IBM/SW1 SAP IT Controls serious security issue.

Dave Orr made this Freedom of Information request to Avon and Somerset Constabulary

This request has been closed to new correspondence from the public body.

The request was refused by Avon and Somerset Constabulary.

Dear Avon and Somerset Constabulary,

This audit report has been produced showing that the configuration of SAP for the Police has been set up in a potentially insecure way with serious shortfalls in data security & audit compliance by sharing databases with other public partners and SW1 itself:

http://www1.somerset.gov.uk/council/boar...

Recommendation

1. Clarify immediately who has access to its data; who has accessed its data and whether there has been any unauthorised access to, or changes made to its data.

2. Clarify if the current access controls leave the Council liable to challenge from the Information Commissioner.

Both of the above recommendations would best be implemented in conjunction with Avon and Somerset Police and Taunton Deane Borough Council.

============================================================

Q1. Are Avon & Somerset Constabulary (ASC) aware of the SAP configuration & security problems within the above report? If so, when did ASC become aware of these problems?

Q1b Has the PCC been informed? If so, when?

Q1c. Has HMIC, Home Office, NAO or other National body/agency been informed? If so, who & when?

Q2. Have ASC carried out a risk assessment to ensure that the IBM/SW1 SAP system remains "fit for purpose" and meets all National criteria (Home Office, HMIC, NAO, ACPO etc) for secure Police IT? If so, what action has been taken as a result of those findings? Has the PCC been informed?

Q3. IBM used/uses a division (IGSI) based in Bangalore, India for the SW1 SAP configuration, build and 3rd line technical support. Have the added security risks associated with that region been taken into account for IT controls and access e.g. when SAP is being system administered; having software patches or updates applied; technical fault rectification etc by technical staff from IBM's IGSI division in India? If so, when was that last carried out and how often is it audited for compliance?

Yours faithfully,

Dave Orr

#Freedom of Information Requests, Avon and Somerset Constabulary

Corporate Information Management Department

Force Headquarters, PO Box 37, Valley Road,

Portishead, Bristol, BS20 8QJ

Facsimile 01275 814667

    

Private

Mr D Orr
[FOI #184925 email]

Our Reference 992/13
Date 14th of November 2013
 

 

Dear Mr Orr,

 

I write in connection with your request for information dated 14th of
November concerning SAP. This request will be dealt with under the terms
of the Freedom of Information Act 2000.

 

Your request will now be considered and you will receive a response within
the statutory timescale of 20 working days as defined by the Act. In some
circumstances Avon and Somerset Constabulary may be unable to achieve this
deadline if consideration needs to be given to the public interest test.
If this is likely you will be informed and given a revised time-scale at
the earliest opportunity.

 

Yours sincerely,

 

C Quartey

 

Freedom of Information Officer

Corporate Information Management Department

 

Please note:

1. Requests and responses may be published on Avon and Somerset
Constabulary’s website (within 24 hours), some of which may contain a link
to additional information, which may provide you with further
clarification.

2. Whilst we may verbally discuss your request with you in order to
seek clarification, all other communication should be made in writing.

3. Avon and Somerset Constabulary provides you with the right to
request a re-examination of your case under its review procedure.
 

 


Dear #Freedom of Information Requests,

This article is relevant to the above FOI:

http://ukcampaign4change.com/2013/11/19/...

Yours sincerely,

Dave Orr

Dear #Freedom of Information Requests,

For info:

I attended the Audit Committee of Somerset County Council (SCC) yesterday (21/11/2013).

SW1 fielded no DBAs or IT security staff, but chose to send only an IBM Auditor and the CEO. In my view, their answers were regrettably unimpressive and lacked the reassurance the Audit Committee were seeking.

It now looks as if the SCC Audit Committee will ask SCC Auditor Grant Thornton to investigate deeper & further and then report again (in January).

They admitted that seconded staff from the two Councils (SCC and Taunton Deane Council) do access SAP admin (with high privileges) for Police data.

