Quickly exit this site by pressing the Escape key Leave this site
We use some essential cookies to make our website work. We’d like to set additional cookies so we can remember your preferences and understand how you use our site.
You can manage your preferences and cookie settings at any time by clicking on “Customise Cookies” below. For more information on how we use cookies, please see our Cookies notice.
Your cookie preferences have been saved. You can update your cookie settings at any time on the cookies page.
Your cookie preferences have been saved. You can update your cookie settings at any time on the cookies page.
Sorry, there was a technical problem. Please try again.
This site is a beta, which means it's a work in progress and we'll be adding more to it over the next few weeks. Your feedback helps us make things better, so please let us know what you think.
Freedom of information request reference no: 01.FOI.23.027535
I note you seek access to the following information:
Please provide the following information:
1. Confirm whether or not the MPS utilises lawful business monitoring (LBM) system(s)/platform(s)/software.
2. Provide the name of any system, platform or software that is utilised.
3. Confirm what devices or systems the LBM is utilised on? For example, landline telephones, mobile telephones, computers, tablets, and/or something else.
4. Provide a copy of any notification given to officers/staff that LBM is used.
5. Confirm when the current LBM system(s)/platform(s)/software came into use.
6. Provide a copy of any guidance on the use of the LBM system(s)/platform(s)/software by the professional standards department (or any other department).
7. Confirm the length of time that data is stored within the LBM system(s)/platform(s)/software.
8. Confirm the data stored by or accessible to the LBM system(s)/platform(s)/software.
Further question:
Further to my request, please provide a copy of any Data Protection Impact Assessment related to the use of Lawful Business Monitoring.
I have today decided to disclose some of the requested information. Some data has been withheld as it is exempt from disclosure and therefore this response serves as a Refusal Notice under Section 17 of the Freedom of Information Act 2000 (the Act) by virtue of the following exemptions:
Section 24(1) - National Security
Section 31(1)(a) – Law Enforcement
Section 43(2) - Commercial Interests
Section 40(2)(a)(b) and (3)(a)(i) - Personal Information
Reason for decision
Section 24 Exemption has been utilised with reference to Question 2. This information has been withheld to ensure that MPS’ IT systems are not compromised, thus making them vulnerable to attack.
Section 31 Exemption has been applied to Questions 6 & 9. With reference to Question 6, this information has been withheld because guidance given to the DPS in the operation of the system would disclose sensitive policing techniques which is likely to frustrate the prevention and detection of crime. With regards to Question 9, some information has been redacted because we believe that it will reveal law enforcement methodology and tactics which would be detrimental to law enforcement.
Section 40 Exemption has been applied in relation to Question 9. This is because the details in the Data Protection Impact Assessment (DPIA) include the names of individuals whose personal information would be revealed by disclosure of the requested information. These individuals would not reasonably expect the MPS to put information into the public domain which identifies them. Such disclosure could lead to unwanted and unnecessary intrusion.
Section 43 Exemption has also been applied in relation to Question 9. This is because some of the details contained within the DPIA are subject to commercial confidentiality and revealing this level of information is likely to have a prejudicial impact upon the commercial interest of the MPS.
Section 24(1) - National Security - (1) Information which does not fall within section 23(1) is exempt information if exemption from section 1(1)(b) is required for the purpose of safeguarding national security.
Section 31(1)(a) – Law Enforcement - (3)The duty to confirm or deny does not arise if, or to the extent that, compliance with section 1(1)(a) would, or would be likely to, prejudice any of the matters mentioned in subsection (1).
Section 43(2) - Commercial Interests - (2) Information is exempt information if its disclosure under this Act would, or would be likely to, prejudice the commercial interests of any person (including the public authority holding it).
Evidence of Harm - The following considerations of potential harm have been made in deliberating whether or not the information requested should be disclosed.
Information on the system, platform or software used in LBM has been withheld to ensure that the MPS’ IT systems are not compromised, thus making them vulnerable to attack. This information would be extremely beneficial to those with intent, including terrorists and terrorist organisations.
Some of the information requested also include details that would reveal sensitive policing techniques and law enforcement methodology and tactics which, if released, would be detrimental to law enforcement.
The DPIA includes confidential information pertaining to contracts which have been withheld because the MPS considers that it is likely to impact upon its ability to tender for future contracts. This would weaken its position in a competitive market which would have a negative impact upon the public purse.
