Freedom of information request reference no: 01.FOI.22.024259
I note you seek access to the following information:
8. We would like to know your information policies and standards that you follow in relation to the safeguarding of our client’s personal data, such as whether you adhere to ISO27001 for information security, and more particularly, your practices in relation to the following:
a. Please inform us whether you have backed up our client’s personal data to tape, disk or other media, and where it is stored and how it is secured, including what steps you have taken to protect our client’s personal data from loss or theft, and whether this includes encryption.
b. Please also advise whether you have in place technology which allows you with reasonable certainty to know whether or not our client’s personal data has been disclosed, including but not limited to the following:
i. Intrusion detection systems;
ii. Firewall technologies;
iii. Access and identity management technologies;
iv. Database audit and/or security tools; or
v. Behavioural analysis tools, log analysis tools, or audit tools;
9. In regards to employees and contractors, please advise as to the following:
a. What technologies or business procedures do you have to ensure that individuals within your organisation will be monitored to ensure that they do not deliberately or inadvertently disclose personal data outside your company, through email, web-mail, or instant messaging, or otherwise.
b. Have you had any circumstances in which employees or contractors have been dismissed, and/or been charged under criminal laws for accessing our client’s personal data inappropriately, or if you are unable to determine this, of any customers, in the past twelve months?
c. Please advise as to what training and awareness measures you have taken in order to ensure that employees and contractors are accessing and processing our client’s personal data in conformity with the General Data Protection Regulation.
I have today decided to disclose some of the requested information. Some data has been withheld as it is exempt from disclosure and therefore this response serves as a Refusal Notice under Section 17 of the Freedom of Information Act 2000 (the Act) by virtue of the following exemptions:
Section 40(5A)&(5B)(a)(i) – Personal Information
Reason for decision
A Freedom of Information Act request is not a private transaction. Both the request itself, and any information disclosed, are considered suitable for open publication. This is because, under Freedom of Information, any information disclosed is released into the wider public domain, effectively to the world and not just to one individual.
In most cases, Personal Data is exempt from disclosure under the Freedom of Information Act as I will explain below.
Where an individual is requesting his or her own personal data the information is always exempt. Such information can be requested under other legislation (please see the advice and assistance section below).
Where an individual is requesting third party personal data the MPS must ensure that any action taken adheres to the principles of the Data Protection Act 2018 and the GDPR. To clarify, the Freedom of Information Act only allows disclosure of personal data if that disclosure would be compliant with the principles for processing personal data. These principles are outlined under section 34 of the DPA 2018 and under Article 5 of the GDPR.
Disclosure
9. In regards to employees and contractors, please advise as to the following:
a. What technologies or business procedures do you have to ensure that individuals within your organisation will be monitored to ensure that they do not deliberately or inadvertently disclose personal data outside your company, through email, web-mail, or instant messaging, or otherwise.
The MPS uses a range of controls commensurate with protecting individuals' personal data. We are unable to respond in detail because disclosing detail of our security infrastructure would contribute to disclosing its scale, strength in depth and possible attack surface, which would help a would-be attacker gain access to our data.
In response to your request:
• 8a, 8b, 9b and 9c above.
ADVICE AND ASSISTANCE
If the information is your own personal information, for example, if you are seeking a crime report where you were a victim, witness or suspect, then you are able to request your information via a Right of Access Request (ROA) under the DPA. In order for us to progress your request as an ROA request, please provide us with the following information:
1. Proof of your residential address dated within the last six months; this can be a utility bill or bank statement.
2. Proof of ID to confirm your name, date of birth and signature; this can be a passport or driving licence.
3. A dated sample of your signature to match that on your ID; this can be on a blank piece of paper or section 5 of the optional application form (see below).
Further guidance and an optional application form are available on our website: www.met.police.uk, click Request > Information: about the police, about yourself or someone else > myself > my own personal Interest.
You can also request the ROA application form from any MPS Police Station. This process may take up to 30 calendar days from the date we receive the additional information.
Please note that this notice does not confirm nor deny that the MPS hold the information that you have requested.