The Risk Registers for the iVPD/VPD

SJA Grove made this Freedom of Information request to Police Scotland.

The request was refused by Police Scotland.

Dear Police Scotland,

Background

Major information technology (IT) projects often run under specific Project Management protocols, for example PRINCE2. It is almost inconceivable that a project of the scale of the Vulnerable Persons Database [now known as the interim Vulnerable Persons Database (iVPD)] would not have been introduced under PRINCE2 or a similar project management system that uses a Risk Register.

The Risk Register of a project is a version-controlled document that identifies major threats and opportunities from implementing the Project. Under PRINCE2 the Risk Register is the responsibility of the Project Manager but it is Project Support that will maintain it.

It is now beyond all doubt that metaphorically there is “something rotten in the state of Denmark” with respect to the VPD/iVPD.

FOISA 2002 Requests

Will Police Scotland provide the Risk Register that was in operation on 1 NOVEMBER 2018?
Will Police Scotland provide the Risk Register that was in operation on 1 NOVEMBER 2019?
Will Police Scotland provide the Risk Register that was in operation on the date of this FOISA 2002 request (i.e. 2 OCTOBER 2020)?

Yours faithfully,

SJA Grove

Police Scotland

1 Attachment

Please accept this message as confirmation that your request has been
received by Police Scotland and will be dealt with under the terms of the
Freedom of Information (Scotland) Act 2002.

Please note, this mailbox is FOI request only.
Further details are below if you wish to request personal information,
road traffic incident or crime reports, or other non-FOI related
enquiries.

Requesting personal information held by Police Scotland
Applications must be made under GDPR/Data Protection Act 2018. Please
follow this link -
[1]http://www.scotland.police.uk/access-to-...

Road traffic incident or crime report relating to property which has been
damaged and/or stolen
Please click on this link -
[2]http://www.scotland.police.uk/about-us/f....

Non FOI related queries
Please phone 101 or refer to this link -
[3]http://www.scotland.police.uk/contact-us

Kind regards

FOI Team
Police Scotland

References

Visible links
1. http://www.scotland.police.uk/access-to-...
2. http://www.scotland.police.uk/about-us/f...
3. http://www.scotland.police.uk/contact-us

FOI Glasgow, Police Scotland

OFFICIAL

Good Morning

In order to progress your information request,  I would be obliged if you
could provide me with some clarification.  Can you advise if you are
requesting the Risk Register for the project to implement iVPD or the risk
register for the iVPD system?

Once I have received your clarification your request will be considered
and an appropriate response provided within the statutory timescale of 20
working days as defined by the Act.  The 20 working days will commence
upon receipt of the additional information requested from you.  If,
however, the additional information requested has not been received by 17
November 2020, I shall assume that you no longer wish to proceed with this
request and will treat it as withdrawn.

Kind Regards

Information Management
Police Scotland
2 French Street
Dalmarnock
Glasgow
G40 4EH

Dear FOI Glasgow,

Police Scotland are thanked for the clarification; it was unclear to the FOISA 2002 requester that there would be more than one risk register.
All risk registers are requested; however, it is understood that commercially sensitive information relating to IT systems/software will be redacted. The specific Risk Registers requested are those relating to Data Protection matters specific to the General Data Protection Regulations (GDPRs), The Data Protection Act 2018, Memoranda of Understanding (between Police Scotland and other organisations) and the transfer of erroneous and libellous information from the iVPD/VPD from Police Scotland as the "Data Controller" to other organisations that process this data ("Data Processors") that include, but are not limited to, Local Authority Social Work Departments, the Crown Office & Procurator Fiscal Service and Children's Reporters.

Yours sincerely,

SJA Grove

FOI Glasgow, Police Scotland

1 Attachment

OFFICIAL

Good Afternoon

Please find attached the Service response to your request

Kind Regards
Information Management
Police Scotland, Clyde Gateway
2 French Street
Dalmarnock
Glasgow
G40 4EH

Dear FOI Glasgow,

Police Scotland are thanked for their candour in this response.

[extraneous material removed]

Yours sincerely,

SJA Grove

Dear Police Scotland,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Police Scotland's handling of my FOI request 'The Risk Registers for the iVPD/VPD'.

The recently released Data Protection Impact Assessment (DPIA) released by Police Scotland in response to the FOISA 2002 request number FOI 20-1959 states the following at Q38 on page 32:

The system is governed by the Information Asset
Owner Board chaired at Force Executive level within
Police Scotland. This board is responsible for decision
making and governance of iVPD. In addition a Risk
Register is compiled by this board which feeds into the
Corporate and Portfolio Risk Registers.

The Section 17(1) exemption can no longer apply.
Please release all of the Risk Registers into the public domain.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/t...

Yours faithfully,

SJA Grove

Police Scotland

1 Attachment

Internal review of Freedom of Information request The Risk Registers for the iVPD VPD.txt

Please accept this message as confirmation that your request has been
received by Police Scotland and will be dealt with under the terms of the
Freedom of Information (Scotland) Act 2002.

Kind regards

FOI Team
Police Scotland

FOI Glasgow, Police Scotland

OFFICIAL

Good Afternoon

I refer to your request for a formal review of your information request
with reference number 20-1721.

The response was provided to you on 18 November 2020 and your request for
review was submitted on 24 January 2021.  In this instance Police Scotland
are unable to progress this review request as it was received after the
statutory 40 working day period, provided under the legislation, had
expired.

Kind Regards

Information Management
Police Scotland
2 French Street
Dalmarnock
Glasgow
G40 4EH

Dear FOI Glasgow,

Police Scotland are thanked for the response. Given that Police Scotland gave a Section 17(1) response to the initial FOISA 2002 it was decided not to submit an Internal Review and accept Police Scotland's word that there was no Risk Register for the iVPD.

The submission of the Internal Review after the statutory time period of 40 days was done to give Police Scotland the opportunity to be open, honest and transparent with respect to the situation with the iVPD Risk Register(s).

The release of the Data Protection Impact Assessment (DPIA) (that was signed off by ACC Gillian MacDonald on 11 October 2018 and Information Governance on 12 October 2018) suggests that there should be a Risk Register. Either senior management of Police Scotland have not performed the tasks that are listed in the DPIA or else the Section 17(1) exemption is not valid.

The data sharing of Special Category (SC) and likely “sensitive data” (as defined by Data Protection Act 2018) with Local Authority Councils, the likely failures of Police Scotland to reveal exculpatory evidence on the iVPD to the COPFS, the “weeding” of potential exculpatory evidence, the financial costs of “weeding” the large volume of iVPD records and the secrecy with which Police Scotland sources information that is recorded on the iVPD [and hiding the source and therefore breaching the transparency principle of the DPA 2018 and preventing Data Subjects from enacting their GDPR Article 15(1)(g) rights] are extremely serious matters.

It may be that the legal issues around the iVPD are so serious that were there to be a Risk Register then Police Scotland would not want this document in the public domain. This request therefore has to be closed as a refusal under the circumstances with the knowledge of the iVPD DPIA requirements for Risk Registers in the public domain.

Yours sincerely,

SJA Grove