Kingdom Services Group "Data Breach and GDPR"

The request was successful.

Dear Thurrock Borough Council,

1. As Joint Controllers of the data being processed for the Environmental Enforcement contract with KSG (KSG), can you confirm that either you or KSG reported the breach (within 72hrs) of Kingdom's "Bonus Spreadsheet for 2018" being available online for anyone to observe? The spreadsheet was not password protected. It also contained the names of all the council's working with KSG and all of their employee names and FPN totals for each day (no security whatsoever).

2. As Joint controllers of the data being processed for the Environmental Enforcement contracts, can you confirm that either you or KSG formally informed all of their employees (authorised council officers), whose names were on the spreadsheet?

3. Could you confirm that all the Body Worn Cameras being used to collect personal identifiable information from members of the public have been encrypted as per the GDPR (2016). KSG use Body Worn Cameras supplied by Pinnacle. The PR5 model is not encrypted and cannot be used to collect personal identifiable information. Therefore, they must be using the PR6 model. Could you confirm the model being used for your contract?

4. Can you confirm that all officers employed by KSG have been trained in accordance to DPA 1998 and GDPR (2016) and that you have seen the signed training records for this training?

5. Can you confirm that all the officers employed by KSG, authorised to enforce littering offences on behalf of the council have been fully vetted and have valid DBS check, which the council have seen?

Could you confirm KSG have a Data Protection Officer/department and the contact email for this person/department.

Could you provide me with a copy of the following documents/policies which will have been updated in accordance with the General Data Protection Regulations (2016), the regulations came into force on 25th May 2018. Therefore, all of the documents will have been updated.

1. A copy of your Data Sharing Agreement with KSG for the delivery of Environmental Enforcement Services and a variation to this agreement to show the inclusion of GDPR (2016).

2. A copy of the Data Protection Impact Assessment for The Environmental Enforcement Services delivered by KSG on behalf of the council, which will show the inclusion of GDPR (2016). This assessment will include all systems used for processing Personal identifiable information e.g. systems, Body Worn Cameras, Handheld Computers and officer notebooks.

3. A copy of the Body Worn Camera Policy being adhered to by the officers employed by KSG working on behalf of the council. Also the previous version of this policy before adhering to the GDPR (2016).

4. A copy of the data retention policy being used in accordance with GDPR (2016) for the Environmental Enforcement contract with KSG.

Yours faithfully,

P Rourke

Information.Matters@thurrock.gov.uk, Thurrock Borough Council

Thank you for your email. 

 

Your enquiry is important to us and will be recorded and responded to in
line with respective timeframes.  Our team will monitor the progress of
your enquiry to ensure you receive a timely response.

 

Data Protection Statement

We will use your information to provide the service requested. We may
share your personal data between our services and with partner
organisations, such as government bodies and the police. We will do so
when it is of benefit to you, or required by law, or to prevent or detect
fraud. To find out more, go to thurrock.gov.uk/privacy. Get free internet
access at libraries and community hubs

 

Regards

Tina Martin

Statutory & Corporate Complaints Manager

Information Governance Team

 

Disclaimer

The information in this e-mail and any attachment(s) are intended to be
confidential and may be legally privileged. Access to and use of its
content by anyone else other than the addressee(s) may be unlawful and
will not be recognised by Thurrock Council for business purposes. If you
have received this message by mistake, please notify the sender
immediately, delete it and do not copy it to anyone else. Thurrock Council
cannot accept any responsibility for the accuracy or completeness of this
message as it has been transmitted over a public network.

Any opinions expressed in this document are those of the author and do not
necessarily reflect the opinions of Thurrock Council.

Any attachment(s) to this message has been checked for viruses, but please
rely on your own virus checker and procedures.

Senders and recipients of e-mail should be aware that under the UK Data
Protection and Freedom of Information legislation these contents may have
to be disclosed in response to a request.

All e-mail sent to or from this address will be processed by Thurrock
Council's corporate e-mail system and may be subject to scrutiny by
someone other than the addressee.

This email has been scanned for viruses and malware, and may have been
automatically archived by Mimecast Ltd, an innovator in Software as a
Service (SaaS) for business. Providing a safer and more useful place for
your human generated data. Specializing in; Security, archiving and
compliance. To find out more [1]Click Here.

References

Visible links
1. http://www.mimecast.com/products/

Information.Matters@thurrock.gov.uk, Thurrock Borough Council

2 Attachments

Dear P Rourke,

Thank you for your recent communication which is being managed in line
with the Freedom of Information Act under the above reference number. The
details of your request are outlined below together with the council’s
response.

Your request and our response:

1.    As Joint Controllers of the data being processed for the
Environmental Enforcement contract with KSG (KSG), can you confirm that
either you or KSG reported the breach (within 72hrs) of Kingdom's "Bonus
Spreadsheet for 2018" being available online for anyone to observe? The
spreadsheet was not password protected. It also contained the names of all
the council's working with KSG and all of their employee names and FPN
totals for each day (no security whatsoever).

