Freedom of information request reference no: 01.FOI.22.027324
I note you seek access to the following information:
The number of data breaches reported to your force data protection officer, or equivalent, for each of the following years:
2018
2019
2020
2021
2022
Please provide a breakdown for each year including:
i) the month/year of the breach
ii) a summary of the nature of the breach including a description of the data involved, including whose data it was compromised, e.g. Police officer/civilian employee, members of the public, witnesses etc.
iii) details of the circumstance of the breach and any subsequent risks arising from the breach
iv) whether or not the breach was reported to the Information Commissioner Office (ICO) and what the repercussions of that was, i.e., any fines from the ICO.
I have today decided to disclose some of the requested information. Some data has been withheld as it is exempt from disclosure and therefore this response serves as a Refusal Notice under Section 17 of the Freedom of Information Act 2000 (the Act) by virtue of the following exemptions:
Section 24(2) - National Security
Section 31(3) - Law Enforcement
In addition, the Metropolitan Police Service can neither confirm nor deny whether any other information is or is not held relevant to this request as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 (the Act).
Reason for decision
Before I explain the reasons for the decisions I have made in relation to your request, I thought that it would be helpful if I outline the parameters set out by the Act within which a request for information can be answered. The Act creates a statutory right of access to information held by public authorities. A public authority in receipt of a request must, if permitted, confirm if the requested information is held by that public authority and, if so, then communicate that information to the applicant.
The right of access to information is not without exception and is subject to a number of exemptions which are designed to enable public authorities to withhold information that is not suitable for release. Importantly, the Act is designed to place information into the public domain, that is, once access to information is granted to one person under the Act, it is then considered public information and must be communicated to any individual should a request be received.
You have asked questions regarding data breaches reported to the Data Protection Officer, including a breakdown of the month and year; the nature of the breach, with a description; details of the circumstance of the breach and any subsequent risks arising from the breach; and whether or not the breach was reported to the Information Commissioner's Office (ICO) and what the repercussions of that were, i.e., any fines from the ICO.
The MPS can provide overall figures for Data breaches.
The response is a disclosure relevant only to non-cyber related data breaches, with the addition of a partial neither confirm nor deny (NCND) under Sections 24(2) and 31(3) as to whether any other information is held relevant to any cyber-related data breaches (regardless of whether any information is or is not actually held).
To confirm or deny would provide actual knowledge that where an attempt has been made, it has or has not been successful. Confirming that such information is not held may assist potential attackers by indicating that an attack had gone undetected. Equally, confirming information is held would enable understanding of where attacks have been successful, and possible weaknesses exist. Attackers may then be able to tailor their methods to increase their chances of success.
To confirm or deny whether information is held in respect of any leaked data as a result of an attack would, in effect, confirm that there had been successful cyber-attacks made against the force, which would present harm as detailed above.
Furthermore, in order to counter criminal and terrorist behaviour it is vital that the police and other agencies have the ability to work together, where necessary covertly, in order to obtain intelligence within current legislative frameworks to ensure the arrest and prosecution of offenders who commit or plan to commit acts of terrorism, whereby their modus operandi may involve cyber-attacks on secure databases. In order to achieve this goal, it is vitally important that information sharing takes place with other police forces and security bodies within the United Kingdom in order to support counter-terrorism measures in the fight to deprive terrorist networks of their ability to commit crime. To confirm or deny specific details of any breaches of information technology and security would be extremely useful to those involved in terrorist activity as it would enable them to map vulnerable information security databases.
Section 24(2) - National Security - Security measures are put in place to protect the community we serve. As evidenced within the harm, to confirm whether any cyber-attacks have been successful would highlight to terrorists and individuals intent on carrying out criminal activity vulnerabilities within the MPS which could be further exploited.
Taking into account the current security climate within the United Kingdom, no information (such as the citing of an exemption which confirms information pertinent to this request is held, or conversely, stating ‘no information is held’) which may aid a terrorist should be disclosed. To what extent this information may aid a terrorist is unknown, but it is clear that it will have an impact on a force’s ability to monitor terrorist activity.
Irrespective of what information is or isn’t held, the public entrust the Police Service to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain.
The cumulative effect of terrorists gathering information from various sources would be even more impactive when linked to other information gathered from various sources about terrorism. The more information disclosed over time will give a more detailed account of the tactical infrastructure of not only a force area but also the country as a whole.
Any incident that results from such a disclosure would, by default, affect National Security.
Section 31(3) - Law Enforcement - Confirmation or denial that information is held in this case would suggest the MPS take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively and inappropriately.
The points above highlight the merits of confirming or denying the requested information exists. The Police Service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. As part of that policing purpose, information is gathered which can be highly sensitive relating to high profile investigative activity. Weakening the mechanisms used to monitor any type of criminal activity, and specifically terrorist activity would place the security of the country at an increased level of danger.
In addition, anything that places that confidence at risk, no matter how generic, would undermine any trust or confidence individuals have in the Police Service. Therefore, at this moment in time, it is our opinion that for these issues the balance test favours neither confirming nor denying that information is held.
It should not be surmised that we are applying Sections 31 & 24 to the same pieces of information.
Disclosure
Please find attached a spreadsheet pursuant to your request for information.
This disclosure is relevant only to non-cyber related data breaches.
The harm of disclosure is reduced by not providing a specific breakdown per month.
The MPS is unable to provide the requested data for 2018. The MPS response for 2018 is No Information Located.