Police Federation 'cyber attacks'

Neil Wilby made this Freedom of Information request to Information Commissioner's Office

This request has been closed to new correspondence from the public body. Contact us if you think it ought to be re-opened.

The request was successful.

Dear Information Commissioner's Office ("ICO"),

Please disclose all information held by the ICO in connection with two alleged 'cyber-attacks' on data, information systems at premises housing the Police Federation of England and Wales. The two distinct incidents have been widely reported in the media and are said to have taken place on 9th March and 21st March, 2019.

In a press release dated 22nd March, 2019, the Police Federation Chairman stated that the Information Commissioner had been informed. He was not specific as to whether that related to the first or second alleged incident, or both.

Given the high public interest in this matter, and the media attention it has attracted, I would be grateful if a prompt response could be provided. Thank you.

Yours faithfully,

Neil Wilby
Investigative journalist

Twitter: @Neil_Wilby
Web: neilwilby.com

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit:

[1]https://ico.org.uk/about-the-ico/our-inf...

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found
[3]here.

Twitter

Find us on Twitter [4]here.

 

References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/
3. https://ico.org.uk/about-the-ico/news-an...
4. http://www.twitter.com/ICOnews

Information Commissioner's Office

4 April 2019

 

Case Reference Number IRQ0833959

 

Dear Mr Wilby

Thank you for your recent request for information. We received your
request on 1 April 2019 via the website whatdotheyknow.com
 
We will be considering your request under the Freedom of Information Act
2000. You can expect us to respond in full by 1 May 2019. This is 20
working days from the date we received your request. If, for any reason,
we can’t respond by this date, we will let you know and tell you when you
can expect a response.
 
If you have any questions please contact me using the IRQ case reference
number above or by replying to this email and leaving the subject field
unchanged.
 
Thank you for your interest in the work of the Information Commissioner's
Office.
 
Yours sincerely
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Directorate
Working pattern: Tuesday - Friday
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Dear Information Commissioner's Office,

May I, most respectfully, remind the Commissioner that the Act requires a public authority to respond PROMPTLY and, in any event, within 20 working days. That time limit is not intended to be a backstop or a target date.

https://www.legislation.gov.uk/ukpga/200...

Yours faithfully,

Neil Wilby
Investigative journalist

Twitter: @Neil_Wilby
Web: neilwilby.com

Dear Information Commissioner's Office,

1. Under Section 10 of the Act a public authority is required to respond PROMPTLY and, in any event, within 20 working days. The Commissioner has signally failed to meet this requirement.

2. Under Section 17 of the Act a Refusal Notice must be issued if a public authority is seeking to rely on either NCND, section 12 or section 14 exemptions. The Commissioner has signally failed to meet this requirement.

3. The request is plainly expressed, the subject materials readily retrievable and disclosure uncontroversial given that the matter of the alleged 'cyber-attack' has been widely played out in the public domain.

4. No explanation has been provided for the non-compliance. In view of her role as statutory regulator this is a shocking and unacceptable occurrence.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/w...

Yours faithfully,

Neil Wilby
Investigative journalist

Twitter: @Neil_Wilby
Web: neilwilby.com

Edward Williams left an annotation

Failures by ICO should be reported by email to Jon Manners. Jon.Manners@ico.org.uk

Appeal is to the Parliamentary Ombudsman (via your MP).

Information Commissioner's Office

23 May 2019

 

Case Reference Number IRQ0833959

 

Dear Mr Wilby

Thank you for your correspondence, received 3 May 2019. I sincerely
apologise for the delay in responding to your correspondence.
 
As you are aware, I have not been able to respond to your request for
information within the statutory timeframes. This is due to a high number
of information requests to our department over recent months. I hope to be
able to provide a response in the near future.
 
You are able to raise a concern to the ICO, as the regulator using the
link [1]here. 
 
Once again, I do apologise for the delay in responding. I will contact you
again within the next two weeks.  
 
