FOI2025/00007S Request for information surrounding data loss
Published 14 March 2025
FREEDOM OF INFORMATION ACT 2000 - REQUEST REF: FOI2025/00007S
Thank you for your email of 19 February 2025 asking for information under the Freedom of Information Act (FOIA) 2000. You asked:
I would like to know to what extent you have implemented data encryption and cyber insurance policies and losses that you have incurred specifically covering the following.
1) How many laptops, mobile, tablet or USB devices have been lost or stolen from your organisation in the past year (Jan 2024-Dec 2024)?
Please specify numbers of each device type.
2) How many of these devices were encrypted? Please specify numbers of each device type.
3) Have you had to disclose or inform the ICO of any devices being lost or stolen in the past year (Jan 2024-Dec 2024)?
4) Have you had to disclose or inform the ICO of a data breach for any other reason e.g., insider/employee/user error, cloud breach or supply chain breach in the same period. Please state reason for disclosure.
5) How many data breaches (information has been lost, stolen or taken from a system without the knowledge or authorisation of the department/organisation) have you experienced within your organisation (department) within the past year (Jan 2024-Dec 2024)?
6) Do you have an existing cyber insurance policy in place, and how long have you had it? If not, do you plan to invest in cyber insurance in the coming year?
7) Have you had to claim on an existing cyber insurance policy in the past year (Jan 2024-Dec 2024)? - if so, what was the reason for this i.e. ransomware attack, phishing scam…
8) Other than GDPR, have new and updated compliance regulations such as the proposed ransomware ban; DORA and NIS 2, changed how you store and secure data within your department/organisation over the past year (Jan 2024-Dec 2024) and are you encrypting more data as a result?
I am writing to confirm that we have now completed the search for the information which you requested.
I can confirm that FCDO Services does hold information relevant to your request, as set out below.
FCDO Services is a trading fund of the Foreign, Commonwealth & Development Office (FCDO) and as such uses the technologies (hardware) provided by the FCDO. There are some exceptions to this, as we do procure devices that we own. Therefore, the figures below relate to devices owned by FCDO Services.
Breakdown of department-issued equipment type | Number of lost/stolen items (Jan to Dec 2024) |
---|---|
Laptops | 1 |
Mobile Phones | 0 |
Tablets | 0 |
USB Devices | 1 |
2) All government data is encrypted.
3) No.
4) FCDO Services neither confirms nor denies whether we hold information relevant to your request. In considering our response to your request, we have applied the exemption provisions of sections 24 (National Security) and 31 (Law Enforcement) of the Act – see below for further information.
5) See Q4 above.
6) No. Managing Public Money guidance from HMT does not allow for government departments to purchase cyber insurance. The general question of purchasing insurance to protect against risk is covered in section 4.4 and the corresponding annex 4.4 of HM Treasury’s Managing public money guidance. This guidance advises that it is better value for money for central government entities to finance incident recovery from the public purse, rather than by purchasing insurance from a private organisation.
7) No – see Q6 above.
8) We are compliant with all current UK Data Protection Law.
Section 24
To confirm or deny would not be in the interest of the UK’s national security. It is considered that to provide details about specific incidents or vulnerabilities would provide useful information to those who might seek to commit crime by allowing them to potentially hack into and attack FCDO Services IT systems – this is clearly not in the public interest.
Section 31
FCDO Services can neither confirm nor deny that it holds information within the scope of this question as the duty in section 1(1)(a) of the FOIA does not apply under section 31(3). To confirm if the information requested is or is not held would expose FCDO Services to potential threats of a criminal nature. Confirming details about specific incidents or vulnerabilities one way or the other puts firm knowledge into the public domain, which could prejudice the prevention or detection of crime.
However, this should not be taken as evidence that the information you have requested exists or does not exist.
Once an FOI request is answered, it is considered to be in the public domain. To promote transparency, FCDO Services may now publish the response and any material released on GOV.UK in the FOI releases section. All personal information in the letter will be removed before publishing.
Where copies of information have been supplied to you they will continue to be protected by the Copyright, Designs and Patents Act 1988. You are free to use it for your own purposes, including any non-commercial research you are doing and for the purposes of news reporting. Any other re-use, for example commercial publication, would require the permission of the copyright holder. Most documents supplied by the FCDO will have been produced by government officials and will be protected by Crown Copyright. To re-use Crown Copyright documents please consult the Open Government Licence v3 on the National Archives website.
Information you receive which is not subject to Crown Copyright continues to be protected by the copyright of the person, or organisation, from which the information originated. You must ensure that you gain their permission before reproducing any third party (non-Crown Copyright) information.
If you would like to request a review of our decision, you should write to the Data Protection Officer (DPO), Knowledge and Information Management (KIM) Team, FCDO Services, Hanslope Park, Milton Keynes, England, MK19 7BH (e-mail: FCDOServices.DataProtectionOfficer@fcdo.gov.uk). Please note you have 40 working days to do so from the date of this letter. Please quote the reference number above in any future communications.
If you are not content with the outcome of your complaint, you may then apply directly to the Information Commissioner for a decision. Generally, the Information Commissioner cannot make a decision unless you have exhausted the complaints procedure provided by the FCDO. The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, or online at: https://ico.org.uk/make-a-complaint/
Yours sincerely,