Kingdom Services Group "Data Breach and GDPR"

The request was successful.

Dear Tunbridge Wells Borough Council,

1. As Joint Controllers of the data being processed for the Environmental Enforcement contract with KSG (KSG), can you confirm that either you or KSG reported the breach (within 72hrs) of Kingdom's "Bonus Spreadsheet for 2018" being available online for anyone to observe? The spreadsheet was not password protected. It also contained the names of all the councils working with KSG and all of their employee names and FPN totals for each day (no security whatsoever).

2. As Joint controllers of the data being processed for the Environmental Enforcement contracts, can you confirm that either you or KSG formally informed all of their employees (authorised council officers), whose names were on the spreadsheet?

3. Could you confirm that all the Body Worn Cameras being used to collect personal identifiable information from members of the public have been encrypted as per the GDPR (2016). KSG use Body Worn Cameras supplied by Pinnacle. The PR5 model is not encrypted and cannot be used to collect personal identifiable information. Therefore, they must be using the PR6 model. Could you confirm the model being used for your contract?

4. Can you confirm that all officers employed by KSG have been trained in accordance to DPA 1998 and GDPR (2016) and that you have seen the signed training records for this training?

5. Can you confirm that all the officers employed by KSG, authorised to enforce littering offences on behalf of the council have been fully vetted and have valid DBS check, which the council have seen?

Could you confirm KSG have a Data Protection Officer/department and the contact email for this person/department.

Could you provide me with a copy of the following documents/policies which will have been updated in accordance with the General Data Protection Regulations (2016), the regulations came into force on 25th May 2018. Therefore, all of the documents will have been updated.

1. A copy of your Data Sharing Agreement with KSG for the delivery of Environmental Enforcement Services and a variation to this agreement to show the inclusion of GDPR (2016).

2. A copy of the Data Protection Impact Assessment for The Environmental Enforcement Services delivered by KSG on behalf of the council, which will show the inclusion of GDPR (2016). This assessment will include all systems used for processing Personal identifiable information e.g. systems, Body Worn Cameras, Handheld Computers and officer notebooks.

3. A copy of the Body Worn Camera Policy being adhered to by the officers employed by KSG working on behalf of the council. Also the previous version of this policy before adhering to the GDPR (2016).

4. A copy of the data retention policy being used in accordance with GDPR (2016) for the Environmental Enforcement contract with KSG.

Yours faithfully,

P Rourke

info (TWBC), Tunbridge Wells Borough Council

This is an automated response to thank you for your e-mail to Tunbridge
Wells Borough Council and to confirm that it will be forwarded to the
relevant department/officer to respond to.

 

If you have access to the Internet you may wish to see if your enquiry can
be dealt with online - the Council's website allows you to [1]report
problems and make [2]payments, as well as providing [3]comprehensive
information about our services.

 

Please do not reply to this automated response.

 

Customer Service Team

Tunbridge Wells Borough Council

Town Hall

Royal Tunbridge Wells

Kent  TN1 1RS

This e-mail is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of Tunbridge Wells Borough Council. If you are not the intended recipient, be advised that you have received this e-mail in error and that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited.

If you have received this e-mail in error please notify Tunbridge Wells Borough Council on telephone +44 (0)1892 526121 or e-mail to [Tunbridge Wells Borough Council request email].

References

Visible links
1. http://www.tunbridgewells.gov.uk/report
2. http://www.tunbridgewells.gov.uk/residen...
3. http://www.tunbridgewells.gov.uk/

FOI (TWBC), Tunbridge Wells Borough Council

2 Attachments

Dear P Rourke

Acknowledgement

Our Ref: FOI F07076

Thank you for your recent email which we are handling in accordance with
the Freedom of Information Act 2000. I acknowledge receipt and confirm
that we will respond within 20 working days from the date of receipt; by
no later than 13th August 2018.

In the meantime, if you have any further queries regarding our Freedom of
Information procedures please contact the team on 01892 554077 or via
e-mail to [1][email address].

