Serious Data Security Breaches

[Name Removed] (Account suspended) made this Freedom of Information request to Essex Police

This request has been closed to new correspondence from the public body. Contact us if you think it ought to be re-opened.

The request was refused by Essex Police.

[Name Removed] (Account suspended)

Dear Essex Police,

Over the last 2 years for which records are available:

1) how many instances have you recorded of serious data security breaches by officers or civilian employees of your organisation (usage of the terms "serious" and "data security breach" are derived from guidance issued by the Information Commissioner e.g. http://preview.tinyurl.com/5u69kz2). Please provide, if held, information relating to what type of breach occurred (for instance, inappropriate or unlawful access to PCN data)?

2) what action if any was taken as a result?

3) how many instances led to your organisation notifying the Information Commissioner of the incident/s in question?

Yours faithfully,

[name removed]

1 Attachment

Thank you for your enquiry which has been logged under the above reference.
Under the Freedom of Information Act we are required to reply within 20 working days but given the current very high number of requests being received this may not be possible.

We will reply as soon as possible and please accept our apologies for the inconvenience any delay may cause.

Kerry Nicholson
Information Officer
Strategic Change Management Department
Essex Police HQ
Internal extension 150025
Direct Dial 01245 452647
Essex Police Non emergency Telephone Number (within Essex) 101 (Outside Essex) 0300 333 4444
Fax: Internal 150045 External 01245 452256
Website: www.essex.police.uk
Information Management, Strategic Change Management Department, Essex Police Headquarters, PO Box 2, Springfield, Chelmsford, CM2 6DA

________________________________________
From: [name removed] [[FOI #180470 email]]
Sent: 09 October 2013 17:55
To: FOI
Subject: Freedom of Information request - Serious Data Security Breaches

Steve Grayton,

1 Attachment

Thank you for your enquiry which has been logged under the above
reference. Having completed my enquiries I am able to respond as follows:

Section 1 of the Freedom of Information Act 2000 (FOIA) places two duties
on public authorities. Unless exemptions apply, the first duty at
Sec1(1)(a) is to confirm or deny whether the information specified in a
request is held. The second duty at Sec1(1)(b) is to disclose information
that has been confirmed as being held. Where exemptions are relied upon
s17 of FOIA requires that we provide the applicant with a notice which: a)
states that fact b) specifies the exemption(s) in question and c) states
(if that would not otherwise be apparent) why the exemption applies.

In respect of your enquiry:

 

Over the last 2 years for which records are available:

1) how many instances have you recorded of serious data security breaches
by officers or civilian employees of your organisation (usage of the terms
"serious" and "data security breach" are derived from guidance issued by
the Information Commissioner e.g. [1]http://preview.tinyurl.com/5u69kz2).
Please provide, if held, information relating to what type of breach
occurred (for instance, inappropriate or unlawful access to PCN data)?

2) what action if any was taken as a result?

3) how many instances led to your organisation notifying the Information
Commissioner of the incident/s in question?

 

Essex Police does not hold the information requested.

 

Essex Police follows ACPO Guidelines when dealing with security breaches,
and these are classified as Red, Amber or Green. We do not use the
classification of “serious” as in your request so in terms of FOI we do
not hold the information requested.

 

I am however able to confirm that we do follow the Information
Commissioner's Office (ICO) reporting requirement guidelines, but we have
had no security breaches in the last two years that required a report to
the ICO.

 

I hope this is of use.

 

Steve Grayton
Information Officer
Data Protection & Freedom of Information
Information Management
Strategic Change Management Department
Essex Police Headquarters
PO Box 2, Springfield, Chelmsford, CM2 6DA

 

Internal extension 150029
External Dial 101 then ext.150029
Data Protection / FOI Team direct dial: 01245 452647
Fax: 01245 452256 Internal 150045
Email : [2][Essex Police request email]
Personal email: [3][email address]
Website: [4]www.essex.police.uk

Working hours Mon-Thurs 7:30 – 15:30, Fri 7:30 – 15:00
Office opening hours: Mon-Fri 8:00 - 16:00

 

 

If you are dissatisfied with the handling of your FOI request, you have
the right to ask for an internal review. Internal review requests should
be submitted within two months of the date of receipt of the response to
your original request and should be addressed to the Senior Information
Officer at the above address.

 

If your complaint refers to a decision to apply an exemption it would
assist the review if you would outline the reasons why you feel the
exemption does not apply.

