Experience in investigating data loss and internal IPCC data handling systems.
Dear Independent Police Complaints Commission,
There was a serious data loss at HMRC in 2008 that resulted in the avoidable loss of sensitive data belonging to hundreds of thousands of UK citizens. HMRC referred the matter to the IPCC on 16 November 2008, which decided to carry out an independent investigation. The IPCC's investigation will be led by Senior Investigator, Joe Penrose. At the time Gary Garland, IPCC Commissioner with responsibility for HMRC, said:
"The focus of our investigation will be to identify the causes of this extremely serious failure and consider whether relevant local and national policies and guidelines were complied with. Where appropriate we will identify where lessons can be learned and will make recommendations if further action is required."
The subsequent IPCC report uncovered failures in institutional practices and procedures concerning the handling of data at HMRC. The investigation revealed the absence of a coherent strategy for mass data handling and, generally speaking, practices and procedures were less than effective:
• there was a complete lack of any meaningful systems
• a lack of understanding of the importance of data handling
• a ‘muddle through’ ethos.
Corporate data handling was clearly woefully inadequate. Staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data appropriately.
On the basis of the statements above related to the IPCC and the investigation by that public body in relation to HMRC I make this request under the Freedom of Information Act 2000. I am worried that an organisation such as the IPCC can be charged with investigating a serious and avoidable data loss at HMRC if the IPCC itself doesn't have such procedures and systems in place that it subsequently criticised HMRC for lacking. My request relates to June 2008 up until the present date.
1/ Please supply all internal documentation at the IPCC and relevant to the IPCC in relation to institutional practices and procedures concerning the handling of personal data.
2/ Please supply all internal or other documentation evidencing or demonstrating a coherent strategy for mass data handling as being present at the IPCC.
3/ Please supply all internal or other documentation evidencing or demonstrating any/all meaningful systems in place at the IPCC as regards mass data handling.
4/ Please supply all internal or other documentation evidencing or demonstrating the systems maintenance and efficacy of the security of mass data handling in place at the IPCC.
5/ Please supply all internal or other documentation evidencing or demonstrating the level of training or guidance at the IPCC that shows IPCC's staff how to handle sensitive personal data appropriately.
6/ Please also supply all internal documentation, evidence of systems in place or procedures that demonstrate that the IPCC had the knowledge, expertise and experience in order that the IPCC could investigate all of the requirements at 1/ through 5/ at HMRC or any other public body as above effectively.
7/ Please supply full detail of any procedural manual that the IPCC worked against during its investigation of the data loss at HMRC in 2008.
If the IPCC thinks that this request requires any clarification or explanation please ask and I will assist in any way that I can. However the crux of the request is an attempt to show that the IPCC was totally "fit for purpose" and had systems in place at the time of the HMRC data loss and thereafter that HMRC should have had to stop the data loss and which the IPCC subsequently criticised the HMRC for lacking. If the systems in place at the IPCC at the time and thereafter of the data loss at HMRC were just as woefully inadequate as those subsequently criticised at HMRC by the IPCC we will have a clear case of the "pot calling the kettle black". That is not desirable in a 21st century public service.
Please acknowledge receipt of this FOI request.
Dear Athena Cass,
The performance of the IPCC in regard to FOI is insulting, complacent and totally ridiculous. The FOI Act is not optional but a statutory requirement. I'm going directly to the Information Commissioner.
Dear Athena Cass,
The response to this request has now been ongoing for 4 months. I trust that the IPCC will now respond in line with the enforcement notice from the ICO.
Incidentally this is only the second time the Commissioner has issued an enforcement notice under s.52 of the FOI Act. This is clearly not a public interest result as regards a public authority such as the IPCC involved in law enforcement and integrity. Such bodies should observe the law in full at all times and be seen to do so. This outcome will not inspire public trust in the efficacy, effectiveness or the probity of the IPCC. Interestingly the first enforcement notice was in relation to multiple complaints about the non-disclosure of the Attorney General's advice on the legality of military intervention in Iraq.
Dear Mr Wise,
Please find attached to this e-mail my letter setting out the Commission's response to your request (as below), together with the documents referred to in the letter.
Please quote the above IPCC reference in any subsequent correspondence about this matter.
<<Wise, T 1002029 - decision ltr.pdf>>
<<Wise T 1002029 DOC 1 - Users Handbook - Summary of Policy Statements [NPM] Issue 1.pdf>>
<<Wise T 1002029 DOC 2 - IPCC Guardian Data Import Export Procedure.pdf>>
<<Wise T 1002029 DOC 3 - Information Assurance IAO Reference Manual.pdf>>
<<Wise T 1002029 DOC 4 - security form - procedures when dealing with IPCC equipment, knowledge, information and assets.pdf>>
<<Wise T 1002029 DOC 5 - Annex A IPCC RETENTION SCHEDULES.pdf>>
<<Wise T 1002029 DOC 6 - Annex B - Retention Schedules Casework and Investigations.pdf>>
<<Wise T 1002029 DOC 7 - IPCC Information Charter 2009.pdf>>
<<Wise T 1002029 DOC 8 - FAQ on Managing Personal Data.pdf>>
<<Wise T 1002029 DOC 9 - 10 golden rules for handling personal data at IPCC.pdf>>
<<Wise T 1002029 - DOC 10 - Guidance on Privacy Impact Assessments at the IPCC NPM.pdf>>
<<Wise T 1002029 DOC 11 - Code of Conduct - December 07 update.pdf>>
<<Wise T 1002029 DOC 12 - Guidance on use of CCTV for monitoring IPCC premises 062006.pdf>>
<<Wise T 1002029 DOC 13 - Information Assurance - Annex A to IAO Reference Manual.pdf>>
<<Wise T 1002029 DOC 14 - Access to Personnel Files 111104.pdf>>
<<Wise T 1002029 DOC 15 - Guidance on Level 1 - Personal Data User Training for Information Assurance Compliance.pdf>>