The excellent IT SAP auditor from SCC Auditor Grant Thornton went on to explain that IBM/SW1 were not logging the high privilege admin access usage and should do so.

Meanwhile, the Avon & Somerset Police & Crime Commissioner's Office have confirmed that the Police Audit Committee will look at these security assurance issues at a meeting on the 13th of December.

Yours sincerely,

Dave Orr

#Freedom of Information Requests, Avon and Somerset Constabulary

1 Attachment


 

     

Private

Mr Dave Orr
[FOI #184925 email]

Our Reference 992/13
Date 12 December 2013

 

Dear Mr Orr

 

I write in connection with your request for information dated 14th
November concerning the configuration of SAP. Specifically you asked:

 

This audit report has been produced showing that the configuration of SAP
for the Police has been set up in a potentially insecure way with serious
shortfalls in data security & audit compliance by sharing databases with
other public partners and SW1 itself:

 

http://www1.somerset.gov.uk/council/boar...

 

Q1. Are Avon & Somerset Constabulary (ASC) aware of the SAP configuration
& security problems within the above report? If so, when did ASC become
aware of these problems?

 

The Constabulary was made aware of the SAP configuration issues at the
beginning of 2012. However, it appears the findings and recommendations
were made as a result of work with Somerset County Council, not this
Constabulary.

 

Q1b Has the PCC been informed? If so, when?

 

No. There was no reason to inform the PCC.

 

Q1c. Has HMIC, Home Office, NAO or other National body/agency been
informed? If so, who & when?

 

The external agencies specified were not informed by ASC as this was a
matter for internal review.

 

Q2. Have ASC carried out a risk assessment to ensure that the IBM/SW1 SAP
system remains "fit for purpose" and meets all National criteria (Home
Office, HMIC, NAO, ACPO etc) for secure Police IT? If so, what action has
been taken as a result of those findings? Has the PCC been informed?

 

As part of Governance of the SAP Project within ASC at the end of the
calendar year 2011, Avon and Somerset Constabulary commissioned a detailed
post implementation review of the SAP system implemented thus far for the
police, direct from SAP. The review took place between 1st February and
5th March 2012. The report concluded that ‘the original technical
implementation is aligned to best practices and is a good example of how
the core configuration should be set up’.

The report also made a number of recommendations including those mentioned
in the Grant Thornton Audit. All the high priority recommendations
relating to access to data and information security were actioned. They
were signed off as completed on 29th September 2012. At the time of
publication of their report, Grant Thornton were not aware of the work
carried out at ASC.

 

Q3. IBM used/uses a division (IGSI) based in Bangalore, India for the SW1
SAP configuration, build and 3rd line technical support. Have the added
security risks associated with that region been taken into account for IT
controls and access e.g. when SAP is being system administered; having
software patches or updates applied; technical fault rectification etc by
technical staff from IBM's IGSI division in India? If so, when was that
last carried out and how often is it audited for compliance?

 

Avon and Somerset Constabulary have arrangements with SAP Germany in
relation to technical support.

 

 

Yours sincerely

 

C Quartey

 

Freedom of Information Officer

Corporate Information Management Department

 

 

Please note:

1.     Requests and responses may be published on Avon and Somerset
Constabulary’s website (within 24 hours), some of which may contain a link
to additional information, which may provide you with further
clarification.

2.     Whilst we may verbally discuss your request with you in order to
seek clarification, all other communication should be made in writing.

3.     Avon and Somerset Constabulary provides you with the right to
request a re-examination of your case under its review procedure (copy
attached).

 

 


Dear #Freedom of Information Requests,

To clarify some of the answers please:

A1. As SAP is a shared system implemented on a single database basis and Somerset was the lead partner, then surely the findings by external auditor Grant Thornton (the same Auditor as the police) apply to the Police as well, thus indicating formal action & response?

A2. Please disclose who conducted the Police review into SAP Feb-Mar 2012? Which committee had oversight of this report? Did the other partners (SCC & TDBC) receive a copy of this report? If the report concluded that ‘the original technical implementation is aligned to best practices and is a good example of how the core configuration should be set up’ then how are the discrepancies with the latest Grant Thornton report for SCC explained? Please disclose a copy of this report.