Yours sincerely

 


Abigayle Sankey

Corporate Governance Assistant

 

T: 01892 554272 ext: 4272

E:[3][email address]

Town Hall, Royal Tunbridge Wells, Kent, TN1 1RS

[4]www.tunbridgewells.gov.uk   

      

 

 

 


References

Visible links
1. mailto:[email address]
3. mailto:[email address]
4. http://www.tunbridgewells.gov.uk/

FOI (TWBC), Tunbridge Wells Borough Council

3 Attachments

Dear P Rourke

 

FOI F07076

 

Please accept my apologies for the delay in responding to your FOI request
reference FO7076, copy attached.

 

We are working to collate the information that you have requested but
require further time to do so.

 

A response will be sent to you by the 31st August 2018.

 

In the meantime, if you have any further queries regarding our Freedom of
Information procedures please contact the team on 01892 554077 or via
e-mail to [1][email address].

 

Yours sincerely

Holly Glaister

Corporate Governance Assistant

Part time (Wednesdays and Thursdays)

T: 01622 602271

E: [2][email address]

Town Hall, Royal Tunbridge Wells, Kent, TN1 1RS

 

[3]www.tunbridgewells.gov.uk   

 

 

 


References

Visible links
1. mailto:[email address]
2. mailto:[email address]
3. http://www.tunbridgewells.gov.uk/

FOI (TWBC), Tunbridge Wells Borough Council

4 Attachments

Dear P Rourke

 

Re: FOI F07076

Thank you for your Freedom of Information request.

Please find below and attached the response to your recent request. The
information has been provided by our Street Scene Team.

Your request:

1. As Joint Controllers of the data being processed for the Environmental
Enforcement contract with KSG (KSG), can you confirm that either you or
KSG reported the breach (within 72hrs) of Kingdom's "Bonus Spreadsheet for
2018" being available online for anyone to observe?  The spreadsheet was
not password protected.  It also contained the names of all the councils
working with KSG and all of their employee names and FPN totals for each
day  (no security whatsoever).

 

Our contractor, Kingdom Services Group, has provided the following
information:

The breach was reported to the ICO as soon as the full nature of the
breach was known. This was outside of the 72 hours because the full extent
of the breach was still being established.

The document has restricted access, with only authorised users having
access to it. The document was not accessible outside the authorised user
group and at this stage there is no evidence to support that the document
was open to public view. The access and dissemination of this document is
still under investigation.

 

2. As Joint controllers of the data being processed for the Environmental
Enforcement contracts, can you confirm that either you or KSG formally
informed all of their employees (authorised council officers), whose names
were on the spreadsheet?

 

Our contractor, Kingdom Services Group, has provided the following
information:

 

Kingdom are currently in the process of notifying all individuals in
writing of this breach.

 

3.  Could you confirm that all the Body Worn Cameras being used to collect
personal identifiable information from members of the public have been
encrypted as per the GDPR (2016).  KSG use Body Worn Cameras supplied by
Pinnacle.  The PR5 model is not encrypted and cannot be used to collect
personal identifiable information.  Therefore, they must be using the PR6
model.  Could you confirm the model being used for your contract?

 

Our contractor, Kingdom Services Group, has provided the following
information:

 

The Information Commissioner’s Office (ICO) refer to the Government
Body-Worn Video Technical Guidance which states:

 

“The Information Commissioner’s Office provides the following advice. “The
ICO recommends that portable and mobile devices used to store and transmit
personal information should be protected using approved encryption
software which is designed to guard against the compromise of information.
If encryption is used the key must remain secret in order for the
encryption to provide an appropriate level of protection against such
threats.

However, if this is not possible, organisations need to put alternative,
robust security measures in place to circumvent the risk of not using
encryption. Data controllers should be aware that personal data being
processed on body worn video cameras is likely to be sensitive and is
therefore likely to cause damage or distress if it was lost or stolen and
this should be reflected in the security measures that are adopted.
Systems should also be in place so that only authorised personnel can
extract and view the data from the device. Furthermore, if encryption is
not possible on the device its use should not be ignored in other areas of
the evidence management system.”

At the current time, encryption is not a standard feature in many BWV
cameras. Note also that some suppliers may erroneously claim files are
encrypted when they are in reality recorded in a non-standard format.
Where encryption is used, this should be to a recognised standard. The use
of non-standard recording formats is not an acceptable substitute and
would conflict with the essential "interoperability" requirement.”

 

Kingdom ensure that all data is downloaded to a secure location at the end
of every patrol therefore reducing the volume of data on the hard drive to
a minimal amount.

