Manx Radio uncovers potential data breach in government FOI system

FOI search tool allows users to identify individuals and organisations behind requests

A potential data breach has been uncovered within the Isle of Man Government’s Freedom of Information system, raising serious questions about data privacy and the protection of individuals who submit information requests.

An investigation by Manx Radio has revealed that the FOI platform currently allows any member of the public to retrieve FOI requests submitted by specific individuals, organisations, or addresses.

By using the search platform’s ‘keywords’ function, users are able to input names, organisation titles, or even postcodes in order to identify who submitted particular requests.

For example, entering a person’s name in quotation marks (such as “Christian Jones” or “Tessa Hawley”) brings up all FOI requests submitted by that individual.

Similarly, searching for the name of an organisation (for instance, “Manx Radio”, “Business X”) or a specific postcode returns all requests linked to that entity or location.

This means individuals - whether private citizens, journalists, or representatives of organisations - can be directly linked to specific FOI requests.

In cases where the information sought could expose potential wrongdoing or draw political attention, this capability could lead to increased scrutiny or even personal risk for the requester.

Additionally, Manx Radio's analysis suggests that some redacted FOI documents still contain personal information within their metadata.

One such case involves a redacted email where, although the visible text does not name an individual, it is possible to identify them by linking the metadata to the associated Freedom of Information request.

This information, while not directly searchable or visible on the page, is still accessible via the keyword search function.

Under the Isle of Man Government’s own published Data Privacy Notice, personal data associated with FOI submissions should be deleted after 12 or 36 months, depending on whether an internal review was requested.

However, Manx Radio has found that requests submitted as far back as 2018 - more than 84 months ago - can still be linked to individuals through the current system.

On government’s website, under its GDPR section, it declares that it is “committed to high standards of privacy, including transparency and information security”, and that it seeks to comply fully with GDPR through a programme led by the Cabinet Office.

That initiative includes data protection training, improvements to information governance, and adherence to international standards.

Part of the government’s stated approach includes enhancing data integrity, building secure information management systems, and ensuring personal data is processed in a lawful and transparent manner.

Despite these commitments, the apparent vulnerability of the FOI system could represent a contradiction of these principles, particularly regarding the transparency of personal data handling, and the safeguarding of individuals who may reasonably expect anonymity in relation to their information requests.

Manx Radio has contacted the Isle of Man Government for a response and has also approached the Information Commissioner’s Office, which has confirmed it's launched an investigation.

Government has disabled access to the Freedom of Information search system, and the Director of the Office of Cyber Security and Information Assurance, Mike Haywood, issued a statement:

"We are currently working with stakeholders and the ICO to investigate issues that have recently been highlighted to us, and we will provide an update in due course.

"Once the root cause has been identified we will look at possible solutions, and work towards testing and deploying a fix. In the meantime, the page in question has been taken down."
