Provision of information held by Northumbria Police made under the Freedom of Information Act 2000 (the 'Act')
As you may be aware the purpose of the Act is to allow a general right of access to information held at the time of a request, by a Public Authority (including the Police), subject to certain limitations and exemptions.
You asked:
1. How many people are employed by your organisation, including full time and part time?
2. What is your current intranet solution? (Sharepoint, Wordpress, Invotra, etc)
3. How long have you been using this intranet solution?
4. When is your intranet contract up for renewal?
5. What is your annual intranet budget?
6. Do you share an intranet/IT services with other organisations, if so who?
7. Which team and/or individual(s) are responsible for managing your intranet internally?
8. Are you using the Office 365 suite? If so, which applications from the suite are in use?
9. Which team and/or individual(s) are responsible for your intranet’s procurement within the organisation?
10. Is your Active Directory hosted on-premise, or in the cloud?
11. Could you provide us with a link to your Digital Workplace Strategy?
In Response:
Following receipt of your request, searches were conducted within Northumbria Police. I can confirm that the information you have requested is held by Northumbria Police.
I am able to disclose the located information to you as follows.
With regards to point 1: As the information you have requested is accessible by other means I have not provided you with a copy of the information and will rely on Section 21 of the Freedom of Information Act 2000. You should therefore consider this a refusal for your request.
I have provided an explanation to this exemption below.
Section 21 (1) - Information accessible by other means
Information which is reasonably accessible to the applicant is exempt information.
This information is freely available via the Northumbria Police website ‘about us’ page, under ‘structure of Northumbria Police’.
Section 21 is therefore applicable.
2. Liferay
3. Since 2011
4. N/A
5. N/A
6. No
7. Communications and Engagement and ICT
9. ICT
11. No information held. We do not hold a Digital Workplace Strategy
With regards to point 8 we shall not be offering a response to this point and by withholding we rely on the following exemptions.
Northumbria Police can neither confirm nor deny that information is held relevant to your request at this point as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 does not apply by virtue of the following exemptions:
Section 24(2) National Security
Section 31(3) Law Enforcement
Sections 24 and 31 being prejudice based qualified exemptions, both evidence of harm and public interest considerations need to be articulated to the applicant.
Harm in Confirming or Denying that Information is held
Policing is an information-led activity, and information assurance (which includes information security) is fundamental to how the Police Service manages the challenges faced. In order to comply with statutory requirements, the College of Policing Authorised Professional Practice for Information Assurance has been put in place to ensure the delivery of core operational policing by providing appropriate and consistent protection for the information assets of member organisations, see below link:
https://www.app.college.police.uk/app-content/information-management/
To confirm or deny whether Northumbria Police uses a certain operating system would identify vulnerable computer systems and provide actual knowledge, or not, that this software is used within individual force areas. In addition, this would have a huge impact on the effective delivery of operational law enforcement as it would leave forces open to cyberattack which could render computer devices obsolete.
This type of information would be extremely beneficial to offenders, including terrorists and terrorist organisations. It is vitally important that information sharing takes place with other police forces and security bodies within the UK to support counter-terrorism measures in the fight to deprive terrorist networks of their ability to commit crime.
To confirm or deny whether or not Northumbria Police relies on a certain operating system would be extremely useful to those involved in terrorist activity as it would enable them to map vulnerable information security databases.
Public Interest Considerations
Section 24(2) National Security
Factors favour complying with Section 1(1)(a) confirming that information is held
The public are entitled to know how public funds are spent and how resources are distributed within an area of policing. To confirm whether Northumbria Police utilises Office 365 would highlight those forces who may use out of date software. In the current financial climate of cuts and with the call for transparency of public spending this would enable improved public debate into this subject.
Factors against complying with Section 1(1)(a) confirming or denying that information is held
Security measures are put in place to protect the community we serve. As evidenced within the harm to confirm information is held would highlight to terrorists and individuals intent on carrying out criminal activity vulnerabilities within the Northumbria Police force area.
