Breaches of the Data Protection Act by IPSA


Details of incidents when the Data Protection Act has been breached, including data lost, by your employees and contractors over the past three years

For clarity, you broke your request down into four areas:

  1. The total number of times there has been a breach of the Data Protection Act including data loss in the period,

  2. The total number of employees that have been disciplined internally for breaches of Data Protection Act in the period

  3. Please also provide details of each breach of the Data Protection Act, for example the type of Data that was involved and the number of people affected.

  4. Details of action taken, including whether each breach was reported to the Information Commissioner’s Office


IPSA holds the information that you request.

In your email, you specified that the request should cover the period from 1 July 2009 to 1 July 2012.  Our records began when IPSA came into existence on 7 May 2010 and, therefore, the information will cover the period from 7 May 2010 to date.

Annex A lists two events that resulted in breaches of the Data Protection Act.  The first item in Annex A was recognised by IPSA as a serious breach and was reported by IPSA to the Information Commissioner’s Office (ICO).  Undertakings were agreed between IPSA and the ICO to address the breach.  Further details of this can be viewed via this link to the ICO’s website.

The remaining item in Annex A describes a non-serious breach, where encrypted data was contained in a secured device.  As per the ICO’s guidance, breaches that do not fall into the definition of serious are not required to be reported to the ICO. 

The information that you have requested has been provided in the format you requested in your email.

Annex A - Breaches of the Data Protection Act

OrganisationDescriptionData affectedDisciplinary action takenAction taken including notification to ICO
IPSAInternal IPSA report containing expense claim details made available to 11 MPs via the online expenses systemBank account details, car registrations, details of MPs’ expense claims and names of claimantsImmediate dismissal of contractorNotification made to the ICO and an undertaking carried out. Further details can be viewed on the ICO website
IPSATheft of IPSA Blackberry during household burglaryEncrypted business emails contained on a security protected Blackberry, which may have contained names, business telephone numbers and business email addresses of IPSA employeesNoneNone

13 August 2012
Exemptions Applied: