Data breaches 273/2025

FOI Reference: 273/2025

Request:

Data Breaches:

1. The number of data breaches recorded by your force in the past 10 years.
2. The agencies or external bodies involved, if any.
3. The type of data compromised.
4. The departments or units within your force affected.
5. The impact of these data breaches.
6. Whether any of these breaches were reported in the media (if so, please specify).
7. Whether the breaches were made public by the force.

Clarification Q:

The type of data compromised. - Please can you advise what is meant by "type"

The impact of these data breaches. - how is “impact” defined, we would not record this as an category of information

Clarification A:

We are asking about the category of data: crime, person (victim, offender, suspect, witness), incident, intelligence, organisational (HR, finance, etc).

About the impact – what was the effect of the data breach, e.g., did it result in a referral to the Information Commissioner's Office / Police and Crime Commissioner, was it reported in the media.

Response:

Section 1 of the Freedom of Information Act 2000 places two duties on public authorities. Unless exemptions apply, the first duty at Section 1(1)(a) is to confirm or deny whether the information specified in a request is held. The second duty at Section 1(1)(b) is to disclose information that has been confirmed as being held.

Dyfed-Powys Police are unable to confirm or not whether we hold information relevant to your request, since we consider that the Section 12(2) exemption the Cost of Compliance exceeds the Appropriate Limit applies to it.

Where exemptions are relied upon Section 17 of the Freedom of Information Act 2000 requires Dyfed-Powys Police, when refusing to provide such information (because the information is exempt) to provide you the applicant with a notice which: (a) states that fact, (b) specifies the exemption in question and (c) states (if that would not otherwise be apparent) why the exemption applies.

Section 12(2) – The cost of compliance exceeds the Appropriate Limit

Section 12(2) states: “…Subsection (1) does not exempt the public authority from its obligation to comply with paragraph (a) of section 1(1) unless the estimated cost of complying with that paragraph alone would exceed the appropriate limit.”

The cost of providing you with the information requested in respect of Questions 1, 2, 4 & 7 of your request is above the amount to which we are legally required to respond i.e. the cost of locating and retrieving the information exceeds the “appropriate level” as stated in the Freedom of Information (Fees and Appropriate Limit) Regulations 2004. It is estimated that it would exceed 18 hours (i.e. minimum of 130.65 hours) to comply with this part of your request. The regulations can be located @ https://www.legislation.gov.uk/uksi/2004/3244

The Freedom of Information Unit has been advised by the relevant department that in order to establish what information, if any, is recorded in relation to Questions 1, 2, 4 & 7 would exceed the appropriate time limit i.e. 18 hours. In light of this and in order to accurately obtain the information relative to your request for the time frame stipulated would involve Dyfed Powys Police manually reviewing each record and reading each email and document to find the relevant answers.

Time estimate to complete task 2022-2025 = 130.65 hours

Please note the following additional information provided by the relevant department:

Question 1 – Please note that prior to 2022 there are some records held in archive however that may not all be reported breaches, just some that required extra work, a manual review of these records would be required which would add to the time estimate detailed above.

Question 3 – Dyfed Powys Police does not specifically record this information. We only record personal data breaches – so none would be just organisational or financial. They are all investigated in the same way – to identify exactly what data was involved would require, looking at the emails/documentation individually.

Question 5 – Dyfed Powys Police does not record the “impact” of each breach. Clarification simply changed the word “impact” to “effect” – which is not recorded. We would not know, for example, the impact on data subjects, staff involved etc.

In relation to the clarification given: “what was the effect of the data breach, e.g., did it result in a referral to the Information Commissioner's Office /Police and Crime Commissioner, was it reported in the media…”

1. We can advise how many were referred to the ICO – however, that is done automatically when a threshold is reached – it does not reflect “impact”. It does not tell you if the ICO required further action – if action was taken by the ICO that would be publicly available via the ICO website.
2. None would be referred to the OPCC, as this is not required.
3. Was it reported to the media – duplication of question 6.

Question 6 – Dyfed Powys Police does not record what the media publish and may not even know if it was a member of the public that reported it to them, or a national matter.

In accordance therefore with the Freedom of Information Act 2000, this letter acts as a Refusal Notice for the Whole of this request under Section 17(5) A public authority which, in relation to any request for information, is relying on a claim that section 12 or section 14 applies must, within the time for complying with section 1(1), give the applicant a notice stating that fact.

You may wish to refine and resubmit your request so that it reduces the time shown above to fall within the 18 hours, should you require any further advice in relation to this matter please don’t hesitate to contact the Freedom of Information Unit. Please also be advised that should the request be refined, it does not remove the public authorities right to cite exemptions if relevant.                                             

(This is a response under the Freedom of Information Act 2000 and disclosed on 09/04/2025)