Rupert Moss-Eccardt

Dear Fenland District Council,

Please can you provide me with a copy of the E-CINS Security Manual?

Yours faithfully,

Rupert Moss-Eccardt

foi, Fenland District Council


Dear Rupert,

 

I acknowledge your request for information received on 2nd April 2013,
which is being investigated.

 

The Act allows the Council 20 working days to comply with your request. 
During this time, the Council will assess the information to establish if
any exemptions apply.  If it is felt that any information may be exempt
from disclosure, this will be given careful consideration and the Public
Interest Test will be applied if appropriate.  If it is determined that
any material is exempt, you will be notified of which information is not
going to be released and the reasons why.

 

If you have any queries, please do not hesitate to contact the Corporate
Support Officers at Fenland District Council, or email
[1][Fenland District Council request email]. It would help us to help you if you could quote
the Information Request No quoted above on any correspondence.

 

Yours sincerely

Corporate Support Officers

Fenland District Council

01354 654321

[2][Fenland District Council request email]

Have you made an FOI request to a local government body?
The Constitution Unit, a research body at University College London, is
carrying out a study of the Freedom of Information Act 2000 and its effect
on local government. An important part of the evaluation process is
gathering the experiences and opinions of FOI requesters like you. Any
information you provide will be handled in accordance with the privacy
policy explained in the survey.

If you would like to take part in this study, please click the link below
to be taken directly to the survey. Contact Ben Worthy at
[3][email address] or on 020 7679 4974 to find out more about the study
or to speak further about your experiences.

Link to the survey: [4]http://tinyurl.com/yffzxor

 

 

Data Protection Act 1998

To provide you with our services we will need to record personal
information, such as your name and address. This information will be kept
securely and only accessed by approved staff. We will not share your
information with anyone else without first telling you. If you would like
more details about how we protect personal information then please contact
our Data Protection Officer.

 

 

References

Visible links
1. mailto:[Fenland District Council request email]
2. mailto:[Fenland District Council request email]
3. mailto:[email address]
4. http://tinyurl.com/yffzxor

foi, Fenland District Council

Dear Rupert,

Thank you for your request for information received on 2nd April 2013, which has been processed.

You will need to contact the Empowering Communities team at [email address] for this information.

If you require any further information regarding your request, you should contact the Corporate Support Officers at Fenland District Council or e-mail [Fenland District Council request email].

Yours sincerely

Corporate Support Officers
Fenland District Council
01354 654321
[Fenland District Council request email]


Rupert Moss-Eccardt

Dear foi,

Thank you for your reply. Just to be clear are you saying that you do hold this information and Empowering Communities are acting as your agents in this matter?

Yours sincerely,

Rupert Moss-Eccardt

Rupert Moss-Eccardt

Dear Fenland District Council,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Fenland District Council's handling of my FOI request 'E-CINS Security Manual'.

I have now had a response from the email address I have been given. These are clearly not working for FDC and appear to be the suppliers of the E-CINS technology.

Please provide me with a copy of the manual. I know you have had one as it is referred to in the ASB pilot report.

A full history of my FOI request and all correspondence is available on the Internet at this address:
http://www.whatdotheyknow.com/request/e_...

Yours faithfully,

Rupert Moss-Eccardt

foi, Fenland District Council

Dear Mr Moss-Eccardt,

We acknowledge receipt of your email below.

Our Chief Solicitor will carry out the internal review as requested and respond to you in due course.

With kind regards
Corporate Support Officers
Fenland District Council
01354 654321


foi, Fenland District Council

Dear Mr Moss-Eccardt,

This email serves as the Council's response to the request for an internal review of our response to the request for a copy of the E-CINS Security Manual (The Manual).

The council in its initial response referred the requester to the producer of the document; in doing this it did not comply with the requirement to confirm whether or not it held the data or consider relevant exemptions. It is accepted that this response failed to meet the full requirements of the legislation and for this we apologise.

This email as internal review will set out the authority’s full position.

The authority accepts that this request is valid in accordance with the Freedom of Information Act 2000 and accepts that the act is the relevant framework for considering the request.

The authority confirms in line with its requirements under section 1(a) that it holds a copy of the Manual version 1-2.0 sent on the 9th September 2011.

The manual was produced by Empowering Communities and is their original copyright. The council holds a copy by virtue of its use of the system; we assert no ownership rights or control of the source material save in respect of the holding of a document which was provided for us to undertake our usual business processes.

The manual details the basis of distribution on the cover; this same restriction is included on every page of the document. This reads:
“CONFIDENTIAL
After use, destroy by shredding
This document may not be reproduced or the contents transmitted to any third party without the express consent of Empowering Communities.”

The manual provides details of the physical and technological data security procedures undertaken by Empowering Communities in relation to the storage of data for the E-CINS platform. This includes details required to assess the adequacy of procedures for data handling for the purposes of considering obligations under the Data Protection Act 1990.

The Council has not made a formal third party information request of Empowering Communities; however, we are in receipt of an email from Gary Pettengell of Empowering Communities to the requester of the 8th April 2013 in respect of a follow up request directly to Empowering Communities for the Manual. Having had this communication we do not consider that further dialogue is necessary at this time to establish their position on the principle of disclosure.

