
Threatening words from torturer's solicitors

A Freedom of Information request to Scottish Government by David Hansen

The request was partially successful.

David Hansen

23 March 2009

Dear Sir or Madam,

In
http://www.whatdotheyknow.com/request/to...
you provided a copy of some threatening words from solicitors
acting for a company accused of collaborating with torture and
which you have given a contract to for the census. Please provide
the following information.

The threatening letter asserts that you, "carefully evaluated the
commitment of CACI UK to protect the confidentiality of the
personal data collected during the Scottish census project". Please
provide copies of the evaluations which were undertaken on this. If
there are no written evaluations please provide a note of the
thought process involved in this "evaluation".

The threatening letter asserts that, "strict protections
safeguarding the handling of data collected pursuant to the
contract", have been put in your contract with the torturers.
Please provide a copy of these "strict protections" in the
contract.

Please provide a copy of your strategy to ensure, if the project
goes ahead, that these "strict protections" are not just empty
waffle.

Please provide a copy of your strategy to ensure, if the project
goes ahead, that the assertion that, "At all times, the census data
will be securely held in Scotland", is not just empty waffle. This
strategy presumably includes an enforceable prohibition on all
removable devices and telecommunications with the building(s) in
which the data is held. If there are telecommunications with the
building please explain the magic by which the data will be
restricted just to Scotland.

Please also note that "replies" which involve attachments in
proprietary file formats are not acceptable. A reply which is not
in plain text format will be deemed to be a refusal to answer. In
view of the diverse nature of the enquiry if you are unable to
produce some items in plain text format then please contact me to
explain the particular difficulty with some cases of information so
that we can agree a suitable format.

Yours faithfully,

David Hansen


Scottish Government

23 March 2009

Dear Mr Hansen

I acknowledge receipt of your request which was received in our office
today.

Yours sincerely

G Drysdale

General Register Office for Scotland
Ladywell House
Ladywell Road
Edinburgh
EH12 7TF


Scottish Government

20 April 2009


Attachment: Scottish Census CACI Presentation extract.pdf (347K)

Dear Mr Hansen,

Thank you for your request for information under the Freedom of
Information (Scotland) Act 2002 (FOISA).  
 
We have provided plain text electronic copies of all information held by
the General Register Office for Scotland (GROS) answering the questions
raised under the 4 headings below: 

1. … letter asserts that you "carefully evaluated the commitment of
CACI UK to protect the confidentiality of the personal data collected
during the Scottish census project". Please provide copies of the
evaluations which were undertaken on this.

2. … letter asserts that, "strict protections safeguarding the
handling of data collected pursuant to the contract", have
been put in your contract…. Please provide a copy of these "strict
protections" in the contract.

3. Please provide a copy of your strategy to ensure, if the project goes
ahead, that these "strict protections" are not just empty waffle.

4. Please provide a copy of your strategy to ensure, if the project goes
ahead, that the assertion that, "at all times, the census data will be
securely held in Scotland", is not just empty waffle. This strategy
presumably includes an enforceable prohibition on all removable devices
and telecommunications with the building(s) in which the data is held. If
there are telecommunications with the building please explain the magic by
which the data will be restricted just to Scotland.

The information is summarised in the bulleted list below, with the
information itself following in the order shown:

* A. Extract from evaluation process describing evaluation scoring
model (note that weight system applied was 1 to 5, with 5
reflecting the highest importance)
* B. Extract from the final moderated evaluation scores.
* C. Extract from CACI UK bid presentation to illustrate their bid
response, relevant to security.
* D. Extract from the recommendation of preferred bidder paper for
Scotland’s 2011 Census Programme Board.
* E. Extract from contract - A. AnnexC-1: Standards and Policies -
General (C).
* F. Extract from contract - B. Schedule 2-1; Service Requirements -
General (C).
* G. Extract from contract - Appendix A Census Confidentiality
Undertaking.
* H. Extract from contract - Schedule 3-1: Authority
Responsibilities - General (C).
* I. Extract from contract - Schedule 4-1: The Solution - General
(C).
* J. Extract from contract - Schedule 5 - Service Levels (C).
* K. Extract from contract - Terms and Conditions.
* L. Extract from Services and Systems for the Census in Scotland
(SaSCinS) Statement of Requirements v1.0.
* M. Response to telecommunications question.
* N. Protections in place to safeguard the handling of data

The information supplied to you continues to be protected by the
Copyright, Designs and Patents Act 1988. You are free to use it for your
own purposes, including any non-commercial research you are doing and for
the purposes of news reporting. Any other re-use, for example commercial
publication, would require the permission of the copyright holder. Most
documents supplied by the General Register Office for Scotland will have
been produced by government officials and will be Crown Copyright. You
can find details on the arrangements for re-using Crown Copyright material
on the OPSI website ([1]http://www.opsi.gov.uk/click-use/index.htm).

Information you receive which is not subject to Crown Copyright continues
to be protected by the copyright of the person, or organisation, from
which the information originated. You must ensure that you gain their
permission before reproducing any third party (non Crown Copyright)
information.

If you are unhappy with this response to your request, you may ask us to
carry out an internal review, by writing to:

Mr Eddie Turnbull
Head of Corporate Services
General Register Office for Scotland
Ladywell House
Ladywell Road
Edinburgh
EH12 7TF

Your request should explain why you wish a review to be carried out, and
should be made within 40 working days of receipt of this letter, and we
will reply within 20 working days of receipt. If you are not satisfied
with the result of the review, you then have the right to make a formal
complaint to the Scottish Information Commissioner.

Yours sincerely,

Peter Scrimgeour
Census Director


C. Extract from CACI UK bid presentation to illustrate their bid response,
relevant to security.
<<Scottish Census CACI Presentation extract.pdf>>

________________________________________________________________________________________________________________________________________

D. Extract from the recommendation of preferred bidder paper for
Scotland's 2011 Census Programme Board

5.5.1 … Slight legal issue due to CACI being a US firm and thus
potentially subject to Patriot Act, although the bid here is from CACI UK,
a wholly British subsidiary which we believe mitigates any risk. CACI
proposed acquiring a Privacy Impact Assessment which would further
mitigate any risk. …

________________________________________________________________________________________________________________________________________

E. Extract from contract - A. AnnexC-1: Standards and Policies - General
(C).
Description: CACI UK Ltd (CACI) are required to conform directly to the
Standards and Policies laid out in the table below. In some instances,
CACI are required to develop Standards and Policies relating directly to
the provision of the Services, and some GROS present Standards and
Policies were provided as an indication of what is required.

