FOI release

RIPA & Subject Access Requests (ref2)

Case reference FOI2024/01838

Received 31 October 2024

Published 20 November 2024

Request

Please provide the following information:

1. Regarding Subject Access Requests (SARs)

• How do you verify that all relevant data, including metadata, log files, and potentially deleted records, are included in a Subject Access Request response?

• What is the process for handling SARs that involve data which may have been collected through surveillance whether covert or directed? Are there specific criteria for determining whether to disclose such data?

• If a SAR request reveals surveillance data collected without RIPA authorisation, what procedures are in place to investigate whether the surveillance was lawful?

• How do you document decisions to redact or withhold information in response to a SAR, and who is responsible for approving these decisions?

2. Combining RIPA and SAR Issues

• Have there been instances where data gathered under RIPA authorisation or without RIPA authorisation was disclosed to individuals through a SAR, and if so, how was the risk of compromising ongoing investigations managed?

• If a SAR relates to a time period when surveillance was being conducted, does the council notify the data subject about the existence of surveillance logs, and under what circumstances would this information be withheld?

• Regarding requests for data linking from external to internal networks and staff usage, what level of log data is recorded (e.g., date, time, user, operating system, browser, digital fingerprint etc.) and how long is this data retained in the event of challenges or legal redress by a member of the public?

• In the case of potential legal inquiries, what measures are implemented to ensure that relevant log data is not inappropriately altered, destroyed, or concealed?

Response

Please provide the following information:

1. Regarding Subject Access Requests (SARs)

• How do you verify that all relevant data, including metadata, log files, and potentially deleted records, are included in a Subject Access Request response?

Answer: When processing a subject access request, the Information Governance team undertakes a reasonable search of the council’s records to find and retrieve the requested information.

Answer: The process of handling all subject access requests is the same regardless of whether or not the data involves surveillance. A reasonable search would take place to find and retrieve the requested information and then the officer in the Information Governance team who was processing the request would consider whether or not an exemption applied.

• If a SAR request reveals surveillance data collected without RIPA authorisation, what procedures are in place to investigate whether the surveillance was lawful?

Answer: It is not the purpose of providing a response to a subject access request to investigate whether or not any surveillance is lawful. Information concerning the council’s RIPA processes can be found at RIPA policy - Council policies, strategies and procedures – Herefordshire Council

• How do you document decisions to redact or withhold information in response to a SAR, and who is responsible for approving these decisions?

Answer: The response letter sent to the data subject would set out the reasons for any redactions or withholding of information. If a number of exemptions had been applied to the information, the responding officer might write a file note documenting the reasons for this, to assist in cases of internal review / complaint to the ICO. The responding officer would make the decision whether or not an exemption might apply to some or all of the information.

2. Combining RIPA and SAR Issues

Answer: Please can you provide a timeframe for this question e.g. SAR processed in the last year, etc.? A response to the first part of this question is suspended pending further clarification of the timeframe in question.

There are exemptions within SAR to withhold information pertaining to ongoing investigations, these would be considered, along with all exemptions relevant to the information being processed for a subject access request.

Answer: There are exemptions within SAR to withhold information pertaining to ongoing investigations, these would be considered, along with all exemptions relevant to the information being processed for a subject access request.

Answer: This will vary from system to system. In general, electronic systems used by Herefordshire Council to retain and access data will have audit logs which are retained in line with the relevant retention period for the system and data concerned.

The retention period for RIPA documents is set out in the following link: Regulation of Investigatory Powers Act 2000 (RIPA) Policy and Procedures

• In the case of potential legal inquiries, what measures are implemented to ensure that relevant log data is not inappropriately altered, destroyed, or concealed?

Answer: Herefordshire Council complies with all legislative obligations and its procedures, staff training and retention periods provide a framework to ensure that data is retained and shared appropriately, and that data is not inappropriately altered, destroyed or concealed.

Documents

There are no documents for this release.

This is Herefordshire Council's response to a freedom of information (FOI) or environmental information regulations (EIR) request.

You can browse our other responses or make a new FOI request.