PSN compliance

The request was partially successful.

Dear Devon County Council,

I note that the Council uses a new software system from OLM, called Eclipse. It is being implemented in children's social care, I believe. I note from your previous response that the Council did not undertake any procurement process or comparison work when it committed to move to Eclipse.

Q1: Please list the software components which make up the Eclipse product. I understand from the OLM website that many of these are open source components.

Q2: Please provide the dates on which each of these components was last updated, and the version number.

Q3: Please provide the dates on which each of these components will next be updated, and the version number.

I assume that this will not be a problem, as this information will be required for the Council's PSN compliance.

Yours faithfully,

Steve Hall

access to information - mailbox, Devon County Council

Dear Steve Hall

 

Freedom Of Information Request

Reference – 6729100

 

I am in receipt of your request for information which will be handled in
accordance with your rights under the above legislation.  Your request has
been passed to the Information Governance team to deal with in accordance
with the Council’s Environmental Information Regulations and Freedom of
Information Request Handling Policy.

 

Under the above legislation, you are entitled to be informed as to whether
or not Devon County Council holds the information you have requested, and
if so to have this communicated to you within 20 working days.  At times
the Council may have to withhold certain information because an exemption
from disclosure applies.  If we feel that this should apply to any of the
information you have requested, we will inform you of this fact (unless to
do so would reveal information that would otherwise be exempt).  We will
also give you details of how you may appeal our decision.

 

The Council will endeavour to provide you with a response to your request
as soon as possible but incidentally by no later than 13th December 2017.

 

I hope this information is of assistance to you.

 

Yours sincerely

 

Hannah Woolacott

Information Governance Officer

Information Governance Team

 

Customer Relations & Information Governance

Room 120

County Hall

Exeter
EX2 4QD

Disclaimer: [1]http://www.devon.gov.uk/email.shtml
Applicable to private messages: "Devon County Council accepts no legal
responsibility for the contents of this message. The views expressed do
not reflect those of Devon County Council"

 

*Please note that emails may be disclosed in response to requests under
the Data Protection Act 1998 and the Freedom of Information Act 2000.

 

 

References

Visible links
1. http://www.devon.gov.uk/email.shtml

access to information - mailbox, Devon County Council

 

Dear Steve Hall

 

Freedom Of Information Request

Reference – 6729100

 

I am in receipt of your request for information under the Freedom of
Information Act.

Please find Devon County Council’s response available via the attached
[1]LINK

I hope this information is of assistance to you.

 

Yours sincerely,

 

 

Richard Kaye

Information Governance Officer

 

The Customer Relations & Information Governance Team

Room 120

County Hall

Exeter
EX2 4QD
Tel: 01392 383000 – Ask for Information Governance Team

Email: [2][email address]

 

Please note that Devon County Council now publishes most Freedom of
Information and Environmental Information Regulations request responses on
its publication scheme. Details of previous responses are available at
[3]https://new.devon.gov.uk/accesstoinforma....
The council requests that members of the public make use of its disclosure
log search facility before making a Freedom of Information or
Environmental Information Regulations request, as it is possible that the
information sought, may have been disclosed in response to a prior
request.

Your right to complain
If for any reason you are not satisfied with how your request has been
handled, please write to Customer Relations Team, Room 120, County Hall,
Topsham Road, Exeter, EX2 4QD. Details about our Access to Information
complaints procedure can be found at
[4]https://new.devon.gov.uk/accesstoinforma....
  If your complaint is not resolved to your complete satisfaction, you
have the right to refer the matter to the Information Commissioner’s
Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Re-use of information
The information supplied to you continues to be protected by the
Copyright, Designs and Patents Act 1988. You are free to use it for your
own purposes, including any non-commercial research you are doing and for
the purposes of news reporting. Use for Direct Marketing purposes is
prohibited. Any other re-use, for example commercial publication, would
require the permission of the copyright holder. Most documents supplied by
Devon County Council will have been produced by local officials and will
be our copyright. If you would like to re-use any of the information which
has been supplied to you, please contact us. Information you receive which
is not subject to our copyright continues to be protected by the copyright
of the person, or organisation, from which the information originated. You
must ensure that you gain their permission before reproducing any
information.

Disclaimer: [5]http://www.devon.gov.uk/email.shtml
Applicable to private messages: "Devon County Council accepts no legal
responsibility for the contents of this message. The views expressed do
not reflect those of Devon County Council"

 

 

 

References

Visible links
1. https://new.devon.gov.uk/accesstoinforma...
2. mailto:[email address]
3. https://new.devon.gov.uk/accesstoinforma...
4. https://new.devon.gov.uk/accesstoinforma...
5. http://www.devon.gov.uk/email.shtml

Dear Devon County Council,

Thank you for your reply, copied below:

"Q1: Please list the software components which make up the Eclipse product. I understand from the OLM website that many of these are open source components

Q2: Please provide the dates on which each of these components was last updated, and the version number

Q3: Please provide the dates on which each of these components will next be updated, and the version number

Devon County Council does not hold this information. The software components that make up Eclipse are the property of OLM and we would therefore recommend that you re-direct your enquiry at OLM via the website that you have referred to"

I find this utterly astonishing. If Devon County Council does not know which open source components are present in a major system, then it cannot comply with PSN requirements. It really is that simple! Please direct my original query to your PSN compliance officer.

