Dear Herefordshire Council,
I appreciate the explanations provided for certain aspects. However, there remain some gaps or ambiguities in the council's prior responses: areas where further clarification is needed to understand the council’s processes.
Remaining Questions Within the 18-Hour Limit:
Your response indicates that answers to questions outside the RIPA-related SAR analysis can be provided within the 18-hour limit. I would appreciate it if you could proceed with addressing these remaining questions to the fullest extent possible.
1. Definition of ‘Reasonable Search’
While your response references a ‘reasonable search,’ the criteria for this remain unclear. Specifically:
• What factors or processes define whether a search is considered reasonable?
• Does this include access to metadata, log files, and potentially deleted records?
2. Handling Surveillance Data
Given the sensitivity of surveillance data:
• Are there documented procedures or specific safeguards in place for SARs involving such data?
CLARIFICATION: Regarding your query about "3. Handling Surveillance Data," I clarify that my question pertains to both aspects:
a. Collation of relevant information: Please confirm whether the council has documented procedures or safeguards to ensure that all relevant surveillance data (whether overt or covert) is identified, retrieved, and considered during the SAR process.
b. Disclosure of surveillance data: Additionally, I seek to understand what documented procedures or safeguards exist to guide decisions about disclosing surveillance data, ensuring compliance with legal obligations and data protection principles, particularly given the sensitive nature of such data.
• If data collected without RIPA authorisation is identified during SAR processing, are there escalation procedures to review its lawfulness?
3. Documentation of Exemptions
While it is helpful to know that reasons for redactions or withholding information are provided in response letters: • Are there formal, standardised processes for documenting these decisions?
• Who is responsible for overseeing or approving redactions to ensure compliance with applicable laws and policies?
4. Retention and Protection of Log Data
Your response states that log data retention varies across systems. To better understand the council's practices: • Are there minimum standards or policies for log data retention across systems?
• How is the integrity of log data safeguarded against inappropriate alteration or deletion in cases of legal inquiries?
5. Trends or Sampling of RIPA-Related SARs
I understand that manually reviewing all 895 SARs processed in the last five years is not feasible within the statutory time limits. However: • Is it possible to provide insights or trends based on a sample set or aggregate analysis of SARs involving RIPA-related data?
• Does the council track the number or nature of SARs involving RIPA-related surveillance to ensure transparency and accountability?
6. Escalation of Potential Lawfulness Concerns
Lastly, while SARs are not designed to evaluate the legality of surveillance, I would appreciate clarification on whether there is an internal process to escalate concerns about potentially unlawful data collection practices.