Columns: Standard/Policy title; Service Provider must comply; Service
Provider must develop and comply. A tick (✓) marks the column(s) that
apply to each standard; notes from the table follow in brackets.

* Security Documentation (see Items C-1-7, C-1-9, C-1-10, C-1-11,
C-1-12, C-1-13 for constituent items (excluding those constituent items
to be prepared by the Service Provider)) ✓
* Authority's IS Security Policy ✓
* UK HMG Information Security policies, guidelines and standards,
including those produced by the Communications-Electronics Security
Group (CESG) ✓
* UK HMG Manual of Protective Security ✓
* 2011 Census Confidentiality Guidelines ✓ (Guidelines covering the
handling of confidential Census information)
* Security - e-Government Strategy Framework Policy and Guidelines ✓
* Security Measures - UK HMG specifications for RESTRICTED level
operations ✓ (Additional measures required in some areas - see
Schedule 2-1 for details)
* BS7799 / ISO 27001 Information Security Management ✓ (Refer to
Schedule 2-1 for details of compliance and accreditation
requirements) ✓ (Note: Standard requires additional documentation to
be prepared. Refer to Schedule 2-1 for details of required
documentation)
* BS25999 Business Continuity Management ✓ (Compliance and
Accreditation required)
* Quality Certification (ISO 9001:2000) or any equivalent standard
which is generally recognised as having replaced it or compliance with
the Service Provider's own quality certification ✓

________________________________________________________________________________________________________________________________________

F. Extract from contract - B Schedule 2-1: Service Requirements - General
(C).
Description: The Service Requirements applicable to security that CACI
are required to meet in providing the Services are as follows.

Requirement Reference | Security
2-1-10-05 The Service Provider shall comply with the security
policies and guidance provided by the Authority, including:

a. UK HMG Information Security policies, guidelines and standards,
including those produced by the CESG;
b. UK HMG Manual of Protective Security;
c. The 2011 Census Confidentiality Declaration and Guidelines; and,
d. UK HMG e-government security framework requirements.
2-1-10-10 The Service Provider shall install security measures
that comply with the Authority’s requirements. These shall follow UK
HMG specifications for RESTRICTED level operations unless otherwise
agreed with the Authority, but bespoke solutions providing additional
safeguards shall be required in some areas to be specified by the
Authority in a Security Aspects letter. If there is any doubt about
the applicability of any security measure for any given item/aspect,
the Authority shall be consulted and the issue discussed and agreed to
before any measures are put in place.
2-1-10-15 The Service Provider shall allow security audit checks
and penetration tests on the Internet services and any other services
provided by the Service Provider at any agreed time, by the
independent body appointed by the Authority, and shall put right any
deficiencies in the agreed level of security.
2-1-10-20 The Service Provider’s Information Security
Management System for the Census services shall comply with and be
independently assessed to the BS7799 / ISO 27001 standard. The scope
and nature of the assessment shall be agreed between the Authority and
the Service Provider.
2-1-10-25 The Service Provider shall prepare, deliver, maintain
and comply with all documentation to meet confidentiality, integrity
and availability requirements and the BS7799 / ISO 27001 accreditation
processes, including:
e. Security Policy;
f. Organisation of Information Security;
g. Asset Management;
h. Human Resources Security;
i. Physical and Environmental Security;
j. Communications and Operations Management;
k. Access Control;
l. Information Systems Acquisition, Development and Maintenance;
m. Information Security Incident Management;
n. Business Continuity Management; and,
o. Compliance – Regulatory and Legal.
2-1-10-30 All persons either employed in processing the Census,
or otherwise contracted to supply other services to the Registrar
General for Scotland in connection with the 2011 Census, shall be
subject to the strict confidentiality provisions of the Census Acts.
All such persons shall give an undertaking indicating that they are
aware of the penalties for unlawfully disclosing Census Data using the
form attached at Appendix A.
2-1-55-05 The Service Provider shall work with the Authority’s
network management team to maintain effective liaison, including:
p. fault reporting;
q. service levels;
r. network security violations;
s. maintaining dialogue during communications difficulties;
t. planned interruptions; and,
u. proposed changes to the technical environment.
2-1-80-60 Whenever the Service Provider commissions an
audit/check from their security partner for any element of the
project, the Authority shall be notified in advance of the scope and
terms of reference of the work to be undertaken.
2-1-80-65 The Service Provider shall provide copies of final
reports of any audit/check by their security partner to the Authority,
so that the Authority can monitor the security content of the Services
as they are developed.
2-1-90-05 After the 2009 Rehearsal, the Service Provider shall
develop and implement a plan for the deployment, scaling up and
commissioning of all final operational Services (i.e. operational
sites, security arrangements, equipment, systems, operational
management and staff, operational procedures, training materials etc).
The plan shall be agreed in discussions between the Service Provider
and the Authority and reflect the milestones in the Detailed
Implementation Plan. The Authority wish to assess progress on
deployment, scaling up and commissioning activities and may observe
some of the activities carried out to obtain assurance.
2-1-90-10 For the 2011 Census, the Service Provider shall
conduct appropriate system tests during the final development and
scaling up phase (inc. performance, resilience, security, volume and
stress tests).
2-1-90-15 After scaling up has been completed, the Service
Provider shall demonstrate operational readiness for the whole Service
to the satisfaction of the Authority. This shall be achieved by
successfully completing operational readiness tests on the full-scale
operational Service (accommodation, security arrangements, equipment,
systems, operating procedures, operations staff, training materials
etc).

________________________________________________________________________________________________________________________________________

G. Extract from contract - Appendix A Census Confidentiality Undertaking.

APPENDIX A CENSUS CONFIDENTIALITY UNDERTAKING

1. Introduction

Everyone working on the Census, either employed by, or otherwise
contracted to supply other services, to the Registrar General in
connection with the Census is subject to the strict confidentiality
provisions of the Census Act 1920 as amended by the Census
(Confidentiality) Act 1991. It is a breach of the law to contravene this
legislation.

Everyone working with or who have access to Census Data will be required
to give a Census Confidentiality Undertaking that they fully understand
their legal obligations and are aware of the penalties for unlawfully
disclosing Census Data.

When you have read the legislation, please sign the Confidentiality
Undertaking and pass it to your supervisor for submission to the GROS
Census Programme Support Office. Remember to retain the top part of the
Undertaking.