Yours sincerely,

Dave Orr

#Freedom of Information Requests, Avon and Somerset Constabulary


Email foirequests@avonandsomerset.police.uk    

 

     

     

Private

Mr D Orr
[FOI #184925 email]

Our Reference 1113/13
Date 15 January 2014

 

Dear Mr Orr,

 

I write in connection with your request for further information dated
13th December concerning the audit of SAP.

 

I now advise you that the amended date for a response is 12th February.
This is due to consideration being given to the application of a qualified
exemption and as such will require further consideration regarding the
public interest test. I can assure you that every effort will be made to
ensure an appropriate response will be made within this new timescale.

 

May I apologise for any inconvenience caused.

 

Yours sincerely

 

C Quartey

 

Freedom of Information Officer

Corporate Information Management Department

 

 


#Freedom of Information Requests, Avon and Somerset Constabulary

1 Attachment


 

 

     

Private

Mr Dave Orr
[FOI #184925 email]

Our Reference 1113/13
Date 29 January 2014

 

 

Dear Mr Orr

 

I write in connection with your request for further information dated
13th December concerning SAP. Specifically you asked:

 

Q1. As SAP is a shared system implemented on a single database basis and
Somerset was the lead partner, then surely the findings by external
auditor Grant Thornton (the same Auditor as the police) apply to the
Police as well, thus indicating formal action & response?

 

Avon and Somerset Constabulary is monitoring the progress at SCC and will
not be formulating a separate response.

Q2. Please disclose who conducted the Police review into SAP Feb-Mar 2012?

 

The review was conducted by SAP (UK) Ltd.

 

Q3. Which committee had oversight of this report? Did the other partners
(SCC & TDBC) receive a copy of this report?

 

The Police Authority at the time were fully briefed, as were SCC and TDBC.
The partners did not receive copies of the report.

 

Q4. If the report concluded that ‘the original technical implementation is
aligned to best practices and is a good example of how the core
configuration should be set up’ then how are the discrepancies with the
latest Grant Thornton report for SCC explained?

 

Avon and Somerset Constabulary cannot comment on whether or not there are
discrepancies as Grant Thornton has not discussed their review with this
constabulary.

 

Q5. Please disclose a copy of this report.

 

The report was provided in confidence and the document is commercially
sensitive. Additionally, disclosure of the report would undermine law
enforcement. As such the report will not be disclosed. 

 

The exemptions applicable are section 31(1)(a) law enforcement, section
41(1)(b) information provided in confidence and section 43(2) commercial
interests. Section 41 is an absolute and class based exemption which
means that there is no requirement to identify and evidence the harm that
would be caused by disclosure or consider the public interest. There is a
requirement however to conduct a public interest test on whether the
common law duty of confidentiality can be overcome; however, the default
position favours non-disclosure. Section 31 and 43 are qualified and
prejudice based exemptions which mean there is a requirement to identify
and evidence the harm that would be caused by disclosure and consideration
given to the public interest.

 

Overall Harm

The disclosure of the information requested would constitute an actionable
breach of confidence. As noted above an absolute exemption under Section
41 applies to these arrangements.  This disclosure could render the forces
vulnerable to civil proceedings.  The report demonstrates the methodology
as to how SAP will carry out the services of providing such a review of
the implementation of its products. The disclosure of this information
would be prejudicial to SAP as it would enable competitors and other
bodies to draw conclusions about SAP products. Additionally, conclusions
may be drawn about the performance of its products and services which may
influence future purchasing decisions - thus harming their commercial
interests.

Furthermore, disclosure could compromise the constabulary’s IT security.

 

Public Interest test

Section 31 considerations

Factors favouring disclosure:

Disclosure may add value to the accuracy of public debate with regards to
resources allocated for the prevention and detection of crime.

