Experience in investigating data loss and internal IPCC data handling systems.

Tony Wise made this Freedom of Information request to Independent Police Complaints Commission

The request was partially successful.

From: Tony Wise

Dear Independent Police Complaints Commission,

There was a serious data loss at HMRC in 2008 that resulted in the
avoidable loss of sensitive data belonging to hundreds of thousands
of UK citizens. HMRC referred the matter to the IPCC on 16 November
2008 which decided to carry out an independent investigation. The
IPCC's investigation will be led by Senior Investigator, Joe
Penrose. At the time Gary Garland, IPCC Commissioner with
responsibility for HMRC, said:

"The focus of our investigation will be to identify the causes of
this extremely serious failure and consider whether relevant local
and national policies and guidelines were complied with. Where
appropriate we will identify where lessons can be learned and will
make recommendations if further action is required.

The subsequent IPCC report uncovered failures in institutional
practices and procedures concerning the handling of data at HMRC.
The investigation revealed the absence of a coherent strategy for
mass data handling and, generally speaking, practices and
procedures were less than effective:

• there was a complete lack of any meaningful systems
• a lack of understanding of the importance of data handling
• a ‘muddle through’ ethos.

Corporate data handling was clearly woefully inadequate. Staff
found themselves working on a day-to-day basis without adequate
support, training or guidance about how to handle sensitive
personal data appropriately.

On the basis of the statements above related to the IPCC and the
investigation by that public body in relation to HMRC I make this
request under the Freedom of Information Act 2000. I am worried
that an organisation such as the IPCC can be charged with
investigating a serious and avoidable data loss at HMRC if the IPCC
itself doesn't have such procedures and systems in place that it
subsequently criticised HMRC for lacking. My request relates to
June 2008 up until the present date.

1/ Please supply all internal documentation at the IPCC and
relevant to the IPCC in relation to institutional practices and
procedures concerning the handling of personal data.
2/ Please supply all internal or other documentation evidencing or
demonstrating a coherent strategy for mass data handling as being
present at the IPCC.
3/ Please supply all internal or other documentation evidencing or
demonstrating any/all meaningful systems in place at the IPCC as
regards mass data handling.
4/ Please supply all internal or other documentation evidencing or
demonstrating the systems maintening and efficacy of the security
of mass data handling in place at the IPCC.
5/ Please supply all internal or other documentation evidencing or
demonstrating the level training or guidance at the IPCC that shows
IPCC's staff how to handle sensitive personal data appropriately.
6/ Please also supply all internal documentation, evidence of
systems in place or procedures that demonstrate that the IPCC had
the knowledge, expertise and experience in order that the IPCC
could investigate all of the requirements at 1/ through 5/ at HMRC
or any other public body as above effectively.
7/ Please supply full detail of any procedural manual that the IPCC
worked against during its investigation of the data loss at HMRC in
2008.

If the IPCC thinks that this request requires any clarification or
explanation please ask and I will assist in any way that I can.
However the crux of the request is an attempt to show that the IPCC
was totally "fit for purpose" and had systems in place at the time
of the HMRC data loss and thereafter that HMRC should have had to
stop the data loss and which the IPCC subsequently criticised the
HMRC for lacking. If the systems in place at the IPCC at the time
and thereafter of the data loss at HMRC were just as woefully
inadequate as those subsequently criticised at HMRC by the IPCC we
will have a clear case of the "pot calling the kettle black". That
is not be desirable in a 21st century public service.

Please acknowledge receipt of this FOI request.

Kind regards,

TONY WISE.

Link to this

From: Athena Cass
Independent Police Complaints Commission


Attachment FOI delay letter.1002029.Mr Tony Wise.Dated.17.2.2010.doc
30K Download View as HTML


[Subject only] FOI delay letter.1002029.Mr Tony Wise.Dated.17.2.2010

show quoted sections

Link to this

From: Athena Cass
Independent Police Complaints Commission


Attachment FOI delay letter.1002029.Mr Tony Wise.Dated.17.2.2010.doc
30K Download View as HTML


[Subject only] FOI delay letter.1002029.Mr Tony Wise.Dated.17.2.2010

show quoted sections

Link to this

From: Tony Wise

Dear Athena Cass,

The performance of the IPCC in regard to FOI is insulting,
complacent and totally ridiculous. The FOI Act is not optional but
a statutory requirement. I'm going directly to the Information
Commissioner.

Yours sincerely,

Tony Wise

Link to this

From: Athena Cass
Independent Police Complaints Commission

I am currently out of the office and will return on Monday 12th April

show quoted sections

Link to this

From: Tony Wise

Dear Athena Cass,

The response to this request has now been ongoing for 4 months. I
trust that the IPCC will now respond in line with the enforcement
notice from the ICO.

Incidentally this is only the second time the Commissioner has
issued an enforcement notice under s.52 of the FOI Act. This is
clearly not a public interest result as regards a public authority
such as the IPCC involved in law enforcement and integrity. Such
bodies should observe the law in full at all times and be seen to
do so. This outcome will not inspire public trust in the efficacy,
effectiveness or the probity of the IPCC. Interestingly the first
enforcement notice was in relation to multiple complaints about the
non-disclosure of the Attorney General's advice on the legality of
military intervention in Iraq.