2. Census Act 1920 as amended by the Census (Confidentiality) Act
1991

Section 8 of the Census Act 1920 as amended by the Census
(Confidentiality) Act 1991, states:

"8(1) If any person -

(a) refuses or neglects to comply with or acts in contravention of any of
the provisions of this Act or any Order in Council or regulations made
under this Act; or

(b) being a person required under this Act to make a statutory declaration
with respect to the performance of his duties, makes a false declaration;

he shall for each offence be liable on summary conviction to a fine not
exceeding level 3 on the standard scale.

8(2) If the Registrar General for England and Wales or the Registrar
General for Scotland ("the Registrars") or any person who is -

(a) under the control of either of the Registrars; or

(b) a supplier of any services to either of them

discloses any personal Census information to another person, without
lawful authority, he shall be guilty of an offence.

8(3) If any person discloses to another person any personal Census
information which he knows has been disclosed in contravention of this
Act, he shall be guilty of an offence.

8(4) It shall be a defence for a person charged with an offence under
subsection (2) or (3) to prove -

(a) that at the time of the alleged offence he believed

(i) that he was acting with lawful authority; or

(ii) that the information in question was not personal Census
information; and

(b) that he had no reasonable cause to believe otherwise.

8(5) A person guilty of an offence under subsection (2) or (3) shall be
liable -

(a) on summary conviction, to imprisonment for a term not exceeding six
months or to a fine not exceeding the statutory maximum or to both;

(b) on conviction on indictment, to imprisonment for a term not exceeding
two years or to a fine or to both.

8(6) For purposes of this section -

(a) references to a Registrar include, where he is also the holder of a
designated office, references to him in his capacity as the holder of that
office;

(b) a person is to be treated as under the control of one of the
Registrars if he is, or has been -

(i) employed by that Registrar (whether or not on a full-time basis);
or

(ii) otherwise employed, or acting, (whether or not on a full-time
basis) as part of that Registrar's staff for purposes of this Act;

(c) a person is to be treated as a supplier of services to a Registrar if
he -

(i) supplies, or has supplied, any services to that Registrar in
connection with the discharge by that Registrar of any of his
functions; or

(ii) is, or has been, employed by such a supplier.

8(7) In this section -

"census information" means any information which is –

(i) acquired by any person mentioned in subsection (2) above in the
course of any work done by him in connection with the discharge of
functions under section 2 or 4 of this Act;

(ii) acquired by any such person in the course of working, for
purposes of section 5 of this Act, with any information acquired as
mentioned in sub-paragraph (i) above; or

(iii) derived from any information so acquired.

“designated office”, in relation to a Registrar, means any office for
the time being designated by him in writing for the purposes of this
section; and

“personal Census information” means any Census information which
relates to an identifiable person or household.

3. The Census (Scotland) Regulations 2000 as amended by the Census
(Scotland) Amendment Regulations 2000

Regulation 15 (3) of the Census (Scotland) Regulations 2000, states:

A person to whom information is given pursuant to the Census Order and
these Regulations shall not without lawful authority -

a) make use of that information; or

b) publish it or communicate it to any other person, otherwise than
for the purpose of the Act.

Regulation 16 of the Census (Scotland) Regulations 2000, states:

Any person having the custody, whether on his own behalf or on behalf of
any other person, of any forms of return or other documents (including
electronic documents) containing personal census information shall keep
such forms and documents in such a manner as to prevent any unauthorised
person having access to them.

________________________________________________________________________________________________________________________________________

H. Extract from contract - Schedule 3-1 Authority Responsibilities
-General (C).

Description: Authority responsibilities for security aspects

Requirements Reference | Responsibility
3-1-05-10 The Authority staff resources shall provide expertise to
assist the Service Provider in specific tasks, as agreed, including:

a. Certain detailed design and specification (e.g. Internet services
design or optimisation of databases for coding);
b. Some testing (e.g. integration testing or operational readiness
testing); and,
c. Independent quality assurance (e.g. security penetration testing,
process assessment, outputs checking).

________________________________________________________________________________________________________________________________________

I. Extract from contract - Schedule 4-1: The Solution -General (C).

Description: Defines the Solution that CACI shall provide to meet GROS’
General Service Requirements specified in Schedule 2-1.

2-1-10-00 Security
2-1-10-05 The Service Provider shall work closely with the
Authority’s Information Security Officer and IT Security Co-ordinator to
ensure that all HMG security policies, standards and guidance have been
identified and assessed, during Service Specification.

The Service Provider shall ensure that Census-specific security policies,
standards and end-user guidance/operating procedures are included in the
overall Information Security Management System (ISMS) development plan,
defined during Service Specification. The security requirements provided
by, and agreed with, the Authority will serve as the baseline of minimum
security controls and countermeasures for the Census operations.
2-1-10-10 The Service Provider shall ensure that the baseline
requirements (baseline security controls and countermeasures) are
identified, documented and implemented and shall carry out audit checks to
verify the Services are conducted to RESTRICTED level. The baseline
security measures shall be incorporated into the Information Security
Management System (ISMS) and shall be implemented, operated, monitored and
improved in line with the requirements of ISO27001.
2-1-10-15 The Service Provider shall allow the Authority’s
appointed independent body to carry out audit checks and penetration tests
on a periodic basis throughout the Census project. The Service Provider
shall make the details of follow-up remedial actions and their progress
towards completion available to the Authority.

The Service Provider shall ensure that metrics, measures and other
evidence requirements shall be defined during Service Specification and
implemented during Solution development.
2-1-10-20 The Service Provider shall agree the information security
requirements with the Authority, develop the ISMS and have it
independently accredited to BS7799/ISO 27001.

The Service Provider shall use a risk-based approach to all aspects of the
design, development, testing, implementation, deployment and operation of
the Census operational services. The risk assessment approach and risk
management process shall be defined, including the criteria for risk
acceptance and definition of the Authority’s risk appetite with regard
to the Census operations, during Service Specification.
2-1-10-25 The Service Provider shall meet the security and
confidentiality requirements through the establishment and implementation
of an ISMS. All relevant HMG policy, guidelines and standards shall be
adhered to by the Service Provider.

During Service Specification a baseline of security controls and
countermeasures shall be defined by the Service Provider and documented
and controls selected to mitigate unacceptable risks, with the Authority.

The Service Provider shall record the selected controls objectives and
controls in the Statement of Applicability.
2-1-10-30 The Service Provider’s staff shall be required to sign
the Census Confidentiality Undertaking and to adhere to the Census
Confidentiality Guidelines.
2-1-20-20 The Service Provider shall develop a security awareness
and training programme in conjunction with the Authority. On-site
information security awareness training shall be provided for all staff.

