Kingdom Services Group "Data Breach and GDPR"

P Rourke made this Freedom of Information request to Walsall Metropolitan Borough Council

This request has been closed to new correspondence from the public body.

The request was partially successful.

Dear Walsall Metropolitan Borough Council,

1. As Joint Controllers of the data being processed for the Environmental Enforcement contract with KSG (KSG), can you confirm that either you or KSG reported the breach (within 72hrs) of Kingdom's "Bonus Spreadsheet for 2018" being available online for anyone to observe? The spreadsheet was not password protected. It also contained the names of all the councils working with KSG and all of their employee names and FPN totals for each day (no security whatsoever).

2. As Joint controllers of the data being processed for the Environmental Enforcement contracts, can you confirm that either you or KSG formally informed all of their employees (authorised council officers), whose names were on the spreadsheet?

3. Could you confirm that all the Body Worn Cameras being used to collect personal identifiable information from members of the public have been encrypted as per the GDPR (2016). KSG use Body Worn Cameras supplied by Pinnacle. The PR5 model is not encrypted and cannot be used to collect personal identifiable information. Therefore, they must be using the PR6 model. Could you confirm the model being used for your contract?

4. Can you confirm that all officers employed by KSG have been trained in accordance to DPA 1998 and GDPR (2016) and that you have seen the signed training records for this training?

5. Can you confirm that all the officers employed by KSG, authorised to enforce littering offences on behalf of the council have been fully vetted and have valid DBS check, which the council have seen?

Could you confirm KSG have a Data Protection Officer/department and the contact email for this person/department.

Could you provide me with a copy of the following documents/policies which will have been updated in accordance with the General Data Protection Regulations (2016), the regulations came into force on 25th May 2018. Therefore, all of the documents will have been updated.

1. A copy of your Data Sharing Agreement with KSG for the delivery of Environmental Enforcement Services and a variation to this agreement to show the inclusion of GDPR (2016).

2. A copy of the Data Protection Impact Assessment for The Environmental Enforcement Services delivered by KSG on behalf of the council, which will show the inclusion of GDPR (2016). This assessment will include all systems used for processing Personal identifiable information e.g. systems, Body Worn Cameras, Handheld Computers and officer notebooks.

3. A copy of the Body Worn Camera Policy being adhered to by the officers employed by KSG working on behalf of the council. Also the previous version of this policy before adhering to the GDPR (2016).

4. A copy of the data retention policy being used in accordance with GDPR (2016) for the Environmental Enforcement contract with KSG.

Yours faithfully,

P Rourke

InformationRights, Walsall Metropolitan Borough Council

Dear Sir/Madam,

Thank you for your request for information about Data Breach and GDPR,
which was received on 13 July 2018.

In accordance with provisions within Freedom of Information Act 2000, the
council will respond to your request within 20 working days, saying
whether we have the information that you want, and if there will be any
charges.

If, for any reason, we cannot provide you with the information, we will
tell you why. If we need to clarify your request, we will contact you
again.

In the meantime, if you need to contact me about your request, please do
so quoting the above reference number.

Yours sincerely

Fakhara Qanwal

InformationRights, Walsall Metropolitan Borough Council

Dear Sir/Madam

Freedom of Information Request RFI1020/18

Further to your request for information about Kingdom Services Group "Data
Breach and GDPR" I can tell you the following:

As you have requested multiple questions relating to a potential incident
and data breach we should inform you that we will not be disclosing any
information relating to this breach under section 30 of the FOI in that
this is deemed an investigation and is confidential at the outset. (please
see our response to each question below).

You should also please consider that while assessing and collating our
response we have found that most of the questions relate directly to KSG
as a third party and data controller in their own right and we therefore
also refuse disclosure under the basis that this information is either
available via their website and data protection/privacy pages or from the
company directly. Therefore the exemption that this information is
available elsewhere under the FOI section 21 applies and we recommend you
direct your questions to KSG.

1. As Joint Controllers of the data being processed for the
Environmental Enforcement contract with KSG (KSG), can you confirm that
either you or KSG reported the breach (within 72hrs) of Kingdom's "Bonus
Spreadsheet for 2018" being available online for anyone to observe? The
spreadsheet was not password protected. It also contained the names of all
the councils working with KSG and all of their employee names and FPN
totals for each day (no security whatsoever).

We received confirmation of a data breach involving possible systems
and/or data relating to KSG for which we are currently undertaking a full
investigation in line with the controller/processor obligations. All
internal investigations are dealt with in a confidential manner unless
there is substantial public interest and at this point in time we cannot
divulge the status or outcomes of this investigation under section 30 of
the FOI act.

We do however publish our annual incident reports with statistics on all
incidents and specific information relating to serious incidents and
lessons learnt via the website and committee minutes which you are more
than welcome to view and research at the end of each financial year via
our website.

2. As Joint controllers of the data being processed for the
Environmental Enforcement contracts, can you confirm that either you or
KSG formally informed all of their employees (authorised council
officers), whose names were on the spreadsheet?

For clarity over the working relationship, WMBC are the data controller
and instruct KSG to process environmental services on our behalf as the
Data Processor. KSG are also a Data Controller in their own right
therefore any questions relating to the KSG internal processes,
procedures, training or equipment requirements should be directed to KSG
as the data controller.

