Data Protection documentation for Virtual Courts Services

The request was refused by HM Courts and Tribunals Service.

Dear Her Majesty's Courts and Tribunals Service,

I would be grateful if you would provide me with the following information under the terms of the Freedom of Information Act 2000.

1 - A copy of all DPIA's completed for the HMCTS use of technologies in provision of 'virtual court' hearings; including Skype, Zoom and the Kinly Cloud Video Platform.

2 - A copy of the security risk assessment for the HMCTS use of technologies in provision of 'virtual court' hearings; including Skype, Zoom and the Kinly Cloud Video Platform.

3 - Details of the Data Controllers involved with the use of technologies in provision of 'virtual court' hearings; including Skype, Zoom and the Kinly Cloud Video Platform, including the legislation under which they are a Data Controller

4 - The designated Lead Data Controller for provision of 'virtual court' hearings.

5 - A list of all processors and notified sub-processors for the provision of 'virtual court' hearings; including Skype, Zoom and the Kinly Cloud Video Platform.

6 - A copy of the terms of service/contracts between HMCTS and the processors (financial data may be redacted if you wish) for provision of 'virtual court' hearings; including Skype, Zoom and the Kinly Cloud Video Platform.

Yours faithfully,

O Sayers

Disclosure Team, HM Courts and Tribunals Service

This is an automated confirmation that your email has been received by the
Disclosure Team (Ministry of Justice) mailbox.

 

Freedom of Information (FOI)

 

If your email is a FOI request you can expect a response within 20 working
days.

 

However, please be advised that due to the current situation with COVID-19
we may not be able to provide a response within this timescale; if this is
the case, we will contact you to provide an update.

 

Every effort is being made to respond to FOIs as usual but the current
situation means that available Departmental resources will be needed on
other high priority areas.

 

We kindly ask for your understanding during this unprecedented situation
and we will aim to deal with your FOI request as soon as is practically
possible.

 

Subject Access Requests (under the General Data Protection Regulation
((EU) 2016/679)) (the Regulation) and/or Data Protection Act 2018 (DPA))

 

If your email is a SAR, you can expect a response within 1 calendar month.

 

However, please be advised that due to the current situation with COVID-19
we may not be able to provide within this timescale; if this is the case,
we will contact you to provide an update.

 

Every effort is being made to respond to SARs as usual but the current
situation means that available Departmental resources will be needed on
other high priority areas.

 

We kindly ask for your understanding during this unprecedented situation
and we will aim to deal with your SAR as soon as is practically possible.

 

 

show quoted sections

Changeinfo, HM Courts and Tribunals Service

1 Attachment

Dear Sir / Madam

 

Please find attached response to your enquiry.

 

Regards

Strategy & Change Directorate Team

 

 

show quoted sections

Dear Sirs,

Freedom of Information Act (FOIA) Request – 200825006

Thank you for your response of 23rd inst. in which you confirm that all the information asked for is indeed held.

I am surprised that such a request should require the significant level of work you believe is necessary to reject the request on financial grounds.

However, as per your advice I would be satisfied at this time under THIS request if you fulfil it on the basis of the following modification:

Please fully respond to element 1 - '"A copy of all DPIA's completed for the HMCTS use of technologies in provision of 'virtual court' hearings; including Skype, Zoom and the Kinly Cloud Video Platform."

This information is of material public interest and should be contained in specific documents created under your obligation S.64 of the DPA 2018, It should not therefore incur significant cost for its delivery, or if you prefer, its publication.

The key aspects of element 3 (Details of the Data Controllers) and element 5 (list of all processors and notified sub-processors for the provision of 'virtual court' hearings) should already be contained within that DPIA report, and if so I shall be happy to consider those elements fulfilled without further work by the MOJ.

For element 6 I will be content to clarify that a simple confirmation if the MoJ has used the standard Cloud Service Provider terms of service for the cloud processing, or if special terms have been agreed will suffice at present.

The remaining elements (2 & 4) I am happy at this time to withdraw, but may make a separate submission under suitable terms in future if this proves necessary to explore further.

I am sure that this significant reduction in scope will remove the financial barrier to completing the request and I look forward to receiving this material as soon as possible

Please note that I will not accept these being treated as a new FOI request - these are merely clarifications and reductions in detail as suggested by the MoJ in your response to the original request and should therefore be answered as quickly as you are able.

Yours sincerely,

O Sayers

Dear Sirs,

I note with some surprise that you appear - in your responses to two wholly different requests made by myself - to have responded in a single form and with a single reference (200825006) : both to the effect that the cost of responding to the request is too high.

