
Kingdom Services Group "Data Breach and GDPR"

We're waiting for P Rourke to read recent responses and update the status.

Dear Bedford Borough Council,

1. As Joint Controllers of the data being processed for the Environmental Enforcement contract with KSG (KSG), can you confirm that either you or KSG reported the breach (within 72hrs) of Kingdom's "Bonus Spreadsheet for 2018" being available online for anyone to observe? The spreadsheet was not password protected. It also contained the names of all the councils working with KSG and all of their employee names and FPN totals for each day (no security whatsoever).

2. As Joint controllers of the data being processed for the Environmental Enforcement contracts, can you confirm that either you or KSG formally informed all of their employees (authorised council officers), whose names were on the spreadsheet?

3. Could you confirm that all the Body Worn Cameras being used to collect personal identifiable information from members of the public have been encrypted as per the GDPR (2016). KSG use Body Worn Cameras supplied by Pinnacle. The PR5 model is not encrypted and cannot be used to collect personal identifiable information. Therefore, they must be using the PR6 model. Could you confirm the model being used for your contract?

4. Can you confirm that all officers employed by KSG have been trained in accordance with DPA 1998 and GDPR (2016) and that you have seen the signed training records for this training?

5. Can you confirm that all the officers employed by KSG, authorised to enforce littering offences on behalf of the council have been fully vetted and have a valid DBS check, which the council have seen?

Could you confirm KSG have a Data Protection Officer/department and the contact email for this person/department.

Could you provide me with a copy of the following documents/policies which will have been updated in accordance with the General Data Protection Regulations (2016), the regulations came into force on 25th May 2018. Therefore, all of the documents will have been updated.

1. A copy of your Data Sharing Agreement with KSG for the delivery of Environmental Enforcement Services and a variation to this agreement to show the inclusion of GDPR (2016).

2. A copy of the Data Protection Impact Assessment for The Environmental Enforcement Services delivered by KSG on behalf of the council, which will show the inclusion of GDPR (2016). This assessment will include all systems used for processing Personal identifiable information e.g. systems, Body Worn Cameras, Handheld Computers and officer notebooks.

3. A copy of the Body Worn Camera Policy being adhered to by the officers employed by KSG working on behalf of the council. Also the previous version of this policy before adhering to the GDPR (2016).

4. A copy of the data retention policy being used in accordance with GDPR (2016) for the Environmental Enforcement contract with KSG.

Yours faithfully,

P Rourke

Freedom of Information, Bedford Borough Council

Thank you for your e-mail requesting information under the Freedom of
Information Act 2000 / Environmental Information Regulations 2004.

 

We will proceed with the request which we received today. It is our
intention to have the information delivered to you as soon as possible
otherwise within the statutory 20 working days.

 

In consideration of the request, which may be subject to any exemptions/
exceptions the Council may rely on to refuse the request, some of which
are absolute and some of which only apply where the public interest in
maintaining the exemption/exception outweighs that in disclosing the
information.

 

 

Please note that should you be requesting information under the
Environmental Information Regulations although we provide free access to a
wide range of information through our website, access to any public
registers which we hold and for inspecting information at our offices, we
are allowed to charge you a reasonable fee for providing certain
information.  If applicable, we will issue you with a fee notice.  This
will detail the tasks involved in responding to the request, and
associated costs.  Further information is available on the EIR page of
Bedford Borough Council’s website at the following link:

 

[1]http://www.bedford.gov.uk/council_and_de...

  

 

Please note that once a response has been forwarded to you an anonymised
summary of all requests appears on the Bedford Borough website at the
following link:

[2]http://www.bedford.gov.uk/council_and_de...
Our current practice is that the information will be available to view on
the web for 2 years.

 

Any future correspondence you may have with the Council in relation to
this matter should be emailed to [3][Bedford Borough Council request email] .

 

Any emails containing personal or sensitive data will be sent as ‘secure
e-mails’.  In order for you to access a secure email you will be asked to
create an account and log into the Council’s secure e-mail reply service. 
If you do receive a secure email there will be instructions explaining how
to do this.

 

 

 

 

“Confidentiality: The information contained in this e-mail and any
attachment may be confidential and may contain legally privileged
information. It is intended only for the use of the named recipient. If
you are not the named recipient, please notify us immediately and delete
it from your system. In such an event, you should not disclose the
contents of this e-mail to any other person, or print it.”

