This is an HTML version of an attachment to the Freedom of Information request 'Compliance with Freedom of Information and Data Protection Acts'.
Information Access Team
Ground Floor, Seacole Building, 2 Marsham Street, London, SW1P 4DF 
Switchboard 020 7035 4848    Direct Line 020 7035 1022 
 [email address] [email address]
www.homeoffice.gov.uk 
Mr John Walker 
[FOI #22252 email]
Date: 16 November 2009    
Dear Mr Walker 
 
Freedom of Information request (our ref. 13201) 
 
Thank you for your e-mail of 30 October, in which you ask for information about Home 
Office compliance with the Data Protection and Freedom of Information Acts.  Your 
request has been handled as a request for information under the Freedom of 
Information Act 2000.  
 
The information which you requested, where it is held, is set out in the attached Annex.  
If you are dissatisfied with this response you may request an independent internal 
review of our handling of your request by submitting a complaint within two months to 
the address below, quoting reference 13201. If you ask for an internal review, it would 
be helpful if you could say why you are dissatisfied with the response.  
 
Information Access Team 
Home Office 
Ground Floor, Seacole Building 
2 Marsham Street 
London SW1P 4DF 
e-mail: [email address]
As part of any internal review the Department's handling of your information request will 
be reassessed by staff who were not involved in providing you with this response. If you 
remain dissatisfied after this internal review, you would have a right of complaint to the 
Information Commissioner as established by section 50 of the Freedom of Information 
Act.  
 
Yours sincerely 
Adrian Brook 

Information Access Team 
Annex 
 
FoI request from Mr John Walker (13201) 
 
1. 
http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx states: 
 
"22 January 2009. The ICO has required the Home Office to sign a formal undertaking 
after a contractor employed by the Home Office, PA Consulting, lost an unencrypted 
memory stick holding sensitive personal details of thousands of individuals in August 
2008. The Undertaking has been signed on behalf of the Home Office by Sir David 
Normington, the Permanent Secretary." 
 
1a. What was the nature of this "formal undertaking" [please supply a copy] 
 
We believe that the information you have requested is already reasonably accessible to 
you.  The undertaking can be found on the website of the Information Commissioner’s 
Office at the following link: 
http://www.ico.gov.uk/upload/documents/library/data_protection/notices/home_office_undertaking.pdf.
1b. What steps did you take to ensure this undertaking was complied with? 
 
Swift action was taken by the Home Office to respond to this incident, as described in 
the formal undertaking.  An Information Assurance Programme was in place in the 
Home Office at the time of this data loss and much of the work needed was already in 
hand. Steps to ensure that this undertaking is being complied with include: 
 
• Clarification of roles and responsibilities – identifying and defining the roles of 
Senior Information Risk Owners and Information Asset Owners. 
• Establishment of the above roles and the associated governance. 
• Establishing and strengthening cross-government links both with the Cabinet 
Office as Government Lead for Information Assurance and with other 
Government Departments. 
• Development and rollout of a self-assessment tool (HADRIAN) for suppliers to 
complete in which suppliers declare both the sensitivity of data being handled 
and the extent to which policies and procedures are in place to mitigate data loss 
risks for relevant goods and services.  The self-assessment is supplemented by 
a process which reviews the outputs to decide on audit activity and to feed back 
results to Commercial Managers with recommendations for improvement.  This is 
currently a work-in-progress project and will deliver further improvements in 
terms of secure data handling during 2010. 
• Contract terms and conditions relating to information security are currently being 
reviewed for inclusion in new contracts and are expected to be completed shortly. 
• Providing Information Assurance training for all Home Office staff – by educating 
our staff who are in sponsoring business units, we are hopefully strengthening their 
ability to ensure services provided by third parties are being delivered securely. 
• Production and implementation of policies and guidance around information 
security and incident response. 

• Annual security checks of IT systems and networks approved for holding 
sensitive personal information. 
 
2. The Home Office habitually breaks the law relating to the Freedom of Information Act 
2000 (the FOIA). The Information Commissioner's Office (ICO) has received hundreds 
of complaints about the Home Office's refusal to comply with FOIA. 
http://www.whatdotheyknow.com/request/home_office_reported_to_the_info_2 states: 
 
"We have issued 28 Decision Notices in relation to complaints about the Home Office" 
(with over 50 complaints in total upheld) 
 
2a. What action have you taken to ensure that you comply with the FOIA? 
 
The Home Office has recognised that it needs to improve its performance in relation to 
Freedom of Information requests.  We have or shortly will implement the following: 
 
• Improved awareness of FoI among all parts of the Department, particularly in 
relation to the requirement to answer FoI requests within 20 working days. 
• Improved guidance on FoI on the Home Office internal website. 
• Revised procedures, enabling staff in the Information Access Team and 
Information Access Practitioners in policy areas to track progress of FoI requests 
more effectively. 
• Increased resources in the Information Access Team, including additional 
temporary staff to deal with backlogs and more permanent staff on an ongoing 
basis. 
• A dedicated e-mail address for FoI requests, enabling the progress of requests to 
be monitored more effectively. 
 
2b. What has been the cost to the taxpayer of your arrogant and repeated refusal 
to comply with this law? 
 
The Home Office does not refuse to comply with the law and does not hold this 
information. 
 
2c. Are these breaches of the FOIA the result of a deliberate policy of law 
breaking by the Home Office or the result of incompetence and negligence? 
 
Neither. 
 
2d. If these breaches are the result of a deliberate policy of law breaking, what 
actions are you taking to ensure that the law is complied with in the future? 
 
The Home Office does not have such a policy, but the measures which we have 
undertaken or are undertaking to improve FoI performance are set out in the response 
to question 2a. 
 
2e. If these breaches are the result of incompetence and negligence, what 
disciplinary action is taken against those civil servants responsible? 
 
Since we do not accept that any breaches are the result of incompetence or negligence, 
this information is not held.