FOI release

RIPA & Subject Access Requests (ref2)

Case reference FOI2025/00004

Received 3 January 2025

Published 12 February 2025

Request

Dear Herefordshire Council,

I appreciate the explanations provided for certain aspects. However, there remain some gaps or ambiguities in the council's prior responses: areas where further clarification is needed to understand the council’s processes.

Remaining Questions Within the 18-Hour Limit:

Your response indicates that answers to questions outside the RIPA-related SAR analysis can be provided within the 18-hour limit. I would appreciate it if you could proceed with addressing these remaining questions to the fullest extent possible.

1. Definition of ‘Reasonable Search’

While your response references a ‘reasonable search,’ the criteria for this remain unclear. Specifically:

• What factors or processes define whether a search is considered reasonable?

• Does this include access to metadata, log files, and potentially deleted records?

2. Handling Surveillance Data

Given the sensitivity of surveillance data:

• Are there documented procedures or specific safeguards in place for SARs involving such data?

CLARIFICATION: Regarding your query about "3. Handling Surveillance Data," I clarify that my question pertains to both aspects:

a. Collation of relevant information: Please confirm whether the council has documented procedures or safeguards to ensure that all relevant surveillance data (whether overt or covert) is identified, retrieved, and considered during the SAR process.

b. Disclosure of surveillance data: Additionally, I seek to understand what documented procedures or safeguards exist to guide decisions about disclosing surveillance data, ensuring compliance with legal obligations and data protection principles, particularly given the sensitive nature of such data.

• If data collected without RIPA authorisation is identified during SAR processing, are there escalation procedures to review its lawfulness?

3. Documentation of Exemptions

While it is helpful to know that reasons for redactions or withholding information are provided in response letters:

• Are there formal, standardised processes for documenting these decisions?

• Who is responsible for overseeing or approving redactions to ensure compliance with applicable laws and policies?

4. Retention and Protection of Log Data

Your response states that log data retention varies across systems. To better understand the council's practices:

• Are there minimum standards or policies for log data retention across systems?

• How is the integrity of log data safeguarded against inappropriate alteration or deletion in cases of legal inquiries?

5. Trends or Sampling of RIPA-Related SARs

I understand that manually reviewing all 895 SARs processed in the last five years is not feasible within the statutory time limits. However:

• Is it possible to provide insights or trends based on a sample set or aggregate analysis of SARs involving RIPA-related data?

• Does the council track the number or nature of SARs involving RIPA-related surveillance to ensure transparency and accountability?

6. Escalation of Potential Lawfulness Concerns

Lastly, while SARs are not designed to evaluate the legality of surveillance, I would appreciate clarification on whether there is an internal process to escalate concerns about potentially unlawful data collection practices.

Response

Dear Herefordshire Council,

I appreciate the explanations provided for certain aspects. However, there remain some gaps or ambiguities in the council's prior responses: areas where further clarification is needed to understand the council’s processes.

Remaining Questions Within the 18-Hour Limit:

Your response indicates that answers to questions outside the RIPA-related SAR analysis can be provided within the 18-hour limit. I would appreciate it if you could proceed with addressing these remaining questions to the fullest extent possible.

1. Definition of ‘Reasonable Search’

While your response references a ‘reasonable search,’ the criteria for this remain unclear. Specifically:

• What factors or processes define whether a search is considered reasonable?

Answer: The Service Area have advised we follow the Information Commissioner’s Guidance with regards to searches, and this is available via How do we find and retrieve the relevant information? | ICO (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/how-do-we-find-and-retrieve-the-relevant-information)

• Does this include access to metadata, log files, and potentially deleted records?

Answer: The Service Area have advised searches carried out would depend on what the data subject has requested. Searches are carried out by collating information from case management systems, information held by relevant departments or by ICT.

2. Handling Surveillance Data

Given the sensitivity of surveillance data:

• Are there documented procedures or specific safeguards in place for SARs involving such data?

CLARIFICATION: Regarding your query about "3. Handling Surveillance Data," I clarify that my question pertains to both aspects:

a. Collation of relevant information: Please confirm whether the council has documented procedures or safeguards to ensure that all relevant surveillance data (whether overt or covert) is identified, retrieved, and considered during the SAR process.

Answer: The Service Area have advised Herefordshire Council does not have a separate, specific procedure for the collation and consideration of surveillance data in response to a Subject Access Request. All requests are subject to a reasonable search for information held. Any information identified is then considered and processed in line with the legislation and guidance.

b. Disclosure of surveillance data: Additionally, I seek to understand what documented procedures or safeguards exist to guide decisions about disclosing surveillance data, ensuring compliance with legal obligations and data protection principles, particularly given the sensitive nature of such data.

Answer: The Service Area have advised Herefordshire Council does not have a separate, specific procedure for the collation and consideration of surveillance data in response to a subject access request. All requests are subject to a reasonable search for information held. Any information identified is then considered and processed in line with the legislation and guidance.

• If data collected without RIPA authorisation is identified during SAR processing, are there escalation procedures to review its lawfulness?

Answer: The Service Area have advised, as we have advised in response to your previous request (our reference FOI2024/02114), it is not the purpose of providing a response to a SAR to investigate whether or not any surveillance is lawful.

3. Documentation of Exemptions

While it is helpful to know that reasons for redactions or withholding information are provided in response letters:

• Are there formal, standardised processes for documenting these decisions?

Answer: The Service Area have advised yes, there is a process, as previously explained to you in response to your previous request (our reference FOI2024/02114). If a data subject is dissatisfied with the response they receive, they can request an internal review, which would be carried out by another member of the Information Governance team who was not involved in providing the original response. They would then review any exemptions / redactions applied. If the data subject remained dissatisfied following that they are at liberty to report the matter to the Information Commissioner’s Office who would investigate further.

• Who is responsible for overseeing or approving redactions to ensure compliance with applicable laws and policies?

Answer: The Service Area have advised the decision to redact or withhold information would be made by the officer who processed the subject access request. If the data subject is dissatisfied with the way in which it has been handled then they can request an internal review, as explained above.

4. Retention and Protection of Log Data

Your response states that log data retention varies across systems. To better understand the council's practices:

• Are there minimum standards or policies for log data retention across systems?

Answer: Yes.

• How is the integrity of log data safeguarded against inappropriate alteration or deletion in cases of legal inquiries?

Answer: The Service Area have advised access to logs / system information is limited, with only authorised users allowed access. Data is retained in line with the relevant retention schedules.

5. Trends or Sampling of RIPA-Related SARs

I understand that manually reviewing all 895 SARs processed in the last five years is not feasible within the statutory time limits. However:

• Is it possible to provide insights or trends based on a sample set or aggregate analysis of SARs involving RIPA-related data?

Answer: The Service Area have advised no, because that would involve the creation of data, and we are not required to create data in order to provide a response to an FOI request.

• Does the council track the number or nature of SARs involving RIPA-related surveillance to ensure transparency and accountability?

Answer: No, not specifically.

6. Escalation of Potential Lawfulness Concerns

Lastly, while SARs are not designed to evaluate the legality of surveillance, I would appreciate clarification on whether there is an internal process to escalate concerns about potentially unlawful data collection practices.

Answer: Yes.

Documents

There are no documents for this release.

This is Herefordshire Council's response to a freedom of information (FOI) or environmental information regulations (EIR) request.