 

Each camera is either personally assigned to an officer and is booked in
and out at the start and end of every shift. All staff are aware of the
sensitive nature of the footage contained on the camera and therefore the
security of the camera is paramount for the officer whilst on patrol.

 

Pinnacle PR5 body worn cameras used.

 

 

4. Can you confirm that all officers employed by KSG have been trained in
accordance to DPA 1998 and GDPR (2016) and that you have seen the signed
training records for this training?

 

Our contractor, Kingdom Services Group, has provided the following
information:

 

GDPR awareness training has been disseminated to all Kingdom staff
produced by a qualified trainer. This awareness has since been implemented
into the recruitment training package.

 

A copy of the signed training record is available for the council to view.

 

We confirm that the Council has sight of training records for officers
employed by KSG.

 

 

5. Can you confirm that all the officers employed by KSG, authorised to
enforce littering offences on behalf of the council have been fully vetted
and have valid DBS check, which the council have seen?

 

Our contractor, Kingdom Services Group, has provided the following
information:

 

All staff are fully vetted to DBS standard.

 

Could you confirm KSG have a Data Protection Officer/department and the
contact email for this person/department.

 

 

Kingdom have a Data Protection Officer in place who can be contacted via
the following email address:

 

[1][email address]

 

 

Could you provide me with a copy of the following documents/policies which
will have been updated in accordance with the General Data Protection
Regulations (2016), the regulations came into force on 25th May 2018. 
Therefore, all of the documents will have been updated.

 

 1. A copy of your Data Sharing Agreement with KSG for the delivery of
Environmental Enforcement Services and a variation to this agreement
to show the inclusion of GDPR (2016).

 

The Council is currently in the process of updating all contracts to
reflect the new data protection requirements and the introduction of the
General Data Protection Regulation.

 

 2. A copy of the Data Protection Impact Assessment for The Environmental
Enforcement Services delivered by KSG on behalf of the council, which
will show the inclusion of GDPR (2016).  This assessment will include
all systems used for processing Personal identifiable information e.g.
systems, Body Worn Cameras, Handheld Computers and officer notebooks.

 

I confirm that the Council does not hold the data requested.

 

 3. A copy of the Body Worn Camera Policy being adhered to by the officers
employed by KSG working on behalf of the council.  Also the previous
version of this policy before adhering to the GDPR (2016).

 

I attach a copy of the Council’s Body Worn Camera Policy.  

 

 

 4. A copy of the data retention policy being used in accordance with GDPR
(2016) for the Environmental Enforcement contract with KSG.

 

 

Directorate: Planning and Development
Service Area: Contracts / Waste / Street Cleaning
Service Function: Litter enforcement
Record Description or Title of Information Asset: Substantive records relating to the enforcement of litter dropping schemes
Storage: Electronic & or hard copy, held by client or contractor
Retention Period Years: 6
Retention Period Months: 0
Retain Until: It is expected that this will be a dynamic list which is constantly updating, if not year records created + 1 year
Review/Disposal Action: Delete by shredding
Legislation or business requirement: [2]HMRC - Compliance Handbook Manual CH15400
StartEvent: Year records created
Contains Personal Information?: Yes
Comments: (blank)

 

I hope this information is helpful and if there is anything further I can
help with please contact me on 01892 554077 or via email to
[3][email address]

If you are dissatisfied with the information provided or the way in which
we have dealt with your request, you can request a review.   Please write
to Patricia Narebor, Head of Legal Partnership and Monitoring Officer at
the Town Hall, Royal Tunbridge Wells, Kent, TN1 1RS or via e-mail to
[4][email address]  requesting a review of the
decision.

We will aim to deal with your request within 20 working days. If you
remain dissatisfied following our review, you can then appeal to the
Information Commissioner.

Yours sincerely

 

 

 

Jessica Cox LLB

Corporate Governance Assistant

 

T: 01892 554077 ext: 4077

E: [5][email address]

Town Hall, Royal Tunbridge Wells, Kent, TN1 1RS

 

[6]www.tunbridgewells.gov.uk   

 

 

 


References

Visible links
1. mailto:[email address]
2. http://www.hmrc.gov.uk/manuals/chmanual/...
3. mailto:[email address]
4. mailto:[email address]
5. mailto:[email address]
6. http://www.tunbridgewells.gov.uk/