The Service Provider shall deliver ongoing information security awareness
messages and reminders to all personnel through appropriate communication
methods on a regular basis.
________________________________________________________________________________________________________________________________________

J. Extract from contract - Schedule 5 - Service Levels (C).

Description: Sets out the Service Levels that CACI shall meet in
performing the Services specified in Schedule 2 and other Schedules.

Type of service: Secure destruction of Census related materials
Definition: 100% destruction of artifacts listed in destruction manifest
Comments: The monitoring arrangements for the service level and the list
of "Census related materials" will be prescribed in the appropriate
quality management plan or decommissioning plan.

Type of service: (as above)
Definition: No artifact identified for destruction found outside secure
area
Comments: The term "artifact identified for destruction" will be agreed
in the appropriate quality management plan or decommissioning plan.

________________________________________________________________________________________________________________________________________

K. Extract from contract - Terms and Conditions

Description: Contract terms and conditions relating to security,
confidentiality and data protection.

1. AUTHORITY DATA

1.1 The Service Provider shall not (and shall procure that the
Service Provider Personnel shall not) delete or remove any
proprietary notices or ERMI contained within or relating to the
Authority Data.

1.2 The Service Provider shall not (and shall procure that the
Service Provider Personnel shall not) store, copy, disclose, or use
the Authority Data except as necessary for the performance by the
Service Provider of its obligations under this Agreement or as
otherwise expressly authorised in writing by the Authority.

1.3 If the Authority Data is held and/or processed by the Service
Provider, the Service Provider shall supply that Authority Data to
the Authority as requested by the Authority in Schedule 2 (Service
Requirements).

1.4 Upon receipt or creation by the Service Provider of any
Authority Data and during any collection, processing, storage and
transmission by the Service Provider of any Authority Data, the
Service Provider shall take all precautions necessary to preserve the
integrity of the Authority Data and to prevent any corruption or loss
of the Authority Data.

1.5 If at any time the Service Provider suspects or has reason to
believe that Authority Data has or may become corrupted, lost,
destroyed or sufficiently degraded in any way for any reason, then
the Service Provider shall Notify the Authority immediately and
inform the Authority of the remedial action the Service Provider
proposes to take.

1.6 The Service Provider shall not (and shall procure that the
Subcontractors shall not):

1.6.1 purport to sell, let, hire, assign rights in or
otherwise dispose of Authority Data;

1.6.2 make any Authority Data available to any Third Party;

1.6.3 make any Authority Data available to Subcontractors
unless it is necessary for the Subcontractors to perform their
part of the supply of the System or provision of the Services;
or

1.6.4 commercially exploit the Authority Data.

2. PROTECTION OF PERSONAL DATA

2.1 With respect to the Authority Personal Data, the Authority
appoints the Service Provider as a Data Processor. The Service
Provider shall not assume any responsibility for determining the
purposes for which and the manner in which the Authority Personal
Data is Processed, but nevertheless shall comply at all times with
the Data Protection Requirements.

2.2 The Service Provider shall (and shall procure that the
Subcontractors shall):

2.2.1 Process the Authority Personal Data only in accordance
with instructions from the Authority (which may be specific
instructions or instructions of a general nature as set out in
this Agreement or as otherwise Notified by the Authority to the
Service Provider during the Term);

2.2.2 unless otherwise requested by the Authority, Process
the Authority Personal Data only to the extent, and in such
manner, as is necessary for the provision of the Services;

2.2.3 implement appropriate technical and organisational
measures (including those specified by the Data Protection
Requirements) to protect the Authority Personal Data against
unauthorised or unlawful processing and against accidental
loss, destruction, damage, alteration or disclosure. Subject to
the Service Provider’s obligation to comply with the Data
Protection Requirements, the Service Provider acknowledges that
the technical and organisational measures shall be appropriate
to the harm which might result from any unauthorised or
unlawful Processing, accidental loss, destruction or damage to
the Authority Personal Data and having regard to the nature of
the Authority Personal Data which is to be protected;

2.2.4 when implementing and updating technical and
organisational measures, have regard to:

(a) the sensitive nature of the personal data
contained within the Authority Personal Data and
the substantial harm which would result from
unauthorised or unlawful processing or accidental
loss or destruction of or damage to such personal
data; and

(b) the state of technological development and the
cost of implementing such measures;

2.2.5 ensure:

(a) the reliability and integrity of any Service
Provider Personnel who have access to the
Authority Personal Data;

(b) that all Service Provider Personnel involved
in the Processing of the Authority Personal Data have
undergone adequate training in the care, protection
and handling of Personal Data; and

(c) that all such Service Provider Personnel
perform their duties strictly in compliance with the
Data Protection Requirements and with the provisions
of Clause 51 (Confidentiality) by treating such
Authority Personal Data as Confidential Information;

2.2.6 neither disclose nor transfer the Authority Personal
Data to any Subcontractors or Affiliates other than where
strictly necessary for the provision of the Services and in
such event the Service Provider shall obtain the Prior Written
Consent of the Authority and secure that the Subcontractor or
Affiliate processes Data in accordance with the Data Protection
Requirements and this Clause 49;

2.2.7 promptly comply with the applicable Data Protection
Requirements if it receives:

(a) a request from a Data Subject concerning any
information relating to himself (whether or not
relating to Authority Personal Data);

(b) a request from the Authority or a Data Subject
to rectify, block or erase any Authority Personal
Data, to prevent the processing of Authority Personal
Data in connection with direct marketing and/or to
require an explanation of any decision made by
automated means in respect of that person's Personal
Data; or

(c) a complaint, communication or request relating
to the Authority's obligations under the Data
Protection Legislation (including requests from the
Information Commissioner);

2.2.8 provide the Authority with full cooperation and
assistance (within the timescales required by the Authority) in
relation to any complaint, communication or request made,
including by:

(a) complying fully with the applicable Data
Protection Requirements;

(b) providing the Authority with full details of
the complaint, communication or request;

(c) providing the Authority with any Authority
Personal Data it holds in relation to a Data Subject
(within the timescales required by the Authority); and

(d) providing the Authority with any information
requested by the Authority;

