RFI 1234892 – Extracts from emails relevant to ICO Follow-up audit information
Information disclosed by H&F
• We got IT to search for any emails and email attachments that were sent between 08 March 2018 - 23 March 2018 and which
contained “ICO Audit”.
• We reviewed the email search results and extracted information to do with the ICO’s follow-up audit report sent to H&F on 08 March
2018. The extracted information is included in this document below.
o We’ve used ‘….’ to indicate where we’ve left out irrelevant information from emails.
o We’ve used ‘========’ to indicate where there are several emails within one email chain.
o We’ve used ‘________’ to indicate where one email chain ends and a new one starts.
o We’ve used ‘[H&F Officer(s)]/[RBKC Officer(s)]’ to indicate where we’ve redacted junior officers’ personal data.
• We’ve redacted the names and contact details of junior officers (those below Head of Service level) as the FOIA s.40 (Personal Data)
exemption applies to this information. Their names and contact details are their personal data. They wouldn’t expect us to make their
personal data public in this situation. If we did make it public this would be unfair and would breach Principle 1 (Fair and Lawful) of the
Data Protection Act 1998.
• We’ve also attached redacted copies of the ICO’s follow-up audit report and H&F’s remediation plan to our response to your RFI.
Extracts from emails and email attachments:
From: [H&F Officer(s)]
Sent: 08 March 2018 18:04
To: Shimidzu Ciara: H&F <xxxxx.xxxxxxxx@xxxx.xxx.xx>; Barella Veronica: H&F <xxxxxxxx.xxxxxxx@xxxx.xxx.xx>
Cc: [H&F Officer(s)]
Subject: RE: SIRO engagement with IM
Notes from meeting
….
2. ICO Audit: Follow-up report received
ACTION: H&F have received the ICO audit report, [H&F Officer(s)] will circulate to key stakeholders and CS will then forward on to
Chief Exec
….
From: [H&F Officer(s)]
Sent: 09 March 2018 11:31
To: Thomas Sarah: H&F <xxxxx.xxxxxx@xxxx.xxx.xx>; Barella Veronica: H&F <xxxxxxxx.xxxxxxx@xxxx.xxx.xx>
Cc: Shimidzu Ciara: H&F <xxxxx.xxxxxxxx@xxxx.xxx.xx>; [H&F Officer(s)]
Subject: RE: FSS and Information Risk
… greater current scrutiny of H&F’s Data Protection and Information Security practices by the Information Commissioner’s Office
(ICO) through:
• the recent ICO Follow-up review and report on H&F’s progress with agreed ICO audit recommendations to improve H&F’s data
protection practices. Details published on
H&F’s ICO Audit intranet page.
…
o H&F was due to participate in a follow-up review of progress on the ICO audit recommendations and it would not be
appropriate for the ICO to take formal action before that process is complete.
On 9 Mar 2018 3:43 pm, [H&F Officer(s)] wrote:
Hi David and [H&F Officer(s)],
In case of help, I’ve attached the remediation plan that was sent to the ICO as part of the follow-up review process as this provides more
detail on how H&F plans to ‘catch-up’ on those recommendations that are past the implementation dates.
=======
From: Hughes, David: CP: RBKC
Sent: 09 March 2018 10:07
To: [H&F Officer(s)]; Shimidzu Ciara: H&F <xxxxx.xxxxxxxx@xxxx.xxx.xx>;
Cc: [H&F Officer(s)]
Subject: RE: ICO Audit for LB Hammersmith and Fulham - 9 month follow-up report
Thanks [H&F Officer(s)] and [H&F Officer(s)], [H&F Officer(s)] and I will take account of this review in forming the annual opinion.
=======
From: [H&F Officer(s)]
Sent: 09 March 2018 10:06
To: [H&F Officer(s)]; Shimidzu Ciara: H&F <xxxxx.xxxxxxxx@xxxx.xxx.xx>; Hughes, David: CP: RBKC <xxxxx.xxxxxx@xxxx.xxx.xx>
Cc: [H&F Officer(s)]
Subject: RE: ICO Audit for LB Hammersmith and Fulham - 9 month follow-up report
…many thanks for your hard work and the team input into this. David will probably require some time to intelligently appraise the outcomes
and findings of the ICO’s follow-up report in his considerations as the Head of Internal Audit. I have copied David in as the review is an
independent and external form of assurance.
=======
From: [H&F Officer(s)]
Sent: 08 March 2018 19:28
To: Shimidzu Ciara: H&F <xxxxx.xxxxxxxx@xxxx.xxx.xx>; [H&F Officer(s)]
Subject: FW: ICO Audit for LB Hammersmith and Fulham - 9 month follow-up report
Ciara – Copy of follow-up report and H&F’s 9 month progress tracker have been uploaded to the H&F ICO Audit intranet page, under ‘Audit
Documents’: https://officesharedservice.sharepoint.com/sites/intranet/hf-corporateservices/informationmanagement/Pages/ICO_Audit.aspx
=======
From: [H&F Officer(s)]
Sent: 08 March 2018 19:02
To: McNamara Dave: H&F <xxxxx.xxxxxxxx@xxxx.xxx.xx>; Stuart Ann: H&F <xxx.xxxxxx@xxxx.xxx.xx>; Barella Veronica: H&F
<xxxxxxxx.xxxxxxx@xxxx.xxx.xx>; [H&F Officer(s)]; Filus James: H&F <xxxxx.xxxxx@xxxx.xxx.xx>; Black Belinda: H&F
<xxxxxxx.xxxxx@xxxx.xxx.xx>
Subject: FW: ICO Audit for LB Hammersmith and Fulham - 9 month follow-up report
Dear All,
Please find attached a copy of the ICO’s 9 month follow-up report.
