Freedom of information request reference no: 01.FOI.22.025077
I note you seek access to the following information:
Please provide answers to the following questions about your force's data security and waste disposal policies and practices for electronics equipment.
1. Does your department operate any of its own data centres, defined as a site for storing servers and data on or off premises? If so, how many and where are they located?
2. Which third party data centres or cloud computing providers do you use for data storage and cloud services?
3. Which third party do you use to provide data erasure or destruction services for servers - or parts of servers - you own?
4. If you use a third party, do you have a contract(s) in place with them?
5. Please could you outline the clauses in these contracts that stipulate how both hardware should be decommissioned and the associated electronic waste should be handled?
6. Which companies do your cloud computing providers use for data erasure and destruction services of servers - or parts of servers - that have contained or processed your data?
7. Do you stipulate what your cloud computing providers should do with hardware that is being decommissioned and the associated e-waste?
Data destruction:
8. Do you mandate that hard drives or other data storing devices contained in your data centres are shredded or otherwise destroyed to prevent any data leakage? If so, what proportion of your total devices are shredded or otherwise destroyed?
9. What is the total weight or number of hard drives or other data storing devices that your department shredded or otherwise destroyed in 2020 and 2021, respectively?
10. Do you mandate that hard drives or other data storing devices contained in your data centres are incinerated to prevent any data leakage? If so, what proportion of these devices are incinerated?
11. What is the total weight or number of hard drives or other data storing devices that your department incinerated in 2020 and 2021, respectively?
More general IT hardware used by your department (e.g. laptops, phones)
1. Do you have a policy for shredding or otherwise destroying IT hardware that contains data, including mobile phones and laptops? If so, please outline the policy.
2. Which third party do you use to provide data erasure or destruction services for your IT hardware when it reaches its end of life?
3. What is the total weight or number of items of electronics and hardware that your department shredded or destroyed in 2020 and 2021, respectively?
I have today decided to disclose some of the requested information. Some data has been withheld as it is exempt from disclosure and therefore this response serves as a Refusal Notice under Section 17 of the Freedom of Information Act 2000 (the Act) by virtue of the following exemptions:
S24 - National security
S31 - Law enforcement
Reason for decision
Sections 24 and 31 have been utilised in Q1, Q2 and Q3.
Policing is an information-led activity, and information assurance (which includes information security) is fundamental to how the Police Service manages the challenges faced. In order to comply with statutory requirements the College of Policing Authorised Professional Practice for Information Assurance has been put in place to ensure the delivery of core operational policing by providing appropriate and consistent protection for the information assets of member organisations.
Disclosing details around suppliers may appear to be fairly harmless, but doing so would highlight who we are working with in this field, which could leave us open to threats. If certain individuals or groups were aware of the details around our suppliers in these sensitive security related areas they could use this to their advantage, for instance, by finding out about the techniques and software used by these companies and then working out how they might exploit or circumvent them.
Although the requested details on their own may not seem to be of concern, in certain circumstances this information alone would alert certain threats to the possibility of doing the above, which would be very harmful to our policing functions, and consequently to our officers, staff and the public.
Section 24(1) - National Security - The information around our cyber security is sensitive in nature and would highlight vulnerabilities. If the information was released into the public domain, a cyber-criminal could use it to attack a particular police force. For instance, if it is known that a particular piece of software has weaknesses and a force was to disclose they use this, then those weaknesses could be exploited. A cyber-attack could negatively affect the infrastructure of policing. By affecting the infrastructure of policing the nation’s security will be more vulnerable to terrorism.
Security measures are put in place to protect the community that we serve. The public entrust the Police Service to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain.
Information of this nature would render National Security measures less effective. This would lead to the compromise of ongoing or future operations to protect the security or infrastructure of the UK and increase the risk of harm to the public and MPS staff.
The more information disclosed over time will give a more detailed account of not only a force area but also the country as a whole.
Any incident that results from such a disclosure would, by default, affect National Security.