Taking into account the current security climate within the United Kingdom, no information (such as the citing of an exemption which confirms information pertinent to this request is held, or conversely, stating ‘no information is held’) which may aid a terrorist should be disclosed. To what extent this information may aid a terrorist is unknown, but it is clear that it will have an impact on a force’s ability to monitor terrorist activity.
Irrespective of what information is or isn’t held, the public entrust the Police Service to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain.
The cumulative effect of terrorists gathering information from various sources would be even more impactive when linked to other information gathered from various sources about terrorism. The more information disclosed over time will give a more detailed account of the tactical infrastructure of not only a force area, but also the country as a whole.
Any incident that results from such a disclosure would, by default, affect National Security.
Section 31(3) Law Enforcement
Factors favouring complying with Section 1(1)(a) confirming that information is held
Confirming that information exists relevant to this request would lead to a better informed public which may encourage individuals to provide intelligence in order to reduce the risk of police networks being hacked.
Factors against complying with Section 1(1)(a) neither confirming nor denying that information is held
Confirmation or denial that information is held in this case would suggest that Northumbria Police take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively and inappropriately.
Balancing Test
The points above highlight the merits of confirming or denying the requested information exists. The Police Service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. As part of that policing purpose, information is gathered which can be highly sensitive relating to high profile investigative activity.
Weakening the mechanisms used to monitor any type of criminal activity, and specifically terrorist activity would place the security of the country at an increased level of danger.
In order to comply with statutory requirements and to meet NPCC expectation of the Police Service with regard to the management of information security a national policy approved by the College of Policing titled National Policing Community Security Policy has been put in place. This policy has been constructed to ensure the delivery of core operational policing by providing appropriate and consistent protection for the information assets of member organisations. A copy of this can be found at the below link:
http://library.college.police.uk/docs/APP-Community-Security-Policy-2014.pdf
In addition, anything that places that confidence at risk, no matter how generic, would undermine any trust or confidence individuals have in the Police Service. Therefore, at this moment in time, it is our opinion that for these issues the balance test favours neither confirming nor denying that information is held.
With regards to point 10 we shall not be responding to this point as we have considered the below exemption appropriate to withhold.
Section 31(1)(a) Law Enforcement.
Harm
To disclose information requested at this point has the potential to introduce risk and therefore compromise systems used. This would have a huge impact on the effective delivery of operational law enforcement as it would leave forces open to cyberattack.
This type of information would be extremely beneficial to offenders, including terrorists and terrorist organisations. It is vitally important that information sharing takes place with other police forces and security bodies within the UK to support counter-terrorism measures in the fight to deprive terrorist networks of their ability to commit crime.
Whilst we attempt to put as much information into the public domain as possible we must only do so when that information offers no risk. To put into the public domain information that could make our information security vulnerable is to be avoided.
Factors favouring disclosure.
The public are entitled to know how public funds are spent and how resources are distributed within an area of policing. In the current financial climate of cuts and with the call for transparency of public spending this would enable improved public debate into this subject.
Factors against disclosure
Disclosure of such information would suggest that Northumbria Police take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively and inappropriately. In order to avoid attacks on systems we are required to protect those systems. The smallest amount of information may be hugely beneficial to those intent on causing disruption to our systems. Any risk that would leave systems vulnerable to attack is to be avoided.
Balancing Test
The points above highlight the merits of confirming or denying the requested information exists. As per our previous harm test above, the Police Service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. As part of that policing purpose, information is gathered which can be highly sensitive relating to high profile investigative activity.
Weakening the mechanisms used to monitor any type of criminal activity, and specifically terrorist activity would place the security of the country at an increased level of danger.
In addition, anything that places that confidence at risk, no matter how generic, would undermine any trust or confidence individuals have in the Police Service. Therefore, at this moment in time, it is our opinion that for these issues the balance test does not favour disclosure of the information requested.
You should consider this to be a refusal notice under Section 17 of the Act for these parts of your request.
