Job description for Security Analyst / Security Architect

Bob Packard made this Freedom of Information request to Service Glasgow LLP

This request has been closed to new correspondence. Contact us if you think it should be reopened.

Response to this request is long overdue. By law, under all circumstances, Service Glasgow LLP should have responded by now (details). You can complain by requesting an internal review.

Dear Service Glasgow LLP,

I understand that your organisation, until 1/4/2018, directly employed a number of staff who looked after cybersecurity matters on behalf of Glasgow City Council.

Those roles are now carried out by staff either directly employed by CGI IT UK Limited or employees of GCC who are seconded to CGI.

I would be grateful if you could please provide the following information under the auspices of the Freedom of Information (Scotland) Act:

1) The job description for the roles covering Information/Cyber Security/Assurance. Selected job titles could take the form of Security Architect, Security Analyst, Assurance Analyst; however, this is non exhaustive.

2) The job description for the role covering the management of these individuals, e.g. the Head of Department.

3) Details of the pay and grading banding for those roles, e.g. at which point the roles sit on the former WPBR scale, or, the salary band if the role is outside WPBR.

4) Where possible, a copy of an organogram, showing where these roles sat within the business and the nature of the reporting structure (e.g. Analyst reporting to Architect, reporting to Manager, reporting to Director)

I understand that staffing matters would have been dealt with directly by ACCESS (Service Glasgow LLP)'s Human Resources function, in conjunction with Glasgow City Council's Corporate HR and Employee Service Centre (Customer and Business Services); therefore, even with HR staff being unavailable, the information should still exist within the Council's Human Resources department, or, within the SAP system used by CBS.

I trust this request is relatively self explanatory; however, if you require any clarity I would be pleased to provide it.

Yours faithfully,

Bob Packard

Dear Service Glasgow LLP,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Service Glasgow LLP's handling of my FOI request 'Job description for Security Analyst / Security Architect'.

I am disappointed that Service Glasgow LLP (Glasgow City Council) has failed to respond to my Freedom of Information request which was made on the 21st of February 2020. By law, I should have received your reply by the 23rd of March at the very latest.

I can see from the WhatDoTheyKnow system that my request was accepted by your email server, cpmesseg02s.glasgow.gov.uk, on the 21st of February at 08:51:51 GMT (reference 48P4vX6Pmpz1ktqc).

I should be grateful if you would, therefore, conduct a review into what has gone wrong; and most importantly, I should also be grateful if you would prioritise provision of the information wherever possible.

I appreciate that the current situation is likely to cause delays, however, it would not have been unreasonable to expect that the Council acknowledge this and advise that a delay was to be anticipated.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/j...

Yours faithfully,

Bob Packard

Bob Packard left an annotation ()

I have written to the chief executive of Glasgow City Council today to ask that the Council's lack of a response be investigated.

Bob Packard left an annotation ()

I have referred this long-standing matter to the Scottish Information Commissioner today, and asked that they issue a decision notice.

Bob Packard left an annotation ()

Scottish Information Commissioner wrote to Service Glasgow LLP on 28 July to "ask it to explain why it failed to reply to your information request and request for review".

Case ref: 202000729

Bob Packard left an annotation ()

Glasgow City Council's Executive Legal Manager - Jennifer McMartin - responded on behalf of Service Glasgow LLP by private email on 31 July.

I attempted to reply to Ms McMartin, however, the Council's email system is blocking responses. I have written to her using the postal system to refute the Council's response; and to remind Ms McMartin that she must reply using WhatDoTheyKnow, citing §11(1) of the Freedom of Information (Scotland) Act.

Enquiries (ACCESS LLP), Service Glasgow LLP

OFFICIAL

 

This email has been sent to your personal email and the what do they know
email, however for completeness, I am sending this again from the Service
Glasgow inbox that you made your initial request too.

 

 

Dear Mr Packard

 

Request for Information under the Freedom of Information (Scotland) Act
2002 (the “Act”)

 

I understand from the Office of the Scottish Information Commissioner that
you have made an application regarding your information request made to
Service Glasgow LLP on 21 February 2020 and subsequent request for review
dated 7 April 2020.