The ICO recognise that H&F has made some progress but not as much as we had originally planned by this date. They acknowledge that
we have a remediation plan in place (which ties in with the GDPR readiness project) and they advise H&F to continue our progress with the
outstanding actions to the revised implementation dates.
Please all continue to progress the actions sitting with yourselves/your teams and provide me with an update on progress by the 12 month
progress update (4th May).
I’ll publish a copy of the Follow-up report on the H&F ICO Audit intranet page.
From: [H&F Officer(s)]
Sent: 08 March 2018 21:01
To: [H&F Officer(s)]
Cc: [H&F Officer(s)]
Subject: Re: FW: ICO Audit for LB Hammersmith and Fulham - 9 month follow-up report
… I won't be able to complete one thing which is the local SAR policy.
…
However, I can confirm that the indexing project was approved at SLT this week and I will also be presenting the paper at member briefing
on 20th March so that hopefully we can get funding approved for the project.
From: [H&F Officer(s)]
Sent: 09 March 2018 10:05
To: Stuart Ann: H&F <xxx.xxxxxx@xxxx.xxx.xx>; Barella Veronica: H&F <xxxxxxxx.xxxxxxx@xxxx.xxx.xx>; Redfern Lisa: H&F
<xxxx.xxxxxxx@xxxx.xxx.xx>; Shimidzu Ciara: H&F <xxxxx.xxxxxxxx@xxxx.xxx.xx>
Cc: [H&F Officer(s)]; Information Management <xxxxxxxxxxxxxxxxxxxxx@xxxx.xxx.xx>; [H&F Officer(s)]; Whittingham Viv: H&F
<xxx.xxxxxxxxxxx@xxxx.xxx.xx>; [H&F Officer(s)]
Subject: RE: OFFICIAL-SENSITIVE: I453 - DP breach/IS Incident (Email disclosure to unauthorised individual): ICO Response[Ref.
COM0718683]
…
The ICO will not be taking enforcement action against H&F, in relation to this breach, at this time.
• They refer to the fact that the ICO will complete a follow-up of H&F’s progress on ICO Audit recommendations in March 2018.
• …
The particular actions they recommend H&F implement are captured in the table below. I’ve assigned owners and included dates.
Please keep IMT updated on progress with actions.:
Action Details: LBHF should continue to engage with the ICO in relation to its upcoming follow-up audit.
Implementation Date: Mar-18
Owner - Lead Officer: [H&F Officer(s)]
Owner - Dept: FCS
Owner - Service Area: Information & Strategy - Information Management Team
Owner - IAO: Veronica Barella (SIRO)
Status (Not Started (RED) / In Progress (AMBER) / Complete (GREEN)): Complete
Notes: All - I spoke to the lead auditor earlier this week and the ICO issued the ICO audit follow-up report yesterday so this item is
closed. H&F will need to continue with implementing the outstanding recommendations from the ICO audit report. Details of the ICO
audit and copies of the relevant documents are on the intranet ICO Audit page.
…
From: [H&F Officer(s)]
Sent: 09 March 2018 10:23
To: McNamara Dave: H&F <xxxxx.xxxxxxxx@xxxx.xxx.xx>; Miley Steve: H&F <xxxxx.xxxxx@xxxx.xxx.xx>; Barella Veronica: H&F
<xxxxxxxx.xxxxxxx@xxxx.xxx.xx>; Shimidzu Ciara: H&F <xxxxx.xxxxxxxx@xxxx.xxx.xx>
Cc: Maarouf Redouan: H&F <xxxxxxx.xxxxxxx@xxxx.xxx.xx>; [H&F Officer(s)]
Subject: OFFICIAL-SENSITIVE: I462 - Data protection Breach (Miss-sent information): ICO Response [Ref. COM0702339]
[Relevant email content as per email above: ‘RE: OFFICIAL-SENSITIVE: I453 - DP breach/IS Incident (Email disclosure to unauthorised
individual): ICO Response[Ref. COM0718683]’]
Attachment to email
From: Shimidzu Ciara: H&F
Sent: 20 March 2018 09:00
To: [H&F Officer(s)]
Subject: GDPR and schools
Attachment: 180313 Feb-18 Highlight Report – SLT Appendx No2 v2
Extract from Attachment:
…
Dependencies
ICO Audit
The ICO have accepted H&F’s remediation plan to address the delays in the agreed ICO Audit action plan. The remediation plan agreed
with the SIRO, Caldicott Guardians and Chief Executive was to ensure H&F completed all the deliverables for the GDPR Readiness Project
on time as most of the audit actions replicated those on the GDPR Readiness Project Plan. However, they are still expecting H&F to
complete those that do not fall within this project, for example ChS to correct errors with historical indexing for offsite archived Looked After
Children (LAC) files.
…