Data Centres - 347/20

Provision of information held by Northumbria Police made under the Freedom of Information Act 2000 (the 'Act')

As you may be aware the purpose of the Act is to allow a general right of access to information held at the time of a request, by a Public Authority (including the Police), subject to certain limitations and exemptions.

You asked:

1. Are the Data Centre's operated by or for the organisation fit for purpose? For example, is there a Business Continuity Plan, is there Disaster Recovery in place or is it a single site?
2. Is there any capital investment in data centres planned in the next 36 months? For example, Mechanical & Electrical or refresh of equipment within the DC such as network, storage area network?
3. Is data privacy and or information security compliance a priority for the organisation’s board?
4. On your Organisation’s risk register, are there any Information Technology related risks? -i)       If time/ cost allows, please list the top three related risks.
5. Are the cyber security vulnerabilities within the organisation’s existing Information Technology estate increasing?
6. Has the organisation had a security breach in the past 12 months?
7. Did the organisation meet its Information Technology savings target in the last Financial Year?
8. What percentage of Information Technology budget is currently allocated to "on-premises" capability vs "cloud" capability?
9. Does the organisation have the skills and resource levels necessary for moving to the cloud?
10. What percentage of the Information Technology department headcount are software developers?
11. In relation to contracts with Amazon Web Services, Microsoft for Azure and/or Google for Google Cloud, was the monthly expenditure higher than budgeted?
12. If yes, has the organisation been able to subsequently reduce the cost whilst maintaining service levels for users?

In Response:

Following receipt of your request, searches were conducted with the ICT Department and Information Management Unit of Northumbria Police. I can confirm that the information you have requested is held, in part, by Northumbria Police.

I am able to disclose the located information to you as follows.

2  Yes.

3  Yes. 

7  There was no ICT Savings target.

8  No information held - this measure is not recorded.

10  No information held - this measure is not recorded.  However, the raw data is: 9.7 FTE from 91.81FTE.

For points 1, 4, 5, 6, 9, 11 and 12 Northumbria Police can neither confirm nor deny that they hold any information relevant to these parts of your request by virtue of the following exemptions:

Section 24 - National Security

Section 31 - Law Enforcement

With both Section 24 - National Security and Section 31 - Law Enforcement being prejudice based qualified exemptions, there is the requirement for us to articulate the harm that would be caused in confirming or not whether information is held as well as carrying out a public interest test.  We have set these out below.

Harm in confirming that Information is held

Every effort should be made to release information under Freedom of Information.  However, a FOIA response is considered to be a release to the world as once the information is published the public authority have no control over what use is made of that information.

The Police Service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve.  In order to achieve these objectives all forces have Data Centres to house and support the Information Technology essential to front line services.  Disclosure of specific IT services, capabilities, or the lack thereof, in concert with any formal acknowledgement of strategic deficiency (such as a lack of Data Recovery plan) would reveal intricacies of those systems thereby highlighting vulnerabilities and compromising individual force information assurance. 

As this request has been received nationally, disclosure would enable a geographical picture to be drawn up by those individuals who are intent on ‘hacking’ police systems; some of these individuals may include terrorists or terrorist organisations.  In terms of duty of care, this would be detrimental to the public at large as disclosure could assist a malicious actor by highlighting vulnerable forces and leaving those forces open to disruption of Information Technology systems; thus compromising the effective delivery of operational law enforcement which in turn, is met by an increase of criminal offending. 

Public Interest Test

Factors favouring disclosure:

Confirming or denying any information is held that confirms whether a) Northumbria Police has contingency planning in place in respect of a Data Centre, and b), details of any on-site or Cloud based capabilities would allow the public to be better informed on the health state and performance of our forces Information Technology platform.  In addition, forces are required to demonstrate efficient services to local taxpayers and satisfy audit requirements.  This would provide transparency with regard to the use of public funds in so much as highlighting that funds are being used to correctly and appropriately ensure all Data Centres have adequate hardware and software, which results in the smooth running of force Technology systems.

Factors favouring non-disclosure:

Whilst there is public interest in providing reassurance that police forces are appropriately and effectively dealing with any threats posed by terrorist organisations against police force Technology capabilities, there is a strong public interest in safeguarding National Security and the welfare and safety of the general public at large.  Any disclosure has the potential to undermine current and future Data Centre integrity, which in turn compromises the force’s mandate to protect the security of the United Kingdom, eg. counter-terrorism activity.  The risk of significant harm or even death to the community at large would be increased.  In addition, by confirming or denying whether the force has partnered with third party company’s by revealing budget information, is intelligence to those who would wish to exploit vulnerabilities in the service.  This may lead to compromise of force IT systems which ultimately affects law enforcement capabilities and hinders the prevention and detection of crime or terrorism.

Balance Test

The security of the country is of paramount importance and the Police service will not divulge whether any information is or is not held if to do so would undermine law enforcement and therefore compromise the work of the police service.  Whilst there is a public interest in the transparency of policing and force infrastructure, including any initiatives conducted with the private sector in relation to impacting on the crime or terrorist threat, there is a very strong public interest in safeguarding the integrity of these arrangements in this very sensitive area.

The points above highlight the merits for and against disclosure of the requested information.  Disclosure would undoubtedly provide a greater openness and transparency to the community at large with regard to the Information Technology resources available to the police, and whilst there is always a public interest in the transparency of how a police force delivers effective law enforcement and ensures the National Security of the United Kingdom is robust, there is a very strong public interest in safeguarding the intricacies and tactical capabilities of the Data systems used when dealing with information.

In every case, public safety is the paramount focus and any information which would place individuals at risk and compromise the National Security of the United Kingdom, no matter how generic, is not in the public interest.  The effective delivery of operational law enforcement and the National Security of the United Kingdom is crucial and of paramount importance to every force.  This would have a negative impact on law enforcement and national security.

Therefore, for these issues the balancing test for confirming or denying whether any further information is held, is not made out.