I would like therefore to request that you internally examine your processes wrt to these requests and treat them as different matters.

The first relates specifically to information relating to the Virtual Courts services introduced by HMCTS during the COVID-19 pandemic.

The second relates specifically to information relating to the Common Platform Programme, led by HMCTS with involvement from Policing, CPS and other agencies and under development for several years to replace core existing systems.

It should be clear that each must be treated as unique requests since they relate to wholly different areas, different technologies and different participants and suppliers.
I would be grateful if :
a) you can confirm that you understand this to be the case and that your obligations to each are in fact separate and
b) if you still wish to apply the undue cost justification for refusal.

Yours sincerely,

O Sayers

Dear Her Majesty's Courts and Tribunals Service,

I would be grateful if you would provide an update on this request and your deliberations on fulfilling it.
It is now quite seriously overdue and I have not had confirmation since my clarification email that indicates if you shall be responding or not with the requested information.

Yours faithfully,

O Sayers

Disclosure Team, HM Courts and Tribunals Service

This is an automated confirmation that your email has been received by the
Disclosure Team (Ministry of Justice) mailbox.

 

Freedom of Information (FOI)

 

If your email is a FOI request you can expect a response within 20 working
days.

 

However, please be advised that due to the current situation with COVID-19
we may not be able to provide a response within this timescale; if this is
the case, we will contact you to provide an update.

 

Every effort is being made to respond to FOIs as usual but the current
situation means that available Departmental resources will be needed on
other high priority areas.

 

We kindly ask for your understanding during this unprecedented situation
and we will aim to deal with your FOI request as soon as is practically
possible.

 

Subject Access Requests (under the General Data Protection Regulation
((EU) 2016/679)) (the Regulation) and/or Data Protection Act 2018 (DPA))

 

If your email is a SAR, you can expect a response within 1 calendar month.

 

However, please be advised that due to the current situation with COVID-19
we may not be able to provide within this timescale; if this is the case,
we will contact you to provide an update.

 

Every effort is being made to respond to SARs as usual but the current
situation means that available Departmental resources will be needed on
other high priority areas.

 

We kindly ask for your understanding during this unprecedented situation
and we will aim to deal with your SAR as soon as is practically possible.

 

 

show quoted sections

Disclosure Team, HM Courts and Tribunals Service

Dear O Sayers,

Thank you for your email.

As you have clarified the request on 07 October 2020 the new statutory deadline for our response is 04 November 2020.

Kind Regards,

Disclosure Team, Information Services
Follow us on Twitter @MoJGovUK

show quoted sections

Dear Disclosure Team,

It does now appear - even with your clarification email that the effective date was 4th November that this is now overdue without update.

Please provide a full response or your reasoning for not responding by return.

Yours sincerely,

O Sayers

Disclosure Team, HM Courts and Tribunals Service

4 Attachments

 

Dear Sir/Madam,

 

Please find attached correspondence dated 4 November 2020

 

Yours sincerely,

 

 

 

[1]Ministry of Justice  

Disclosure Team, Information
Services

Communications and Information
Directorate

 

Find out more on [2]People
Finder

Follow us on Twitter
[3]@MoJGovUK
[4]Protecting and advancing the principles of justice

 

 

 

 

 

show quoted sections

Dear Her Majesty's Courts and Tribunals Service,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Her Majesty's Courts and Tribunals Service's handling of my FOI request 'Data Protection documentation for Virtual Courts Services'.

Please be aware that this request is associated to a separate request for review I submitted as detailed below and linked here: (https://www.whatdotheyknow.com/request/r...)

I am submitting this in copy to ensure that both of my original requests - which the MoJ elected to treat as one request - are properly and concurrently examined in the review process.

-------
Dear Changeinfo,

I have now reviewed the materials sent to me on 2nd December in response to my two FOI requests:

'Request for copies of Data Protection Impact Assessments' and 'Data Protection documentation for Virtual Courts Services' made on 25th August 2020 which you chose to bundle into a single request despite my repeated indications that this was inappropriate and unlikely to be able to meet the requests as tabled.

Unfortunately this appears now to have had the result which I raised concerns about and I am disappointed that some of the data I requested in these submissions (as amended and clarified in my letter of 24th September) has still not been provided, the answers provided do not fully align to the two requests correctly and the reasons for non-provision of some of the data remain to be made clear.

