Zero data loss of EPC information

The request was partially successful.

Dear Department for Communities and Local Government,

I write to request further information concerning the award and the contract for handling Energy Performance Certificates and other Energy Documents to Landmark Information Group, following the publication of Decision Notice FS50309543 of 21 June 2011.
The assertions made by DCLG justifying that certain portions of the contract amounted to a trade secret has raised additional questions.

In particular, Paragraph 41 of the Notice includes:[1]

"c) An important reservation expressed by Landmark regarding disclosure of the software and hardware solution is that if disclosed, a competitor or any skilled computer hacker, would be provided with invaluable knowledge giving them a head start in breaking the system. Disclosure of the software used would therefore jeopardise the security of the system.

"d) One of DCLG's most stringent requirements was for the solution to provide 'zero data loss' capability. Landmark's solution is a unique and very cost-effective way of providing a combination of specific hardware and software, network and physical site configuration development. None of Landmark's competitors offered the same solution. Its disclosure would not only potentially bring about economic harm to the company, it would also potentially devalue one of the unique features that enabled it to win the contract in the first place and jeopardise the security fo the register in a manner that would threaten the viability of the entire register."

Now, the consequence of such hacking would -- presumably -- result in non-zero data loss. In fact, these assertions make plain that the Department is aware of, though has not reconsidered its belief in, the well-known fallacy of security through obscurity.[2]

I have reread the Landmark 2006 and 2008 contracts[3] in light of the importance placed by the DCLG on the 'zero data loss' capability in terms of selecting its supplier, and they appear to contain nothing exceptional in relation to this requirement.

In particular, Clause 4.2 (Back-up & recovery) Schedule 2 (Service specification), states:[4]

"There are no special considerations for back-up and recoverability of the Home Condition Report Register over and above the normal requirements for protecting the data."

Owing to the questions that this response to the Information Commissioner raises, I am making the following request for information to qualify the requirement of 'zero data loss' and to provide the necessary information to future potential suppliers to the DCLG who will need to take account of mistaken technical assumptions about data security that could be exploited by current suppliers for unfair advantage.

Please may I be sent:

1) A copy of the pre qualification questionaire issued by DCLG on 20 March 2006 mentioned in <Whereas A> of the 2006 contract.[5]

2)
(a) A copy of the Invitation to Submit Outline Proposals issued on 3 May 2006 mentioned in <Whereas B>,
(b) the number of Operators these were submitted to,
(c) a copy of the Outline Proposal submitted by Landmark.

3)
(a) A copy of the Invitation to Submit Best and Final Offers issued on 4 August 2006 mentioned in <Whereas C>,
(b) the number of potential service suppliers these were sent to,
(c) a copy of the Best and Final Offer submitted by Landmark.

4) A copy of the notice to OJEU issued by DCLG on 15 June 2007 mentioned in <Whereas A> of the 2008 contract.[6]

5)
(a) A copy of the Invitation to Submit Outline Proposals issued on 17 August 2007 mentioned in <Whereas B>,
(b) the number of operators these were sent to,
(c) a copy of the Outline Proposal submitted by Landmark

6)
(a) A copy of second the Invitation to Submit Outline Proposals issued on 21 September 2007 mentioned in <Whereas C>,
(b) the number of operators these were sent to,
(c) a copy of the second Outline Proposal submitted by Landmark.

7)
(a) A copy of the Invitation to Submit Best and Final Offers issued on 14 December 2007 mentioned in <Whereas D>,
(b) the number of potential service providers these were submitted to,
(c) a copy of the best and final offer submitted by Landmark.

And finally,

8) Whether DCLG or another third party entirely independent of Landmark that reports to the government is contracted to receive a fully up to date copy of the Energy Documents data which it can independently verify is complete.

[1] http://scraperwiki.com/cropper/u/page_9/...

[2] http://en.wikipedia.org/wiki/Security_th...

[3] http://www.whatdotheyknow.com/request/co...

[4] http://scraperwiki.com/cropper/u/page_54...

[5] http://scraperwiki.com/cropper/u/page_6/...

[6] http://scraperwiki.com/cropper/u/page_6/...

Yours faithfully,

Julian Todd

Raphael Smith,

Dear Mr Todd
 
FOI Ref No: F0004984
 
Thank you for your e-mail of 17 July, 2011 requesting further information
concerning the award and the contract for handling Energy Performance
Certificates and other Energy Documents to Landmark Information Group,
following the publication of Decision Notice FS50309543 of 21 June 2011.
Your request was received by the Department for Communities and Local
Government on 18 July.

I am considering your request under the Freedom of Information Act 2000
and you should expect to receive a reply by 16 August, 2011. In some
circumstances a fee may be chargeable. If that is the case, I will let you
know the likely charges before proceeding.

