The Information Commissioner has launched an investigation after a senior figure in the Cabinet Office accessed islanders’ personal data on more than 1,200 separate occasions.

Every government department has been affected, as well as the Police, the Attorney General’s Chambers and Manx Care, amongst others.

The Information Commissioner said it understands that the Cabinet Office is also undertaking its own internal investigation.

Its investigation commenced following receipt of a personal data breach report, made in accordance with Article 33 of the Applied GDPR, from the DHSC. The personal data breach report is also a protected disclosure under the Employment Act 2006.

A statement said: ‘Whilst the news item published on June 15, 2023, would appear to be premature, presumptive and potentially prejudicial to the ongoing investigations, the Commissioner considers it is necessary to confirm that, between April 1, 2022, and March 22, 2023, the senior officer accessed the personal data contained in over 540 FOI requests, made to 20 separate public authorities, on more than 1,200 occasions.’

That original publication on June 15 described the data breach as ‘low level’ and said the information had not been released to anyone outside of the public service.

The government said it has been notified of a data breach relating to access by an individual from a public authority with administration rights to information requests submitted to other public authorities.

In response to a request by the Information Commissioner, all public authorities carried out audits of their access logs and identified a number of times where their information requests were viewed by a third party from another public authority.

Administration of the FoI system is now handled by the Office of Cyber Security and all other administration rights have been revoked.

The Information Commissioner said its investigation is ongoing and added: ‘At present, the purpose for which the personal data was accessed and further processed is unknown, nor is it known why the breaches went undetected by the system administrator.

‘If you submitted an FoI request to any of the affected public authorities between April 1, 2022, to March 22, 2023, and wish to find out whether you have been impacted, you should contact the public authority to which you submitted your request (i.e. the controller responsible for the processing of your personal data).’

The public authorities affected are:

Department of Education, Sport and Culture

Department for Enterprise

Department of Environment, Food and Agriculture

Department of Health and Social Care

Department of Home Affairs

Department of Infrastructure

Treasury

Isle of Man Office of Fair Trading

Isle of Man Financial Services Authority

Isle of Man Post Office

Manx Utilities Authority

Isle of Man Gambling Supervision Commission

Public Sector Pensions Authority

Manx Care

HM Attorney General’s Chambers

Isle of Man Constabulary/Chief Constable

Clerk of Tynwald

General Registry

Manx Museum and National Trust

Road Transport Licensing Committee