2.2.9 permit the Authority or an Authority Representative
(subject to the provisions of Clause 35 (Audits), to inspect
and audit the Service Provider's data Processing activities
(and/or those of its agents, Affiliates and Subcontractors) and
comply with all reasonable requests or directions by the
Authority to enable the Authority to verify and/or procure that
the Service Provider or Subcontractor (as the case may be) is
in full compliance with the Data Protection Requirements and
their obligations under this Agreement;

2.2.10 provide a written description of the technical and
organisational methods employed by the Service Provider or
Subcontractor (as the case may be) for Processing Authority
Personal Data (within the timescales required by the
Authority);

2.2.11 Process and permit the Processing of Authority Personal
Data in the United Kingdom and at no stage remove Authority
Personal Data from the United Kingdom;

2.2.12 not include Authority Personal Data in any product or
service offered by the Service Provider or Subcontractor (as
the case may be) to third parties unless it is specifically
required as part of the provision of the Services; and

2.2.13 not carry out any research, analysis or profiling
activity which involves the use of any element of Authority
Personal Data (including in aggregate form) or any information
derived from any processing of such Authority Personal Data
unless it is specifically required as part of the provision of
the Services.

2.3 The Service Provider shall assist the Authority to comply
with any obligations under the Data Protection Legislation and shall
not perform its obligations under this Agreement in such a way as to
cause the Authority to breach any of its applicable obligations under
the Data Protection Legislation.

2.4 The Service Provider acknowledges that compliance with the
provisions of this Clause 49 is of the utmost importance to the
Authority and that any breach may cause the Authority to suffer not
only financial Loss but also other direct and indirect losses in
terms of the use and application of the System and/or the Services.

3. FREEDOM OF INFORMATION

3.1 The Service Provider acknowledges that the Authority is
subject to the FOISA (the Freedom of Information (Scotland) Act
2002), and the Environmental Information Regulations and shall assist
and cooperate with the Authority to enable the Authority to comply
with FOISA and the Environmental Information Regulations.

3.2 The Service Provider shall (and shall procure that the
Subcontractors shall):

3.2.1 transfer to the Authority all Requests for Information
that it or they receive as soon as practicable and in any event
within two (2) Working Days of receiving a Request for
Information;

3.2.2 provide the Authority with a copy of all Information in
its or their possession or power in the form that the Authority
requires within five (5) Working Days (or such other period as
the Authority may specify) of the Authority's request; and

3.2.3 provide all necessary assistance as reasonably
requested by the Authority to enable the Authority to respond
to the Request for Information within the time for compliance
set out in section 10 of the FOISA or regulation 5 of the
Environmental Information Regulations (as applicable).

3.3 The Service Provider, if it has designated information as
Commercially Sensitive Information, acknowledges that any
Commercially Sensitive Information is of indicative value only. The
Authority acknowledges the nature of the Commercially Sensitive
Information but shall be responsible for determining whether the
Commercially Sensitive Information and/or any other Information is
required to be disclosed pursuant to a Request for Information and
whether it is exempt from disclosure in accordance with the
provisions of the FOISA or the Environmental Information Regulations.

3.4 The Service Provider shall not respond directly to a Request
for Information unless expressly authorised to do so by the
Authority.

3.5 The Service Provider acknowledges that the Authority is
entitled to disclose Information without consulting or obtaining
consent from the Service Provider, or having taken the Service
Provider’s views into account.

3.6 The Service Provider shall ensure that all Information is
retained for disclosure, and shall permit the Authority to inspect
such records as requested from time to time.

3.7 Without prejudice to Clause 50.5, where the Authority
receives a Request for Information that relates to Commercially
Sensitive Information the Authority may elect to notify the Service
Provider of its receipt of a Request for Information, in which case,
the Parties shall comply with the procedure set out below:

3.7.1 subject to Clause 50.7.4, the Authority shall, before
making any disclosure of the requested information and as soon
as reasonably practicable after receiving the Request for
Information, notify the Service Provider of the receipt of the
Request for Information and of the nature and extent of the
information covered by the Request for Information;

3.7.2 following notification under Clause 50.7.1, the Service
Provider may make representations in writing to the Authority
as to whether and on what basis the requested information is
covered by an exemption in the FOISA or Environmental
Information Regulations and, therefore, should be disclosed,
including, without limitation, any representations as to the
balance of the public interests in disclosure and
non-disclosure;

3.7.3 the Authority shall reasonably consider any
representations and recommendations made by the Service
Provider under Clause 50.7.2 before reaching a decision on
whether it must and will disclose the requested information;

3.7.4 notwithstanding Clause 50.7.1, the Authority shall not
be obliged to notify the Service Provider under that Clause
where the Authority has already decided that it does not intend
to disclose the requested information because the FOISA or the
Environmental Information Regulations do not apply to the
Request for Information or an exemption under the FOISA or
Environmental Information Regulations can be applied.

3.7.5 if the Authority makes a decision to disclose the
requested information, it shall notify the Service Provider of
this decision;

3.7.6 for the avoidance of doubt, nothing in Clause 50.7
prohibits the disclosure of any information by the Authority
where such disclosure is necessary to comply with the FOISA or
the Environmental Information Regulations and to that extent the
Authority shall not be in breach of its obligations of
confidentiality under Clause 51 (Confidentiality).

4. CONFIDENTIALITY

4.1 Except to the extent set out in this Clause 51 or where
disclosure is expressly permitted elsewhere in this Agreement, each
Party shall (and in the case of the Service Provider, procure that
the Subcontractors shall):

4.1.1 treat the other Party's Confidential Information as
confidential and keep it in secure custody (which is
appropriate depending upon the form in which such materials are
stored and the nature of the Confidential Information contained
in those materials);

4.1.2 not disclose the other Party's Confidential Information
to any other person without the owner's Prior Written Consent;
and

4.1.3 immediately Notify the other Party if it suspects or
becomes aware of any unauthorised access, copying, use or
disclosure in any form of any of the other Party's Confidential
Information.

4.2 Clause 51.1 shall not apply to the extent that:

4.2.1 disclosure is made in accordance with the FOISA or the
Environmental Information Regulations pursuant to Clause 50
(Freedom of Information) or is otherwise required by reason of
a court order or other obligation (not including a contract
obligation) to which the Authority or the Service Provider is
subject;

4.2.2 the information was obtained from a third party without
obligation of confidentiality;

4.2.3 the information was already in the public domain at the
time of disclosure otherwise than by a breach of this
Agreement; or

4.2.4 the information is independently developed without
access to the other Party's Confidential Information.