Yours sincerely
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Directorate
Usual working pattern – Tuesday to Friday
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF F. 01625 524510  [2]ico.org.uk  [3]twitter.com/iconews
For information about what we do with personal data see our [4]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. https://ico.org.uk/make-a-complaint/offi...
2. http://ico.org.uk/
3. https://twitter.com/iconews
4. https://ico.org.uk/global/privacy-notice/

Neil Wilby left an annotation

For the benefit of What Do They Know readers and users, a Section 77 complaint has now been made to the ICO.

https://www.legislation.gov.uk/ukpga/200...

My submissions are that information, readily accessible and retrievable, requiring little effort to prepare for disclosure, is being deliberately withheld by the Commissioner to conceal wrongdoing.

The explanation provided, so far, "This is due to a high number of information requests to our department over recent months. I hope to be able to provide a response in the near future", appears to have no grounding in facts, based on information available via open source.

It also appears to have no grounding in fact based on a recent request made by this applicant to the ICO.

https://www.whatdotheyknow.com/request/s...

To seriously mislead an accredited journalist, with such a falsehood, will inevitably lead to legal proceedings being taken against the Commissioner, over and above this section 77 complaint and, inevitably, a complete loss of public confidence in a statutory regulator.

Dear Information Commissioner's Office,

On all the open source evidence available, the assertion by the Commissioner that there has been 'high number of freedom of information requests over recent months' appears to be false. In my respectful submission, deliberately so.

That falsehood proposition is supported by the timely finalisation of this request, made by the same applicant on the very same day.

https://www.whatdotheyknow.com/request/s...

It is argued that the instant request is much less complex than the one referred to at the above weblink.

Accordingly, the Commissioner is put to proof over the number of freedom of information requests received in the first five months of this year (2019) versus the corresponding number of requests made in January to May, 2018 and 2017.

Yours faithfully,

Neil Wilby
Investigative journalist

Twitter: @Neil_Wilby
Web: neilwilby.com

Information Commissioner's Office

4 June 2019

 

Case Reference Number IRQ0833959

 

Dear Mr Wilby

Further to my letter of 23 May 2019 I am now in a position to respond to
your request for information, originally received 1 April 2019. Please
accept my sincere apologies for the lateness of my response.
 
We have considered your request under the Freedom of Information Act 2000.
 
Your request
 
“Please disclose all information held by the ICO in connection with two
alleged 'cyber-attacks' on data, information systems at premises housing
the Police Federation of England and Wales. The two distinct incidents
have been widely reported in the media and are said to have taken place on
9th March and 21st March, 2019. In a press release dated 22nd March, 2019,
the Police Federation Chairman stated that the Information Commissioner
had been informed. He was not specific as to whether that related to the
first or second alleged incident, or both. Given the high public interest
in this matter, and the media attention it has attracted, I would be
grateful if a prompt response could be provided.”
 
Our response 
 
Information Withheld – Section 31 FOIA
 
I can confirm that we hold information that falls under the scope of your
request. The ICO is currently investigating the case and our enquiries are
ongoing and no conclusion has been reached.

As our investigation is ongoing, we consider the information that we hold
relating to this incident and which falls under the scope of your request
to be exempt from disclosure under section 31(1)(g) of the FOIA. This
section states:
 
“Information… is exempt information if its disclosure under this Act
would, or would be likely to, prejudice – (g) the exercise by any public
authority of its functions for any of the purposes specified in subsection
(2)”
 
The purposes referred to in sections 31(2)(a) and (c) are
 
 

 (a) the purpose of ascertaining whether any person has failed to comply
with the law

 (c) the purpose of ascertaining whether circumstances which would justify
regulatory action in pursuance of any enactment exist or may arise

 
The purposes at section 31(2)(a) and (c) apply when a regulator is
determining whether or not there has been a breach of relevant
legislation, and whether any further action is appropriate.
 
The exemption at section 31 is not absolute, and we need to consider the
public interest test by weighing up the factors for and against disclosure
of the information we hold at this time, as well as any prejudice or harm
which may be caused by disclosure.
 
Information provided to us in relation to this issue is still being
considered, and final decisions regarding formal regulatory action are
still to be made. We take the view that disclosure of the information you
have asked for would be likely to prejudice that ongoing
consideration. This in turn would be likely to hinder the thorough, fair
and proportionate conduct and conclusion of our process.
 
