|Title and link to statistical output||DCMS Sponsored Museums and Galleries Annual Performance Indicators 2019/20|
|Name of producer organisation||Department for Digital, Culture, Media and Sport|
|Name and contact details of person|
dealing with report
|Alex Bjorkegren firstname.lastname@example.org|
|Name and contact details of Head of Profession for Statistics or Lead Official||Sarah Lasher email@example.com|
|Link to published statement about the breach (if relevant)||N/A|
|Date of breach report||27 January 2021|
|Relevant principle(s) and practice(s)||Orderly release, T3.4|
|Date of occurrence of breach||27 January 2021|
Early on 27 January, the lead statistician set up a scheduled email using gmail’s ‘schedule send’ feature. This was due to be sent to a small number of policy and press colleagues at 9.30am, 24 hours before planned release. The email would also grant access to the statistical release and submission which were stored as shared google documents. Unfortunately, the time was accidentally set wrong, and this was sent at around 8:50am (40 mins earlier than it should have been).
The team lead noticed around 10 minutes later. Access was revoked immediately, the press/policy colleagues were contacted and the issue was escalated to the Head of Profession. During this short window, at least two colleagues accessed the statistics before the 24 hour pre-release period.
The impact of the breach is negligible. A small number of colleagues were able to access the figures for a very short time before the pre-release period. The statistical report is mostly based on published data / management information that policy colleagues already had access to. The only information policy colleagues hadn’t seen was aggregate information which could have been calculated using the data they already had available.
The statistics team at Department for Digital, Culture, Media and Sport take our responsibilities under the Code of Practice for Statistics seriously and report this for transparency, rather than because we expect there to be any material impacts.
This breach was due to human error and the implications are very limited. All staff involved in the breach understand the importance of the pre-release period and their responsibilities under the Code of Practice for Statistics. As above, they reacted quickly and appropriately as soon as the error was noticed.
We will trial two amendments to our process and keep these under review:
- After the sender has set up the scheduled email, they will always explicitly review the time and date that the email has been scheduled to go at. This should reduce the chance that the email has been scheduled to be sent at a time other than 9.30am.
- Staff using scheduled emails for pre-release materials will also add themselves to the copy list. This means they will be alerted immediately if this inadvertently sent too soon and can immediately revoke access.