We don't know whether the most recent response to this request contains information or not - if you are tim wells please sign in and let everyone know.

Dear Avon Fire and Rescue,
1) please can you send me a copy of the current subject access request
acknowledgment AND response letter that you use
2) a copy of the last 5 DPIAs completed
3) a copy of any internal mandatory information governance training that
you give to staff which was written in the last 2 years including
presentation slides and videos and any other media
4) a copy of any instructions given to staff members to reduce data
security breaches, for example double checking work
5) a copy of any policies implemented in the last 2 years within the
organisation to help reduce the environmental impact that the organisation
has?
6) please can I have a copy of the risk rating that you use to evaluate data security incidents?

Yours faithfully,

tim wells

Freedom of Information Act & Data Protection Requests, Avon Fire and Rescue

1 Attachment

Dear Mr Wells

 

I write to acknowledge your email dated 06.01.2020 requesting information
regarding Avon Fire & Rescue Service’s policies.

 

Your request has been assigned reference number 5091; please can you quote
this in any contact with us about this matter.

 

The request will be dealt with under the terms of the Freedom of
Information Act (FoIA) 2000 and you will receive a response within the
statutory timescale of 20 working days from the date of receipt, subject
to the information not being exempt or containing a reference to a third
party. In some circumstances Avon Fire & Rescue Service may be unable to
achieve this deadline but, if this is likely, you will be informed and
given a revised date at the earliest opportunity.

 

Guidance about how we deal with requests for information can be located on
our [1]website. Thank you for your interest in Avon Fire & Rescue Service.

 

Kind regards
 

 

Joanna Warren
Data Protection Co-ordinator (Mon-Thurs), Corporate Services
Avon Fire & Rescue Service
Telephone: 0117 926 2061 Extension: 302
Mobile:
[2]www.avonfire.gov.uk
Working smoke alarms save lives
Help save a tree - please do not print this email unless you really need
to.

 


Freedom of Information Act & Data Protection Requests, Avon Fire and Rescue

2 Attachments

Dear Mr Wells

 

Your request ref 5091 has been dealt with under the terms of the Freedom
of Information Act 2000 (FoIA) and we can confirm that Avon Fire & Rescue
Service (AF&RS) holds the information falling within the description
specified within your request, but we are not obliged to provide all the
information you have requested as it falls within the remit of Section 36
of the FoIA (Prejudice to the Effective Conduct of Public Affairs).

 

You asked for the following information:

 

1     a copy of our current subject access request acknowledgment and
response letter

2     a copy of our last 5 DPIAs

3     a copy of any internal mandatory information governance training
given to staff written in the last 2 years, including presentation slides,
videos, or any other media

4     a copy of any instructions given to staff to reduce data security
breaches

5     a copy of any policies we have implemented to help reduce
environmental impact within the last 2 years

6     a copy of the risk rating we use to evaluate data security incidents

 

Section 36 (2b) states that information is exempt if disclosure of the
information would, or would be likely to, inhibit:

 

      i.        the free and frank provision of advice, or

    ii.        the free and frank exchange of views for the purposes of
deliberation

 

Section 36 (2c) states that information is exempt if disclosure would
otherwise prejudice, or would be likely otherwise to prejudice, the
effective conduct of public affairs.

 

A judgement about whether the release of such information would likely be
prejudicial to our ability to effectively conduct our affairs as a public
authority was made by the legally authorised qualified person for that
public authority, the Monitoring Officer & Clerk (Interim) to the Fire
Authority, who reviewed the implications of disclosure and determined
Section 36 may apply.

 

As this is a qualified exemption, we therefore began a full Public
Interest Test (PIT) to determine whether any of the data are exempt under
the specific Section of the FoIA, or whether the public interest is better
served by disclosing any of the data withheld.

 

Factors in favour of disclosure:

 

The first aspect for consideration was whether the public interest is
better served by disclosing the data to provide transparency.

 

By disclosing the information you have requested, we would be providing
the public with insight about how we manage our processes and make our
decisions, which would meet the public interest and reassure public
concerns.

 

Disclosure would also demonstrate accountability and provide transparency
into discussions about our data management systems, and therefore our
handling of data. This in turn would provide a better understanding and
aid local government transparency.

 

A second aspect for consideration was the fact there is public interest in
data protection, and release of this information would throw light on
whether we have adequate safeguards to protect data. An increased access
to information about the processes we use and the dissemination of such
information would contribute to a greater awareness of our data management
systems.

 

Factors in favour of withholding:

 

You have asked for the last five DPIAs completed by us and a copy of any
instructions given to staff to reduce data security breaches.

 

These concern information technology, data security, and operationally
sensitive data, so the first aspect for consideration was whether issues
discussed in these documents should be withheld. The DPIAs are used to
evaluate possible security issues and are a method for staff to provide their
honest feedback on suggested changes in our internal processes.

 

After due consideration, we concluded that detail of internal discussions
is not exempt from disclosure under Section 41 of the FoIA (Information
Provided in Confidence). We therefore considered whether withholding this
detail would fall within the remit of Section 36 of the FoIA being
Prejudice to the Effective Conduct of Public Affairs.

 

The method of collecting information from staff to evaluate possible
security issues by encouraging ‘free and frank’ discussion is valuable to
us, and it would be impossible to retain an atmosphere where staff feel
reassured they can offer their individual views (positive or negative)
without fear of reprisal, or placing undue public and media attention on
those staff who freely took part, if it was believed these internal
discussions would be automatically subject to release under FoIA.

 

Release of such information in this case would set a precedent we must
consider for any future risk assessment discussions, as we believe it
would negatively affect our staff’s ability to fully participate with and
have confidence in the process of gathering evidence concerning any
possible security risk, resulting in staff being less likely to provide honest
feedback and a resulting impact on both information security and data
protection.

