Dear Department for Education,
please provide information regarding data recipient security and their use of identifying pupil data by any third-party mentioned in the register: [ref: https://www.gov.uk/government/publicatio... regards Tier 1-4 data [page 19 https://www.gov.uk/government/uploads/sy...

a) the DfE third-party template information security questionnaire
b) the total number in each year of site visits in which any audit was carried out by, or at the request of the DfE since 2011
c) all findings from those site visits in any format
d) the information should include date carried out, location, the affiliation of the site visitor (ie DfE, or a contracted organisation)
e) copies of security and Privacy Impact Assessments carried out of any DfE cloud data management tools for pupil, student, and workforce data processed by the DfE
f) total extraction costs for third-party register requests since 2011, in each year

Thank you for your consideration.
Sincerely,

Jen Persson

ACCOUNT, Unmonitored, Department for Education

Thank you for contacting the Department for Education. We can confirm that
we have received the Freedom of Information request you submitted.

We will respond to you within 20 working days.

 

ACCOUNT, Unmonitored, Department for Education

 

 

Dear Jen Persson

 

Thank you for your recent enquiry. A reply will be sent to you as soon as
possible. For information; the departmental standard for correspondence
received is that responses should be sent within 20 working days as you
are requesting information under the Freedom of Information Act 2000. Your
correspondence has been allocated reference number 2017-0052699

 

Thank you

 

Department for Education

Ministerial and Public Communications Division

Tel: 0370 000 2288

 

Dear Department for Education,

please provide information regarding data recipient security and their use
of identifying pupil data by any third-party mentioned in the register: 
[ref:
[1]https://www.gov.uk/government/publicatio...
regards Tier 1-4 data [page 19
[2]https://www.gov.uk/government/uploads/sy...

 

a) the DfE third-party template information security questionnaire

b) the total number in each year of site visits in which any audit was
carried out by, or at the request of the DfE since 2011

c) all findings from those site visits in any format

d) the information should include date carried out, location, the
affiliation of the site visitor (ie DfE, or a contracted organisation)

e) copies of security and Privacy Impact Assessments carried out of any
DfE cloud data management tools for pupil, student, and workforce data
processed by the DfE

f) total extraction costs for third-party register requests since 2011, in
each year

 

Thank you for your consideration.

Sincerely,

 

Jen Persson

 

 

References

Visible links
1. https://www.gov.uk/government/publicatio...
2. https://www.gov.uk/government/uploads/sy...

Dear DfE FOI Team
please can you provide the information requested on November 3, 2017.

The history of this request is here: https://www.whatdotheyknow.com/request/p...

Many thanks.
Sincerely,

Jen Persson

ACCOUNT, Unmonitored, Department for Education

Thank you for contacting the Department for Education. We can confirm that
we have received the Freedom of Information request you submitted.

We will respond to you within 20 working days.

 

ACCOUNT, Unmonitored, Department for Education

 

 

Dear Sir/Madam

 

Thank you for your recent enquiry. A reply will be sent to you as soon as
possible. For information; the departmental standard for correspondence
received is that responses should be sent within 20 working days as you
are requesting information under the Freedom of Information Act 2000. Your
correspondence has been allocated reference number 2018-0012259.

 

Thank you

 

Department for Education

Ministerial and Public Communications Division

Tel: 0370 000 2288

 

ACCOUNT, Unmonitored, Department for Education

Dear Ms Persson

 

Ref: 2018-0012259

 

Thank you for your request, which was originally received 3 November 2017.
The request was then re-submitted on the 8 March 2018 following our
response explaining how the estimated cost of complying with your
combined requests at that time would exceed the cost threshold.

 

You asked the following:

please provide information regarding data recipient security and their use
of identifying pupil data by any third-party mentioned in the register: 
[ref:
[1]https://www.gov.uk/government/publicatio...
regards Tier 1-4 data [page 19
[2]https://www.gov.uk/government/uploads/sy...

 

a) the DfE third-party template information security questionnaire

b) the total number in each year of site visits in which any audit was
carried out by, or at the request of the DfE since 2011

c) all findings from those site visits in any format

d) the information should include date carried out, location, the
affiliation of the site visitor (ie DfE, or a contracted organisation)

e) copies of security and Privacy Impact Assessments carried out of any
DfE cloud data management tools for pupil, student, and workforce data
processed by the DfE

f) total extraction costs for third-party register requests since 2011, in
each year

The Department holds most of the information you have requested. However,
as previously stated in our response of 30 November 2017, this particular
request needs to be considerably reduced in scope. The Department
estimates that the cost of complying with your request would exceed the
cost threshold applicable to central Government. Section 14 of the FoI Act
states that the cost threshold is £600 and represents the estimated cost
of one person spending 3½ working days locating, retrieving and extracting
the information requested.

