RIPA & Subject Access Requests (ref2)
Case reference FOI2024/02114
Received 18 December 2024
Published 24 December 2024
Request
FOI2024/01838 Response:
I would like to seek further clarification on a number of points where the response appears ambiguous or lacks sufficient transparency.
1. Scope of "Reasonable Search"
Your response mentions that the council undertakes a "reasonable search" when processing Subject Access Requests (SARs). Could you please clarify:
• What constitutes a "reasonable search" in practical terms?
• Does this search include retrieving metadata, log files, and potentially deleted records? If so, how is this achieved?
2. Handling SARs Involving Surveillance Data
Your response indicates that all SARs are handled the same, regardless of whether surveillance data is involved. Given the sensitive nature of surveillance data, could you clarify, for the period January 2019 - November 2024:
• Are there additional checks or safeguards in place for handling SARs that include surveillance data, particularly covert or directed surveillance?
• If surveillance data gathered without RIPA authorisation is identified during a SAR, what steps (if any) are taken to review or address the potential lawfulness of such surveillance?
3. Notification of Surveillance Logs
In relation to SARs during a period where surveillance was conducted, your response references exemptions for ongoing investigations. However, it does not clarify:
• Whether the council explicitly notifies individuals of the existence of surveillance logs.
• Under what criteria surveillance logs or related data might be withheld or redacted.
4. Documentation and Approval of Exemptions
You state that the reasons for redactions or withholding of information are documented in a response letter, with a file note written where multiple exemptions are applied. Could you confirm:
• Is there a formal, standardised process for documenting exemptions to ensure consistency?
• Who has oversight or approval responsibility for decisions to redact or withhold information?
5. Retention and Protection of Log Data
Regarding the level of log data recorded and its retention, your response states that this "varies from system to system." Could you provide further clarity:
• What specific types of log data (e.g., date, time, user, browser, digital fingerprint, etc.) are typically retained?
• Are there minimum standards for log data retention across council systems to ensure consistency?
• What mechanisms are in place to ensure that log data cannot be altered, destroyed, or concealed, particularly in the event of legal inquiries or disputes?
6. Ongoing Investigations and RIPA Data Disclosure
You requested a timeframe to address the question about disclosing data gathered under RIPA authorisation. To assist, please consider the following timeframe:
• SARs processed in the last five years.
• Additionally, could you clarify how the council balances the need to withhold information due to ongoing investigations with the right of the data subject to access their data?
• Are there specific safeguards or risk management measures in place to prevent the inadvertent compromise of investigations?
7. Data Lawfulness and Escalation Procedures
Lastly, while I understand that SARs are not designed to investigate the lawfulness of surveillance, could you confirm:
• Whether there is an internal process to escalate concerns if unlawfully obtained data (e.g., surveillance without RIPA authorisation) is identified during a SAR review.
I would appreciate your further clarification on these points to ensure understanding of the council’s processes.
Response
Answer: The information for section 6 is not held in a form that would enable it to be located, retrieved and extracted within the Appropriate Time Limit which equates to 18 hours as defined by the Freedom of Information and Data Protection (Appropriate Limits and Fees) Regulations 2004.
The original question (where we’d asked for a timeframe) asked – “Have there been instances where data gathered under RIPA authorisation or without RIPA authorisation was disclosed to individuals through a SAR, and if so, how was the risk of compromising ongoing investigations managed?”
The Service Area have advised that in the last 5 years, Herefordshire Council has processed 895 subject access requests (SARs). Classifying which SARs involved data gathered under RIPA and which involved data not gathered under RIPA would involve officers manually checking each of these requests to see what they were in relation to. If a SAR was found to involve data gathered under RIPA, then manual checks of the request would need to take place to see whether it involved an ongoing investigation, and if so, how the risk of compromising any ongoing investigation was managed.
It is estimated that it would take at least 10 minutes to check each of the SARs received in the last 5 years for this information. This would take, at a conservative estimate, 149 hours. Where the Limit is exceeded, Public Authorities are not obliged to supply the information requested by virtue of S12 of the Act. Please take this letter as a refusal notice under S17 of the Act.
However, within the 18 hour limit, we can provide answers for the rest of the questions in this request. Please advise us if this is something you require.
This is Herefordshire Council's response to a freedom of information (FOI) or environmental information regulations (EIR) request.