 

Factors favouring non-disclosure:

The Police Service has a duty to deliver effective law enforcement
ensuring the prevention and detection of crime, apprehension or
prosecution of offenders and administration of justice is carried out
appropriately. By identifying specific information in respect of the
Constabulary's IT systems would enable a third party to exploit any
potential vulnerabilities within those systems.

 

Section 43 considerations

Factors favouring disclosure:

Where public funds are being spent, there is a public interest in
accountability and justification. Disclosure could also add value to
public debate.

 

Factors favouring non-disclosure:

As stated within the harm, disclosure of the information requested would
constitute an actionable legal breach of confidence surrounding the
current contractual arrangements. This disclosure could render the
forces vulnerable to civil proceedings.

 

Section 43(2) states that information is exempt if its disclosure under
this Act would, or would be likely to prejudice commercial interests of
any person.  In this case disclosure would adversely affect SAP Ltd as
their testing methodology and process would be available to competitor
companies, which will negatively affect the commercial interests. 

 

Balance test

On balance, the damage incurred by release of this information is likely
to prejudice the commercial interests of SAP Ltd, including a possible
actionable breach of confidence against the constabulary of which the
common law duty of confidence cannot be overcome, outweighs the benefit of
accountability or public debate. After weighing up the competing
interests, I have determined that the disclosure of the above information
would therefore not be in the public interest. In accordance with the Act,
this letter represents a Refusal Notice for this specific information.

 

 

Yours sincerely

 

C Quartey

 

Freedom of Information Officer

Corporate Information Management Department

 

 


Dear Avon and Somerset Constabulary,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Avon and Somerset Constabulary's handling of my FOI request 'IBM/SW1 SAP IT Controls serious security issue.'.

SAP is a back office IT system for accounts and payroll. It has no connection with frontline policing and therefore the application of a law enforcement exemption is both inappropriate and excessive.

Additionally, published ICO guidance on the application of the law enforcement exemption does not support this use by you to avoid proper disclosure.

The SAP UK assessment report (referred to above) should be disclosed in a redacted form, with redactions only being applied where genuine security risks and commercial confidence issues apply. In that regard, much of SAP IT controls and security guidance is available publicly through web site searches, so redaction should not be applied where that is the case.

The shared SAP IT system was supplied back in 2009 by IBM through the South West One joint venture and was recently subject to a negative IT controls audit by lead partner Somerset County Council (in November 2013).

There is a strong public interest case in why the two assessments are in direct contradiction with each other and whether the single database model implemented for multiple public partners and South West One themselves is "fit for purpose" with regard to secure and Home Office/ACPO compliant Police use.

There is a particular public interest if other Police forces were to join South West One and use the same shared SAP IT system, if the configuration is not "fit for purpose" i.e. a secure database per partner configuration should have been implemented instead.

There are additional security issues, as IBM used and use a Bangalore, India division to configure SAP and supply 3rd line configuration and upgrade support. If the law enforcement exemption is applied correctly, and upheld, then the access by IBM staff who are employed in an offshore Indian sub-continent location would be of greater concern.

Please conduct an internal review and supply a minimally and appropriately redacted copy of the SAP UK report referred to above.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/i...

Yours faithfully,

Dave Orr

#Freedom of Information Requests, Avon and Somerset Constabulary

 

 


 

   

 

Private

Dave Orr
[FOI #184925 email]

Our Reference 1113/13
Date 29th January 2014

 

 

 

Dear Mr Orr,

 

I write in receipt of your letter dated 29th January 2014 requesting an
internal review regarding the response to your Freedom of Information
request.

 

This request has been forwarded to our internal review panel who will
respond to you in due course.

 

Yours sincerely,

 

C Quartey

 

Freedom of Information Officer

Corporate Information Management Department

 

 

 

 

 

 

 

 

 

 

 


#Freedom of Information Requests, Avon and Somerset Constabulary

1 Attachment


 

 

     

Private

Mr David Orr
[email address]

Our Reference 1105/13
Date 11 February 2014

 

Dear Mr Orr

 

I write in connection with your request for information dated 11th
December concerning SAP. Specifically you asked:

 

Q1a. When was SAP last formally security assessed?