WMBC are not aware of such a spreadsheet and are currently investigating
this matter with KSG directly.

This again would be exempt from disclosure under section 30
“investigations” of the FOI. However if you are willing to share any
further information to assist in identifying and locating such a
spreadsheet, we will be more than happy to investigate the contents and
undertake any further actions where a data breach of WMBC data is related.

3. Could you confirm that all the Body Worn Cameras being used to
collect personal identifiable information from members of the public have
been encrypted as per the GDPR (2016). KSG use Body Worn Cameras supplied
by Pinnacle. The PR5 model is not encrypted and cannot be used to collect
personal identifiable information. Therefore, they must be using the PR6
model. Could you confirm the model being used for your contract?

KSG are an approved national supplier of services and we recommend any
questions relating to their internal security controls should be placed
directly on the data controller themselves as this information is only
available directly from KSG. The ICO is clear in that “that you have
appropriate security measures in place to protect the personal data you
hold” and this again would be a compliance requirement of KSG as this
forms part of their internal processes and security regime.

4. Can you confirm that all officers employed by KSG have been trained
in accordance to DPA 1998 and GDPR (2016) and that you have seen the
signed training records for this training?

KSG are an approved national supplier of services and we recommend any
questions relating to their internal security controls should be placed
directly on the data controller themselves as this information is only
available directly from KSG.

5. Can you confirm that all the officers employed by KSG, authorised to
enforce littering offences on behalf of the council have been fully vetted
and have valid DBS check, which the council have seen?

KSG are an approved national supplier of services and we recommend any
questions relating to their internal security controls should be placed
directly on the data controller themselves as this information is
available directly from KSG.

Could you confirm KSG have a Data Protection Officer/department and the
contact email for this person/department.

KSG are an approved national supplier of services and we recommend any
questions relating to their internal security controls should be placed
directly on the data controller themselves as this information is
available directly from KSG.

Could you provide me with a copy of the following documents/policies which
will have been updated in accordance with the General Data Protection
Regulations (2016), the regulations came into force on 25th May 2018.
Therefore, all of the documents will have been updated.

1. A copy of your Data Sharing Agreement with KSG for the delivery of
Environmental Enforcement Services and a variation to this agreement to
show the inclusion of GDPR (2016).

Contract changes and variation letters were issued to all third parties
with regards to GDPR, however as these are internal management controls
there is no basis for disclosure as part of our management and corporate
confidential processes. Contracts would only be reviewed or disclosed
during a dispute or conflict between authorised parties during an
investigation for evidence of the controls in place to protect data.
Therefore the request for copies of the agreements and/or variation
letters in place is denied.

2. A copy of the Data Protection Impact Assessment for The
Environmental Enforcement Services delivered by KSG on behalf of the
council, which will show the inclusion of GDPR (2016). This assessment
will include all systems used for processing Personal identifiable
information e.g. systems, Body Worn Cameras, Handheld Computers and
officer notebooks.

KSG entered into contract with the local authority prior to the
requirements for a DPIA and provided sufficient evidence through
certification, policies and process statements that they comply with the
obligations under data protection. The signing of the contract and
acceptance of the GDPR update and variation letter also provides
sufficient evidence of compliance for the local authority.

A copy of the Body Worn Camera Policy being adhered to by the officers
employed by KSG working on behalf of the council. Also the previous
version of this policy before adhering to the GDPR (2016).

Denied under section 21 Available via KSG

3.    A copy of the data retention policy being used in accordance with
GDPR (2016) for the Environmental Enforcement contract with KSG.

WMBC IG Framework containing our data protection policy is available
online via the Walsall Council website. KSG also have appropriate policies
and privacy notices in place via their own website and therefore the
information is reasonably available elsewhere and will not be disclosed
with this response.

Most of the information that we provide in response to Freedom of
Information Act 2000 and Environmental Information Regulations 2004
requests will be subject to copyright protection. In most cases the
copyright will be owned by Walsall Council. The copyright in respect of
other information may be owned by another person or organisation, as
indicated.

You are free to use any information supplied to you in response to this
request for your own non-commercial research or private study purposes.
The information may also be used for any other purpose allowed by a
limitation or exception in copyright law, such as news reporting.
However, any other type of re-use, for example by publishing the
information in analogue or digital form, including on the internet, will
require the permission of the copyright owner.

I hope that the information provided is useful to you. However, if you are
dissatisfied, you should set out in writing your grounds for complaint and
send to: Corporate Assurance Manager, Resources & Transformation, Civic
Centre, Darwall Street, Walsall, WS1 1TP.

If you are not content with the outcome of your complaint, you may apply
directly to the Information Commissioner’s Office (ICO) for a decision.
Please remember that, generally, the ICO cannot make a decision unless you
have first exhausted the complaints procedure provided by the council. The
Information Commissioner can be contacted at: The Information
Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9
5AF. https://ico.org.uk/global/contact-us/

Yours sincerely

Anne Perks

Assurance Officer

Assurance Team, Resources and Transformation

Walsall Metropolitan Borough Council

3rd Floor (HR Suite), Civic Centre, Darwall Street, Walsall, WS1 1DG

Tel: 01922 65 2405

Email: [email address]

Web: www.walsall.gov.uk