Collecting the Licence Fee

The request was partially successful.

Dear British Broadcasting Corporation,

This is a freedom of information request lodged under the Freedom of Information Act 2000.

Television Licence Fee Trust Statement for year ending 31 March 2016 has the following:

"The information security management system has now been used by over 40 organisations working directly and indirectly for the BBC to collect the Licence Fee."

Please fully disclose and publish complete and accurate information about:

"The information security management system used . . . to collect the Licence Fee"

and

"The . . . over 40 organisatons working directly and indirectly for the BBC to collect the Licence Fee" which have used the information security management system.

Yours faithfully,

Mr Hillas

FOI Enquiries, British Broadcasting Corporation

Dear Mr Hillas,

Thank you for your request for information under the Freedom of Information Act 2000. Your request was received on 21 November 2016. We will deal with your request as promptly as possible, and at the latest within 20 working days.

If you have any queries about your request, please contact us at the above address.

The reference number for your request is RFI20162218.

Yours sincerely

Information Rights, BBC Legal
BC2A4, Broadcast Centre
201 Wood Lane, London W12 7TP

show quoted sections

Dear British Broadcasting Corporation,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of British Broadcasting Corporation's handling of my FOI request 'Collecting the Licence Fee'.

Response is long overdue and neither information nor explanation has been offered as to the progress of the request which has been lodged. As far as this requestor is concerned the BBC have not complied with S16 duty to provide advice and assistance.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/c...

Yours faithfully,

Mr Hillas

FOI Enquiries, British Broadcasting Corporation

Dear Mr Hillas

We have received your request for an internal review on 11th January 2017

We will deal with the review as promptly as possible and will endeavour to do so within 20 working days in accordance with the Information Commissioner’s guidance, although in some instances reviews may take longer. If you have any queries, please contact us at the address below.

The reference number for your internal review is IR2017001.

Yours sincerely

The Information Policy and Compliance Team

BBC Information Policy and Compliance
BC2A4, Broadcast Centre
201 Wood Lane
London W12 7TP, UK

Website: www.bbc.co.uk/foi
Email: mailto:[BBC request email]
Tel: 020 8008 2882

show quoted sections

Peter Jones left an annotation ()

Might the first point is a bit vague? As you know, they'll use any excuse to refuse disclosure. Maybe you'd have more luck asking for the names of the 40 organisations with access to the information management system.

Mr Hillas left an annotation ()

Hi Peter
The names of the 40+ organisations is asked for in the request.
If they want clarification, all they have to do is ask. They've had plenty of time do ask by now, haven't they? Failing to inform a requestor of delay or request progress update is a breach, apart from being very rude.

FOI Enquiries, British Broadcasting Corporation

2 Attachments

Dear Mr Hillas,

 

Please find attached the BBC’s internal review decision concerning your
freedom of information request [IR2017001/ RFI20162218]. 

 

Kind regards,

 

BBC Information Rights

BC2 A4, Broadcast Centre

201 Wood Lane

London W12 7TP

 

Website: [1]www.bbc.co.uk/foi

Email: [2][BBC request email]

 

[3]Description: Description: \\BBCFS2025\UserData$\myrien01\Documents\My
Pictures\BBC.png

 

 

 

show quoted sections

References

Visible links
1. http://www.bbc.co.uk/foi
2. mailto:[BBC request email]
4. http://www.bbc.co.uk/

FOI Enquiries, British Broadcasting Corporation

3 Attachments

Dear Mr Hillas,

                                                     

Please find attached the response to your request for information,
reference RFI20162218.

 

Yours sincerely

 

BBC Information Policy and Compliance

Room BC2 A4

Broadcast Centre

White City

London

W12 7TS

UK

 

Website: [1]www.bbc.co.uk/foi

Email: [2]mailto:[BBC request email]

 

[3]Description: Description: \\BBCFS2025\UserData$\myrien01\Documents\My
Pictures\BBC.png

 

 

show quoted sections

References

Visible links
1. file:///tmp/www.bbc.co.uk/foi
2. mailto:[BBC request email]
4. http://www.bbc.co.uk/

Janik2 left an annotation ()

One of the original requests was

" 1. "The information security management system used . . . to collect the Licence Fee" "

The refusal to answer suggests weak and inadequate security. Lawful replies, ignoring the BBC waffle and concealment of potentially poor procedures, might have included

(A) Our database system stores personal data in a highly encrypted format which, when extracted from the database, is decoded not on the server but on the individual workstation viewing that data subject to the user's individual security credentials contained on the inserted security smart card.

(B) Mindful of the main sources of hackers and attackers, the Internet gateway access to the network hosting the secure database has several firewalls which block IP addresses (both IPv6 and IPv4) from the major culprits including Russia and China. Additionally traffic from faraway places such as India, South America, Africa is automatically blocked on the basis those locations have no legitimate reason in attempting to access our network.

(C) To increase security we have, or we will, block all IP addresses generally allowing access only by exception from known static IP addresses which have a pre-approved reason to access our network.

(D) We block all Internet Protocols and all ports except for those pre-approved solely for the purpose of accessing our database.

(E) On workstations connected to our database network, we have no Internet browsers. Users are prohibited from using computers on our database network for all personal activities without exception. Anyone breeching our security policy will be immediately suspended prior to dismissal proceedings for gross misconduct.

(F) We review our database security every 2 weeks using staff comments and suggestions. We also run several open-source (safer than closed-source) monitoring systems.

(G) We liaise with GCHQ's computer security group.

(H) On our Linux systems we use SELINUX which was invented by the USA's National Security Agency.

(I) There are no USB connections on our workstations. This prevents any person removing data or inserting data, including viruses etc., into our systems and network.

(J) Contractors, Consultants and Agency Staff are not permitted access to our database system.

(K) We do not share or transfer our data outside the shores of mainland United Kingdom, thus no Northern Ireland, IoM or Channel Islands.

(L) Without exception, we do not share the data on our database with any other organisation.

In reality the security will be defective. Spread to 40 organisations, each with their own staff flows and lack of reliable confidence inspiring checks on their staff backgrounds, and with no efficient supervision of anything by anyone, no one can be confident their person data has not been unlawfully viewed or even "exported". Security is always weakened when access is shared by multiple commercial organisations. It is, in my opinion, a badly designed project - but just remember Capita's long history of computer incompetence and the vast amounts of public money poured down the drains.

This is definitively not how I would organise things.