Data Loss - 150/12
Dated: 07 Jun 2011
Date of request: 03/02/2012
Date of response: 28/02/2012
Provision of information held by Northumbria Police made under the Freedom of Information Act 2000 (the 'Act')(FOIA)
Thank you for your email dated 3rd February 2012 in which you made a request for access to certain information which may be held by Northumbria Police.
As you may be aware the purpose of the Act is to allow a general right of access to information held by a Public Authority (including the Police), subject to certain limitations and exemptions.
"Please state how many data losses have been recorded, in total, by the police force during 2011
Please provide a breakdown of each incident in an Excel spreadsheet, stating:
The year (and, exact date if this is possible) of each loss
the type of information that was lost (as much detail as possible, but category of information is fine, e.g. personal data, classified report, etc.)
how/where it was lost (if known). E.g. 'leaked to media', 'left on train', 'emailed to wrong address', etc.
Any action that was taken as a result, including informing people about the loss, disciplinary action, etc.
The term "data loss" should be taken to mean any instances where information has accidentally or wrongly been misplaced, lost, released, published, leaked, or verbally broadcast. The data should include personal details (I.e. potential Data Protection Act breaches), as well as all other information that, for whatever reason, was not intended to be publicly available at the time of the loss. E.g, commercially sensitive information intended to be announced in the future, reports that had not meant to yet be made public yet, information that was being withheld for security reasons, etc etc.
If it not possible to provide all the information requested, please nevertheless provide as much ad is possible."
We have now had the opportunity to fully consider your request and I provide a response for your attention.
Following receipt of your request, searches were conducted with the ICT Department of Northumbria Police. I can confirm that the information you have requested is held by Northumbria Police.
I have today decided to disclose the located information to you as follows.
Please see the attached spreadsheet which part answers your request.
We can neither confirm nor deny that any other information is held relevant to your request as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 does not apply by virtue of the following exemptions:
Section 23(5) Information Supplied by or concerning certain Security Bodies
Section 24(2) National Security
Section 40(5) Personal Information
Section 31(3) Law Enforcement
Section 40 subsections (1) and (2) is a class based absolute exemption, however Section 40(5) is not, as it is not listed in the schedule of absolute exemptions in Section 2(2). When citing Section 40(5), there is a requirement to articulate the public interest to the applicant to ensure that neither confirming nor denying that information exists is the appropriate response.
Section 23 is a class based absolute exemption and there is no requirement to evidence the harm or articulate public interest considerations to the applicant.
With Sections 24 and 31 being prejudice based qualified exemptions there is a requirement to articulate the harm that would be caused in confirming or not whether information is held as well as carrying out a public interest test.
Harm in Confirming or Denying that Information is held
To confirm or deny whether data losses, such as from ‘hacking’ of a computer system, has taken place, or a theft has occurred of a laptop from a police vehicle or, indeed, whether an individual has gained inappropriate access to a secure building would reveal vulnerable systems/police buildings and provide actual knowledge, or not, that these incidents have taken place.
In order to counter criminal and terrorist behaviour it is vital that the police and other agencies have the ability to work together, where necessary covertly, in order to obtain intelligence within current legislative frameworks to ensure the successful arrest and prosecution of offenders who commit or plan to commit acts of terrorism, whereby their modus operandi may involve ‘hacking’ into systems in order to ‘glean’ confidential information from secure databases.
In order to achieve this gaol, it is vitally important that information sharing takes place with other police forces and security bodies within the UK in order to support counter-terrorism measures in the fight to deprive terrorist networks of their ability to commit crime.
To confirm or deny specific details of any breaches of information technology, such as data losses, which may include security or physical breaches at secure buildings, would be extremely useful to those involved in terrorist activity as it would enable them to map vulnerable buildings and/or information security databases.
Public Interest Considerations
Section 24(2) – National Security
Factors favouring complying with Section 1(1)(a) confirming that information is held
The public are entitled to know how public funds are spent and resources are distributed within an area of policing. To confirm whether any other information is held relating to all data losses, would enable the general public to hold Northumbria Police to account ensuring all such breaches are recorded and investigated appropriately. In the current financial climate of cuts and with the call for transparency of public spending this would enable improved public debate.