 

SAP has not been assessed since it was first introduced. We re-accredit
internal systems on a risk basis taking into account the content of the
system, the number of incidents concerning the system (including misuse,
wrongful disclosure and unauthorised access) and where the system sits in
relation to our network and external connections. SAP has been considered
a low risk.

 

Q1b. What policy standards or frameworks were utilised for the last
security assessment for SAP? If either or both of the above ACPO and HMG
security standards were not utilised, then what security standard was used
and who authorised the alternative security assessment used?

 

When SAP was assessed, HMG Security Standards IS1 and IS2, which were
applicable at that time, were used. These standards have been
amended since then.

 

Q1c. Was SAP independently security assessed? If so, who carried out the
formal SAP security assessment (name of audit body/organisation/consultant
etc.)? If not, what internal security assessment arrangements were used
and how were IBM/SW1 security responses assured?

 

This was an internal assessment by an IBM CLAS consultant using HMG
standards relevant at the time. 

 

Q1d. What was the outcome of the last SAP security assessment (i.e. full
assurance, partial assurance, no assurance/fail etc.)?

 

SAP was assessed as being suitable to use for the purpose it was
purchased, or amendments would have been made at the time.

 

Please disclose a copy of the last SAP security assurance report[s].

 

Some redactions have been made concerning personal details of individuals
who would not have an expectation that their information would become
public.  The exemption applicable to the information is Section 40 (2),
third party personal information, this is an Absolute exemption. Any
information to which a request relates is exempt if it constitutes
personal data of which the applicant is not the data subject and if
disclosure of that information to a member of the public would contravene
any of the principles of the 1998 Data Protection Act. In this particular
case, disclosure of this information would contravene Principles 1 and 2
of the Act, whereby personal data shall be processed fairly and lawfully
and only obtained for one or more specified purpose or purposes. Some
entries relate to other staff members for reference and do not meet the
criteria for this request therefore these details have also been
redacted.

 

In addition some entries have been redacted as they relate to information
concerning law enforcement (section 31). Section 31 is a qualified and
prejudice based exemption which means there is a requirement to identify
and evidence the harm that would be caused by disclosure and consideration
given to the public interest.

 

Harm

Although SAP is a back office system, information contained within the
report relates to the constabulary’s IT system as a whole. There are
concerns associated with the disclosure of sensitive information that
could adversely affect law enforcement. Certain information if released
could help facilitate a breach of security by a third party.  This
information could be used by a hacker to gain access to our information if
they were to penetrate our network. It could lead to the identification of
sensitive personal information of people that have come to police notice,
or have an adverse effect on a policing operation.  Subsequently this will
impact on our ability to effectively police the communities we serve
affecting public safety.

 

Public Interest test

Section 31 considerations

Factors favouring disclosure:

Disclosure of this information could aid public debate and awareness of
the technology we employ.

 

Factors favouring non-disclosure:

Disclosure of IP addresses and other such information could assist the
criminal fraternity to breach our systems, potentially hack into the
systems, retrieve information, damage information, or infect our systems
with a virus. Therefore, identifying specific information in respect of
the Constabulary's IT systems would enable a third party to exploit any
potential vulnerability within those systems. To police our communities
effectively we are reliant on the information and systems we use.  Should
a breach of security be successful this will impact on our ability to
enforce law.  Policing is largely intelligence led, if this information
was infected or infiltrated this would impact negatively on victims of
crime, and detection rates would decrease.

 

 

Balance test

When balancing the public interest we have to consider whether the
information should be released into the public domain.  Arguments need to
be weighed against each other.

 

Disclosure of this information, whilst acknowledged would aid public
debate, would also have a negative effect on law enforcement.  Our systems
and information are invaluable to uphold the law, and any breach could
have severe consequences especially with regard to sensitive information. 
This would have a negative impact on our service and the public.

