Your census - security classification

The request was partially successful.

Dear General Register Office for Scotland,

In http://www.whatdotheyknow.com/request/yo... you did not answer question 11).

"11) 4.50 tells us of a network only suitable for storing RESTRICTED information, which is hardly reassuring. Please provide copies of the decision making processes involved in only providing such minimal/almost non-existent security for information collected using menaces from every household in Scotland."

Instead you provided some vague information.

Please provide copies of the decision making process. I would hope there is a record of that process, though given the cavalier attitude to security revealed by other enquiries it may be that there is no record. If there is no record please say so.

Please note that "replies" which involve attachments in proprietary file formats are not acceptable. A reply which is not in plain text format will be deemed to be a refusal to answer. It may be that some documents cannot be provided in text form. In that case please contact me to arrange a suitable format.

Yours faithfully,

David Hansen

National Records of Scotland

Dear Mr Hansen,

Thank you for your request dated 11 March 2011 under the Freedom of
Information (Scotland) Act 2002 (FOISA) for information on "Your Census -
Security Classification".

Please see the answer below to your question.

In [1]http://www.whatdotheyknow.com/request/yo...
you did not answer question 11).

"11) 4.50 tells us of a network only suitable for storing
RESTRICTED information, which is hardly reassuring. Please provide
copies of the decision making processes involved in only providing
such minimal/almost non-existent security for information collected
using menaces from every household in Scotland."

Instead you provided some vague information.

Please provide copies of the decision making process. I would hope
there is a record of that process, though given the cavalier
attitude to security revealed by other enquiries it may be that
there is no record. If there is no record please say so.

Answer: The network mentioned in paragraph 4.50 of the Privacy Impact
Assessment is part of the Scottish Government's SCOTS infrastructure and
is therefore controlled to the same security classifications that apply to
that infrastructure. The following link provides some additional
information on the GSi:
[2]http://www.scotland.gov.uk/Topics/Govern...

There was no separate decision making process for classifying impacts as
part of the HMG BIL impact assessment. Decisions on the level of security
classification were made during the BIL assessment process. The
Independent Information Assurance Review team were satisfied that, in
using the HMG BIL process for impact assessment, appropriate
standards had been followed.

The full report on the Independent Information Assurance Review can be
found on our website at
[3]http://www.gro-scotland.gov.uk/files2/th...

I hope you will find this information useful. If you are unhappy with
this response to your request you may ask us to carry out an internal
review by writing to:

Ms Audrey Robertson
Head of Corporate Services
National Records of Scotland
Ladywell House
Ladywell Road
Edinburgh
EH12 7TF

Your request should explain why you wish a review to be carried out, and
should be made within 40 working days of receipt of this email, and we
will reply within 20 working days of receipt. If you are not satisfied
with the result of the review, you then have the right to make a formal
complaint to the Scottish Information Commissioner.

Yours sincerely

S Hazelwood

References

Visible links
1. http://www.whatdotheyknow.com/request/yo...
2. http://www.scotland.gov.uk/Topics/Govern...
3. http://www.gro-scotland.gov.uk/files2/th...

Dear General Register Office for Scotland,

I note that you have confirmed that the personal information you demand from the public with menaces is not stored on a suitable network.

I further note that you didn't even bother to consider this aspect of data security. The report you refer to is waffle and does not address the issue at all. It was undoubtedly very convenient for you to decide that the network should only be suitable for the minimal security of RESTRICTED information, but that decision means that the data is not adequately protected.

Yours faithfully,

David Hansen