If you are not content with the outcome of the internal review, you have
the right to apply directly to the Information Commissioner for a
decision. The Information Commissioner can be contacted at: Information
Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9
5AF

 

 

________________________________________
From: data foi
Sent: 14 October 2013 16:54
To: [name removed]
Subject: RE: FOI Request Our Ref. 5506 - Serious Data Security Breaches

References

Visible links
1. http://preview.tinyurl.com/5u69kz2
2. mailto:[Essex Police request email]
3. mailto:[email address]
4. http://www.essex.police.uk/
5. http://www.essex.police.uk/
6. http://preview.tinyurl.com/5u69kz2
7. mailto:[FOI #180470 email]
8. mailto:[email address]
9. https://www.whatdotheyknow.com/help/cont...
10. https://www.whatdotheyknow.com/help/offi...

[Name Removed] (Account suspended)

Dear Steve Grayton,

I would like to clarify that the information I am seeking is an update to this previous request in 2011 which yielded a detailed response from yourself:

https://www.whatdotheyknow.com/request/s...

Please refer to the PDF at that link for an example of the data I expect to see for 2012 and 2013 to date. This is simply a request for updated information that you have once demonstrated that you hold.

If you are genuinely stating that no breaches of the same level of those you reported in 2011 have occurred in 2012 or 2013 then I am very surprised.

Yours sincerely,

[name removed]

Steve Grayton,

3 Attachments

[Name Removed]

 

Thank you for your email.

 

The answer I provided was a direct response to the question you asked, but
I think the responses on the whatdotheyknow website are confusing as shown
– there are three different questions and responses under the one heading
“serious security breaches”.

 

For clarity these were:

 

Our ref. 3308 where our reply said:

 

RE: FOI request our ref. 3308 - Misuse of systems [NOT PROTECTIVELY
MARKED]

 

Thank you for your enquiry which has been logged under the above
reference. Having completed my enquiries I am able to respond as follows:

 

1. How many (a) police officers and (b) police staff were disciplined in
2009 and 2010 for improper or inappropriate use of Force internet/data
systems? 

 
Please provide for each incident a brief description, which should include
(1) the month of the incident, (ii) the nature of the offence or breach of
force policy, (iii) if the person was an officer or a member or civilian
staff and (iv) how the matter was resolved, i.e. written warning, sacked
etc.  If any person was disciplined for using an inappropriate website
please provide me with the web address.

 

Discipline can take various forms, from an informal warning to the formal
disciplinary hearing, and to answer this question would require a manual
review of every officer's file over the period of your enquiry. In terms of
Freedom of Information, I am afraid that the specific information you were
seeking access to is not held by Essex Police in what is referred to as a
readily accessible format.

 

For the purposes of section 17 of the Freedom of Information Act 2000
(FOIA) this response serves as a formal notification of refusal of your
request on the basis that Essex Police does not hold, for the purposes of
FOIA, the specific data in a readily accessible format. That is to say,
this data is not extractable from a central database or held in a
spreadsheet. To ascertain whether this information is held would entail a
manual search of Essex Police records; a process which would be likely to
exceed the appropriate limit (as mentioned at section 12 of the FOIA) in
terms of cost/time (£450 or the equivalent in time of 18 hours).

 

Having said that I have spoken to Essex Police's Professional Standards
Department (PSD) who have provided as much information as they can from
their records which may be of use. This relates to cases referred to them
only. Please see attached chart ref. 3308a.pdf.

 

They have no record on their system of the sites visited.

 

I hope the information provided is of use.

 

This reply had the spreadsheet ref. 3308.pdf attached, and is the response
I think you are referring to.

 

Our reply 3568 where our reply said:

 

Our ref. 3568 Unlawful access to systems

Thank you for your enquiry which has been logged under the above
reference. Having completed my enquiries I am able to respond as follows:

Section 1 of the Freedom of Information Act 2000 (FOIA) places two duties
on public authorities. Unless exemptions apply, the first duty at
Sec1(1)(a) is to confirm or deny whether the information specified in a
request is held. The second duty at Sec1(1)(b) is to disclose information
that has been confirmed as being held. Where exemptions are relied upon
s17 of FOIA requires that we provide the applicant with a notice which: a)
states that fact b) specifies the exemption(s) in question and c) states
(if that would not otherwise be apparent) why the exemption applies.

In respect of this enquiry:

Please provide information for the last three years held by your
organisation on incidents involving inappropriate or unlawful access to
PNC data (or any other similar manual or electronic data consisting of the
personal data of third parties).

Preferably I would like to know the nature of the incident and the outcome
of any investigation or action taken as a result.

I would confirm that some information is held by Essex Police and have
spoken to Essex Police's Professional Standards Department (PSD) who
have provided as much information as they can from their records which may
be of use. This relates to cases referred to them only and relates to
Breaches of the Data Protection act and Mis-use of Essex Police systems.

