THE leak that saw the Brexit department pass an MSP's constituent case to a Tory MP has not been reported to the data watchdog, The National can reveal.

Keith Brown has urged the head of the civil service to investigate the sharing of MSPs' correspondence by Westminster departments after a matter raised by him on behalf of a local businessman was passed to the office of Luke Graham MP.

The businessman had not contacted Graham's office and Clare Moriarty, Permanent Secretary to the Department for Exiting the European Union (DExEU), said a member of her staff was responsible. She said action has been taken and Graham – who argued Brown should have told him about the matter anyway – has been asked to delete all records relating to the case.

READ MORE: SNP call for data breach probe after leak to Scottish Tory MP

Now The National can reveal that DExEU did not report the matter to the independent Information Commissioner's Office (ICO), which can issue fines for data breaches.

Data controllers within organisations are responsible for reporting these to the ICO on a case-by-case basis, depending on the perceived risk to the public.

The ICO said: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms.

"If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.

"If anyone has concerns about how their data has been handled, they can report these concerns to us."