 

This incident has been assessed and there is no Thurrock Council related
personal information in scope of this incident. KSG are looking into this
matter separately.

 

2. As Joint controllers of the data being processed for the Environmental
Enforcement contracts, can you confirm that either you or KSG formally
informed all of their employees (authorised council officers), whose names
were on the spreadsheet?

 

As above.

 

3. Could you confirm that all the Body Worn Cameras being used to collect
personal identifiable information from members of the public have been
encrypted as per the GDPR (2016). KSG use Body Worn Cameras supplied by
Pinnacle. The PR5 model is not encrypted and cannot be used to collect
personal identifiable information. Therefore, they must be using the PR6
model. Could you confirm the model being used for your contract?

 

This information is held by KSG.

4. Can you confirm that all officers employed by KSG have been trained in
accordance to DPA 1998 and GDPR (2016) and that you have seen the signed
training records for this training?

 

This information relates to KSG and not the council.

 

5. Can you confirm that all the officers employed by KSG, authorised to
enforce littering offences on behalf of the council have been fully vetted
and have valid DBS check, which the council have seen?

 

This information relates to KSG and not the council.

 

6. Could you confirm KSG have a Data Protection Officer/department and the
contact email for this person/department.

 

This information relates to KSG and not the council.

 

Could you provide me with a copy of the following documents/policies which
will have been updated in accordance with the General Data Protection
Regulations (2016), the regulations came into force on 25th May 2018.
Therefore, all of the documents will have been updated.

1. A copy of your Data Sharing Agreement with KSG for the delivery of
Environmental Enforcement Services and a variation to this agreement to
show the inclusion of GDPR (2016).

 

The Council have a contract with KSG and it covers Data Protection.

2. A copy of the Data Protection Impact Assessment for The Environmental
Enforcement Services delivered by KSG on behalf of the council, which will
show the inclusion of GDPR (2016). This assessment will include all
systems used for processing Personal identifiable information e.g.
systems, Body Worn Cameras, Handheld Computers and officer notebooks.

 

This information is not held by the council as it was not mandated at the
time the contract was entered into with KSG.

3. A copy of the Body Worn Camera Policy being adhered to by the officers
employed by KSG working on behalf of the council. Also the previous
version of this policy before adhering to the GDPR (2016).

 

This information is held by KSG.

 

4. A copy of the data retention policy being used in accordance with GDPR
(2016) for the Environmental Enforcement contract with KSG.

 

The council has a privacy policy which has the retention policy included.
This is on our website.  

You are free to use any information supplied to you for your own use,
including non-commercial research purposes. However, any other type of
re-use, for example, by publishing the information or issuing copies to
the public will require the permission of the copyright owner. Where the
copyright is owned by Thurrock Council, you must apply to the Council to
re-use the information. Please email
[1][Thurrock Borough Council request email] if you wish to re-use the
information you have been supplied. For information where the copyright is
owned by another person or organisation, you must apply to the copyright
owner to obtain their permission.

If you are dissatisfied with the way in which the council have managed
your request you can pursue an independent review by contacting us at the
above address and your request will be considered by the Information
Manager who will update you with the outcome. You may also wish to refer
your case to the Information Commissioner’s Office, details of this
organisation can be found at [2]www.ico.org.uk. Alternatively they can be
contacted on 0303 123 1113.

Kind Regards,

Chloe

 

 

Chloe Green l Corporate Complaints and Information Governance Officer I
HR, OD and Transformation

[email address]

Thurrock Council, Civic Offices, New Road, Grays, Essex RM17 6SL

 

An ambitious and collaborative community which is proud of its heritage
and excited by its diverse opportunities and future

 

[3]cid:image001.png@01CECE72.3F5FA730

 

[4]cid:image002.png@01CECE72.3F5FA730

 

 

Disclaimer

The information in this e-mail and any attachment(s) are intended to be
confidential and may be legally privileged. Access to and use of its
content by anyone else other than the addressee(s) may be unlawful and
will not be recognised by Thurrock Council for business purposes. If you
have received this message by mistake, please notify the sender
immediately, delete it and do not copy it to anyone else. Thurrock Council
cannot accept any responsibility for the accuracy or completeness of this
message as it has been transmitted over a public network.

Any opinions expressed in this document are those of the author and do not
necessarily reflect the opinions of Thurrock Council.

Any attachment(s) to this message has been checked for viruses, but please
rely on your own virus checker and procedures.

Senders and recipients of e-mail should be aware that under the UK Data
Protection and Freedom of Information legislation these contents may have
to be disclosed in response to a request.

All e-mail sent to or from this address will be processed by Thurrock
Council's corporate e-mail system and may be subject to scrutiny by
someone other than the addressee.

This email has been scanned for viruses and malware, and may have been
automatically archived by Mimecast Ltd, an innovator in Software as a
Service (SaaS) for business. Providing a safer and more useful place for
your human generated data. Specializing in; Security, archiving and
compliance. To find out more [5]Click Here.

References

Visible links
1. mailto:[Thurrock Borough Council request email]
2. http://www.lgo.org.uk/
5. http://www.mimecast.com/products/