Please see attached chart (ref. 3308a.pdf) which shows not only
breaches of the Data Protection Act but also the inappropriate use of
Essex Police systems and I hope you can extract the information required
from that.

I am only able to provide limited detail as to provide full details could
allow individuals to be identified and therefore the exemption given at
section 40 (2) (Third Party Personal Data) applies.

40 Personal information

(1) Any information to which a request for information relates is exempt
information if it constitutes personal data of which the applicant is
the data subject.

(2) Any information to which a request for information relates is also
exempt information if--

(a) it constitutes personal data which do not fall within subsection
(1), and

(b) either the first or the second condition below is satisfied.

(3) The first condition is--

(a) in a case where the information falls within any of paragraphs (a)
to (d) of the definition of "data" in section 1(1) of the [1998 c. 29.]
Data Protection Act 1998, that the disclosure of the information to a
member of the public otherwise than under this Act would contravene--

(i) any of the data protection principles, or

(ii) section 10 of that Act (right to prevent processing likely to cause
damage or distress), and

(b) in any other case, that the disclosure of the information to a
member of the public otherwise than under this Act would contravene any
of the data protection principles if the exemptions in section 33A(1) of
the [1998 c. 29.] Data Protection Act 1998 (which relate to manual data
held by public authorities) were disregarded.

(4) The second condition is that by virtue of any provision of Part IV
of the [1998 c. 29.] Data Protection Act 1998 the information is exempt
from section 7(1)(c) of that Act (data subject's right of access to
personal data).

(5) The duty to confirm or deny--

(a) does not arise in relation to information which is (or if it were
held by the public authority would be) exempt information by virtue of
subsection (1), and

(b) does not arise in relation to other information if or to the extent
that either--

(i) the giving to a member of the public of the confirmation or denial
that would have to be given to comply with section 1(1)(a) would (apart
from this Act) contravene any of the data protection principles or
section 10 of the [1998 c. 29.] Data Protection Act 1998 or would do so
if the exemptions in section 33A(1) of that Act were disregarded, or

(ii) by virtue of any provision of Part IV of the [1998 c. 29.] Data
Protection Act 1998 the information is exempt from section 7(1)(a) of
that Act (data subject's right to be informed whether personal data
being processed).

(6) In determining for the purposes of this section whether anything
done before 24th October 2007 would contravene any of the data
protection principles, the exemptions in Part III of Schedule 8 to the
[1998 c. 29.] Data Protection Act 1998 shall be disregarded.

(7) In this section-- "the data protection principles" means the
principles set out in Part I of Schedule 1 to the [1998 c. 29.] Data
Protection Act 1998, as read subject to Part II of that Schedule and
section 27(1) of that Act; "data subject" has the same meaning as in
section 1(1) of that Act; "personal data" has the same meaning as in
section 1(1) of that Act.

To clarify, to provide information which constitutes an individual's
personal data (information that identified them as a living individual)
would be in contravention of that individual's rights under the Data
Protection Act 1998.

Disclosure of this information will breach principles 1 and 2 of the Data
Protection Act. These principles require personal data to be: 1) processed
(defined to include 'obtained') fairly and lawfully and 2) obtained only
for specified and lawful purposes and not processed incompatibly with the
specified purposes.

'Data subjects' are provided with certain legally enforceable rights under
the Data Protection Act 1998. The fact that the information is held for
lawful policing purposes, disclosing it onwards would breach the
principles, and would be incompatible with the data subject's right that
their data is held securely. By disclosing this information, the force
could be subject to enforcement proceedings under the Act if it breaches
any of those principles. For example, the 'fairness' of any disclosure of
personal data would be whether the disclosure would cause unnecessary or
unjustified distress or damage to the person whom the information is
about.

In an effort to assist I have obtained up to date information from PSD who
have confirmed that in addition to the information on the chart they are
currently investigating another 3 cases of potential breaches of DPA, but
as these are ongoing I am unable to provide details. I would also
confirm that the fact that an investigation is ongoing does not mean that
any breach has occurred, simply that Essex Police takes all breaches
seriously and investigates as appropriate.

I hope this is of use.

 

Our ref. 3485 where our reply said:

 

FOI request our ref. 3485 - Serious data security breaches [NOT
PROTECTIVELY MARKED]

Thank you for your enquiry which has been logged under the above
reference. Having completed my enquiries I am able to respond as follows:

Over the last three years for which records are available:
    
1) how many instances have you recorded of serious data security breaches
by officers or civilian employees of your organisation (usage of the terms
"serious" and "data security breach" are derived from guidance issued by
the Information Commissioner e.g.
 [1]http://preview.tinyurl.com/5u69kz2.