Section 31(1) - Law Enforcement - The release of this type of information would better inform a criminal on how to cyber-attack the police. If a force was hacked and this led to our IT systems not working efficiently then a negative impact would occur on the prevention or detection of crime. This would lead to forces being unable to carry out their policing objectives.
The Police Service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. As part of that policing purpose, it will never divulge information pertinent to this request if to do so would place the safety of an individual(s) and forces at risk, compromise investigation or undermine the policing purpose in the effective delivery of operational law enforcement.
Whilst there is a public interest in the transparency around policing, providing reassurance that the Police Service is appropriately and effectively engaging with the threat from criminals, there is a very strong public interest in safeguarding the health and safety of those who would be directly affected by the release of the information.
The security of the country is of paramount importance and the MPS will not disclose information as to do so would place the safety of the MPS and the public at risk and undermine National Security.
Disclosure
Please provide answers to the following questions about your force's data security and waste disposal policies and practices for electronics equipment.
Q1 - Does your department operate any of its own data centres, defined as a site for storing servers and data on or off premises? If so, how many and where are they located?
The MPS currently has 3 Corporate and multiple Secret Data Centres in its estate.
Information relating to the number of Secret Data Centres and where all the data centres are located is exempt. Please see the Reason for Decision for further details.
Q2 - Which third party data centres or cloud computing providers do you use for data storage and cloud services?
This information is exempt. Please see the Reason for Decision for further details.
Q3 - Which third party do you use to provide data erasure or destruction services for servers - or parts of servers - you own?
This information is exempt. Please see the Reason for Decision for further details.
Q4 - If you use a third party, do you have a contract(s) in place with them?
The MPS does have a contract in place.
Q5 - Please could you outline the clauses in these contracts that stipulate how both hardware should be decommissioned and the associated electronic waste should be handled?
The MPS has multiple contracts across its Cloud and Data Centre provision. Contracts are necessarily different for the types of service provided and therefore there is not one common clause covering all contracts.
Q6 - Which companies do your cloud computing providers use for data erasure and destruction services of servers - or parts of servers - that have contained or processed your data?
This information is not held. MPS contracts directly with its Cloud Services provider for end to end lifecycle of service provision including secure destruction.
Q7 - Do you stipulate what your cloud computing providers should do with hardware that is being decommissioned and the associated e-waste?
Yes. MPS contracts stipulate the secure destruction of hardware as and when necessary.
Data destruction:
Q8 - Do you mandate that hard drives or other data storing devices contained in your data centres are shredded or otherwise destroyed to prevent any data leakage? If so, what proportion of your total devices are shredded or otherwise destroyed?
Yes, mandated.
Proportion of devices is not recorded as elements are replaced on a rolling basis as they become End of Supportable Life.
Q9 - What is the total weight or number of hard drives or other data storing devices that your department shredded or otherwise destroyed in 2020 and 2021, respectively?
This information is not recorded.
Q10 - Do you mandate that hard drives or other data storing devices contained in your data centres are incinerated to prevent any data leakage? If so, what proportion of these devices are incinerated?
Hard Drives are shredded.
Proportion is not recorded.
Q11 - What is the total weight or number of hard drives or other data storing devices that your department incinerated in 2020 and 2021, respectively?
This information is not recorded.
More general IT hardware used by your department (e.g. laptops, phones)
Q1 - Do you have a policy for shredding or otherwise destroying IT hardware that contains data, including mobile phones and laptops? If so, please outline the policy.
The process for disposal of IT equipment includes provision for wiping any residual data using an approved method, including software which wipes data to an accredited standard. The disposal process results in a certificate of destruction for each device that is disposed of.
Q2 - Which third party do you use to provide data erasure or destruction services for your IT hardware when it reaches its end of life?
The MPS has a contracted infrastructure supplier, Capgemini. Part of this contract includes provision for disposal of ICT assets as part of the core infrastructure service. The Authority may also choose to use disposal services suppliers which are available through the MPS Value Added Reseller.
Q3 - What is the total weight or number of items of electronics and hardware that your department shredded or destroyed in 2020 and 2021, respectively?
For 2020 - 1,942 items.
For 2021 - 3,421.