Yours sincerely,

Tony Wise

Link to this

P Swift left an annotation ()

For others with an interest in this subject, the enforcement notice can be found here:

http://www.ico.gov.uk/what_we_cover/free...

Link to this

From: Phil Johnston
Independent Police Complaints Commission


Attachment Wise T 1002029 decision ltr.pdf
189K Download View as HTML

Attachment Wise T 1002029 DOC 1 Users Handbook Summary of Policy Statements NPM Issue 1.pdf
1.0M Download View as HTML

Attachment Wise T 1002029 DOC 2 IPCC Guardian Data Import Export Procedure.pdf
394K Download View as HTML

Attachment Wise T 1002029 DOC 3 Information Assurance IAO Reference Manual.pdf
989K Download View as HTML

Attachment Wise T 1002029 DOC 4 security form procedures when dealing with IPCC equipment knowledge information and assets.pdf
182K Download View as HTML

Attachment Wise T 1002029 DOC 5 Annex A IPCC RETENTION SCHEDULES.pdf
1.1M Download View as HTML

Attachment Wise T 1002029 DOC 6 Annex B Retention Schedules Casework and Investigations.pdf
115K Download View as HTML

Attachment Wise T 1002029 DOC 7 IPCC Information Charter 2009.pdf
122K Download View as HTML

Attachment Wise T 1002029 DOC 8 FAQ on Managing Personal Data.pdf
203K Download View as HTML

Attachment Wise T 1002029 DOC 9 10 golden rules for handling personal data at IPCC.pdf
89K Download View as HTML

Attachment Wise T 1002029 DOC 10 Guidance on Privacy Impact Assessments at the IPCC NPM.pdf
114K Download View as HTML

Attachment Wise T 1002029 DOC 11 Code of Conduct December 07 update.pdf
1.2M Download View as HTML

Attachment Wise T 1002029 DOC 12 Guidance on use of CCTV for monitoring IPCC premises 062006.pdf
144K Download View as HTML

Attachment Wise T 1002029 DOC 13 Information Assurance Annex A to IAO Reference Manual.pdf
788K Download View as HTML

Attachment Wise T 1002029 DOC 14 Access to Personnel Files 111104.pdf
120K Download View as HTML

Attachment Wise T 1002029 DOC 15 Guidance on Level 1 Personal Data User Training for Information Assurance Compliance.pdf
196K Download View as HTML


Dear Mr Wise,
Please find attached to this e-mail my letter setting out the
Commission's response to your request (as below), together with the
documents referred to in the letter.

Please quote the above IPCC reference in any subsequent correspondence
about this matter.

P Johnston
IPCC
<<Wise, T 1002029 - decision ltr.pdf>> <<Wise T 1002029 DOC 1 - Users
Handbook - Summary of Policy Statements [NPM] Issue 1.pdf>> <<Wise T
1002029 DOC 2 - IPCC Guardian Data Import Export Procedure.pdf>> <<Wise
T 1002029 DOC 3 - Information Assurance IAO Reference Manual.pdf>>
<<Wise T 1002029 DOC 4 - security form - procedures when dealing with
IPCC equipment, knowledge, information and assets.pdf>> <<Wise T
1002029 DOC 5 - Annex A IPCC RETENTION SCHEDULES.pdf>> <<Wise T 1002029
DOC 6 - Annex B - Retention Schedules Casework and Investigations.pdf>>
<<Wise T 1002029 DOC 7 - IPCC Information Charter 2009.pdf>> <<Wise T
1002029 DOC 8 - FAQ on Managing Personal Data.pdf>> <<Wise T 1002029
DOC 9 - 10 golden rules for handling personal data at IPCC.pdf>> <<Wise
T 1002029 - DOC 10 - Guidance on Privacy Impact Assessments at the IPCC
NPM.pdf>> <<Wise T 1002029 DOC 11 - Code of Conduct - December 07
update.pdf>> <<Wise T 1002029 DOC 12 - Guidance on use of CCTV for
monitoring IPCC premises 062006.pdf>> <<Wise T 1002029 DOC 13 -
Information Assurance - Annex A to IAO Reference Manual.pdf>>
<<Wise T 1002029 DOC 14 - Access to Personnel Files 111104.pdf>>
<<Wise T 1002029 DOC 15 - Guidance on Level 1 - Personal Data User
Training for Information Assurance Compliance.pdf>>

show quoted sections

Link to this

Things to do with this request

Anyone:
Independent Police Complaints Commission only:

Follow this request

There are 2 people following this request

Offensive? Unsuitable?

Requests for personal information and vexatious requests are not considered valid for FOI purposes (read more).

If you believe this request is not suitable, you can report it for attention by the site administrators

Report this request

Act on what you've learnt

Similar requests

More similar requests

Event history details

Are you the owner of any commercial copyright on this page?