I am a solicitor for Glasgow City Council but I am acting on behalf of
Service Glasgow LLP in respect of this matter. Firstly, I would like on
behalf of Service Glasgow to take this opportunity to apologise for the
delay in responding to your information request.

This correspondence is Service Glasgow LLP’s response to your information
request and the result of our review as to why you did not receive a
response within the statutory timescales. I have now carried out a full
investigation into this matter.

By way of background information, I can advise that Service Glasgow LLP
stopped actively trading on 31 March 2018 when the provision of ICT
Services was transferred to CGI UK Limited. An application was made in May
2020 to voluntarily wind up the LLP after a number of legal matters were
completed. The notice to wind up the LLP was published on 20 June 2020 and
is required to be advertised for a period of 2 months and thereafter the
LLP will be formally wound up (scheduled for 30 August 2020).

 

Since 1 April 2018, Service Glasgow LLP has remained a dormant LLP as it
provides no services and has no staff or assets. Therefore, although
Service Glasgow LLP is still a public authority for the purpose of the
Freedom of Information (Scotland) Act 2002, at the time of your
information request, it was a dormant LLP.

 

The mailbox that your requests were sent to is an active mailbox however
it was not being monitored due to the dormant nature of the LLP and the
change in service provision from Service Glasgow to CGI. The audit logs
show that the mailbox has not been accessed in the past 90 days (these
logs are deleted after 90 days) and there was no auto response on the
mailbox. Unfortunately, this meant that your emails were not actioned and
for that I can only apologise on behalf of Service Glasgow. I can advise
that this issue has now been remedied and I now have access to this
mailbox to ensure this does not happen again, prior to Service Glasgow
being formally wound up.

 

DECISION

 

Turning now to your information request, I note that you have asked us to
provide you with information relating to specific job roles. For ease of
reference, the full details of your request are set out in the annex to
this letter. I can advise that Service Glasgow do not hold the information
requested. All of Service Glasgow’s assets (including any remaining data
and information) were transferred to Glasgow City Council. We are
therefore unable to comply with your request in terms of section 17(1)(b)
of the Act.

 

By way of advice and assistance, you can make an information request
directly to the Council by email via [1][email address].

 

I hope that this explanation is helpful and again I can only apologise
again on behalf of Service Glasgow for any inconvenience caused in the
delay in responding to you.

 

RIGHT OF APPEAL

 

I understand that you have already been in touch with the Office of the
Scottish Information Commissioner. However, I am still required to advise
you of your right of appeal.

 

If you are not happy with the response provided you have the right to make
an application within six months of receipt of this letter for a decision
by the Scottish Information Commissioner. The Scottish Information
Commissioner can be contacted as follows:

 

Address:         Kinburn Castle, Doubledykes Road, St Andrews, KY16 9DS.

Email:              [2][email address]

Telephone:     01334 464610

 

You can also use the Scottish Information Commissioner’s online appeal
service to make an application for a decision:
[3]www.itspublicknowledge.info/appeal.

 

Thereafter a decision by Scottish Information Commissioner may be appealed
on a point of law to the Court of Session.

 

Yours sincerely

 

Jennfer Mcmartoim

 

 

 

ANNEX

 

Initial FOI Request:

 

I would be grateful if you could please provide the following information
under the auspices of the Freedom of Information (Scotland) Act:

1) The job description for the roles covering Information/Cyber
Security/Assurance. Selected job titles could take the form of Security
Architect, Security Analyst, Assurance Analyst; however, this is non
exhaustive.

2) The job description for the role covering the management of these
individuals, e.g. the Head of Department.

3) Details of the pay and grading banding for those roles, e.g. at which
point the roles sit on the former WPBR scale, or, the salary band if the
role is outside WPBR.

