The Information Commissioner has issued an unprecedented reprimand to 20 public authorities following a Freedom of Information data breach.
An investigation was launched last month after a senior figure in the Cabinet Office accessed the personal data of island residents contained in more than 540 FoI requests on more than 1,200 separate occasions.
Every government department was affected, as well as the police, the Attorney General’s Chambers and Manx Care, among others.
The Office of Cyber Security, which since April last year has handled the administration of the FoI system, had initially described the data breach as being of ‘low level’ as the information had not been released to anyone outside of the public service.
But the Information Commissioner has taken the unusual step of publishing the reprimands it has issued to the 20 public authorities involved, saying there was a ‘clear public interest in doing so’, given the extent of the access, the breadth of bodies affected and the fundamental right to request access to information under the Freedom of Information Act.
Deputy Commissioner Nicola Whiting said that while the investigation into the 20 public authorities was complete, an ‘investigation into other matters remains ongoing’.
Anyone who submitted an FoI request between April 1, 2022, and March 22, 2023, has been invited to contact the relevant public authority to find out whether they have been affected by the data breach.
The reprimands remain in force for two years.
Public bodies affected have been given until July 28 to comply with a series of actions including implementing appropriate technical and organisational measures to ensure security of personal data.
The reprimand explains that an officer in the Cabinet Office had an arrangement to provide ‘administrative assistance’ in respect of iCasework – the software used to submit FoI requests – but the administration of iCasework had been transferred to the Office of Cyber Security in April 2022.
After the date of transfer, it notes, there was ‘no lawful purpose for that person to access personal data in iCasework, and any such access was incompatible with the purpose for which the personal data had been obtained by i.e. responding to FoI requests.’