For these reasons I am now asking you to review the requests in their entirety and the responses provided to them and to specifically consider the following areas of omission and concern:

A - Virtual Courts Request
i) Element 1 :"A copy of all DPIA's completed for the HMCTS use of technologies in provision of 'virtual court' hearings; including Skype, Zoom and the Kinly Cloud Video Platform."
This information remains of material public interest and should be contained in specific documents created under your obligation S.64 of the DPA 2018.

No DPIA has been received relating to this service and it has been confirmed that the Virtual Courts Platform is not covered under the Common Platform DPIA response.
I would therefore still like to receive the DPIA created specifically for the HMCTS Virtual Courts progamme and services as requested in August 2020.

ii) Element 3 (Details of the Data Controllers) and Element 5 (list of all processors and notified sub-processors for the provision of 'virtual court' hearings) have not been provided.

These should be in the DPIA and since it is necessary to understand who the processors and sub-processors are to confirm that the service is being ioperated within the requirements of GDPR and DPA 2018 Part 3 I request that the failure to respond to this request and provide this information is reviewed.

iii) I am content that your confirmation to the effect that the MoJ has used the standard Cloud Service Provider terms of service for the cloud processing, fulfils the final (Element 6) of the request.

B - Common Platform Request
i) Element 1 -' A copy of all DPIA's completed for the HMCTS Common Platform Programme'

Some of the information presented in the provided document in your response does not meet the criteria and required statutory content of a DPIA under the terms of DPA 2018 Part 3 Section 64.
I would therefore be grateful if it could be confirmed that this is the limit of the available DPIA content requested and that no other valid DPIA documentation exists.

If other content or versions do exist but have been held back I would request that this is reviewed and copies of the relevant DPIA's are provided.

ii) I requested Element 3 (Details of the Data Controllers) , Element 5 (list of all processors and notified sub-processors for the provision of 'virtual court' hearings) and Element 4 ( designated Lead Data Controller for the Common Platform Programme), which should be contained within the DPIA.

Element 4 has been clarified - thank you - but the remainder of the information has not been provided (though it may be contained in the redacted sections of the provided 'Crime Programme DPIA').

I would be grateful if you review cand onsidereif there is a valid exemption applicable to support not providing this information since it is of fundamental importance and relevance in determining whether the legal obligations for the services once they in operation with live data have in fact been fully met.

This public interest in the transparency of the judicial process must, I feel, take precedence over any commercial concerns and unless the systems are of national security import (which at OFFICIAL they cannot be under the HMG Security Classification Policy) there is no clear justification not to supply that information.

iii) For element 6 (copy of the terms of service/contract between HMCTS and the processors) I am content with your confirmation to the effect that the MoJ has used standard Cloud Service Provider terms of service for cloud processing.

I would respectfully request that all the above information and my original requests are reviewed.
If after review you will still not provide this information, please provide the reasons for not doing so in order that I can escalate this to the ICO for their determination.

Yours sincerely,

O Sayers

-------------

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/d...

Yours faithfully,

O Sayers

Changeinfo, HM Courts and Tribunals Service

1 Attachment

Dear Sir/Madam

 

Please find attached response to your enquiry.

 

Regards

Strategy & Change Directorate Team

 

show quoted sections

Dear Sirs,

Thank you for your response.

I would like to clarify and correct your response as follows:

>>"On the 25 August 2020, we received your FOI request to answer six questions related to Common Platform and six questions relating to Virtual Court Hearings. This was refused under s12(1) as it exceeded the costs limit to obtain the information. We sent you a letter at the end of September setting this all out and asked you to refine your request"

This is incorrect.
On 25th August I made two separate requests - Request one relating to the Common Platform (titled "Request for copies of Data Protection Impact Sssessments" - please excuse the type on Assessments, though it functions well in this respect as a unique element of the request) and a second request [Request Two] sent under separate cover relating to Virtual Courts (titled "Data Protection documentation for Virtual Courts Services").

These are two quite distinct requests relating to quite different topics and areas of interest.
HMCTS/MOJ have internally combined these into a single request but this was incorrect and improper: the two systems, their governance and areas of delivery are quite distinct and each request should have been handled individually and answered individually. I wrote to you on 24th September to identify this but received no response:

I also submitted a second email to you on the same day (24th September) asking that you do NOT link the two requests:
'I note with some surprise that you appear - in your responses to two wholly different requests made by myself - to have responded in a single form and with a single reference (200825006) : both to the effect that the cost of responding to the request is too high.
I would like therefore to request that you internally examine your processes wrt to these requests and treat them as different matters.