Yours sincerely,

Steve Hall

access to information - mailbox, Devon County Council

Dear Mr Hall

Freedom of Information Act 2000
Information Request 6729100

I write further to your recent email concerning the Council's response to your Freedom of Information enquiry. Given the feedback you have provided, the Council will reconsider your request as part of an internal review. This will be handled in accordance with your rights under the Freedom of Information Act 2000.

We will endeavour to provide you with a response to this matter as soon as possible, but incidentally by no later than 11/01/2018.

Yours sincerely,

Martin Lawrence
Information Governance Manager

Customer Relations & Information Governance
Room 120
County Hall
Exeter
EX2 4QD
Tel: 01392 383000 – Ask for Martin Lawrence
Email: [email address]
 


access to information - mailbox, Devon County Council

1 Attachment

Dear Mr Hall

Please find attached our response to your internal review request for Freedom of Information request 6729100.

Please accept our apologies for the late response.

Regards

Information Governance Team.


Steve Howkins,

Information request
Our reference: 6729100

--------------------------------------------------------------------------

 
Dear Sir/Madam
 
Thank you for your request for a review received on 11 December 2017. I am
sorry that you are dissatisfied with our attempts to handle your request
under the Freedom of Information Act 2000
 
[Enter content of letter here]
 
Yours faithfully
 
 
Steve Howkins
Senior Information Governance Officer
Customer Relations & Information Governance Team
01392 383000
[email address]
 
NOTE: Please do not edit the subject line when replying to this email.

Dear Mr Howkins,

Thank you for your response.

I note the following:

"Devon County Council does not evaluate the source code for third party system products but rely on assurances provided by the companies, and where necessary, penetration tests performed against any perceived vulnerabilities. The OLM Accreditation page indicates compliance with several national and industry specific security standards"

Unfortunately, the OLM accreditation page provides none of the information relevant to my query. What the OLM website does make clear is that Eclipse has been built by adding together hundreds of open source components. In order for Devon CC to comply with its PSN requirements, you will need to demonstrate a process for verifying that each element of code in this system is up to date with its latest security patch. Your response suggests that Devon CC does not have a process for verifying this - which I find worrying.

Could you ask your PSN compliance team the following questions, please. I will regard this as a fresh enquiry with its own FOI timescales:

1. How many open source components are present in the OLM Eclipse system? I won't ask you to name them as this might be considered commercially sensitive by OLM, though I would expect the Council to know what these are
2. Does the Council know the latest security patch release number for each of these components?
3. Does the Council have an agreed process in place with OLM to manage these specific security patches? If the solution is hosted by OLM then this might be relatively invisible to the Council, but PSN requires that the Council has a monitoring process and can actively verify that it is not running software outside the security patch window

I might seem like an anorak (OK, I am a bit of one) but this is unbelievably significant. A major system, accessing the Council's network, holding confidential data on vulnerable children - it is simply vital that every aspect of this system's code is up to date, with test certificates which are not allowed to lapse. The Council's response to date has been to send me to a run-of-the-mill accreditations page, which doesn't exactly inspire confidence that you are taking this seriously.

Yours sincerely,

Steve Hall

access to information - mailbox, Devon County Council

Dear Mr Hall

Freedom Of Information Request
Reference 6906696

I am in receipt of your request for information which will be handled in accordance with your rights under the above legislation. Your request has been passed to the Information Governance team to deal with in accordance with the Council’s Environmental Information Regulations and Freedom of Information Request Handling Policy.

Under the above legislation, you are entitled to be informed as to whether or not Devon County Council holds the information you have requested, and if so to have this communicated to you within 20 working days. At times the Council may have to withhold certain information because an exemption from disclosure applies. If we feel that this should apply to any of the information you have requested, we will inform you of this fact (unless to do so would reveal information that would otherwise be exempt). We will also give you details of how you may appeal our decision.

The Council will endeavour to provide you with a response to your request as soon as possible but incidentally by no later than 14/02/2018.

I hope this information is of assistance to you.

Information Governance Team


Dear Devon County Council,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Devon County Council's handling of my FOI request 'PSN compliance'.

These questions are almost a year overdue. They remain as pertinent now as they were when first asked. I don't know if the Council has gone live with the OLM Eclipse system, but it is absolutely vital, if so, that the Council has a robust process for verifying the security patch update status of each open source component.

Please conduct an internal review into the reasons for failing to meet FOIA timescales with this request, and please answer my questions without further delay.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/p...

Yours faithfully,

Steve Hall

access to information - mailbox, Devon County Council

Dear Steve

Thank you for your email dated 23/12/2018.

We have provided links to our responses to all of your relevant requests below. To help us to respond to your request for an internal review please could you confirm which one your questions relate to, quoting the seven digit reference number.