References

Visible links
1. http://www.bedford.gov.uk/council_and_de...
2. http://www.bedford.gov.uk/council_and_de...
3. mailto:[Bedford Borough Council request email]

Andrea Bechtle, Bedford Borough Council

Bedford BC - OFFICIAL-Unsecure

 

Dear P Rourke

 

Request pursuant to Freedom of Information Act 2000 – Request No.12736

 

I refer to your recent enquiry for information held by the Council under
the provisions of the Freedom of Information Act 2000 concerning Kingdom
Services Group. Under the provisions of the Freedom of Information Act,
the authority must state whether or not the information exists and I can
confirm that we do hold the information you requested which has been
answered below. 

 

Please find your request and our response below: 

 

1.    As Joint Controllers of the data being processed for the
Environmental Enforcement contract with KSG (KSG), can you confirm that
either you or KSG reported the breach (within 72hrs) of Kingdom's "Bonus
Spreadsheet for 2018" being available online for anyone to observe? The
spreadsheet was not password protected. It also contained the names of all
the councils working with KSG and all of their employee names and FPN
totals for each day (no security whatsoever).
The breach was reported to the ICO as soon as the full nature of the
breach was known. This was outside of the 72 hours because the full extent
of the breach was still being established.
The document had restricted access with only authorised users having
access to it. The document was not accessible outside the authorised user
group and at this stage there is no evidence to support that the document
was open to public view. The access and dissemination of this document is
still under investigation.

2.    As Joint controllers of the data being processed for the
Environmental Enforcement contracts, can you confirm that either you or
KSG formally informed all of their employees (authorised council
officers), whose names were on the spreadsheet?
Kingdom are currently in the process of notifying all individuals in
writing of this breach. The published document was redacted and there has
been no unedited version published at this stage, albeit it is conceded
the names may well be in the hands of those who unlawfully obtained the
document and disseminated it. The impact of the unedited version on the
staff named is extremely low, with only the names and location of the
council they have worked at being recorded on the document.

 

3.    Could you confirm that all the Body Worn Cameras being used to
collect personal identifiable information from members of the public have
been encrypted as per the GDPR (2016). KSG use Body Worn Cameras supplied
by Pinnacle. The PR5 model is not encrypted and cannot be used to collect
personal identifiable information. Therefore, they must be using the PR6
model. Could you confirm the model being used for your contract?
The Information Commissioner's Office (ICO) refer to the Government
Body-Worn Video Technical Guidance which states:

“The Information Commissioner’s Office provides the following advice. “The
ICO recommends that portable and mobile devices used to store and transmit
personal information should be protected using approved encryption
software which is designed to guard against the compromise of information.
If encryption is used the key must remain secret in order for the
encryption to provide an appropriate level of protection against such
threats. However, if this is not possible, organisations need to put
alternative, robust security measures in place to circumvent the risk of
not using encryption. Data controllers should be aware that personal data
being processed on body worn video cameras is likely to be sensitive and
is therefore likely to cause damage or distress if it was lost or stolen
and this should be reflected in the security measures that are adopted.
Systems should also be in place so that only authorised personnel can
extract and view the data from the device. Furthermore, if encryption is
not possible on the device its use should not be ignored in other areas of
the evidence management system.” At the current time, encryption is not a
standard feature in many BWV cameras. Note also that some suppliers may
erroneously claim files are encrypted when they are in reality recorded in
a non-standard format. Where encryption is used, this should be to a
recognised standard. The use of non-standard recording formats is not an
acceptable substitute and would conflict with the essential
"interoperability" requirement.”

Kingdom ensure that all data is downloaded to a secure location at the end
of every patrol therefore reducing the volume of data on the hard drive to
a minimal amount.

Each camera is either personally assigned to an officer and is booked in
and out at the start and end of every shift. All staff are aware of the
sensitive nature of the footage contained on the camera and therefore the
security of the camera is paramount for the officer whilst on patrol.

Kingdom staff at Bedford are supplied with Pinnacle PR6 Cameras.

4.    Can you confirm that all officers employed by KSG have been trained
in accordance with DPA 1998 and GDPR (2016) and that you have seen the
signed training records for this training?
GDPR awareness training has been disseminated to all Kingdom staff
produced by a qualified trainer. This awareness has since been implemented
into the recruit training package.
A copy of the signed training record is available for the council to view.