Please provide, if held, information relating to what type of breach
occurred (for instance, inappropriate or unlawful access to PNC data).
    
2) what action if any was taken as a result?

3) how many instances led to your organisation notifying the Information
Commissioner of the incident/s in question?

The definition of "serious" data security breaches is not clear as you
will see from the ICO's guidance available at:

[2]http://www.ico.gov.uk/for_organisations/...

and

[3]http://www.ico.gov.uk/for_organisations/...

We therefore have some difficulty understanding exactly what information
you are looking for especially as Essex Police does not use this
classification as it views all security breaches, and potential breaches,
seriously and these are reported to the Force Information Security Officer
in line with the guidelines shown on the attached document (3485
definitions.pdf).

Essex Police do report breaches to the Information Commissioner where
we consider this is necessary but during the period of your enquiry there
were none that would be defined as "serious" and needed reporting in line
with the ICO guidelines.

Whilst outside the scope of your enquiry, as it did not involve officers
or staff, I can advise that Essex Police reported one incident to the
Information Commissioner's Office where our physical security was
compromised during 2010.  This related to a break-in at a Police Office
and the ICO were satisfied with the action taken by Essex Police at the
time.

I hope this is of use.

 

This reply had the file 3485 definitions.pdf attached and is very similar
to the response I have just sent.

 

I have attached both files for clarity, but it does seem that you are
looking for an update on a different question to the one you asked.

 

I hope this clarifies the position, and should you want an update on a
previous request please submit a new, re-worded request and we will do our
best to provide the information. If you can make clear exactly what
information you are looking for it should avoid this confusion again.

 

I hope this is of use.

 

 

Steve Grayton

Information Officer

Data Protection & Freedom of Information

Information Management

Strategic Change Management Department

Essex Police Headquarters

PO Box 2, Springfield, Chelmsford, CM2 6DA

 

Internal extension 150029

External Dial 101 then ext.150029

Data Protection / FOI Team direct dial: 01245 452647

Fax: 01245 452256 Internal 150045

Email : [Essex Police request email]

Personal email: [email address]

Website: www.essex.police.uk

Working hours Mon-Thurs 7:30 – 15:30, Fri 7:30 – 15:00

Office opening hours: Mon-Fri 8:00 - 16:00

 


[Name Removed] (Account suspended)

Dear Steve Grayton,

I'm finding it hard to understand your statement:

"To ascertain whether this information is held would entail a
manual search of Essex Police records; a process which would be likely to
exceed the appropriate limit (as mentioned at section 12 of the FOIA) in
terms of cost/time (£450 or the equivalent in time of 18 hours)."

Due to my profession I am fully aware of how a properly maintained database is managed and how one would go about extracting these requested records especially if they are tagged with the terms 'Red', 'Amber' or 'Green'.

I will accept a simple raw output of the data from a standard database search query for those terms and date range. I do not require formatting of the data into any other form; this will save you a lot of time. It certainly doesn't take 18 hours to write and run a database query and filter out the protected records.

If the cost of running this query against the database really exceeds £450 then I am happy to consider funding it.

Yours sincerely,

[name removed]

Steve Grayton,

1 Attachment

[Name Removed]

Having answered your initial enquiry, and explained the background to those requests in the link you referred to, I'm afraid I do not understand what you are now asking us to provide. The wording you question is part of a previous response and is in the legal terms required under FOI legislation.

I am happy to log, and research, a new request for you but it cannot be under the heading "serious security breaches" for the reasons previously described. Your previous request has been closed as we have provided a response.

For the sake of clarity, and so that we can log a new request can I ask you to please set out what information you are looking for, and what timescale you wish the information to cover?

We can then start afresh with a new request, where both you and we understand what we are answering. Without that I'm afraid we cannot proceed.

Thank you.

Steve Grayton
Information Officer
Data Protection & Freedom of Information
Information Management
Strategic Change Management Department
Essex Police Headquarters
PO Box 2, Springfield, Chelmsford, CM2 6DA

Internal extension 150029
External Dial 101 then ext.150029
Data Protection / FOI Team direct dial: 01245 452647
Fax: 01245 452256 Internal 150045
Email : [Essex Police request email]
Personal email: [email address]
Website: www.essex.police.uk
Working hours Mon-Thurs 7:30 – 15:30, Fri 7:30 – 15:00
Office opening hours: Mon-Fri 8:00 - 16:00