In this email he refuses the request; firstly on the basis that the Act does not apply to them, and secondly in reference to section 43 (commercial information). The first point whilst valid for this external company does not apply to the council and is not relied upon.

In considering the request in light of section 43 there has to be consideration of what the material is and secondly whether or not it meets the requirements of the public interest test.

The material sets out the security procedures for the relevant platform, the system is an internet cloud based intelligence and data sharing platform.

The information in this paragraph is taken from the public website of Empowering Communities to explain the scope of the system and its users. The same platform is used for a range of agencies across the country. The system is in use by police, probation, social services and other teams within local authorities. Its function is to share data on crime, victims, vulnerable people and offenders. It holds personal details on these persons as well as details of potential crimes.

Given the system is cloud based the details of the technology and physical security arrangements of the servers are information which has the potential to be regarded as a trade secret and certainly would have the capacity to prejudice the commercial interests of Empowering Communities.

The result of releasing this information into the public domain would be to potentially release information to third parties which could be used to compromise the data security of the system. This in turn would require Empowering Communities to adjust their security system to counter any relevant vulnerabilities or new threats.

In considering this it is accepted that the computer security industry is regularly evolving and there is a strong case for arguing that the requirements of this mean that as a document ages there is limited risk. That said, the basis for a system indicates its routes of development and could give rise to understandings of its legacy vulnerabilities.

In considering the public interest for disclosure I have the benefit of an email dated the 8th April from the requester to Gary Pettengell in which he makes reference to some factors under the public interest test.

The main argument which I intend to assess is the one which follows that as the authority is assessing the adequacy of the system as to whether or not data should be secured within it is in the public interest that the details of the system should also be available for scrutiny.

This argument has some substantial attraction; it is accepted that the security of personal data is a key issue and as such should be a matter in which there is public concern and interest; however this correlates directly with the argument that the details of the methods weakens that very security.

By way of analogy; if assessing the quality of security for a valuable item factors such as its location (or more relevantly the location of the safe containing said item) are relevant to assessing the quality of the security offered. That said if there are only a limited number of people who know the location of the safe, this is of itself a security measure as any potential thief has a harder time finding the safe before they can consider working out how to obtain the object.

Considering first the potential argument that the release of the information would firstly constitute a release of trade secrets; I am not fully persuaded that there is sufficient evidence for this at the present time, accordingly no reliance is placed on s43(1).

Considering whether the release would prejudice the commercial interests of Empowering Communities; it is considered that there is a material likelihood that the release of this information would potentially involve the company in additional risk of loss of data security. Given the range and detail of the information held within a common platform it is considered that there has to be a very significant regard given to the risk of compromising data against the public having access to the detail of the security arrangements. For this regard the fact that there is not full transparency of the arrangements is in itself a partial safeguard to attack and therefore it is felt that in this case the balance can be sustained that it is in the public interest for the exemption to be upheld.

Turning as to whether or not it is in the authority's commercial interest to maintain an exemption under this section it is considered that this is a debatable point; the arguments are essentially similar to those set out for Empowering Communities however this area of work is not commercial in nature; and any work on the system given the funding arrangements would not incur a direct cost to the authority; therefore reliance is not placed on this argument.

Turning to other arguments, as set out above the document was provided on a limited basis to the authority from its creator Empowering Communities a third party. The document carries a clear confidentiality warning and was provided for the purposes of our own assessment of the data security offered as part of the consideration as to the use or otherwise of the system.

It is considered that these circumstances mean that the council is under an obligation of confidence which could be sustainable in law having the necessary requirements; particularly of clarity of obligation and information which is intrinsically confidential in nature and not in the public domain.

It is accepted that the document contains elements of information which are available by other means (for example there are some details of security arrangements on the website) consideration has been given to a partial release. This has been discounted on two grounds, firstly it is not apparent from the document the full extent of what is or is not in the public domain, and secondly from a redacted document inferences may be made about other elements of the document. For these grounds; although accepting the duty to assist it is not practical in this circumstance to assist the requester in this way.

Accordingly the authority relies on the exemption for information provided in confidence under section 41 of the act. This section is an absolute exemption and accordingly no assessment of the public interest is required.

There are two further sections of the act which I wish to discuss, section 31 (Law Enforcement) and section 40 (Personal Information). The underlying system contains the personal information on a range of individuals including potentially sensitive information, also it is used in the prevention and detection of crime.

The manual however is information about the security of the system, I do not therefore consider that there is any direct relevance to either of these sections notwithstanding their obvious links to the underlying data. Had the question been about the release of information from the system both of these would be directly relevant.

In summary for the detailed reasons above the request for a copy of the manual is refused in its entirety on the basis of section 41 information provided in confidence and section 43, commercial interests.

If you are dissatisfied with this decision, you may request the Information Commissioner to investigate. The contact details are:

Office of the Information Commissioner
Wycliffe House
Water Lane
WILMSLOW
Cheshire SK9 5AF
Tel: 01625 545700
www.informationcommissioner.gov.uk

Yours sincerely

Corporate Support Officers
Fenland District Council
01354 654321