4) Where possible, a copy of an organogram, showing where these roles sat
within the business and the nature of the reporting structure (e.g.
Analyst reporting to Architect, reporting to Manager, reporting to
Director)

I understand that staffing matters would have been dealt with directly by
ACCESS (Service Glasgow LLP)'s Human Resources function, in conjunction
with Glasgow City Council's Corporate HR and Employee Service Centre
(Customer and Business Services); therefore, even with HR staff being
unavailable, the information should still exist within the Council's Human
Resources department, or, within the SAP system used by CBS.

 

Jennifer McMartin

Executive Legal Manager

Corporate and Property Law

Chief Executive’s Department

Glasgow City Council

George Square

Glasgow

G2 1DU

 

Tel: ext 74699 (Internal)

Tel: 0141 287 4699 (External)

Tel: 07867 814601 (Mobile)

Email: [4][email address]

 

Any advice contained in this email is strictly privileged and confidential
and is intended for use by the intended recipient only. 

 

 

OFFICIAL

Glasgow - proud host of the 26th UN Climate Change Conference (COP26) -
UK2021.

Please print responsibly and, if you do, recycle appropriately.

  ***Disclaimer****

 This e-mail and any attachments are for the intended addressee(s) only
and may contain confidential and/or privileged material. If you are not a
named addressee, do not use, retain or disclose such information. This
email is not guaranteed to be free from viruses and does not bind Access
in any contract or obligation. SERVICE GLASGOW LLP trading as ACCESS
Registered in Scotland. No: SO301705 Registered Office: 220 High Street,
Glasgow, G4 0QW

References

Visible links
1. mailto:[email address]
2. mailto:[email address]
3. http://www.itspublicknowledge.info/appeal
4. mailto:[email address]

Dear Ms McMartin,

I refer to your message dated 11 August 2020, in which you've provided me with a copy of the response that you sent to my private mailbox. You will, of course, be aware of my communication preference, therefore, I do not accept that Service Glasgow LLP complied with its FoISA obligations until said date.

It is regrettable that it has taken the LLP some 118 days to provide a substantive response to my FoISA request, and that despite several emails and letters being sent (to the registered office), it took the intervention of the Scottish Information Commissioner's office to elicit a response.

I have copied my response to you below, in which I ask you to clarify a number of aspects in the response that you provided. You will note that I have been unable to send this by direct reply to your original email as the Glasgow City Council email system blocks ProtonMail addresses. Given this directly relates to my FoISA request, I would ask that you respond using this channel going forward. For the purposes of clarity, this is a request under §11(1) of FoISA to communicate using a particular medium.

Naturally, the PDF enclosures cannot be provided using this channel, however, I can confirm that a true and accurate copy of said documents was sent to your George Square offices on 1 August, along with confirmation of the ProtonMail "issue".

I look forward to your prompt response to the matters at hand - stay safe, and thank you.

With kind regards,

Bob Packard

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, 31 July 2020 23:16, Packard, Bob <[redacted]> wrote:

Dear Ms McMartin,

Re: https://www.whatdotheyknow.com/request/j...
OSIC reference 2020000729

I acknowledge receipt of your email from this afternoon.

I do not accept, however, that your email constitutes a valid response under the Freedom of Information (Scotland) Act as you have failed to communicate using the email address designated at the time of my FoISA request, namely, the WhatDoTheyKnow address.

You will doubtless be aware that the Scottish Information Commissioner has previously issued a decision on a matter similar to this [1], which, in the Commissioner's "round up" is noted as:

Responding to 'What Do They Know' requests
Whatdotheyknow.com is an online platform through which people can make FOI requests to public bodies across the UK. This week we considered an unusual case where a response was sent to the wrong What Do They Know email address. Despite the response being available online, we concluded that the Council's response did not reach the requester within the FOI timescales. Authorities need to ensure that they use the contact details provided for each request, even where there may be multiple requests from the same requester.

Although the exact phrasing is slightly different, you will note that the Commissioner is acutely aware of the particular use of WDTK, which is, of course a valid medium for making a FoISA request, and has issued specific guidance to public bodies in regard to ensuring that they use the correct email address for delivery of their response to any such request.