If you have any queries regarding this letter, please contact me. Remember
to quote the reference number above in any future communications. Our
Access to Information leaflet on our website at:
[1]http://www.communities.gov.uk/documents/...
explains how the Department handles formal requests for information. I
hope you will find it useful.

Yours sincerely
 
Raphael Smith
EPBD Operations
Department for Communities and Local Government
Zone 5/H9
Eland House
Bressenden Place
London
SW1E 5DU 

__________________________________________________________________________________________

From: Julian Todd [[2]mailto:[FOI #80293 email]]
Sent: Sunday, July 17, 2011 10:22 AM
To: FoI Requests
Subject: Freedom of Information request - Zero data loss of EPC
information

Dear Department for Communities and Local Government,

I write to request further information concerning the award and the
contract for handling Energy Performance Certificates and other
Energy Documents to Landmark Information Group, following the
publication of Decision Notice FS50309543 of 21 June 2011.
The assertions made by DCLG justifying that certain portions of the
contract amounted to a trade secret has raised additional
questions.

In particular, Paragraph 41 of the Notice includes:[1]

"c) An important reservation expressed by Landmark regarding
disclosure of the software and hardware solution is that if
disclosed, a competitor or any skilled computer hacker, would be
provided with invaluable knowledge giving them a head start in
breaking the system. Disclosure of the software used would
therefore jeopardise the security of the system.

"d) One of DCLG's most stringent requirements was for the solution
to provide 'zero data loss' capability. Landmark's solution is a
unique and very cost-effective way of providing a combination of
specific hardware and software, network and physical site
configuration development. None of Landmark's competitors offered
the same solution. Its disclosure would not only potentially bring
about economic harm to the company, it would also potentially
devalue one of the unique features that enabled it to win the
contract in the first place and jeopardise the security fo the
register in a manner that would threaten the viability of the
entire register."

Now, the consequence of such hacking would -- presumably -- result
in non-zero data loss. In fact, these assertions make plain that
the Department is aware of, though has not reconsidered its belief
in, the well-known fallacy of security through obscurity.[2]

I have reread the Landmark 2006 and 2008 contracts[3] in light of
the importance placed by the DCLG on the 'zero data loss'
capability in terms of selecting its supplier, and they appear to
contain nothing exceptional in relation to this requirement.

In particular, Clause 4.2 (Back-up & recovery) Schedule 2 (Service
specification), states:[4]

"There are no special considerations for back-up and recoverability
of the Home Condition Report Register over and above the normal
requirements for protecting the data."

Owing to the questions that this response to the Information
Commissioner raises, I am making the following request for
information to qualify the requirement of 'zero data loss' and to
provide the necessary information to future potential suppliers to
the DCLG who will need to take account of mistaken technical
assumptions about data security that could be exploited by current
suppliers for unfair advantage.

Please may I be sent:

1) A copy of the pre qualification questionaire issued by DCLG on
20 March 2006 mentioned in <Whereas A> of the 2006 contract.[5]

2)
(a) A copy of the Invitation to Submit Outline Proposals issued on
3 May 2006 mentioned in <Whereas B>,
(b) the number of Operators these were submitted to,
(c) a copy of the Outline Proposal submitted by Landmark.

3)
(a) A copy of the Invitation to Submit Best and Final Offers
issued on 4 August 2006 mentioned in <Whereas C>,
(b) the number of potential service suppliers these were sent to,
(c) a copy of the Best and Final Offer submitted by Landmark.

4) A copy of the notice to OJEU issued by DCLG on 15 June 2007
mentioned in <Whereas A> of the 2008 contract.[6]

5)
(a) A copy of the Invitation to Submit Outline Proposals issued on
17 August 2007 mentioned in <Whereas B>,
(b) the number of operators these were sent to,
(c) a copy of the Outline Proposal submitted by Landmark

6)
(a) A copy of second the Invitation to Submit Outline Proposals
issued on 21 September 2007 mentioned in <Whereas C>,
(b) the number of operators these were sent to,
(c) a copy of the second Outline Proposal submitted by Landmark.

7)
(a) A copy of the Invitation to Submit Best and Final Offers
issued on 14 December 2007 mentioned in <Whereas D>,
(b) the number of potential service providers these were submitted
to,
(c) a copy of the best and final offer submitted by Landmark.

And finally,

8) Whether DCLG or another third party entirely independent of
Landmark that reports to the government is contracted to receive a
fully up to date copy of the Energy Documents data which it can
independently verify is complete.

[1]

[3]http://scraperwiki.com/cropper/u/page_9/...

[2] [4]http://en.wikipedia.org/wiki/Security_th...

[3]

[5]http://www.whatdotheyknow.com/request/co...

[4]

[6]http://scraperwiki.com/cropper/u/page_54...

