Sony Freedom Of Information (FOI) Request

On 14 January 2013 the UK Information Commissioner's Office (ICO) served Sony Computer Entertainment Europe Limited with a monetary penalty notice of £250,000 following 'a serious breach of the Data Protection Act'.

To quantify how much the ICO fined Sony per user's data, the exact number of UK PSN users would need to be known. A couple of sources put this number at 3 million, but I'm not sure where the original 3 million figure came from nor how accurate it really is [0][1].

If we take this 3 million figure at face value, the ICO fined Sony £250,000 / 3,000,000 ≈ £0.083, roughly 8p, per user's data. According to the ICO, £250,000 is 'reasonable and proportionate' in this case. To get a more accurate figure I sent the ICO a FOI request asking for the redacted figure in the monetary penalty notice, which simply states "The Network Platform was used by an estimated REDACTED million customers in Europe, the Middle East, Africa, Australia and New Zealand with REDACTED million of those customers based in the UK.".

Here is the ICO's response in which my request was rejected:

[code wraplines="true"]
I am writing further to our 7 February acknowledgement of your request for information about the civil monetary penalty notice served on Sony. As you know, we are treating this as a request for information under the Freedom of Information Act 2000 (FOIA). We are now in a position to provide our response.

You asked:

“I would like to request the estimated number of UK Sony Playstation Network users which was redacted in the 'Sony Computer Entertainment Europe Limited - Monetary Penalty Notice' document under section 4 titled 'Background' which can be found on page 3 dated 14 January 2013
[…]
I want to request the second redacted number within that sentence which relates to UK Network Platform users.”

Unfortunately, we are unable to disclose the information you have requested. We can confirm that within the redacted text is the word ‘millions’, however the number which precedes that text is refused.

The information was provided to the ICO by Sony for the purposes of the ICO’s investigation prior to the serving of the monetary penalty notice. Sony has made clear that the information provided to the ICO for this investigation was given in confidence, and is commercially sensitive. Information was redacted from the public copy of the monetary penalty notice on that basis. Subsequent to receiving your request we consulted with Sony to see whether it continues to regard the requested information as confidential and commercially sensitive. It has now confirmed that it does, and will therefore not give its consent for the figure to be disclosed; consequently the ICO is unable to disclose it.

This information has been withheld under the provisions of Section 44 of the FOIA which places prohibitions on disclosure.

Section 44(1)(a) of the FOIA states:

‘(1) Information is exempt information if its disclosure (otherwise than under this Act) by the public authority holding it -
(a) is prohibited by or under any enactment’

The enactment in question is the Data Protection Act 1998 (DPA) and specifically Section 59 of the DPA.

Section 59 states that neither the Commissioner nor his staff shall disclose:

“any information which:

(a) has been obtained by, or furnished to, the Commissioner under or for the purposes of the information Acts,
(b) relates to an identified or identifiable individual or business, and
(c) is not at the time of disclosure, and has not been available to the public from other sources,
unless the disclosure is made with lawful authority.”

This prevents us from disclosing the information which has been collected in the course of our investigations unless we have lawful authority to do so.

We do not have lawful authority on the basis that this information was provided to us in confidence and Sony has confirmed that it does not consent to the disclosure of the figure. We have considered whether, irrespective of Sony’s expressed position, we might override its refusal on the grounds that lawful authority could be attained under section 59(2)(e) of the DPA which provides that

[disclosure of information is made with lawful authority only if, and to the extent that -]

“(e) having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest.”

In other words, if disclosure of this information was necessary in the public interest, and this public interest were sufficient to override the rights and legitimate interests of Sony, then disclosure could be made with lawful authority.

We consider that knowing the scale of the security breach is in the public interest, hence the disclosure of the word ‘millions’. (For the avoidance of doubt, Sony has also indicated that it does not object to the disclosure of the word ‘millions’). However, this does not require the precise figure to be disclosed and disclosure is therefore not 'necessary' in the public interest. Given Sony’s continued position that the figure is commercially sensitive, any public interest in disclosure of the actual figure is insufficient to override the rights of Sony to have its confidentiality respected, and its legitimate interests maintained.

Furthermore, there is public interest in the ICO being able to rely on openness and candour from parties which it investigates. If information obtained in confidence is subsequently disclosed, contrary to the wishes of the confider, this would be likely to make it more difficult to obtain the full co-operation of data controllers and public authorities in future.

For these reasons, we have concluded that there are no grounds to overrule Sony’s expressed position on the grounds of the public interest, and the prohibition on disclosure under section 59 of the DPA must apply. Therefore, under section 44(1)(a) of FOIA, the figure you have requested is refused.

If you are dissatisfied with the response you have received and wish to request a review of our decision or make a complaint about how your request has been handled you should write to the Information Governance Department at the address below or e-mail informationgovernance@ico.gsi.gov.uk

Your request for internal review should be submitted to us within 40 working days of receipt by you of this response. Any such request received after this time will only be considered at the discretion of the Commissioner.

If having exhausted the review process you are not content that your request or review has been dealt with correctly, you have a further right of appeal to this office in our capacity as the statutory complaint handler under the legislation. To make such an application, please write to the First Contact Team, at the address below or visit the ‘Complaints’ section of our website to make a Freedom of Information Act or Environmental Information Regulations complaint online.
[/code]

Although I believe that the information is in the public's interest, as it would be useful for gauging the fines the ICO may dish out in future to other companies that suffer breaches, and for knowing what percentage of the UK population was affected by this breach, I won't be taking it any further. The amount the ICO fined Sony per individual user is quite ridiculous, putting the worth of a UK individual's Personally Identifiable Information at roughly 8p (£250,000 / 3,000,000 ≈ £0.083). If this is the case, why should organisations spend more than this per user on protecting that data (aside from the reputational loss, which Sony's share price showed was low)?

[0] http://www.telegraph.co.uk/technology/news/8475728/Millions-of-internet-users-hit-by-massive-Sony-PlayStation-data-theft.html
[1] http://www.dailymail.co.uk/sciencetech/article-2267502/Sony-fined-250-000-hacker-attack-exposed-details-77-MILLION-users--prevented.html