
Request for information 3:
The total number of breaches affecting residents the addresses of whom are registered within the Lothian Region of the Scottish Parliament.
Response to your request
Request for information 1:
Please note that the information in the table below provides numbers of personal data breaches between the dates of 29 June 2021 and 29 June 2023.
Month |
Number of personal data breaches |
June 2021 |
0 |
July 2021 |
0 |
August 2021 |
4 |
September 2021 |
6 |
October 2021 |
2 |
November 2021 |
3 |
December 2021 |
3 |
January 2022 |
5 |
February 2022 |
13 |
March 2022 |
17 |
April 2022 |
13 |
May 2022 |
19 |
June 2022 |
36 |
July 2022 |
32 |
August 2022 |
23 |
September 2022 |
17 |
October 2022 |
26 |
November 2022 |
34 |
December 2022 |
21 |
January 2023 |
34 |
February 2023 |
23 |
March 2023 |
54 |
April 2023 |
52 |
May 2023 |
70 |
June 2023 |
49 |
Personal data handled by Social Security Scotland has grown significantly in the last year. This is reflected in the increase in personal data breaches which represents an extremely small percentage of data processing undertaken by Social Security Scotland.
For example, in year 2021-22 Social Security Scotland received 520 Adult Disability Payment Part 1 applications. In year 2022-23, Social Security Scotland received more than 85,000 Adult Disability Payment Part 1 applications following its national launch in August.
Requests for information 2 and 3:
While our aim is to provide information whenever possible, in this instance the costs of locating, retrieving and providing the information requested would exceed the upper cost limit of £600. To provide the requested information would require interrogation of each case to establish the number of data subjects affected by a personal data breach and to establish how many affected the information of the residents of the Lothian constituency region of the Scottish Parliament.
We have calculated from a sample that to carry out the necessary location and retrieval of the information requested would take in excess of 81 hours. Under section 12 of FOISA public authorities are not required to comply with a request for information if the authority estimates that the cost of complying would exceed the upper cost limit, which is currently set at £600 by Regulations made under section 12.
You may, however, wish to consider reducing the scope of your request in order that the costs can be brought below £600. For example, you may wish to narrow the timescale to cover data breaches during a particular month or series of months. You may also find it helpful to look at the Scottish Information Commissioner's 'Tips for requesting information under FOI and the EIRs' on his website at:
http://www.itspublicknowledge.info/YourRights/Tipsforrequesters.aspx
About FOI
Social Security Scotland is committed to publishing responses to requests. The Scottish Government also publishes responses to requests. You can view the responses at http://www.gov.scot/foi-responses.