 

Some of the information we provide to staff includes policies that set out
how we manage security incidents to ensure robust and prompt detection,
investigation, and reporting of any real or suspected event that may
adversely affect the security of AF&RS information, premises, or assets.

 

A second aspect for consideration was whether it would be of interest to
the majority of the public how we protect our information and
operationally manage our risks to ensure data security. While disclosure
would allow our methods of dealing with identified risks to be further
scrutinised, it would also unnecessarily expose vulnerabilities that could
be targeted. The likelihood of damage to our resilience to provide an
effective service need not be immediate, as the impact would be
potentially serious in an emergency situation. You will appreciate that,
given the current security climate in the United Kingdom, it is necessary
for us to take a precautionary approach when releasing information about
how we plan to mitigate risks concerning information technology or data
security.

 

While it was considered whether release of this information is in the
public interest in terms of explaining our decisions, ensuring
accountability, or providing transparency into our handling of data, it
was concluded that releasing the detail concerning risk assessments is not
necessary to meet the public interest or reassure public concerns. As a
result, we came to the conclusion that the public interest is better
served by not disclosing this information.

 

We concluded there is a strong possibility the level of service to the
community would be impaired by disclosing information which would
prejudice our ability to carry out our statutory functions, and therefore
disclosure would fall within a Section 36 exemption.

 

Please note that, while prejudice to the effective conduct of public
affairs refers to an adverse effect on our ability to offer an effective
public service or to meet our wider objectives or purpose, the effect does
not have to be on the authority in question; it can be an effect on other
authorities we work with in partnership, or may refer to the disruptive
effects of disclosure (for example the diversion of resources in order to
further protect identified risks, or to preserve the current risk
assessment methods using staff participation, or to find an alternative
method if members of staff feel they cannot participate fully).

 

Conclusion:

 

The overall result of the PIT is therefore that the greater public
interest lies in not releasing information in full, and so not providing
you with part of the information you have requested.

 

In coming to this conclusion, the public interest in providing the
information has been carefully weighed against any prejudice to the public
interest that might arise from withholding the information. In all
circumstances of the case, the public interest in maintaining the
exemption outweighs the public interest in disclosing the information.

 

Please find attached all information that can be released to you.

 

1     A copy of our current subject access request acknowledgment and
response letter

 

2     A copy of our DPIA template

 

3     The only mandatory information governance training given to staff
that was written in the last 2 years is the ACT Awareness eLearning,
freely available from their website, and published 18 April 2018.

[1]https://www.gov.uk/government/organisati...

 

We have a mandatory e-learning course for all staff, which is a purchased
package not written in the last two years, although it has been updated to
include legislation changes. This package is subject to copyright, and we
cannot by law release a copy to you. If you wish us to, we can provide you
with the supplier’s details so you can contact them direct to purchase
your own copy.

4     A copy of some of the instructions given to staff to reduce data
security breaches.

Please note what we can release to you is not a complete set. Some of our
policies are for internal publication only as they contain operational
data, and are therefore exempt under Section 36 of the FoIA as stated
above. However some of the policies, such as the Information Security
Policy, are freely available on our AF&RS website at
[2]avonfire.gov.uk/guide-to-published-information/our-policies-and-procedures.
We also use news bulletins to highlight data issues arising from current
affairs when they happen, and the information we are releasing to you
contains some examples of these.

5     We have not implemented any policies to help reduce environmental
impact within the last 2 years

 

6     A copy of the risk rating we use to evaluate data security incidents
is included in the DPIA template.

 

 

This email acts as a refusal notice under section 17 of FoIA as some of
the information you have requested is exempt from disclosure under Section
36.

 

If you are unhappy with the way your request has been handled, you can
request an internal review by writing to us at the following address.
There is no charge for making an appeal.

 

Data Protection Officer

Avon Fire & Rescue Service

Police & Fire HQ

PO Box 37

Valley Road

Portishead

Bristol

BS20 8JJ

 

telephone 0117 9262061

email [3][Avon Fire and Rescue request email]

 

Further guidance about exemptions under the FOIA is available on the
Information Commissioner’s website at [4]https://ico.org.uk

 

Guidance about how we deal with requests for information can be located on
our [5]website. AF&RS retain request correspondence for the current
financial year plus 3 years.

Thank you for your interest in Avon Fire & Rescue Service.

 

Kind regards

 

 

Joanna Warren
Data Protection Co-ordinator (Mon-Thurs), Corporate Services
Avon Fire & Rescue Service
Telephone: 0117 926 2061 Extension: 302
Mobile:
[6]www.avonfire.gov.uk
Working smoke alarms save lives
Help save a tree - please do not print this email unless you really need
to.

 

This email and any attachments should only be read by the person or people
to whom it is addressed, and to be used by them for its intended purpose.
Avon Fire & Rescue Service cannot accept liability for statements or
legally binding obligations, which are the sender's and not made on behalf
of Avon Fire & Rescue Service or Avon Fire Authority. Replies to this
email address may be monitored under lawful business purposes. This email
and any attachments are scanned by Forcepoint Mail Control Security
Service and believed to be free from viruses, but it is your
responsibility to carry out all necessary virus checks and Avon Fire
Authority accepts no liability in connection therewith.

References

Visible links
1. https://www.gov.uk/government/organisati...
2. https://avonfire.gov.uk/guide-to-publish...
3. mailto:[Avon Fire and Rescue request email]
4. https://ico.org.uk/
5. http://www.avonfire.gov.uk/guide-to-publ...
6. http://www.avonfire.gov.uk/