The right of access to information is not without exception and is subject to a number of exemptions which are designed to enable public authorities to withhold information that is unsuitable for release. Importantly, the Act is designed to place information into the public domain, that is, once access to information is granted to one person under the Act, it is then considered public information and must be communicated to any individual should a request be received.
The MPS is charged with enforcing the law and preventing and detecting crime and it is important that any information disclosed by way of FOIA responses do not compromise its law enforcement functions. Release of any information that would leave the force open to cyberattacks would not be in the public interest.
To release information which would compromise the effective delivery of operational law enforcement or expose the MPS to cyberattacks cannot be in the public interest. Releasing information into the public domain that would reduce the MPS’ ability to negotiate or compete in a commercial environment competitive ability to tender for future contracts is also not in the public interest.
I have determined that the disclosure of the information requested would not be in the public interest. The MPS would not reveal any information that could compromise any aspect of future policing.
I consider that the benefit that would result from the requested information being disclosed does not outweigh the considerations favouring non-disclosure.
The public interest is defined not as what the public might find interesting but there must be some tangible benefit to the public in the disclosure of the information. In this case, providing the details requested would not be in the public interest due to the reasons articulated above.
Section 40(2)(a)(b) and (3)(a)(i) - Personal Information - To disclose personal information in relation to your request could publicly reveal information about an individual or individuals, thereby breaching the right to privacy afforded to persons under the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR).
Disclosure
Q1 - Confirm whether or not the MPS utilises lawful business monitoring (LBM) system(s)/platform(s)/software.
Currently, the MPS only has capability to audit systems to identify user activity. The MPS is developing more comprehensive LBM capabilities. This will address recommendations from the HMICFRS Counter Corruption Report and assist in preventing misuse of systems and rooting out corruption from the organisation.
Q2 - Provide the name of any system, platform or software that is utilised.
As stated above, both Section 24 & 31 Exemptions apply to this question.
Q3 - Confirm what devices or systems the LBM is utilised on? For example, landline telephones, mobile telephones, computers, tablets, and/or something else.
MPS Foundation laptops, desktops and tablets and inTune mobile phones.
Q4 - Provide a copy of any notification given to officers/staff that LBM is used.
Please see attached Operational Notice issued on 22 June 2022.
Q5 - Confirm when the current LBM system(s)/platform(s)/software came into use.
Proof of concept commenced in June 2022 and the MPS has now moved to pilot phase.
Q6 - Provide a copy of any guidance on the use of the LBM system(s)/platform(s)/software by the professional standards department (or any other department).
As outlined above, Section 31 Exemption applies to this question.
Q7 - Confirm the length of time that data is stored within the LBM system(s)/platform(s)/software.
Two years. This will be subject to review as the capability is developed.
Q8 - Confirm the data stored by or accessible to the LBM system(s)/platform(s)/software.
Communications including email, Teams chat and social media apps (including WhatsApp) and all other activity on MPS Foundation systems, i.e., log on/off times, what has been typed, including on Word. Specifically:
• Uid – Unique identification number for the Notification
• Phone Number – the registered phone number of the device
• Owner Name – The registered owner for the device
• Device ID – The IMEI (or serial number) of the device
• Notification Type – the Policy event type (e.g. message Received, Phone State Changed, etc.)
• Policy Set – The Policy Set in use when the Notification was generated
• Application – The app which generated the Notification (e.g. com.WhatsApp, com.samsung.android.dialer, etc.)
• Location – Latitude and Longitude geolocation data from the device at the time that the event was captured
• Content – The content of a Notification including the message and third-party name/number where available (e.g. Adam: 🎵 Audio (0:03), Phone ringing or in-call, etc.)
• Media – Where applicable, copies of media attachments (Images, documents, video and audio files) are also stored
• Notification Date/Time Local – The Date and Time (according to the device) that the Notification was generated
Notification Date/Time – The Date and Time (according to the servers) that the Notification was generated
Further question:
Further to my request, please provide a copy of any Data Protection Impact Assessment related to the use of Lawful Business Monitoring.
Please find attached redacted Data Protection Impact Assessment (DPIA). Section 31, 40 & 42 Exemptions apply to the redactions made to this document.