Factors against complying with Section 1(1)(a) confirming or denying that any other information is held
Security measures are put in place to protect the community that we serve. As evidenced within the harm to confirm where specific data losses have occurred would highlight to terrorists and individuals intent on carrying out criminal activity vulnerabilities within the force.
Taking into account the current security climate within the United Kingdom, no information (such as the citing of an exemption which confirms any other information pertinent to this request is held, or conversely, stating ‘no information is held’) which may aid a terrorist should be disclosed. To what extent this information may aid a terrorist is unknown, but it is clear that it will have an impact on a force’s ability to monitor terrorist activity.
Irrespective of what information is or isn’t held, the public entrust the Police Service to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain.
The cumulative effect of terrorists gathering information from various sources would be even more impactive when linked to other information gathered from various sources about terrorism. The more information disclosed over time gives a more detailed account of the tactical infrastructure of not only a force area but also the country as a whole.
Any incident that results from such a disclosure would be default affect National Security.
Section 40(5) – Personal Information
The duty to neither confirm nor deny under this section of the Act arises where the disclosure of the information into the public domain would contravene any of the data protection principles or Section 10 of the Data Protection Act 1998 or would do so if the exemptions in Section 33(1) of that Act were disregarded.
Irrespective of what information Northumbria Police may or may not hold, any request which has potential to identify a third party by citing an exemption, would attract a neither confirm nor deny response that information is held by virtue of Section 40(5) as it constitutes personal data of an individual other than the applicant and disclosure would contravene the first data protection principle which states in part that personal data shall be processed fairly and lawfully.
Section 31 – Law Enforcement
Factors favouring complying with Section 1(1)(a) confirming that information is held
Confirmation that any information exists relevant to this request would lead to a better informed public which may encourage individuals to provide intelligence in order to reduce such security and physical security breaches.
Factors against complying with Section 1(1)(a) neither confirming nor denying that information is held
Confirmation or denial that any information is held in this case would suggest that Northumbria Police take their responsibility to protect against data losses, etc., occurring dismissively and inappropriately.
The points above highlight the merits of confirming or denying the requested information exists. The Police Service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. As part of that policing purpose, information is gathered which can be highly sensitive relating to individuals’ personal data and high profile investigative activity.
Weakening the mechanisms used to monitor any type of criminal activity, and specifically terrorist activity would place the security of the country in an increased level of danger.
In order to comply with statutory requirements and to meet ACPO/ACPOS expectation of the Police Service with regard to the management of information security a national policy approved by ACPO IMBA in 2009 entitled Information Systems Community Security Policy has been put in place. This policy has been constructed to ensure the delivery of core operational policing by providing appropriate and consistent protection for the information assets of member organisations. A copy of this can be found at the below link:
In addition anything that places that confidence at risk, no matter how generic, would undermine any trust or confidence the individuals have in the Police Service.
Therefore, at this moment in time, it is our opinion that for these issues the balance test favours neither confirming nor denying that any other information is held.
No inference can be drawn from this refusal that any other information is or isn’t held.
The information we have supplied to you is likely to contain intellectual property rights of Northumbria Police. Your use of the information must be strictly in accordance with the Copyright Designs and Patents Act 1988 (as amended) or such other applicable legislation. In particular, you must not re-use this information for any commercial purpose.
How to complain
If you are unhappy with our decision or do not consider that we have handled your request properly and we are unable to resolve this issue informally, you are entitled to make a formal complaint to us under our complaints procedure which can be found at: http://www.northumbria.police.uk/foi/disclosurelog/foicomprights.asp
If you are still unhappy after we have investigated your complaint and reported to you the outcome, you may complain directly to the Information Commissioner’s Office and request that they investigate to ascertain whether we have dealt with your request in accordance with the Act.
DownloadsFOI Complaint Rights Procedure_tcm4-28029