An embarrassing data breach at the Department for International Trade has exposed its shocking Freedom of Information (FOI) practices.
The breach, which has been dubbed a 'human error', showed the department to be in breach of multiple rules surrounding Freedom of Information.
What happened?
A journalist at the news website and intelligence platform Politico was sent an email from the Department for International Trade that contained the entire FOI caseload for the government branch.
Quite remarkably, this happened not once, but twice over a two-week period. All the files sent to the journalist were marked with a government security classification, which a follow-up email from the department pointed out.
The breach did not contain names but did reveal which entities the requests came from, including NGOs, campaign groups, and media organizations such as the Guardian and the BBC.
What did the breach expose?
The breach exposed the Department for International Trade's shocking FOI practices, showing that a Cabinet Office 'Clearing House' stopped information from being handed over to journalists against the wishes of the Department's information officers.
The Clearing House, a wing of the Cabinet Office that ultimately decides how each FOI request is handled, has recently lost a legal battle regarding the opaque nature of its operations and the fact that it keeps a note of who makes the requests.
This is troubling because FOI requests are, legally, supposed to be devoid of reference to the interested party's identity, or 'applicant-blind'.
As many on the Labour front benches have already pointed out, evidence of these practices means Michael Gove lied to Parliament and, in turn, broke the ministerial code when he denied that this sort of thing existed whilst giving evidence to the House.
What was the response?
According to Politico, the Department for International Trade said in its follow-up email that it would fulfill its obligation to report the incident to the Information Commissioner's Office. However, as it stands, the ICO has yet to receive a report about this incident.
When a data breach occurs, public bodies have 72 hours to report it to the ICO if it does not pose a threat to people's freedoms. The Department argues that it does not fulfill the requirements to report it in this time period.
Shadow Secretary of State for International Trade Emily Thornberry said of the breach:
"What we are seeing revealed here is something deeply dangerous and corrosive to our democracy: evidence of a government department breaching the FOI guidelines, categorizing information according to its sensitivity and the person requesting it, and taking advice on handling requests from the secret Cabinet Office Clearing House."
The Shadow Secretary went on to say that it was vital to determine whether this was being done to "circumvent or delay the government's obligations under the law".
Data breaches aren't always attacks
The important takeaway from stories like this is that although data breaches are often a result of an attack on a network, server, or system by some malicious actor, they can easily arise from human error.
Thousands upon thousands of emails are sent to the wrong recipient every single year, by companies big and small.
Clearly, even government departments aren't immune.
This data breach is, in an odd way, a virtuous one: it has exposed the bad practices going on at the Department for International Trade, and it was sent to a reputable media organization that has not used the information for malicious purposes but has simply reported on it. Luckily for the Department for International Trade, Politico complied with an order to delete the documents.
It is, however, also a reminder that sometimes the biggest security vulnerabilities in an organization can be employees slipping up, or not taking enough care when handling sensitive information.