4.3 If the Service Provider or any Subcontractor is required by
Law to make a disclosure of the Authority Confidential Information,
the Service Provider shall as soon as reasonably practicable:

4.3.1 Notify the Authority of the full circumstances of the
required disclosure including the relevant Law and/or
regulatory body requiring such disclosure and the Authority
Confidential Information to which such disclosure would apply;

4.3.2 supply to the Authority a legal opinion indicating that
disclosure is necessary (which may include a note of advice
from an in-house legal adviser of the Service Provider or
advice from the Service Provider's solicitors);

4.3.3 consult with the Authority as to the possible steps to
avoid or limit disclosure and take those steps, provided that
they do not result in significant adverse consequences to the
Parties;

4.3.4 to the extent reasonably possible, seek confidentiality
undertakings from the body which is to receive the Authority
Confidential Information; and

4.3.5 agree with the Authority in advance the particulars of
the Authority Confidential Information to be disclosed
including, in the case of any stock exchange announcement, the
relevant wording.

4.4 The Service Provider shall (and shall procure that the
Subcontractors shall):

4.4.1 implement security practices against any unauthorised
copying, use, disclosure (whether that disclosure is oral, in
writing or in any other form), access and damage or destruction
of Authority Confidential Information including the
implementation of and compliance with those security
requirements relating to the Authority Confidential Information
as set out in the Security Documentation or as otherwise
Notified by the Authority from time to time;

4.4.2 ensure that all copies of Confidential Information
which contain Protectively Marked Information shall be clearly
marked in accordance with the security marking classification.

4.4.3 ensure that the Authority Confidential Information can
be separately identified from the Service Provider's own
information for the purposes of Audit, and the Service
Provider's obligations to return and destroy such information
on termination or expiry of this Agreement in accordance with
Clause 66 (Termination Rights).

4.5 Subject to Clauses 51.1.2 and 51.2 the Service Provider may
only disclose the Authority Confidential Information to:

4.5.1 the Service Provider Personnel who are directly
involved in the provision of the Deliverables and the Services
and who need to know the information to enable performance of
their obligations under this Agreement, and shall ensure that
such Service Provider Personnel are aware of and shall comply
with these obligations as to confidentiality;

4.5.2 the Service Provider's insurers to the extent necessary
to enable the Service Provider to meet its obligations to such
insurers (upon first obtaining from such insurers a written
undertaking of confidentiality in relation to the Authority
Confidential Information in question, on the same terms as are
contained in this Agreement); and

4.5.3 any bank or financial institution from whom it is
seeking or obtaining finance (upon first obtaining from such
bank or institution a written undertaking of confidentiality in
relation to the Authority Confidential Information in question,
on the same terms as are contained in this Agreement).

4.6 The Service Provider shall not, (and shall procure that the
Subcontractors shall not), use or copy any of the Authority
Confidential Information other than for the purposes of this
Agreement.

4.7 Nothing in this Agreement shall prevent the Authority from
using the Service Provider Confidential Information to the extent
necessary for the Authority to benefit from the Services.

4.8 Nothing in this Agreement shall prevent the Authority from
disclosing the Service Provider Confidential Information:

4.8.1 to any Crown Body and/or any other Contracting
Authority provided that the Authority makes such disclosure on
the basis that the information is confidential and is not to be
disclosed to a third party which is not part of any Crown Body
and/or any Contracting Authority. The Service Provider agrees
that all Crown Bodies and/or Contracting Authorities receiving
such Confidential Information shall be entitled to further
disclose the Confidential Information to other Crown Bodies
and/or other Contracting Authorities on the basis that the
information is confidential and is not to be disclosed to a
Third Party which is not part of any Crown Body and/or any
Contracting Authority;

4.8.2 to the extent the Authority (acting reasonably) deems
disclosure necessary or appropriate in the course of carrying
out its public functions;

4.8.3 to any professional adviser, insurance agent, insurance
provider, consultant, contractor or other person engaged by the
Authority or any person conducting a Gateway Review in respect
of either this Agreement or related Authority programmes;

4.8.4 for the purpose of the examination and certification of
the accounts of the Authority;

4.8.5 for any examination pursuant to section 23 of the
Public Finance and Accountability (Scotland) Act 2000 of the
economy, efficiency and effectiveness with which the Authority
is making use of the System and/or Services;

4.8.6 if the disclosure relates to the outcome of the
procurement process for the Services supplied under this
Agreement as may be required to be published in the Supplement
to the Official Journal of the European Union in accordance
with EC directives or elsewhere in accordance with requirements
of UK Government policy on the disclosure of information
relating to government contracts;

4.8.7 to a proposed transferee, assignee or novatee of, or
successor in title to, the Authority; or

4.8.8 to a Replacement Service Provider or any third party
whom the Authority is considering engaging as contemplated or
permitted by this Agreement.

4.9 The Authority shall use all reasonable endeavours to ensure
that any Crown Body, Contracting Authority, or third party to whom
the Service Provider Confidential Information is disclosed pursuant
to Clause 51.8 is made aware of the Authority's obligations of
confidentiality under this Agreement.

4.10 Except as specified in Clause 51.11, upon the Authority’s
request, and in any event on termination of the whole or part of this
Agreement or expiry of this Agreement the Service Provider shall
promptly return:

4.10.1 any Authority Confidential Information which it
received while providing the relevant Services;

4.10.2 all physical and written records containing the
Authority Confidential Information related to the relevant
Services; and

4.10.3 all documentation relating to any other Confidential
Information of the Authority,

to the Authority or, if requested by the Authority, destroy or delete
the same in a manner specified by the Authority and promptly certify
to the Authority that it has completed such destruction or deletion.

4.11 Clause 51.10 shall not apply to any copies of Confidential
Information which the Service Provider is required to keep by Law.

4.12 The obligations with respect to Confidential Information
disclosed under this Agreement shall survive either expiry or
termination of this Agreement and will continue for as long as the
information remains confidential.

4.13 Each Party agrees that damages would not be an adequate
remedy for any breach of this Clause 51. Without prejudice to section
8(2) and (3) of the Census Act 1920, each Party shall be entitled to
remedies of interdict, specific performance and any other appropriate
remedy for any threatened or actual breach of this Clause 51.

5. OFFICIAL SECRETS ACTS

5.1 The Service Provider shall (and shall ensure that its
Subcontractors shall) at all times comply with the Official Secrets
Acts 1911 to 1989.

