ICO Data Protection Audit
Dear Sirs,
FREEDOM OF INFORMATION (SCOTLAND) ACT 2002
REQUEST FOR INFORMATION
Pursuant to the general right of access to information contained in the Freedom of Information (Scotland) Act 2002 I request from the Chief Constable of the Police Service of Scotland the following information:
(a) the full content of the ICO's report following their recent consensual data protection audit of the Police Service of Scotland; and
(b) the full content of any action plans (or similar) that have been produced by the Police Service of Scotland pertaining to any issues identified within the ICO's report.
I look forward to receiving a substantive response on behalf of the Chief Constable within the statutory twenty working days.
Yours faithfully,
Alistair P Sloan
NOT PROTECTIVELY MARKED
Good Afternoon.
Your request has been received and a response should be issued within 20 working days.
Thank you.
Steven.
NOT PROTECTIVELY MARKED
Good afternoon
I would advise that Police Scotland are unable to provide you with the requested information within the statutory timescale. The information you have requested is currently being collated from business areas.
I can assure you that every effort will be made to ensure that an approriate response will be made as soon as possible.
If you have any queries, please contact me at the number below.
Kind regards
Information Management
Police Scotland
Clyde Gateway
2 French Street
Dalmarnock
Glasgow
G40 4EH
01786 895867
Dear Sirs,
FREEDOM OF INFORMATION (SCOTLAND) ACT 2002
REQUIREMENT FOR REVIEW
I refer to my request for information dated 21 December 2016 concerning the ICO's data protection audit of the Police Service of Scotland. It would appear that I have yet to receive a response to that request for information and note that 34 working days have now elapsed since the request for information was recieved by the Police Service of Scotland. I therefore now require that the Chief Constable of the Police Service of Scotland conducts an internal review of its handling of the request for information and provides me with a response to my request for information in terms of Section 21(4)(c) of the Freedom of Information (Scotland) Act 2002.
I look forward to receiving the review response on behalf of the Chief Constable of the Police Service of Scotland.
Yours faithfully,
Alistair P Sloan
NOT PROTECTIVELY MARKED
Good morning
I would like to confirm we have received your request for a review of FOI
2016-2891
You will receive a response within 20 working days.
Kind Regards
Information Management
Police Scotland, Clyde Gateway
2 French Street
Dalmarnock
Glasgow
G40 4EH
01786 895867
NOT PROTECTIVELY MARKED
Good afternoon
Attached is the Service response to your information request.
Kind Regards
Information Management
Police Scotland, Clyde Gateway
2 French Street
Dalmarnock
Glasgow
G40 4EH
01786 895867
We work to defend the right to FOI for everyone
Help us protect your right to hold public authorities to account. Donate and support our work.
Donate Now
Doug Paulley left an annotation ()
On Tuesday, March 21, 2017 the Police Force contacted WhatDoTheyKnow to note that their attempted redaction of the ICO data protection audit report had been technically deficient such that the redacted names could be retrieved by copying and pasting. They requested that the document be removed from our website.
On behalf of WhatDoTheyKnow, I asked for details as to why our continued publication of this information is problematic. I/we were unconvinced that it was problematic for us to continue to publish the document and so refused to do so.
On 22nd May, the ICO emailed WhatDoTheyKnow to state that they considered our continued publication of this document was contrary to our obligations under the Data Protection Act. We objected, noting that the names, and roles, in question are the Head of Information Management at Police Scotland, the Lead Auditors and Auditor Managers at the ICO and the police's records/information managers and a Chief Inspector responsible for Information Management. We stated that we do not believe that these individuals had a legitimate expectation that their names would not be released, that the integrity of the communications and the report are important and that we therefore requested the ICO retract their request.
Following repeated emails back and forth to discuss the issue, the ICO conducted a case review. They finally responded on 17th August to say:
"We have considered the points you have raised and, having reviewed the matter, we accept that the fact a disclosure is made inadvertently by a public authority is not automatically a determining factor which will mean the publication of the information by WDTK breaches the DPA. It is instead appropriate to consider the nature of the particular personal data, and whether WDTK is complying with the data protection principles where it decides to continue to publish it after being made aware it had been disclosed inadvertently.
"In this particular case the personal data constitutes the names and job titles of ICO staff involved in the audit in addition to those of Police Scotland’s contact points. We are satisfied that the disclosure of the personal data in this case is likely to be fair and not unwarranted in terms of prejudice to the data subjects’ rights and freedoms. We have reached this view in light of the fact the information only relates to the data subjects in the context of their professional roles, some of which are senior, and about which they would have reasonable expectations of varying degrees of accountability and scrutiny.
"For these reasons we have amended our assessment in this case and our conclusion is that WDTK’s processing of the personal data complies with the DPA. Therefore the ICO will not be taking further steps in this particular case."
We are glad that our interpretation of our obligations in this matter has ultimately been determined to be correct.
--
Doug - volunteer, WhatDoTheyKnow.com