The first relates specifically to information relating to the Virtual Courts services introduced by HMCTS during the COVID-19 pandemic.

The second relates specifically to information relating to the Common Platform Programme, led by HMCTS with involvement from Policing, CPS and other agencies and under development for several years to replace core existing systems.

It should be clear that each must be treated as unique requests since they relate to wholly different areas, different technologies and different participants and suppliers.
I would be grateful if :
a) you can confirm that you understand this to be the case and that your obligations to each are in fact separate and b) if you still wish to apply the undue cost justification for refusal.'

I received no acknowledgement of this email - though like all correspondence its creation and delivery are logged on the whatdotheyknow.com systems and as such proof of sending and delivery are centrally recorded.

>>"On the 7 October 2020, you submitted a refined FOI request and asked for the following:"

I believe this is wrong, on 24th September I responded wrt the Virtual Courts request (Data Protection documentation for Virtual Courts Services) [Request Two] thus:

'Thank you for your response of 23rd inst. in which you confirm that all the information asked for is indeed held. I am surprised that such a request should require the significant level of work you believe is necessary to reject the request on financial grounds.
However, as per your advice I would be satisfied at this time under THIS request if you fulfil it on the basis of the following modification:
Please fully respond to element 1 - '"A copy of all DPIA's completed for the HMCTS use of technologies in provision of 'virtual court' hearings; including Skype, Zoom and the Kinly Cloud Video Platform."
This information is of material public interest and should be contained in specific documents created under your obligation S.64 of the DPA 2018, It should not therefore incur significant cost for its delivery, or if you prefer, its publication.
The key aspects of element 3 (Details of the Data Controllers) and element 5 (list of all processors and notified sub-processors for the provision of 'virtual court' hearings) should already be contained within that DPIA report, and if so I shall be happy to consider those elements fulfilled without further work by the MOJ.
For element 6 I will be content to clarify that a simple confirmation if the MoJ has used the standard Cloud Service Provider terms of service for the cloud processing, or if special terms have been agreed will suffice at present.
The remaining elements (2 & 4) I am happy at this time to withdraw, but may make a separate submission under suitable terms in future if this proves necessary to explore further.'

This request has not been fulfilled, but you appear to have extracted some wording from Element 5 in your response to Request One (Common Platform) thus:

>>"Element 5 (list of all processors and notified sub-processors for the provision of 'virtual court' hearings)"

This does suggest that HMCTS/MOJ received my emailed clarifications in respect of Request Two (Virtual Courts) of 24th September but simply did not respond to it, and later combined (parts of) it with the other request relating to Common Platform (Request One) in your response.

On 2nd October I submitted clarifications wrt Request One; and I believe this is your referred to correspondence of 7th October above, as follows:

'Thank you for your response of 23rd inst. in which you confirm that all the information asked for is indeed held.
I am surprised that such a request should require the significant level of work you believe is necessary to reject the request on financial grounds.
However, as per your advice I would be satisfied at this time under THIS request if you fulfil it on the basis of the following modification:

Please fully respond to element 1 -' A copy of all DPIA's completed for the HMCTS Common Platform Programme'
This information is of material public interest and should be contained in specific documents created under your obligation S.64 of the DPA 2018, It should not therefore incur significant cost for its delivery, or if you prefer, its publication.

The key aspects of element 3 (Details of the Data Controllers) , element 5 (list of all processors and notified sub-processors for the provision of 'virtual court' hearings) and element 4 ( designated Lead Data Controller for the Common Platform Programme) should already be contained within that DPIA report,;and if so I shall be happy to consider those elements fulfilled without further work by the MOJ if the DPIA is provided in full.
For element 6 (copy of the terms of service/contract between HMCTS and the processors) I will be content for you to clarify as a simple confirmation if the MoJ has used the standard Cloud Service Provider terms of service for the cloud processing, or if special terms have been agreed .

The remaining element (2) I am happy at this time to withdraw in order to reduce to cost of finding it at this time, but may make a separate submission under suitable terms in future if this proves necessary to explore elements 2 & 6 further.'

This has been partly responded to in your response of 2nd December with a redacted document which bears some resemblance to, but is not obviously structured as, a Data Protection Impact Assessment.