5.2 The Service Provider shall:

5.2.1 take all necessary steps including the display of
notices to ensure that all persons engaged on any work in
connection with this Agreement have notice that these statutory
provisions apply to them; or

5.2.2 as requested by the Authority at any time, in respect
of all Service Provider Personnel procure the signature by some
or all (as specified by the Authority) of such persons of a
statement (in a form specified by the Authority) that they
understand that the Official Secrets Acts 1911 to 1989 apply to
them.

________________________________________________________________________________________________________________________________________

L. Extract from Services and Systems for the Census in Scotland (SaSCinS)
Statement of Requirements v1.0.

Please find detailed below extracts from the SoR (Statement of
Requirements) relating to Security and Off-shoring, with the Off-shoring
items highlighted in RED. The full SoR was issued to Bidders and they
were asked to bid against these requirements. For information,
requirements marked (M) are mandatory requirements, and requirements
marked (I) are for information only.

You will see from this that our strategy was not necessarily to keep
Census data in Scotland, but within the UK. The fact that the CACI(UK)
consortium resulted in both the Paper Data Capture and Internet Hosting
sites being in Scotland was a bonus.

Extracts from SaSCinS 2011 SoR v1.0

4.5.15 (M) The preferred Bidder must provide copies of final reports of
any audit/check by their security partner to the Authority, so that the
Authority can monitor the security content of systems and services as they
are developed.

4.6 Security

4.6.1 Confidentiality is the cornerstone of the Census and must not be
compromised in any way.

4.6.2 The Authority has an excellent reputation for maintaining the
confidentiality of Census data. The overall security measures for the 2011
Census need to address direct and indirect security threats, risks to
maintaining the confidentiality of Census data, issues of public
perception and risks to the Authority’s reputation.

4.6.3 Confidentiality of the Census in the United Kingdom is covered by
Section 8 of the Census Act 1920 (see
[2] http://www.statistics.gov.uk/census2001/...), as
amended by the Census (Confidentiality) Act 1991. The 1920 Act made
provisions for penalties for the unlawful disclosure of information
acquired in connection with the discharge of functions under the Act, and
for connected purposes. The 1991 Act extended the legislation about
confidentiality to persons providing services to the Registrar General for
Scotland.

4.6.4 All persons either employed in processing the Census, or otherwise
contracted to supply other services to the Registrar General for Scotland
in connection with the 2011 Census, will be subject to the strict
confidentiality provisions of the Census Acts. It will be a requirement
that such persons make a statutory declaration which will indicate that
the persons are aware of the penalties for unlawfully disclosing personal
Census information. Anyone using or disclosing personal Census information
improperly will be liable to prosecution.

4.6.5 There may be additional security clearance requirements for
certain key staff involved in handling personal Census information. The
Authority will discuss and agree any requirements with the preferred
Bidder.

4.6.6 The level of physical security and security clearance for staff
involved in handling personal Census information will be kept under review
by the Authority. The Authority will discuss and agree any changes to
requirements with the preferred Bidder should there be a future need for
increased or reduced security levels.

4.6.7 The Census is a very high profile operation that is subject to
close scrutiny by certain pressure groups, the press and Parliament. It is
essential that personal Census information is handled and held securely in
accordance with specified security requirements.

4.6.8 The Authority has in place security measures and procedures
designed to protect the integrity, confidentiality and security of its own
data and systems. The Authority must give its approval before any external
access is given to its computer facilities or its data. Approval will only
be granted after ensuring that there is no risk to confidentiality and
security of any of the data held by, or systems operated by, the
Authority. The continuation of these standards is essential to the
realisation of the business aims of the Authority.

4.6.9 The Authority will appoint an independent body to conduct one or
more security reviews during development, testing, implementation and
operational stages. The preferred Bidder must be prepared to provide the
independent body with all relevant information relating to the delivered
services.

4.6.10 The term ‘Census Confidentiality’ does not refer to the
security rating CONFIDENTIAL as used in the UK Government Manual of
Protective Security. Census information has no official protective
marking. However, the Authority recognises that standards and procedures
appropriate for RESTRICTED level operations will normally provide a
suitable baseline for solutions required to manage Census information.
Census data is also registered under the Data Protection Act 1998, and the
Authority is required by the Act to safeguard that data.

4.6.11 For confidentiality reasons only certain development and
operational activities will be permitted outside of the UK. Section 12.15
provides details of which activities can, and cannot, be undertaken
outside the UK. Proposals which do not meet these requirements will be
rejected.

4.6.12 (M) The preferred Bidder must adhere to the security policies and
guidance provided by the Authority. Policies and guidance will comprise:

• UK HMG Information Security policies, guidelines and standards,
including those produced by the CESG;
• UK HMG Manual of Protective Security;
• The Census Confidentiality Declaration and Guidelines (the 2011
Guidelines are not yet finalised, but the 2001 Guidelines are provided as
an illustration of the likely content); and,
• UK HMG e-government security framework requirements.

4.6.13 (M) The preferred Bidder must install security measures that
comply with the Authority’s requirements. These will usually follow UK
HMG specifications for RESTRICTED level operations, but bespoke solutions
providing additional safeguards will be required in some areas. If there
is any doubt about the applicability of any security measure for any given
item/aspect, the Authority must be consulted and the issue discussed and
agreed to before any measures are put in place.

4.6.14 (M) The preferred Bidder must allow audit checks at any agreed
time by the independent body appointed by the Authority, and put right any
deficiencies in the agreed level of security. The preferred Bidder must
allow security penetration tests on the Internet services and any other
services provided by the preferred Bidder at any agreed time, by the
independent body appointed by the Authority, and will put right any
deficiencies in the agreed level of security.

4.6.15 (M) The preferred Bidder’s Information Security Management
System for the Census services must comply with and be independently
accredited to the BS7799 / ISO 27001 standard. The scope and nature of the
accreditation will be agreed between the Authority and the preferred
Bidder.

4.6.16 (M) The preferred Bidder must deliver, maintain and adhere to all
documentation needed to meet confidentiality, integrity and availability
requirements and the BS7799 / ISO 27001 accreditation processes. The
documentation must be produced in the following areas of information
security management:

• Security Policy;
• Organisation of Information Security;
• Asset Management;
• Human Resources Security;
• Physical and Environmental Security;
• Communications and Operations Management;
• Access Control;
• Information Systems Acquisition, Development and Maintenance;
• Information Security Incident Management;
• Business Continuity Management; and,
• Compliance – Regulatory and Legal.