We have also considered the public interest test for and against
disclosure. In this instance the public interest factors in favour of
disclosure are:
 
 

* Openness and transparency in the way in which data security incidents
are reported to the ICO and how the ICO deals with those incidents at
each stage of an investigation,
* The understandable interest of the public, and particularly the
affected data subjects, in being able to see and understand the nature
and detail of this particular incident.

The public interest factors in favour of maintaining the exemption are:
 
 

* It is key to our work that we can encourage organisations to
pro-actively engage with us, report incidents of this type, and go on
to co-operate with any investigation,
* Allowing us a ‘safe space’ in which to consider the information
provided to us free from external influence, and to ensure the
confidentiality of any enquiries undertaken, information provided, and
analysis of the incident in question, and
* Disclosure of information considered to be confidential, or the
premature disclosure of information provided to us, would be likely to
have a detrimental effect on the reporting of incidents to the ICO,
and future co-operation with us. 

Having considered all of these factors I have taken the decision that the
public interest in withholding the information outweighs the public
interest in disclosing it, and the information you have asked for is
exempt from disclosure under s31(1)(g) of the FOIA.
 
Information Withheld – Section 44 FOIA
 
We have also withheld the information under section 44 of the Freedom of
Information Act 2000. This is an absolute exemption which means that it
can be withheld without further consideration if other legislation
prevents its release, if it meets certain conditions, and if none of the
circumstances that would give us lawful authority to release it apply.
 
Section 44(1)(a) of the FOIA states;
 
‘(1) Information is exempt information if its disclosure (otherwise than
under this Act) by the public authority holding it –
 
 

 (a) is prohibited by or under any enactment’

In this case, the Data Protection Act 2018, Part 5, section 132 prohibits
the disclosure of confidential information that -
 
 

 1. has been obtained by, or provided to, the Commissioner in the course
of, or for the purposes of, the discharging of the Commissioner’s
functions,
 2. relates to an identified or identifiable individual or business, and
 3. is not available to the public from other sources at the time of the
disclosure and has not previously been available to the public from
other sources, unless the disclosure is made with lawful authority. 

We do not have lawful authority to disclose to you the information
relating to the data security incident as this information was provided to
us in confidence. Section 132(3) imposes a criminal liability on the
Commissioner and her staff not to disclose information relating to an
identifiable individual or business for the purposes of carrying out our
regulatory functions, unless we have the lawful authority to do so or it
has been made public from another source.
 
This concludes our response to your request. 

Next steps
 
I hope this response is clear. If you would like me to clarify anything
about the way your request has been handled please contact me.
 
You can ask us to review the way we have handled your request. Please see
our review procedure [1]here.
 
If you remain dissatisfied with the way we have handled your request
following an internal review you can [2]report your concern to the
regulator.
 
If you wish to contact me, please quote the reference number at the top of
this email. If you reply to this email please leave the subject field
unchanged.
 
More information about the Information Commissioner’s Office and the
legislation we oversee is available on our website at [3]www.ico.org.uk.
For information about what we do with personal data see our [4]privacy
notice. Our retention policy can be found [5]here.

Yours sincerely,
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Directorate
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [6]ico.org.uk  [7]twitter.com/iconews
For information about what we do with personal data see our [8]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. https://ico.org.uk/media/1883/ico-review...
2. https://ico.org.uk/make-a-complaint/
3. http://www.ico.org.uk/
4. https://ico.org.uk/global/privacy-notice/
5. https://ico.org.uk/media/about-the-ico/p...
6. http://ico.org.uk/
7. https://twitter.com/iconews
8. https://ico.org.uk/global/privacy-notice/

Information Commissioner's Office

6 June 2019

 

Case Reference Number IRQ0847270

 

Dear Mr Wilby

Thank you for your recent request for information. We received your
request on 31 May 2019.
 
We will be considering your request under the Freedom of Information Act
2000. You can expect us to respond in full by 28 June 2019. This is 20
working days from the date we received your request. If, for any reason,
we can’t respond by this date, we will let you know and tell you when you
can expect a response.
 
If you have any questions please contact me using the IRQ case reference
number above or by replying to this email and leaving the subject field
unchanged.
 