I do not, therefore, believe that your response is compliant in terms of the Act, as I have previously stated a preference for communication using a particular medium - this is, to be specific, citing a preference under §11(1) of FoISA.

I am sure the Council will seek to comply with its obligations under the Act by producing its response to the relevant WhatDoTheyKnow address in due course.

Turning to the other aspects of your correspondence which are pertinent in this immediate scenario, I note that you have stated

The mailbox that your requests were sent to is an active mailbox however it was not being monitored due to the dormant nature of the LLP and the change in service provision from Service Glasgow to CGI. The audit logs show that the mailbox has not been accessed in the past 90 days (these logs are deleted after 90 days) and there was no auto response on the mailbox. Unfortunately, this meant that your emails were not actioned and for that I can only apologise on behalf of Service Glasgow. I can advise that this issue has now been remedied and I now have access to this mailbox to ensure this does not happen again, prior to Service Glasgow being formally wound up.

This is not a wholly persuasive argument in itself - there is documented evidence that the request dated 21/02/20 was delivered to the designated Service Glasgow mailbox, along with the Internal Review request dated 07/04/2020.

It is concerning that, even excusing an apparent lack of Out of Office message, or lack of an autoforward (which, of course, the Council's Microsoft Exchange email system is readily able to support[2]), the Council failed to act on two letters sent to the Service Glasgow LLP registered office[3] on the 20th of May and 14th of June.

I have enclosed a copy of the letters, addressed to Annemarie O'Donnell, your Chief Executive, and Councillor Susan Aitken (Leader of the Council), for your records.

You will, of course, be acutely aware of the obligation that the LLP has to receive mail at its registered office.

These letters provided the Council (and indeed, the LLP) with more than adequate notice that there were matters outstanding, and included a copy of the original request. It is therefore somewhat incredulous for your response to effectively suggest that the LLP had not received the request. This premise is wholly misleading.

Looking toward the "[email address]" email address itself, I am aware that the Council and its ICT partner still actively use the access.uk.com email address system, and indeed, since my initial correspondence, I note that the Council's ICT provider has recently changed the "mx" record for this domain. The "mx" record is the server address which tells an email system where messages should be delivered - in literal terms, it is the post box address for correspondence.

This appears to have been updated in recent weeks, at the same time as the Council's primary domain, glasgow.gov.uk, and has changed the server names from servers beginning "cp" to servers beginning "dv" - presumably this refers to the Council moving its email system to an outside datacentre.

Furthermore, even if it were true that the Council (or the LLP) had no record of receiving the email, the Council has an email archiving solution, which should have retained a copy of the message as received. I believe this system is known as Enterprise Vault, and, depending on the archiving policy, I understand that the Council default is to hold email correspondence for up to 10 years - unless there is a specific configuration on the folder within the user's Outlook mailbox that specifies otherwise.

It appears therefore, that your response is, perhaps, being slightly economical with the truth in such regard. This is most regrettable, and it appears to be a prima facie attempt to mislead. I am sure, however, that this is merely an error and that you will seek to correct the record in due course.

** The status of the LLP **

I note that you have intimated that the LLP filed to be voluntarily wound up in May 2020. The official record does not support this premise.

You will doubtless be aware that the Companies House database shows that the Registrar for Companies lodged papers with the official Gazette on 25/02/20 [4] as the LLP had failed to supply its accounts and confirmation statement.

This notice was not revoked until the Registrar received paperwork from the LLP's members on 23/06/20 [5], confirming the intent of both members that the LLP be wound up in due course. It is disingenuous to suggest otherwise - the public record is clear that the paperwork was not received until said date. I would, for record, draw your attention to said paperwork, which bears the electronic signature of Carole Forrest, confirming the date of signing as 22/06/20.

You will be aware, of course, that the public record also shows that the LLP was "active" at the time of my request being made. If the LLP was, in fact, dormant it would have been reasonable to expect that it file accounts for the Financial year 18/19 stating such.