[5]

[7]http://scraperwiki.com/cropper/u/page_6/...

[6]

[8]http://scraperwiki.com/cropper/u/page_6/...

Yours faithfully,

Julian Todd

show quoted sections

Raphael Smith,

1 Attachment

Dear Mr Todd

I regret that we must extend the time limit for responding to your data
request by 20 working days, as there are, in my view, significant data
protection issues surrounding commercial interests and financial
information in the data as requested, which could result in contravention
of regulation 43(2) and 40(2) of the Freedom of Information Act 2000

In addition, it may not be possible to provide you with all of the
information because the cost of locating, retrieving and extracting all
the information relevant to your request would exceed £600 and we are not
obliged to provide information if the cost exceeds that limit.

For further details, please see my letter seeking an extension of time
attached
<<Extension Notice 16 August 2011_ .doc>>
kind regards

Raphael Smith
EPBD Operations
Department for Communities and Local Government
Zone 5/H9
Eland House
Bressenden Place
London
SW1E 5DU

show quoted sections

Raphael Smith,

1 Attachment

Dear Mr Todd

Please see my letter seeking a further extension of time attached
<<Further Extension Notice 12 Sept 2011_.doc>>
kind regards

Raphael Smith
EPBD Operations
Department for Communities and Local Government
Zone 5/H9
Eland House
Bressenden Place
London
SW1E 5DU

show quoted sections

Raphael Smith,

21 Attachments

Dear Mr Todd
 
FOI Ref No: F0004984
 
Thank you for your e-mail of 17 July, 2011 requesting information about
the procurement and award of the contract for establishing and maintaining
both the Domestic and Non-Domestic Register for Energy Performance
Certificates and other Documents to Landmark Information Group.
Please find attached:

 
i. Letter in response to your request under the FOI Act
  <<111006_Todd FOI - Zero Data loss of EPC info - Final reply+.pdf>>
ii. Table of the documents available with reference to each question
raised.
<<FOI request Todd Table of docs _110930_ _4_.pdf>>
Please note these documents are subject to the specific exemption under
section 43(2) of the FoI Act - prejudice to commercial interests, which
means some of the financial, system security and personal data remains
redacted.

<<Annex A (6 03 20 HCRRegisterPQQ)_.pdf>> <<Annex B1 (060602 06043
Invitation to express an interest).pdf>> <<Annex B2 (06043 HCR Register
ISOP Instr to suppliers 06 05 24 v2.0).pdf>> <<Annex B3 (060602 06043 ISOP
Evaluation Plan v1 0 Issued).pdf>> <<Annex B4 (060602 06043 HCR REGISTER
SOR 060503 V1 0).pdf>> <<Annex B5 (060602 06043 HCRR ISOP - draft contract
17th May).pdf>> <<Annex B6 (06043 HCR Register ISOP Questionnaire
v1.0).pdf>> <<Annex C1 (06043 HCR Register BAFO Instr to suppliers
2006-08-02 Final 2).pdf>> <<Annex C2 (06043 HCR Register BAFO
Questionnaire 2006-08-02 Final).pdf>> <<Annex C3 (06043 HCR Register -
BAFO Contract - draft 2006-07-04).pdf>> <<Annex C4 Financial Model
2006-08-03 example.pdf>> <<Annex C5 (Financial Model 2006-08-03
unprotected).pdf>> <<Annex C6 (Financial Model 2006-08-03).pdf>> <<Annex D
Copy of OJEU.pdf>> <<Annex E1 070817 Commercial Register ISOP
Questionnaire v1.0.pdf>> <<Annex E2 070816 Commercial Register SRS
v1.0.pdf>> <<Annex E3 (070817 EPC Commercial Register Contract -
v1.5).pdf>> <<Annex E4 070816 Financial Model illustrative example.pdf>>
<<Annex E5 070816 Financial Model unprotected.pdf>>  

kind regards
  
Raphael Smith
EPBD Operations
Department for Communities and Local Government
Zone 5/H9
Eland House
Bressenden Place
London
SW1E 5DU 

show quoted sections

Communications via the GSi may be automatically logged, monitored and/or
recorded for legal purposes.

Dear Raphael Smith,

I am writing to express my satisfaction with your attention to my FOI request for contracts relating to the procurement of the EPC database.

My interest in this issue primarily concerns the reuse (or lack thereof) of this potentially valuable database which now exists.

The Service Requirements Specification (Annex B4) therefore provides me with valuable insight in the form of footnote 7 on page 29, where the unnecessary existence of yet another Unique Property Reference Number database is explained as the consequence of "a licensing impass between Ordnance Survey and National Land & Property Gazetteer".

Once again, I am grateful for the attention you have given to this request.

Yours sincerely,

Julian Todd

Raphael Smith,

Thank you Mr Todd

Raphael

show quoted sections