If you were to make a new request for a narrower category of information
or significantly limit the scope of your request, the Department may be
able to comply with your request within the cost limit, although I cannot
guarantee that this will be the case.

 

Providing copies of the DfE third- party template information security
questionnaire for all applications included within the published list
carries a significant cost due to the numbers involved. Requesting a
significantly reduced number of specific questionnaires would help reduce
the effort required.

 

I must also state that some of the information requested may also be
exempt from release. In particular, we would seek advice as to whether
copies of the security questionnaires provided in confidence by third
parties to the Department could be released. This is because the
information they contain may be regarded – by the third parties - as
(business or commercially) sensitive.

If you are unhappy with the way your request has been handled, you should
make a complaint to the Department by writing to me within two calendar
months of the date of this letter. Your complaint will be considered by an
independent review panel, who were not involved in the original
consideration of your request.

If you are not content with the outcome of your complaint to the
Department, you may then contact the Information Commissioner’s Office.

Yours sincerely,

Samantha Morrison

Department for Education

References

Visible links
1. https://www.gov.uk/government/publicatio...
2. https://www.gov.uk/government/uploads/sy...

Dear ACCOUNT, Unmonitored,

thank you for the reply today, April 5, 2018. I clarify and hope this shows why the amount of data requested is smaller than you may have interpreted. In order to meet your request and reduce workload I suggest one question to remove.

Question a) is one item only, the security questionnaire template, not completed for each data user.

Therefore the request is for:

a) the DfE third-party template information security questionnaire --ONE TEMPLATE ITEM
b) the total number in each year of site visits in which any audit was carried out by, or at the request of the DfE since 2011 - ONE TOTAL NUMBER
f) total extraction costs for third-party register requests since 2011, in each year -- ONE TOTAL SUM x 6 (one £ total amount cost to the DfE, per each of six years)

As we understand there have been very few data audits of data recipients in the third party register, we believe c)and d) are a low amount of effort or workload to return:

c) all findings from those site visits in any format --FINDINGS FOR EACH SITE VISIT (A DATA USER AUDIT) 2012-17
d) the information should include date carried out, location, the affiliation of the site visitor (ie DfE, or a contracted organisation) - --ABOUT EACH SITE VISIT TO CARRY OUT THE DATA USER AUDIT 2012-17

REMOVE
e) copies of security and Privacy Impact Assessments carried out of any DfE cloud data management tools for pupil, student, and workforce data processed by the DfE --

Thank you.
Sincerely,
Jen Persson

ACCOUNT, Unmonitored, Department for Education

Thank you for contacting the Department for Education. We can confirm that
we have received the Freedom of Information request you submitted.

We will respond to you within 20 working days.

 

ACCOUNT, Unmonitored, Department for Education

Dear Ms Jen Persson,

           

Thank you for your recent enquiry. A reply will be sent to you as soon as
possible. For information; the departmental standard for correspondence
received is that responses should be sent within 20 working days as you
are requesting information under the Freedom of Information Act 2000. Your
correspondence has been allocated reference number 2018-0016544.

 

Thank you                                                                 

 

Department for Education

Ministerial and Public Communications Division

Tel: 0370 000 2288

 

ACCOUNT, Unmonitored, Department for Education

Dear Ms Persson

 

Ref: 2018 – 0016544

 

Thank you for your request, which was originally received 3 November 2017.
The request was then re-submitted on the 8 March 2018 to which we
responded explaining how the estimated cost of complying with the request
would exceed the cost threshold. You then responded on the 6 April 2018
with a reduced request and further clarification.

 

The Department holds most of the information you have requested however,
we are in the process of finalising our response and securing approvals.
We will be sending a final response no later than the 17 May 2018.

 

We apologise for the inconvenience this may cause.

 

If you are unhappy with the way your request has been handled, you should
make a complaint to the Department by writing to me within two calendar
months of the date of this letter.  Your complaint will be considered by
an independent review panel, who were not involved in the original
consideration of you request.

 

If you are not content with the outcome of your complaint to the
Department, you may then contact the Information Commissioner’s Office.

 

If you have any queries, please contact me.  Please remember to quote the
reference number in any future communications.

 

Samantha Morrison

 

National Pupil Database and Data Sharing team

ACCOUNT, Unmonitored, Department for Education

Dear Jen Persson,

 

RE: 2018 - 0016544

 

I refer to our correspondence of 3 May 2018 in reference to the above
request which is being dealt with under the Freedom of Information Act
2000 (“the Act”).

 

A final conclusion has been reached and your request is currently
progressing through final sign off.  We will be sending a final response
no later than the 6 June 2018, we apologise we are unable to send the
final response by 17 May as previously stated.