 

After weighing up the competing interests, I believe the damage incurred
by release of this information, including information being damaged or
destroyed, would adversely affect public safety, and subsequently have
negative financial implications ultimately affecting the public. I have
determined that the disclosure of the above information would not be in
the public interest. In accordance with the Act, this letter represents a
Refusal Notice for this specific information.

 

Q1e. Which Constabulary and/or Police and Crime Commissioner and/or Police
and Crime Panel committee had oversight of the SAP security assessment[s]?
Please disclose the relevant committee reports and meeting outcomes.

 

This would have been the Police Security Management Board, which has since
become the Strategic Information Management Board. No reports or minutes
from these meetings are held.

 

Yours sincerely

 

C Quartey

 

Freedom of Information Officer

Corporate Information Management Department

 

 


Dear #Freedom of Information Requests,

The above letter was wrongly posted to this FOI rather than the other related FOI:

https://www.whatdotheyknow.com/request/w...

For the Internal Review, can you please add the query as to why a law enforcement exemption is being considered when SAP is considered "low risk" e.g.

Q1a. When was SAP last formally security assessed?

SAP has not been assessed since it was first introduced. We re-accredit internal systems on a risk basis taking into account the content of the system, the number of incidents concerning the system (including misuse, wrongful disclosure and unauthorised access) and where the system sits in relation to our network and external connections. SAP has been considered a low risk.

Yours sincerely,

Dave Orr

#Freedom of Information Requests, Avon and Somerset Constabulary

1 Attachment

Dear Mr Orr,

Please find attached a letter in response to your recent FOI appeal.

Regards

Information Access Manager
Corporate Information Management Department
Avon and Somerset Constabulary
PO Box 37, Valley Road, Bristol, BS20 8QJ

 

 


Dear #Freedom of Information Requests,

I believe that your Internal Review does not meet the FOIA.

There is supposed to be a balancing public interest test that has not been engaged.

SAP is a shared IT system used by the Police, Somerset County Council, Taunton Deane Borough Council and crucially Southwest One (SW1) themselves (with direct hire staff involvement).

Somerset County Council has twice recently published SAP audit reports by the external auditor Grant Thornton (also the Police external auditor) that were critical of the SAP security and the lack of some key controls by SW1.

http://www1.somerset.gov.uk/council/meet... [Agenda Item 6 first report]

The question has been raised that SAP should not have been implemented on a shared Group Company basis but that each partner should have had its own database and security schema, whilst sharing program code only.

Meanwhile, the Constabulary has reported that their SAP audit has provided "exemplary assurance".

It is of clear, genuine and timely public interest that the two reports can be compared as the conclusions differ so much.

It is also of interest as to whether the latest HMIC and Government security standards are met and whether another Police Service could confidently join.

Instead of applying redactions for information that is genuinely of security risk, you have chosen a blanket refusal, which is against the public interests expressed above.

I respectfully request that the Internal Review is carried out afresh, to take into account a public interest test based on the above and to comply properly with the FOIA.

Yours sincerely,

Dave Orr

Dear #Freedom of Information Requests,

Can you please advise me whether the IR will now include a public interest test or whether you are advising me that you will take no further action and I should proceed to an ICO appeal.

I would prefer to avoid the overhead and costs of an ICO referral to ensure that the IR is compliant via a fully weighed up public interest test.

Yours sincerely,

Dave Orr

#Freedom of Information Requests, Avon and Somerset Constabulary

Dear Mr Orr,

The appeal panel has agreed to review your internal review. You will receive a response to this the week beginning 17th March.

With regard to the public interest test, is there a particular exemption you believe it should be done for? Please let us know.

Regards

FOI Officer


Dear #Freedom of Information Requests,

Please apply a public interest test (as I have described) to each exemption cited in turn.

Yours sincerely,

Dave Orr

#Freedom of Information Requests, Avon and Somerset Constabulary

1 Attachment

Mr Orr
Please find attached the response into your recent request dated 11 March
for a review of your internal review.

Regards
FOI Officer

<<Letter Mr Orr Appeal follow up.pdf>>

 