7766596 - 21/08/2018 - https://new.devon.gov.uk/accesstoinforma...

6988996 - 06/02/2018 - https://new.devon.gov.uk/accesstoinforma...

6906696 - 17/01/2018 - https://new.devon.gov.uk/accesstoinforma...

6729100 - 15/11/2017 - https://new.devon.gov.uk/accesstoinforma...

6269396 - 05/07/2017 - https://new.devon.gov.uk/accesstoinforma...

Regards

Steve Howkins
Senior Information Governance Officer
Information Governance Team
01392 383000
Email:[email address]
Website: Devon County Council
Disclaimer: Emails and any attached or linked to documents from Devon County Council which contain personal or sensitive personal data about clients or employees, or sensitive business data, are confidential. If you are not the intended recipient, please notify the sender immediately by replying to the email, and then delete the email without forwarding, printing, copying, sharing or using it in any way. Personal data in any format should be processed in accordance with the General Data Protection Regulations. Personal data we collect from you will be processed in accordance with this Privacy Notice. Devon County Council will take all reasonable steps to make emails secure and protect them from viruses but cannot accept liability for loss or damage caused by their transmission to a recipient's device or network. Please follow your own organisation's virus checking procedure before opening attachments. Links to publicly available information or to documents in a shared area will be sent where possible. Senders and recipients of email should be aware that under UK Data Protection and Freedom of Information legislation the content of emails may have to be disclosed in response to a request so care should be taken in terms of content.


Dear access to information - mailbox,

The FOI question was reference number 6729100

Yours sincerely,

Steve Hall

access to information - mailbox, Devon County Council

I will be out of the office until the morning of January 2nd 2019. Should
you have any queries in my absence, please e-mail
[Devon County Council request email].

 

Many thanks.

 

Paul Bastin.

 

Information Governance Assistant

Information Governance Team

Phone: 01392 383207

E-mail: [email address]

E-mail: [Devon County Council request email]

access to information - mailbox, Devon County Council

2 Attachments

  • Information Governance Team Internal Review SW.PDF.pdf (365K)

  • RE Freedom Of Information Request Reference 6729100 RK.html (6K)

Dear Mr Hall

Thank you for your enquiry and for confirming the number of the request it related to. We apologise for any inconvenience caused.

I have attached a copy of our original disclosure which was sent to you on December 8th 2017 and of our response to an internal review which we carried out on that response which was sent to you in January 2018.

Please confirm if these were received or not, if the latter, that may explain why you feel our response to your request is overdue.

Thank you

Steve Howkins
Senior Information Governance Officer
Information Governance Team
01392 383000
Email:[email address]
Website: Devon County Council

Dear access to information - mailbox,

I made a mistake in my previous response - my apologies. The question which remains unanswered was a follow-on question from January 2018 with the reference number 6906696

Yours sincerely,

Steve Hall

access to information - mailbox, Devon County Council

Dear Steve

Thank you for the clarification.

We do not have a record of a follow up question in relation to this request from you in January 2018.

We do have a record of a follow up enquiry received on 13/02/2018 which was "You have provided a response to a different FOI request. Could you review please? You haven't answered this request."

I am unable to locate a response to this enquiry so I would uphold your point about this, please accept our apologies for the oversight and for any inconvenience caused.

Your questions and our responses are below. It seems clear that we did respond to this request, however, please confirm which question or part of which question you feel may have been for a different request.

1. How many open source components are present in the OLM Eclipse system? I won’t ask you to name them as this might be considered commercially sensitive by OLM, though I would expect the Council to know what these are.

We do not hold this information. The system is provided through a contractual arrangement and is hosted and managed by the provider, we would not expect or need to hold the information.

2. Does the Council know the latest security patch release number for each of these components?

No, we do not hold this information. The system is provided through a contractual arrangement and is hosted and managed by the provider, we would not expect or need to hold the information.

3. Does the Council have an agreed process in place with OLM to manage these specific security patches? If the solution is hosted by OLM then this might be relatively invisible to the Council, but PSN requires that the Council has a monitoring process and can actively verify that it is not running software outside the security patch window

Yes, we monitor hosted and managed services through contractual and Service Agreements. The responsibility to ensure that system components, open-source or otherwise, are at the latest security patch, is that of the provider and is clearly documented and agreed.

Regards

Steve Howkins
Senior Information Governance Officer
Information Governance Team
01392 383000
Email:[email address]
Website: Devon County Council

Dear access to information - mailbox,

Thank you for these responses.

In a nutshell:
- Devon County Council has a critical, sensitive IT system holding personal data on hundreds of Devon citizens, and doesn't even know which open source components are in use in that system;
- the Council doesn't have any means of verifying whether or not the supplier is keeping up to date with security updates for these open source components
- so it would be fair to say that the Council's citizens are highly vulnerable to security attacks on that system. It's a web-exposed system, I believe - so every hacker on the planet can have free rein with it, which should (fingers crossed) be okay if the various components are being upgraded regularly - but you have no means of verifying that. Blimey.

Yours sincerely,

Steve Hall