** Remaining matters at hand **

I have not yet evaluated your formal response under FoISA as you have, as yet, failed to comply with your obligation to proffer a response using my preferred method of communication.

I should, therefore, be obliged if you would proffer your response to the designated WhatDoTheyKnow email address as a matter of urgency. At that stage I will then evaluate your response and reply in due course.

I should, however, make you aware that the premise that the LLP no longer held data is one that does not appear to stand - the LLP would clearly have retained records as a "Data Controller", and Glasgow City Council's Customer and Business Services department, who acted as "Data Processor" for and on behalf of the LLP would have retained records.

You will, of course, be aware that the seconded employees of the LLP (to whom, Glasgow City Council is their official employer), were administered by the LLP's Human Resources section, and that those records were held on media operated by the Council (namely, the Council's SAP Human Resources system, the Council's "Pulse" request management tool, and the Council's Electronic Document Record Management System - Opentext EDRMS).

I am minded to suggest that if the LLP's response remains negative, I shall seek an internal review - however, given your response has not yet been delivered to the correct place, I ponder if the LLP will perhaps seek to revise its response, and issue something that is more in keeping with actuality when it corrects its mistake.

If you are unaware of the address, you will find it on the enclosed letters - which, for avoid

If, for some reason, you are unable to reply to the WhatDoTheyKnow address, please do explain why. If you are needing assistance I believe you can contact their administrators at [email address].

I am copying Mr Kelly from the Scottish Information Commissioner's office for his reference. I believe it would be reasonable to allow until COB on Monday 03/08/20 for you to correct the mistake regarding the wrong email address being used.

At this stage, it would be my intent to seek that the SIC issue a decision notice in regard to the LLP's disregard of its obligations under the FOISA; however, if you have representations which disagree with the above, I am sure that the Commissioner would consider them.

I very much look forward to your response - stay safe, and thank you.

With kind regards,

Bob Packard.

cc: John Kelly, OSIC - by email; file.
cc: Councillor Susan Aitken, Leader of Glasgow City Council

[1] Kerr - v- West Lothian Council, OSIC decision 076/2019 - http://www.itspublicknowledge.info/Appli...
[2] As noted by the Council's own Internal Audit section - http://www.glasgow.gov.uk/Councillorsand...
[3] City Chambers, 82 George Square, Glasgow, G2 1DU
[4] https://beta.companieshouse.gov.uk/compa...
[5] https://beta.companieshouse.gov.uk/compa...

Dear Jennifer McMartin,

I refer to my correspondence dated 13 August - a copy of which can be found at: https://www.whatdotheyknow.com/request/j...

Taking cognisance of the fact that you have previously advised that the LLP has had issues receiving emails, would you please confirm that this is receiving attention, and that you intend to respond?

Yours sincerely,

Bob Packard

Bob Packard left an annotation ()

The Scottish Information Commissioner has now issued a Decision Notice, 104/2020, dated 16/09/2020, which states, amongst other things:

"The Commissioner finds that Service Glasgow LLP failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant. In particular, Service Glasgow LLP failed to respond to the Applicant’s request for information and requirement for review within the timescales laid down by sections 10(1) and 21(1) of FOISA.

As Service Glasgow LLP responded to the Applicant’s requirement for review during the investigation, the Commissioner does not require to it to take any action in respect of these failures, in response to the Applicant’s application."

… it is notable however that this decision notice only refers to the original request (and subsequent request for internal review). It does not refer to the subsequent correspondence to which a response is currently outstanding.

Dear Enquiries (ACCESS LLP) / Jennifer McMartin,

Re: https://www.whatdotheyknow.com/request/j...

I note that you have not, as yet, had the courtesy to acknowledge my correspondence of 13 and 28 August, sent to you via the WhatDoTheyKnow website; nor have you had the courtesy to acknowledge the hard copy which had previously been sent to your City Chambers offices on 1 August.

I should be grateful if you would confirm that matters are in hand, and that the LLP intends to provide a response without further undue delay.

Yours sincerely,

Bob Packard