Service providers and PII
Dear City of Edinburgh Council,
1. Do you use an external IT service provider/Managed Service Provider (MSP)?
- Yes
- No
2. Does your provider/MSP serve as a processor of your Personally Identifiable Information (PII)?
- Yes
- No
If No, thank you for your time.
If Yes, please see below:
3. Does your contract/Service Level Agreement (SLA) with the provider(s) have clear provisions for the allocation of responsibilities in the event of a data breach?
- Yes
- No
4. Have you revisited your original contract(s) to ensure compliance with the General Data Protection Regulation (GDPR)?
- Yes
- No
5. Does the contract/SLA define the time frame in which a security breach at the provider must be reported to you?
- Yes
- No
6. Do you have policies in place for privileged account management?
- Yes
- No
7. Has your service provider/MSP suffered a data breach involving your organisation’s PII in the last 12 months?
- Yes
- No
8. If yes, how long did it take for them to notify you?
- <30 minutes
- 31 mins – 1 day
- 1 – 2 days
- 2 – 3 days
- More than 3 days
Thank you for your time.
Yours faithfully,
Gabby Dunne
Ms Gabby Dunne
Our ref: 19741
Dear Ms Dunne
Acknowledgement of Request
Subject: Service providers and PII
Thank you for your request for information received on 16/07/2018. I can confirm that your request will be processed under the Freedom of Information (Scotland) Act 2002, Environmental Information Regulations (Scotland) 2004, or the INSPIRE (Scotland) Regulations 2009.
You will receive the information requested within 20 working days unless the Council does not hold the information, or there is a reason for it to be withheld. We will write to you in any event. This means we have until 14/08/2018 to respond to your request.
In some circumstances a fee may be payable and if that is the case we will let you know.
If you have any requirements regarding the format any information should be supplied in, e.g. the language to be used, audio, large print and so on, then please let me know.
If you have any queries or concerns, do not hesitate to get in touch. Please quote the reference number above in any future communications.
To promote transparency and accountability, please note it is the Council’s policy to publish all request details and responses made under the freedom of information legislation. This information will be made available through the Council’s website and will not include your personal details. The disclosure log is available at the following link: http://www.edinburgh.gov.uk/homepage/175....
Further information about your rights and accessing information is available on our website at: www.edinburgh.gov.uk
Yours sincerely,
Information Governance Unit
Level 2:1, Waverley Court, Edinburgh EH8 8BG Tel 0131 200 2340
[email address] www.edinburgh.gov.uk
Dear City of Edinburgh Council,
It is past the deadline for when I should, by law, have a response to this. Please get back to me promptly, either to answer my questions or ask for clarification on anything.
Yours faithfully,
Gabby Dunne
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
[Edinburgh City Council request email]
host smtp2.edin.org [193.39.157.35]
SMTP error from remote mail server after RCPT TO:<[Edinburgh City Council request email]>:
550 5.1.1 <[Edinburgh City Council request email]>: Recipient address rejected:
User unknown
Sent a follow up to City of Edinburgh Council again.
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
[Edinburgh City Council request email]
host smtp1.edin.org [194.32.48.33]
SMTP error from remote mail server after RCPT TO:<[Edinburgh City Council request email]>:
550 5.1.1 <[Edinburgh City Council request email]>: Recipient address rejected:
User unknown
Sent a follow up to City of Edinburgh Council again, using a new contact address.
Ms Gabby Dunne
[FOI #497594 email]
Our ref: 19741
Dear Ms Dunne,
Thank you for your email. Please accept my apologies for the late response to your request. I can confirm that the request is being processed and the information will be sent to you as soon as possible.
I hope this helps to explain but please don't hesitate to get in touch if you require any further assistance.
