Service providers and PII

The request was successful.

Dear City of Edinburgh Council,

1. Do you use an external IT service provider/Managed Service Provider (MSP)?
- Yes
- No

2. Does your provider/MSP serve as a processor of your Personally Identifiable Information (PII)?
- Yes
- No

If No, thank you for your time.
If Yes, please see below:

3. Does your contract/Service Level Agreement (SLA) with the provider(s) have clear provisions for the allocation of responsibilities in the event of a data breach?
- Yes
- No

4. Have you revisited your original contract(s) to ensure compliance with the General Data Protection Regulation (GDPR)?
- Yes
- No

5. Does the contract/SLA define the time frame in which a security breach at the provider must be reported to you?
- Yes
- No

6. Do you have policies in place for privileged account management?
- Yes
- No

7. Has your service provider/MSP suffered a data breach involving your organisation’s PII in the last 12 months?
- Yes
- No

8. If yes, how long did it take for them to notify you?
- <30 minutes
- 31 mins – 1 day
- 1 – 2 days
- 2 – 3 days
- More than 3 days

Thank you for your time.

Yours faithfully,

Gabby Dunne

City of Edinburgh Council

Ms Gabby Dunne

Our ref: 19741

Dear Ms Dunne

Acknowledgement of Request

Subject: Service providers and PII

Thank you for your request for information received on 16/07/2018. I can confirm that your request will be processed under the Freedom of Information (Scotland) Act 2002, Environmental Information Regulations (Scotland) 2004, or the INSPIRE (Scotland) Regulations 2009.

You will receive the information requested within 20 working days unless the Council does not hold the information, or there is a reason for it to be withheld. We will write to you in any event. This means we have until 14/08/2018 to respond to your request.

In some circumstances a fee may be payable and if that is the case we will let you know.

If you have any requirements regarding the format any information should be supplied in, e.g. the language to be used, audio, large print and so on, then please let me know.

If you have any queries or concerns, do not hesitate to get in touch. Please quote the reference number above in any future communications.

To promote transparency and accountability, please note it is the Council’s policy to publish all request details and responses made under the freedom of information legislation. This information will be made available through the Council’s website and will not include your personal details. The disclosure log is available at the following link: http://www.edinburgh.gov.uk/homepage/175....

Further information about your rights and accessing information is available on our website at: www.edinburgh.gov.uk

Yours sincerely,

Information Governance Unit
Level 2:1, Waverley Court, Edinburgh EH8 8BG Tel 0131 200 2340
[email address] www.edinburgh.gov.uk

Dear City of Edinburgh Council,

It is past the deadline for when I should, by law, have a response to this. Please get back to me promptly, either to answer my questions or ask for clarification on anything.

Yours faithfully,

Gabby Dunne

Mail Delivery System,

2 Attachments

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[Edinburgh City Council request email]
host smtp2.edin.org [193.39.157.35]
SMTP error from remote mail server after RCPT TO:<[Edinburgh City Council request email]>:
550 5.1.1 <[Edinburgh City Council request email]>: Recipient address rejected:
User unknown

Sent a follow up to City of Edinburgh Council again.

Mail Delivery System,

2 Attachments

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[Edinburgh City Council request email]
host smtp1.edin.org [194.32.48.33]
SMTP error from remote mail server after RCPT TO:<[Edinburgh City Council request email]>:
550 5.1.1 <[Edinburgh City Council request email]>: Recipient address rejected:
User unknown

Sent a follow up to City of Edinburgh Council again, using a new contact address.

Information Rights Officer 1, City of Edinburgh Council

Ms Gabby Dunne
[FOI #497594 email]
Our ref: 19741

Dear Ms Dunne,

Thank you for your email. Please accept my apologies for the late response to your request. I can confirm that the request is being processed and the information will be sent to you as soon as possible.

I hope this helps to explain but please don't hesitate to get in touch if you require any further assistance.

