


Well just to let you know I have made an FOI request to the Cabinet Office
for this "HMG Information Assurance Standard No 6 Protecting Personal Data
and Managing Information Security Risk". My request was refused on the
grounds that the document originates from the national security agencies. I
am subsequently going through the appeals process.



So I would not hand it round willy-nilly if the spooks take this attitude
to their precious words. I think the situation is wholly daft as this standard
has a wide distribution outside the national security agencies.



C



My grounds for appeal being considered by the Cabinet Office (since 7th May
- 60 days coming up; ICO recommends 20 for an appeal) below:



I would like you to review the decision to withhold the FOI request for HMG
IA Standard No. 6 (See attached). The grounds for the appeal are as follows:



(1) CESG should be considered as an arm's length body and not part of GCHQ
in the context of my request. CESG should be seen as having a separate
existence as "The National Technical Authority for Information Assurance".
It has a separate web-site (http://www.cesg.gov.uk/index.shtml) and the GCHQ
web-site clearly states that this IA role is not one linked to Signals
Intelligence.



(2B) CESG has a minimal national security role. Its web-site states that
CESG "aims to protect and promote the vital interests of the UK by providing
advice and assistance on the security of communications and electronic data.
We deliver information assurance policy, services and advice that government
and other customers need to protect vital information services. We work on a
cost recovery basis for all customer-specific solutions and services, though
IA policy and Guidance documentation is usually free of charge to the UK
official community". This enhances the argument that S.23 of FOIA should not
be applied as S.23 assumes the context of a body whose role is directly or
indirectly linked to a national security function.



(3) There is no evidence that a certificate signed under S.23 of FOIA exists
to cover CESG activities; one should be produced so that the public can see if
Ministers agree that S.23 extends to issues that do not relate to national
security; arguably a national security exemption is being applied to protect
CESG's commercial operations (e.g. the provision of cost recovery advice).



(4) If you look at the Parliamentary debates etc, it was clearly the
intention of Government to apply S.23 of FOIA to information relating to
GCHQ's role as identified in S.3(2) of the Intelligence Services Act 1994
(and in the Regulation of Investigatory Powers Act 2000).  My request has
nothing to do with that role.



(5) My request is limited to those parts of the document that pertain to a
role that protects personal data at the "protect" level of classification.
Such a document has been widely distributed to public officials well outside
the national security remit.









From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Harrison, Iain
Sent: 08 July 2010 15:30
To: [log in to unmask]
Subject: Re: [data-protection] P7 and password expiry/complexity



Afternoon All



Don't know if the ICO has produced anything, but for ideas and technical
guidance, you may want to look at the HMG Security Policy Framework, HMG
Information Assurance Standard No 6 Protecting Personal Data and Managing
Information Security Risk, and best practice guidance from ISO 27002:2005
Code of Practice for Information Security Management.



Iain Harrison

Information Governance Officer
Contracts & Governance Team,
Customer & Workforce Services,
Coventry City Council
Council House,
Earl Street
Coventry, CV1 5RR



Telephone No: 024 7683 3305

Fax No:          024 7683 3395



www.coventry.gov.uk <http://www.coventry.gov.uk/>