 

If you are unhappy with the way your request has been handled, you should
make a complaint to the Department by writing to me within two calendar
months of the date of this letter.  Your complaint will be considered by
an independent review panel, who were not involved in the original
consideration of you request.

 

If you are not content with the outcome of your complaint to the
Department, you may then contact the Information Commissioner’s Office.

 

If you have any queries, please contact me.  Please remember to quote the
reference number in any future communications.

 

Samantha Morrison

 

National Pupil Database

Dear ACCOUNT, Unmonitored,

thank you for the update. I look forward to a final response no later than the 6 June 2018 as stated.

Sincerely,

Jen Persson

ACCOUNT, Unmonitored, Department for Education

Thank you for contacting the Department for Education. We can confirm that
we have received the Freedom of Information request you submitted.

We will respond to you within 20 working days.

 

ACCOUNT, Unmonitored, Department for Education

Dear Ms Persson,

Ref: 2018-0016544

Thank you for your request, which was originally received 8 March 2018.
The request was then re-submitted on the 5 April 2018 following our
response explaining how the estimated cost of compiling with the request
exceeded the cost threshold.

You asked the following:

Thank you for the reply today, April 5, 2018. I clarify and hope this
shows why the amount of data requested is smaller than you may have
interpreted. In order to meet your request and reduce workload I suggest
one question to remove.

 

Question a) is one item only, the security questionnaire template, not
completed for each data user.

 

Therefore the request is for:

 

a) the DfE third-party template information security questionnaire --ONE
TEMPLATE ITEM

b) the total number in each year of site visits in which any audit was
carried out by, or at the request of the DfE since 2011  - ONE TOTAL
NUMBER

f) total extraction costs for third-party register requests since 2011, in
each year -- ONE TOTAL SUM x 6  (one £ total amount cost to the DfE, per
each of six years)

 

As we understand there have been very few data audits of data recipients
in the third party register, we believe c)and d) are a low amount of
effort or workload to return:

 

c) all findings from those site visits in any format --FINDINGS FOR EACH
SITE VISIT (A DATA USER AUDIT) 2012-17

d) the information should include date carried out, location, the
affiliation of the site visitor (ie DfE, or a contracted organisation) -
--ABOUT EACH SITE VISIT TO CARRY OUT THE DATA USER AUDIT 2012-17

 

REMOVE

e) copies of security and Privacy Impact Assessments carried out of any
DfE cloud data management tools for pupil, student, and workforce data
processed by the DfE  --

 

I have dealt with your request under the Freedom of Information Act 2000
(“the Act”) and have addressed the individual points as follows:

a)    The DfE third-party template information security questionnaire is
available on gov.uk at the following link:
[1]https://www.gov.uk/government/publicatio...

 

b)    The DfE started Security Compliance site visits in relation to NPD
data requests in December 2015. According to centrally held records at the
time of drafting, since then, the NPD has carried out 13 visits. 

 

f)  We are unable to provide the total extraction costs for NPD
third-party register requests since 2011 as the information is not
available due to the extraction service not holding a unique cost centre
code.

c) & d) The Department holds the information you have requested however,
the information is being withheld under Section 31(1)(a) the prevention or
detection of crime.

 

 

 Section 31 is a qualified exemption and therefore a public interest test
has been carried out. In doing so the following factors have been taken
into consideration:.

·     It could be considered open and transparent to disclose this
information and it would demonstrate the importance that we place on the
information contained within the NPD and the scrutiny that we carry out.

·     However, this is outweighed by the risks of criminal activity being
undertaken if this information was disclosed. 

·      The completed reports include details of the IT security practices
of the third party organisations. This information, if made public, could
lead to cyber and/or physical (of the premises) attack and compromise the
security of not only the data shared but also the rest of the business of
the company.

·     The release of this information would provide valuable information
to those wishing to circumvent security systems, meaning that we would
fail in our duty to help prevent criminal activity which in turn would
fail in our duty to assist those services providing us with law
enforcement.

 

The Department has concluded that in this instance the factors comprising
the public interest consideration in withholding the information are
greater than the general public interest considerations for disclosure.

If you have any queries about this letter, please contact me. Please
remember to quote the reference number above in any future communications.

If you are unhappy with the way your request has been handled, you should
make a complaint to the Department by writing to me within two calendar
months of the date of this letter. Your complaint will be considered by an
independent review panel, who were not involved in the original
consideration of your request. 

If you are not content with the outcome of your complaint to the
Department, you may then contact the Information Commissioner’s Office.

 

Regards

Samantha Morrison

National Pupil Database and Data Sharing team.

References

Visible links
1. https://www.gov.uk/government/publicatio...

Looking for an EU Authority?

You can request documents directly from EU Institutions at our sister site AskTheEU.org . Find out more .

AskTheEU.org