Yours sincerely

Mark Hepworth
Information Rights Officer

Information Governance Unit
Level 2:1, Waverley Court, Edinburgh EH8 8BG Tel 0131 200 2340
[Edinburgh City Council request email] www.edinburgh.gov.uk


Information Rights Officer 1, City of Edinburgh Council

Ms Gabby Dunne

[1][FOI #497594 email]

Our ref: 19741

Dear Ms Dunne

 

Freedom of Information (Scotland) Act 2002 - Release of Information

Subject: Service providers and PII

Thank you for your request for information of 16/07/2018. Your request has
been processed and considered under the Freedom of Information (Scotland)
Act 2002 and the information is provided below. Please accept my apologies
for the delay in responding to your request.

You asked the following:

Q1. Do you use an external IT service provider/Managed Service Provider
(MSP)?

A1. Yes

Q2. Does your provider/MSP serve as a processor of your Personally
Identifiable Information (PII)?

A2. Yes

Q3. Does your contract/Service Level Agreement (SLA) with the provider(s)
have clear provisions for the allocation of responsibilities in the event
of a data breach?

Yes. We do have a CGI / Council ICT Security Incident Handling procedure
with SLAs aligned to Service SLAs. Dependent on the nature and scale of
any breach, handling would be done in accordance with our prescribed
levels if it involved a breach of electronic systems.

Q4. Have you revisited your original contract(s) to ensure compliance with
the General Data Protection Regulation (GDPR)?

A4. Yes.  As part of the preparations for GDPR, the CGI contract was
reviewed and clauses updated to reflect GDPR responsibilities. 

Q5. Does the contract/SLA define the time frame in which a security breach
at the provider must be reported to you?

A5. As per point 3. The Council’s standard terms and conditions do not
stipulate a timeframe but states as soon as reasonably practicable.

Q6. Do you have policies in place for privileged account management?

A6. Yes

Q7. Has your service provider/MSP suffered a data breach involving your
organisation’s PII in the last 12 months?

A7. There is no record of CGI reporting a data breach by them involving
CEC data in the last 12 months.

Q8. If yes, how long did it take for them to notify you?
- <30 minutes
- 31 mins – 1 day
- 1 – 2 days
- 2 – 3 days
- More than 3 days

A9. Not Applicable

To promote transparency and accountability, please note it is the
Council’s policy to publish all request details and responses made under
the freedom of information legislation. This information will be made
available through the Council’s website and will not include your personal
details. The disclosure log is available at the following link:
[2]http://www.edinburgh.gov.uk/homepage/175...

Your right to seek a review

If you are unhappy with the way we have dealt with your request, you can
ask us to review our actions and decisions by writing to the:

Head of Strategy & Insight

The City of Edinburgh Council

Waverley Court Business Centre 2:1

4, East Market Street

Edinburgh

EH8 8BG or,

Email: [3][email address]  

Please note that your request must be in a recordable format (email,
letter, audio tape etc.), and that you have 40 working days upon receipt
of this letter to ask for a review. You will receive a full response to
your review request within 20 working days of its receipt. Please quote
the reference number above in any future communications.

If you are not content with the outcome of the review, you can ask the
Scottish Information Commissioner to review our decision. You must submit
your complaint to the Commissioner within 6 months of receiving our review
response. The Commissioner can be contacted at:

The Office of the Scottish Information Commissioner

Kinburn Castle

Doubledykes Road

St Andrews

Fife

KY16 9DS

Telephone: 01334 464610

Fax: 01334 464611

Website: [4]www.itspublicknowledge.info/Appeal

Email: [5][email address]

 

Yours sincerely,

 

 

Mark Hepworth

Information Rights Officer

 

 

Information Governance Unit

Level 2:1, Waverley Court, Edinburgh EH8 8BG Tel 0131 200 2340

[6][Edinburgh City Council request email]   [7]www.edinburgh.gov.uk

References

Visible links
1. mailto:[FOI #497594 email]
2. http://www.edinburgh.gov.uk/homepage/175...
3. mailto:[email address]
4. http://www.itspublicknowledge.info/Appeal
5. mailto:[email address]
6. mailto:[Edinburgh City Council request email]
7. http://www.edinburgh.gov.uk/