DHA has complied with enforcement notice from Information Commissioner

Follows series of FOI data breaches earlier this year

The Department of Home Affairs has confirmed it will continue to comply with an enforcement notice issued by the Information Commissioner earlier this year.

It's after a senior officer in Cabinet Office accessed personal data in the system used to record and manage Freedom of Information requests, known as iCasework.

Administration for this system was originally undertaken by Cabinet Office before being transferred to the Office of Cyber Security and Information Assurance (OCSIA) on 1 April 2022.

On 22 May, following the FOI data breaches, this control was transferred to the Department of Home Affairs (DHA).

The enforcement notice was therefore addressed to the department's Chief Executive Officer, Dan Davies, as it was sent in June this year.

It confirmed that the person within Cabinet Office that accessed personal data in the iCasework areas of other public authorities was a "power user" and was advised on 24 February 2023 that their access rights were to be restricted to Cabinet Office only, but was invited to let OCSIA "know of some reason why this would not be appropriate" and OCSIA proposed to then "explain that rationale to the departments and reverse the access permissions".

The person noted the change in access rights; however, as the access rights had not been correctly amended, the person continued to access other public authorities' areas of iCasework for a further month, until access rights were correctly restricted by OCSIA on 23 March 2023.

A further 50 instances of access occurred in that period.

The Information Commissioner stated: "Damage or distress to the individuals is likely as a result of the unauthorised access to personal data.

"Isle of Man residents expect, and should be able to trust, that any personal data submitted to a public authority in connection with their FOI request is available to that public authority for the purposes of responding to their FOI request only."

In June the DHA was asked to comply to certain conditions by 31 July or face a number of penalties.

These conditions included putting into place binding contracts between any of the public authorities using iCasework, and the DHA as processor, to protect those using the system in the future.

A spokesperson for the department told Manx Radio: 'The enforcement notice required the Department of Home Affairs to confirm that they had, and will continue, to comply with the notice – this was confirmed to the Information Commissioner in July 2023 along with an outline of how the department was addressing the order. 

'There has been no further correspondence since then.'