Policies

The request was partially successful.

Dear University of Bristol,

1) please can you send me a copy of the current subject access request acknowledgment AND response letter that you use
2) a copy of the last 5 dpias completed
3) a copy of any internal mandatory information governance training that you give to staff which was written in the last 2 years including presentation slides and videos and any other media
4) a copy of any instructions given to staff members to reduce data security breaches, for example double checking work which was written in the last 5 years
5) a list of any policies implemented in the last 2 years within the organisation to help reduce the environmental impact that the organisation has?

Yours faithfully,

Paul knight

University of Bristol FOI mailbox, University of Bristol

Thank you for your e-mail.  The University will endeavour to respond to
your request under the Freedom of Information Act within 20 working days.

However, we are currently receiving a high volume of requests, and we
would be grateful if you could bear with us if, on occasion, we are unable
to respond within the statutory time-frame. We apologise for any
inconvenience that this may cause.

We may need to ask you certain questions to clarify your request to ensure
we fully understand what information is being requested. If so, the 20
working day deadline will be calculated once we have received such
clarification. 

 

The University's A-Z index can help in locating information that is
publicly available on the University's
website: [1]http://www.bristol.ac.uk/index/

 

Our Publication Scheme is available
at: [2]http://www.bristol.ac.uk/media-library/s...

 

The Higher Education Statistics Agency (HESA) annually publish certain
data about students and higher education: [3]https://www.hesa.ac.uk/.
Bespoke datasets can be requested from
Jisc: [4]https://www.jisc.ac.uk/tailored-datasets.

 

For further information about the University's FOI procedure, please
see: [5]http://www.bristol.ac.uk/secretary/foi/

References

Visible links
1. http://www.bristol.ac.uk/index/
2. http://www.bristol.ac.uk/media-library/s...
3. https://www.hesa.ac.uk/
4. https://www.jisc.ac.uk/tailored-datasets
5. http://www.bristol.ac.uk/secretary/foi/

University of Bristol FOI mailbox, University of Bristol

2 Attachments

Dear Mr Knight,

 

Freedom of Information Request (our reference FOI19-602)

 

We refer to your Freedom of Information request dated 18^th December. We
apologise for the delay in responding to your request. You requested the
following information:

 

“1) please can you send me a copy of the current subject access request
acknowledgment AND response letter that you use
2) a copy of the last 5 dpias completed
3) a copy of any internal mandatory information governance training that
you give to staff which was written in the last 2 years including
presentation slides and videos and any other media
4) a copy of any instructions given to staff members to reduce data
security breaches, for example double checking work which was written in
the last 5 years
5) a list of any policies implemented in the last 2 years within the
organisation to help reduce the environmental impact that the organisation
has?”

 

University’s Response

 

Further to Section 1 of the Freedom of Information Act 2000 (the “Act”) we
confirm that the information requested is held by the University of
Bristol (the “University”).

 

1.    The University does not have a template acknowledgement and response
letter. The response is tailored to what is being asked, the information
that is being provided, and any exemptions that have been applied. There
is some wording that will always appear on both letters. Please find
details of these in the documents attached.

 

2.    This information is exempt from disclosure. Further information can
be found below.

 

3.    Please see the attached deck of slides which have been used as the
basis for mandatory training for some staff groups.

 

4.    No specific instructions have been given to staff members with the
sole aim of reducing data security breaches. The prevention of personal
data breaches from occurring in the first instance is covered by the
University’s [1]Information Security Policy and [2]Data Protection Policy.

 

5.    This information is available on the University website. I have
provided a link for ease of reference:
[3]http://www.bristol.ac.uk/green/policy-co...

 

Exempt Information

 

We are unable to provide you with a copy of the last 5 DPIA’s. This
information is considered exempt from disclosure under section 31 which
relates to law enforcement and also section 43 which relates to commercial
interests.

 

These are qualified exemptions and we are therefore required to carry out
a Public Interest Test.

 

Information is exempt from disclosure under section 31(1)(a) of the Act
where its disclosure would, or would be likely to, prejudice the
prevention or detection of crime.

 

Information is exempt under section 43(2) of the Act where disclosure
would, or would be likely to, prejudice the commercial interests of the
University and our suppliers.

 

The University acknowledges that there is public interest in transparency
to the way it performs. However, the disclosure of the requested documents
would put detailed, sensitive information into the public domain. This
includes information about our security measures and would allow skilled
individuals to conduct potentially illegal activity on the University's
network.

 

In addition, the information contained within the documents contain
information about the University’s relationship with key providers.
Disclosure of this information would provide valuable insight to our
competitors who use the same service and would therefore affect the
University’s ability to operate in the highly competitive higher education
market.

 

In this instance arguments supporting the stance to not disclose outweigh
those favouring disclosure.

 

Internal Review Procedure

 

If you are dissatisfied with the handling of your request, then you have a
right under Section 50 of the Act to request an internal review.  All such
requests must be sent to us within 40 days, and must clearly state our
reference number (at the top of this email) and your reason for requesting
an internal review.  We will aim to respond to your request for an
internal review within 20 working days of receipt.

 

Your request for an internal review should be sent to
[University of Bristol request email], quoting your FOI reference number.
Alternatively, you could post it to:

 

Director of Legal Services

Secretary’s Office

University of Bristol

Beacon House

Queens Road

Bristol

BS8 1QU

 

Information Commissioners Office

 

Should you remain dissatisfied with the final outcome of the internal
review then you may apply directly to the Information Commissioner (the
“ICO”) for an independent review.  The ICO is the Government’s Independent
Body responsible for overseeing the Freedom of Information Act 2000, the
Data Protection Act 2018 and The Environmental Information Regulations
2004.

 

Please note the ICO will only review cases that have exhausted the
University’s internal review procedure. All correspondence to the ICO must
quote the University’s reference number and your reasons for your appeal. 
The ICO’s contact details are as follows:

 

The Information Commissioners Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

 

More information can be found at the ICO’s website
at [4]http://www.ico.org.uk

 

Kind Regards

 

Freedom of Information Team

University of Bristol

References

Visible links
1. http://www.bristol.ac.uk/infosec/policies/
2. http://www.bristol.ac.uk/media-library/s...
3. http://www.bristol.ac.uk/green/policy-co...
4. http://www.ico.org.uk/