To enable you to move this forward under the review process I would like the following to be considered:

1 - Please provide the information I requests on 25th August - and further clarified on 24th September with regard to the Virtual Courts system in the as yet unfulfilled FOI request, specifically the following:
a) The Virtual Courts DPIA (Element 1)
b) Details of the Data Controllers (Element 3) and
c) A list of all processors and notified sub-processors for the provision of 'virtual court' hearings (Element 5)

In balancing the public interest test on whether to refuse disclosure of the information under a possible exemption of section 31(1)(a) and (c)) of the Act, I suggest you consider also that not disclosing source information that may identify failures on the part of HMCTS/MOJ to comply with the provisions of the Data Protection Act 2018 Part 3 s.59(2),s. 64 - and potentially others - would itself be directly against the public interest since the public have a right to expect that Justice is conducted fully in compliance with UK law.

You may also note that other Law Enforcement Competent Authorities (including the ICO themselves) have examined the same exemptions for DPIA's and then issued information of this type or published it, even where it reflected poorly on their internal practices.

This request is now seriously overdue without proper fulfilment, or valid excuse against fulfilling it and I wish to have it properly responded to urgently.

2 - Please confirm if the provided 'DPIA' document for Request One (Common Platform) is the totality of the DPIA information held. It contains numerous omissions in core content (over and above the obvious redactions) that appear to make it of questionable value against the statutory requirements of DPA 2018 s.64 for such a document. I would like therefore to know if this is in fact the Common Platform DPIA as requested in August 2020.

If you would consider and respond to points 1 and 2 above I can then determine if this request will need escalation to the ICO for them to examine both your handling of it in the first instance and the extent to which it has been fulfilled.

Yours faithfully,

Owen Sayers

O Sayers left an annotation ()

This is one of two requests made to HMCTS relating to DPIA's for Virtual Courts and (the second) relating to DPIA's for the Common Platform service.

HMCTS elected to combine these two requests to claim they were too expensive to respond to and have failed to separate them despite multiple requests to do so.
After 4 months and much to and fro they responded in part to the Common Platform DPIA request with a heavily redacted document (which is not in fact a valid DPIA).
They have not responded to the DPIA request for Virtual Courts other than to say the Common Platform DPIA did not cover Virtual Courts.

Dear Sirs,

I write with regard to my email of 1st February in respect of this request for information which was originally made over 6 months ago on August 25th 2020, relating to the use of Virtual Courts in HMCTS/MOJ and which contained the following specific elements:

"1 - Please provide the information I requests on 25th August - and further clarified on 24th September with regard to the Virtual Courts system in the as yet unfulfilled FOI request, specifically the following:
a) The Virtual Courts DPIA (Element 1)
b) Details of the Data Controllers (Element 3) and
c) A list of all processors and notified sub-processors for the provision of 'virtual court' hearings (Element 5) "

You have not fulfilled this request and I feel I have no choice but to now refer this to the ICO for theiur attention and action.

Yours faithfully,

O Sayers left an annotation ()

Referred to ICO as Case Reference: IC-94088-C8W1 on 15th March 2021; ICO responded 9th april 2021 to ask for further information (provided same day).

O Sayers left an annotation ()

On 2nd June the ICO accepted there was a case to be examined with regard to MoJ handling of this request and advised that it would be assigned to a caseworker for investigation:

"Your complaint has been accepted as eligible for further consideration and will be allocated to a case officer as soon as possible."
"Currently the waiting time is approximately four to six months before being allocated to a case officer. Once your case is allocated we will contact you and the case officer will explain how they will progress your complaint."

Six months would mean that the system in use by MoJ will be allowed to expand in size and if it it then found to be in breach of the DPA 2018 Part 3 would endanger all cases handled in the interim.

this is not really a very good response - and whilst we could dismiss this as 'it is what it is' it does raise the question - even under FOI just what accountability for actions (including illegal actions under DOPA 2018) exists for public sector in UK today?
]It seems very little in real terms...

O Sayers left an annotation ()

Email received from ICO on 09/11/2021:

"9 November 2021

Case Reference: IC-94088-C8W1

Dear Mr Sayers

Following correspondence with the MOJ, they have produced a fresh response to your request, including disclosing further information, with redactions.

The MOJ has asked if I can provide them with your e-mail address, as they only have contact details for whatdotheyknow.com. Is it acceptable for me to let them know your e-mail address?

Yours sincerely,

<Name Removed by OS>
Senior Case Officer (Northern Ireland)
Information Commissioner's Office"

My response was as follows:

"Hello XX XXXXXXX,

Thank you for the email, I am fairly happy that MOJ can have my email address for this if it facilitates a response.

To be honest, the whatdotheyknow.com email address on the initial request should work (it enabled earlier responses), but if it expedites a positive response please do give them my details."

As MoJ responses are received I shall add them here if that is technically possible.