Yours sincerely
Mark Hepworth
Information Rights Officer
Information Governance Unit
Level 2:1, Waverley Court, Edinburgh EH8 8BG Tel 0131 200 2340
[Edinburgh City Council request email] www.edinburgh.gov.uk
Ms Gabby Dunne
[1][FOI #497594 email]
Our ref: 19741
Dear Ms Dunne
Freedom of Information (Scotland) Act 2002 - Release of Information
Subject: Service providers and PII
Thank you for your request for information of 16/07/2018. Your request has
been processed and considered under the Freedom of Information (Scotland)
Act 2002 and the information is provided below. Please accept my apologies
for the delay in responding to your request.
You asked the following:
Q1. Do you use an external IT service provider/Managed Service Provider
(MSP)?
A1. Yes
Q2. Does your provider/MSP serve as a processor of your Personally
Identifiable Information (PII)?
A2. Yes
Q3. Does your contract/Service Level Agreement (SLA) with the provider(s)
have clear provisions for the allocation of responsibilities in the event
of a data breach?
Yes. We do have a CGI / Council ICT Security Incident Handling procedure
with SLAs aligned to Service SLAs. Dependent on the nature and scale of
any breach, handling would be done in accordance with our prescribed
levels if it involved a breach of electronic systems.
Q4. Have you revisited your original contract(s) to ensure compliance with
the General Data Protection Regulation (GDPR)?
A4. Yes. As part of the preparations for GDPR, the CGI contract was
reviewed and clauses updated to reflect GDPR responsibilities.
Q5. Does the contract/SLA define the time frame in which a security breach
at the provider must be reported to you?
A5. As per point 3. The Council’s standard terms and conditions do not
stipulate a timeframe but state as soon as reasonably practicable.
Q6. Do you have policies in place for privileged account management?
A6. Yes
Q7. Has your service provider/MSP suffered a data breach involving your
organisation’s PII in the last 12 months?
A7. There is no record of CGI reporting a data breach by them involving
CEC data in the last 12 months.
Q8. If yes, how long did it take for them to notify you?
- <30 minutes
- 31 mins – 1 day
- 1 – 2 days
- 2 – 3 days
- More than 3 days
A9. Not Applicable
To promote transparency and accountability, please note it is the
Council’s policy to publish all request details and responses made under
the freedom of information legislation. This information will be made
available through the Council’s website and will not include your personal
details. The disclosure log is available at the following link:
[2]http://www.edinburgh.gov.uk/homepage/175...
Your right to seek a review
If you are unhappy with the way we have dealt with your request, you can
ask us to review our actions and decisions by writing to the:
Head of Strategy & Insight
The City of Edinburgh Council
Waverley Court Business Centre 2:1
4, East Market Street
Edinburgh
EH8 8BG or,
Email: [3][email address]
Please note that your request must be in a recordable format (email,
letter, audio tape etc.), and that you have 40 working days upon receipt
of this letter to ask for a review. You will receive a full response to
your review request within 20 working days of its receipt. Please quote
the reference number above in any future communications.
If you are not content with the outcome of the review, you can ask the
Scottish Information Commissioner to review our decision. You must submit
your complaint to the Commissioner within 6 months of receiving our review
response. The Commissioner can be contacted at:
The Office of the Scottish Information Commissioner
Kinburn Castle
Doubledykes Road
St Andrews
Fife
KY16 9DS
Telephone: 01334 464610
Fax: 01334 464611
Website: [4]www.itspublicknowledge.info/Appeal
Email: [5][email address]
Yours sincerely,
Mark Hepworth
Information Rights Officer
Information Governance Unit
Level 2:1, Waverley Court, Edinburgh EH8 8BG Tel 0131 200 2340
[6][Edinburgh City Council request email] [7]www.edinburgh.gov.uk
References
Visible links
1. mailto:[FOI #497594 email]
2. http://www.edinburgh.gov.uk/homepage/175...
3. mailto:[email address]
4. http://www.itspublicknowledge.info/Appeal
5. mailto:[email address]
6. mailto:[Edinburgh City Council request email]
7. http://www.edinburgh.gov.uk/