5.    Can you confirm that all the officers employed by KSG, authorised to
enforce littering offences on behalf of the council have been fully vetted
and have a valid DBS check, which the council have seen?
All staff are fully vetted to DBS standard.
A copy of the DBS is available for the council to view.

 

6.    Could you confirm KSG have a Data Protection Officer/department and
the contact email for this person/department.
Kingdom have a Data Protection Officer in place who can be contacted via:
[1][email address]

 

 

Could you provide me with a copy of the following documents/policies which
will have been updated in accordance with the General Data Protection
Regulations (2016), the regulations came into force on 25th May 2018.
Therefore, all of the documents will have been updated.

 

1.    A copy of your Data Sharing Agreement with KSG for the delivery of
Environmental Enforcement Services and a variation to this agreement to
show the inclusion of GDPR (2016).

This is covered in the contract between Bedford Borough Council and
Kingdom Services Group, details of which are below:

 

Part 5 - Protection of Information

33        Data Protection Act

33.1     The Contractor shall (and shall procure that any of its Staff
involved in the provision of the Services) comply with its obligations
under the Data Protection Act 1998 (“DPA”) (including where appropriate
obtaining registration hereunder) and the Computer Misuse Act 1990 insofar
as the performance of the Agreement gives rise to obligations under DPA.

33.2     Notwithstanding the general obligation in clause 33.1, where the
Contractor is processing personal data (as defined by the DPA) as a data
processor for the Authority (as defined by the DPA) the Contractor shall
ensure that it has in place appropriate technical and contractual measures
to ensure the security of the personal data (including encryption of any
laptop computer on which personal data is held) (and to guard against
unauthorised or unlawful processing of the personal data and against
accidental loss or destruction of, or damage to, the personal data), as
required under the Seventh Data Protection Principle in Schedule 1 to the
DPA; and

 

(a)  provide the Authority with such information as the Authority may
reasonably require to satisfy itself that the Contractor is complying with
its obligations under the DPA;

(b)  promptly notify the Authority of any breach of the security measures
required to be put in place pursuant to clause 33.2;

(c)  permit the Authority to audit the Contractor’s compliance with this
clause 32; and

(d)  ensure it does not knowingly or negligently do or omit to do anything
which places the Authority in breach of the Authority’s obligations under
the DPA.

 

2.    A copy of the Data Protection Impact Assessment for The
Environmental Enforcement Services delivered by KSG on behalf of the
council, which will show the inclusion of GDPR (2016). This assessment
will include all systems used for processing Personal identifiable
information e.g. systems, Body Worn Cameras, Handheld Computers and
officer notebooks.
Data Protection Impact Assessments are being completed and will be signed
off by Kingdom Senior Management. 

 

3.    A copy of the Body Worn Camera Policy being adhered to by the
officers employed by KSG working on behalf of the council. Also the
previous version of this policy before adhering to the GDPR (2016).
A copy of the BWC policy is available for the council to view on request.
Kingdom Services Group are currently considering publishing this policy on
their web site.

 

4.     A copy of the data retention policy being used in accordance with
GDPR (2016) for the Environmental Enforcement contract with KSG.
Our policy is 6 years + 1 year.

 

The information supplied to you continues to be protected by the
Copyright, Designs and Patents Act 1988. You are free to use it for your
own purposes, including any non-commercial research you are doing and for
the purposes of news reporting. Any other reuse, for example commercial
publication, would require the permission of the copyright holder. For
further information regarding Re-use of Public Sector information please
see link below.  If for whatever reason you are unhappy with our response
to your application you are entitled to pursue any dissatisfaction through
the Council's Internal Review Procedure.  Pursuant to Section 17 (7) of
the Act the procedure provided by the Council for dealing with complaints
about the determination of this request for information is the Council’s
FOI Complaints Procedure, a copy of which can be obtained on request or is
set out at:

[2]http://www.bedford.gov.uk/council_and_de...

 

Yours sincerely

 

Andrea Bechtle

FOI & EIR Officer - Environment

Bedford Borough Council

Room 336, Borough Hall, Cauldwell Street, Bedford, MK42 9AP

(01234) 718243 (ext 47243)
‘Bedford Borough Council - Working with our partners to make the borough a
better place to live, work and visit.’

 

 