4.7 Business Continuity and Disaster Recovery Planning

4.7.1 The Authority expects the preferred Bidder to adhere to Business
Continuity and Disaster Recovery (BCDR) plans agreed with the Authority.
The plans will ensure that the preferred Bidder is able to respond to any
event that may threaten services or ability to deliver services, recover
from any such event and mitigate against the impact of any such event. The
plans should be compliant with good practice standards including BS25999.

4.7.2 (I) Bidders should explain how their BCDR processes and procedures
will be applied to maintain service delivery throughout the life of the
project. The response should cover:

• Arrangements during development, integration, testing and
operational readiness of services;
• Arrangements during service operation;
• Service levels proposed for potential disaster scenarios; and
• Authority role in BCDR activities.

4.7.3 (M) For each operational service within their bid the preferred
Bidder must prepare, deliver, maintain and adhere to a BCDR plan that
identifies the processes and procedures required to support and execute
the services following any event that threatens or incapacitates them. The
content of each BCDR plan will be agreed between the Authority and the
preferred Bidder and will include:

• Plan purpose;
• Applicability and scope;
• Objectives;
• Planning assumptions;
• Priorities;
• Service levels;
• Execution of the plan; and,
• Plan procedures.

4.7.4 (M) The preferred Bidder must include plans for the testing of
BCDR plans in their implementation and/or test strategy.

4.7.5 (M) The preferred Bidder’s Business Continuity Management System
for the Census services must comply with and be independently accredited
to the BS25999 – Business Continuity Management standard (incl. Disaster
Recovery). The scope and nature of the accreditation will be agreed
between the Authority and the preferred Bidder.

4.8 Training

4.8.1 (M) If the preferred Bidder’s solution includes systems that
will be used by Authority staff, the preferred Bidder must provide
appropriate training courses and course material for Authority staff on
the use of the systems.

4.8.2 (M) The preferred Bidder must ensure that all preferred Bidder
staff are trained to a skill level to carry out their particular tasks in
accordance with the agreed service levels.

4.8.3 (M) In the event of staff changes, the preferred Bidder must
ensure that new staff are trained to the same skill level to ensure that
there is no impact on the delivery and quality of the services to the
Authority.

4.8.4 Everyone who handles or may come into contact with personal Census
information needs to be aware of their individual responsibility under the
Census Act to protect and prevent disclosure of the Census information in
their care. Each of the companies contracted to provide services for the
2009 Rehearsal and the 2011 Census will be responsible for ensuring that
their staff are familiar with the Census confidentiality guidelines.

4.8.5 (M) The preferred Bidder must ensure that staff receive
appropriate training on the Census confidentiality guidelines provided by
the Authority.

12.9 Off-shoring

12.9.1 While the Authority appreciates the financial advantages in
off-shoring, the over-riding priority will be to protect the security and
confidentiality of information. We must also ensure that the response
rate is not affected because of the public "perception" of the possibility
of breaches. Possible functions which could be delivered off-shore:

• any development activity, provided there is no access to census
data;
• printing, but only within the European Economic Area;
• contact centre, but NOT telephone data capture;
• Internet public assistance, but this may cause difficulties with
any interface to Internet data capture.

Paper data capture and Internet data capture are not deemed to be
appropriate functions for delivery offshore as they include storage of
full census returns and images.

The Authority would also need to consider services which include systems
needing access to other information that could be perceived as
confidential e.g. repository of addresses.

12.9.2 (M) The preferred Bidder must at no stage allow the removal of any
completed paper questionnaire, or electronic data or images from the
United Kingdom. Both the warehouse and the processing site must therefore
be located within the United Kingdom.

12.10 Compliance and Legal/Regulatory

12.10.1 (M) The preferred Bidder is required to protect Census data even
when legislation (either from the country in which they or their parent
companies work or the jurisdiction in which they reside) exists which may
compromise confidentiality by requiring them to disclose information of a
confidential nature and with which they must comply. An example of such
legislation would be the US Patriot Act.

12.10.2 (I) Bidders are required to detail:

• how their proposed solution avoids a conflict between non-UK
legislation and the confidentiality requirements as expressed in this SoR
and/or UK legislation (e.g. The Census Act as amended or the Data
Protection Act 1998);

• how they could jointly work with the Authority to manage the
public perception of the risk to data confidentiality presented by such
external legislation, including example key messages.

12.10.3 The preferred Bidder should be able, either within their preferred
approach (their “base bid”) or as a variant bid, to provide a solution
such that any Census Data able to be related to specific individuals will
never be held or controlled by employees of companies who are subject to
the Patriot Act. The Authority reserves the right to only award a contract
that meets this requirement.

________________________________________________________________________________________________________________________________________

M. Response to telecommunications question

GROS can confirm that there are telephone and broadband connections to the
building, but that the servers which will hold the census data at the data
capture site are ‘stand alone’ and no external connections are
accessible to these. Access to the Server Room will be controlled via
secure key pad entry system, with access restricted to named key
personnel.

________________________________________________________________________________________________________________________________________

N. Protections in place to safeguard the handling of data

Protections in place to safeguard the handling of data and to offer
assurance include the following:

• All services provided by the contractor have been
security assessed to ensure the services are in line with Her
Majesty’s Government Security guidelines, the Census Confidentiality
guidelines and the international security standard. The security applied
to the solution is in line with HMG standards – Manual of Protective
Security, HMG Information Security Standards 1 and 2, CESG guidance –
and international standards for security ISO 27001 and 27002. Technical
security products with HMG or international (Common Criteria)
evaluation have been used wherever technically possible. Provision has
been led by a CLAS consultant and independent verification will be
undertaken by another CLAS consultant (from a different company and
under a separate GROS contract). Technical assessments have been
undertaken in the form of IT health checks.

• All personnel have had security checks undertaken and
have undergone appropriate security awareness training.

• Strict access controls have been implemented for all
systems and services where census data is being stored.

• Security measures have been adopted to protect against
the risk of disclosure from mobile computing and communications
facilities.

• All systems and services will undergo security testing
prior to live operations. Technical assessments have been undertaken in
the form of IT health checks, and risk assessments have been undertaken in
line with HMG standards.

• Ongoing security audits are planned for all systems and
services. A programme of compliance audits has been developed to ensure
that security is maintained.

• An Independent Security Review of all census systems and
services has been commissioned by GROS.

• A further joint UK-wide census Independent Security Review shall be
undertaken; details have still to be agreed.

_______________________________________________________________________________________________________________________________________

References

Visible links
1. http://www.opsi.gov.uk/click-use/index.htm
2. http://www.statistics.gov.uk/census2001/...
