The Freedom of Information Act (FOIA) 2015 enables residents of the Isle of Man to obtain access to information held by public authorities.
To make it easier to submit a request for information, this can be made in an electronic format and is available as part of the online services provided by the Isle of Man Government.
As each public authority is a separate legal entity, the electronic system has been built to provide each public authority with their own separate area.
Staff from individual public authorities will then access the system to respond to requests for information that they receive. In order to support the operation of the online service it was necessary for a ‘general administration role’ to be created. This role supports the adding and removing of ‘staff user’ accounts on behalf of public authorities as well as setting up levels of system access permissions.
In performing the general administration role, it provides those responsible with an elevated level of system access and, if requested by the relevant public authority, will allow access to any requests for information that have been submitted.
The Isle of Man Government has been notified of an information breach relating to its Freedom of Information system. This low level breach relates to access by an individual from a public authority with administration rights to information requests submitted to other public authorities.
In response to a request by the Information Commissioner, all public authorities have carried out audits of their access logs and have identified a number of occasions where their information requests were viewed by a third party from another public authority.
The information viewed relates to both the detail of the request and the name, address and contact details of the requester.
The Office of Cyber Security and Information Assurance has confirmed that no personal information has been viewed by any individual outside of the public service or transferred outside of the Government network. This has led to the assessment that the risks to the rights and freedoms of data subjects is low.
The administration of the FOI system is now handled by OCSIA and all other administration rights have been revoked. In addition, the public authority from which the breach originated is undertaking an independent investigation of the breaches.
If anyone has any concerns, they can get in touch with a dedicated email address: OCSIA-Secretariat@gov.im
