This FOI request went through an internal review process at the request of the original requester. The follow up response can be found below the original request.

Original request

Summary of request

Records related to data incident
Date of request: 27 October 2024
Date of response: 21 November 2024
Reference: 24-25/56
Partially successful
Other

Full request

Please provide a copy of all information held by the GTCS in relation to this data incident including what happened, what action was taken to rectify matters and what action has been taken to ensure this type of incident does not happen again.

Response

I refer to your request for information dated 27 October 2024 (FOI 24-25/56) in which you asked for “all information held by the GTCS” in relation to a data incident of 3 September 2024 to include “what happened, what action was taken to rectify matters and what action was taken to ensure this type of incident does not happen again” which we have handled under the Freedom of Information (Scotland) Act (FOISA).

We have interpreted this request to be for records since 3 September 2024 relating to a previous Freedom of Information response (FOI 24-25/40) in which we explained that a typographical error caused a named individual’s entry on our online Search the Register functionality to not show when the correct spelling was used.

With regards to your request, I have now conducted a search for the records and have identified relevant records relating to the scope of your request. The relevant records include the following:

  • Two data incident reports detailing the cause and remediation taken;
  • Email exchanges discussing the incident and actions taken subsequently.

Please find those records for disclosure to you under FOISA labelled “FOI 24-25/56_Records” accompanying this response.

You will note that the documents I have provided have been redacted in line with our obligations under FOISA. Where the redaction is in red, this has been done to protect the personal information of individuals as disclosing this information could enable individuals to be identified. FOISA does not require us to provide this sort of information as it is exempt under section 38(1)(b).

Where the redaction is in black, this has been done under section 30(c) as disclosure is likely to inhibit substantially the effective conduct of public affairs being the operation of GTC Scotland. These records contain internal security considerations and reporting which, if disclosed, would reveal security measures and digital remediation which could compromise our internal systems. This would expose GTC Scotland to digital security risks if disclosed under FOISA. For this reason, we consider the public interest in upholding the exemption to outweigh the public interest in disclosing the information.

Where the redaction is in black, this has also been done under section 30(b)(ii) as disclosure is likely to inhibit substantially the free and frank exchange of views for the purposes of deliberation. These records contain suggestions, analysis and opinions being shared by colleagues following a data incident. The comments have been made with an expectation of confidentiality, sharing with their team openly in order to make improvements. If these were to be disclosed in the public domain it would inhibit substantially the free and frank exchange of views for the purpose of deliberation and would result in contributors refraining from openly engaging in such deliberations and discussions in the future if they knew these could be disclosed under FOISA. While ensuring transparency in organisations such as ours, the impact that it would have on the organisation, and its effective conduct of public affairs, would be significant. For this reason, we consider the public interest in upholding the exemption to outweigh the public interest in disclosing the information.

You may contact informationgovernance@gtcs.org.uk if you are dissatisfied with this response, to request GTC Scotland conduct a review of it. You should describe the original request and explain your grounds of review. You have 40 working days from receipt of this response to submit a review request. When the review process has been completed, if you are still dissatisfied, you may use the Scottish Information Commissioner's guidance on making an appeal to make an appeal.

Internal Review request

Summary of request

Records related to data incident
Date of request: 21 November 2024
Date of response: 20 December 2023
Reference: 24-25/14
Decision upheld - with modification
Other

Full request

Response

I refer to your request dated 21 November 2024 for a review of the response you received on the same day to your original information request to GTC Scotland (FOI 24-25/56), dated 27 October 2024.

You have expressed dissatisfaction with our response to your information request. To enable your review request to be considered afresh and by someone who has not responded to your original request, I have been appointed to undertake the internal review on behalf of GTC Scotland.

Your original request

In your original request you asked for the following:

Please provide a copy of all information held by the GTCS in relation to this data incident including what happened, what action was taken to rectify matters and what action has been taken to ensure this type of incident does not happen again.

On 21 November, we provided records related to the data incident and redacted them in line with section 38(1)(b) and section 30(c) under FOISA. On 21 November, you sent an email requesting we review our decision in FOI 24-25/56 under section 20(1) of FOISA.

Your internal review request

In your review request of 21 November, you state:

I was previously told that both data subjects were informed of the breach. I don't see this as part of the disclosure so please provide it alongside a copy of what was sent to them at the time, i.e., the marketing output for completeness.
I would like a copy of the report mentioned in the 23 September and 15 November emails.

Please see our response to your request for an internal review below.

Our response

I have taken part one of your request: “I was previously told that both data subjects were informed of the breach. I don't see this as part of the disclosure so please provide it alongside a copy of what was sent to them at the time, i.e., the marketing output for completeness.” as a review request as necessary, and I have now attached the requested records, labelled FOI Review 24-25/14, redacted in line with section 38(1)(b) to remove personal data of third parties.

I have taken part two of your request - “I would like a copy of the report mentioned in the 23 September and 15 November emails” - as a new request for information, which I will respond to under separate cover. The reference for that request is FOI 24-25/78.

If you are dissatisfied with this response to your review request, you have a right of appeal to the Scottish Information Commissioner within 6 months of this review response. The Scottish Information Commissioner’s guidance on making an appeal describes the process, including the application form. Further information, including relevant contact details is available on the website. If you are dissatisfied with the decision of the Commissioner, following an appeal to the Commissioner, you have a right of appeal to the Court of Session on a point of law.