Thank you for your interest in the work of the Information Commissioner's
Office.
 
Yours sincerely
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Directorate
Working pattern: Tuesday - Friday
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
For information about what we do with personal data see our [3]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Information Commissioner's Office

14 June 2019

 

Case Reference Number IRQ0847270

 

Dear Mr Wilby

I am writing further to my letter of 6 June 2019. I am now in a position
to respond to your request for information.
 
We have considered your request under the Freedom of Information Act
(FOIA) 2000.
 
Your request
 
“Dear Information Commissioner's Office,
 
On all the open source evidence available, the assertion by the
Commissioner that there has been 'high number of freedom of information
requests over recent months' appears to be false. In my respectful
submission, deliberately so.
 
That falsehood proposition is supported by the timely finalisation of this
request, made by the same applicant on the very same day.
 
[1]https://eur03.safelinks.protection.outlo...
 
It is argued that the instant request is much less complex than the one
referred to at the above weblink. Accordingly, the Commissioner is put to
proof over the number of freedom of information requests received in the
first five months of this year (2019) versus the corresponding number of
requests made in January to May, 2018 and 2017.”
 
Our response 
 
I confirm that we do hold information in scope of your request.
 
You have asked for the number of freedom of information requests received
by the ICO across three periods, namely January to May 2017 and the same
time span in 2018 and 2019.
 
It would be prudent to explain that the Information Access Team, who
respond to requests for information made under the FOIA, also respond to
requests made for personal data as well as requests which necessitate
consideration under both FOIA and personal data protection legislation.
The ICO refers to this latter type of request as a “hybrid” request.
 
In order to provide a full response to your request I have provided below
a breakdown of all information requests received by the ICO in its
capacity as a public authority and data controller for the periods you
have stated.
 
2017
 
 

2017        DP   EIR   FOI   Hybrid   TOTAL
January     38          90       32     160
February    34     1    68       31     134
March       25          82       47     154
April       23          46       22      91
May         21          65       47     154
                                        693

 
2018
 
 

2018        DP   EIR   FOI   Hybrid   TOTAL
January     48          69       38     155
February    43          62       30     135
March       28          61       39     128
April       39          75       28     142
May         50          87       44     181
                                        741

 
2019
 
 

2019        DP   EIR   FOI   Hybrid   TOTALS
January     95         108       32      235
February    88         101       30      219
March       62          85       40      187
April       82         102       21      205
May         66          98       23      187
                                        1033

 
As the figures above demonstrate the increase from 693 information
requests to the ICO’s Information Access for the period January to May
2017 to 1033 requests for the same period in 2019 represents an overall
increase of 49%.
 
This concludes my response to your request. I hope the information
provided is helpful.
 
Next steps
 
I hope this response is clear. If you would like me to clarify anything
about the way your request has been handled please contact me.
 
You can ask us to review the way we have handled your request. Please see
our review procedure [2]here.
 
Following our internal review, if you remain dissatisfied with the way we
have handled your request, there is a statutory complaints process and you
can report your concern to the regulator. I have included information
about how to do this separately.
 
Your information
 
Please note that our [3]Privacy notice explains what we do with the
personal data you provide to us and what your rights are.
 
This includes entries regarding the specific purpose and legal basis for
the ICO processing information that people have provided us with,
such as an [4]information requester.
 
The length of time we keep information is laid out in our retention
schedule, which can be found [5]here.
 
Yours sincerely
 
 
 
 

Alexis Karlsson-Jones
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Directorate
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
F. 01625 524510  [6]ico.org.uk  [7]twitter.com/iconews
For information about what we do with personal data see our [8]privacy
notice. Please consider the environment before printing this email

References

Visible links
1. https://eur03.safelinks.protection.outlo...
2. https://ico.org.uk/media/about-the-ico/p...
3. https://ico.org.uk/global/privacy-notice...
4. https://ico.org.uk/global/privacy-notice...
5. https://ico.org.uk/media/about-the-ico/p...
6. http://ico.org.uk/
7. https://twitter.com/iconews
8. https://ico.org.uk/global/privacy-notice/