Well just to let you know I have made an FOI request to the Cabinet Office for this "HMG Information Assurance Standard No 6 Protecting Personal Data and Managing Information Security Risk". My request was refused on the grounds that the document originates from the national security agencies. I am subsequently going through the appeals process. So I would not hand it round willy-nilly if the spooks take this attitude to their precious words.

I think the situation is wholly daft as this standard has a wide distribution outside the national security agencies.

C

My grounds for appeal being considered by the Cabinet Office (since 7th May - 60 days coming up; ICO recommends 20 for an appeal) below:

I would like you to review the decision to withhold the FOI request for HMG IA Standard No. 6 (See attached). The grounds for the appeal are as follows:

(1) CESG should be considered as an arm's length body and not part of GCHQ in the context of my request. CESG should be seen as having a separate existence as "The National Technical Authority for Information Assurance". It has a separate web-site (http://www.cesg.gov.uk/index.shtml) and the GCHQ web-site clearly states that this IA role is not one linked to Signals Intelligence.

(2B) CESG has a minimal national security role. Its web-site states that CESG "aims to protect and promote the vital interests of the UK by providing advice and assistance on the security of communications and electronic data. We deliver information assurance policy, services and advice that government and other customers need to protect vital information services. We work on a cost recovery basis for all customer-specific solutions and services, though IA policy and Guidance documentation is usually free of charge to the UK official community". This enhances the argument that S.23 of FOIA should not be applied as S.23 assumes the context of a body whose role is directly or indirectly linked to a national security function.
(3) There is no evidence that a certificate signed under S.23 of FOIA exists to cover CESG activities; one should be produced so that the public can see if Ministers agree that S.23 extends to issues that do not relate to national security; arguably a national security exemption is being applied to protect CESG's commercial operations (e.g. the provision of cost recovery advice).

(4) If you look at the Parliamentary debates etc, it was clearly the intention of Government to apply S.23 of FOIA to information relating to GCHQ's role as identified in S.3(2) of the Intelligence Services Act 1994 (and in the Regulation of Investigatory Powers Act 2000). My request has nothing to do with that role.

(5) My request is limited to those parts of the document that pertain to a role that protects personal data at the "protect" level of classification. Such a document has been widely distributed to public officials well outside the national security remit.

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Harrison, Iain
Sent: 08 July 2010 15:30
To: [log in to unmask]
Subject: Re: [data-protection] P7 and password expiry/complexity

Afternoon All

Don't know if the ICO has produced anything, but for ideas and technical guidance, you may want to look at the HMG Security Policy Framework, HMG Information Assurance Standard No 6 Protecting Personal Data and Managing Information Security Risk, and best practice guidance from ISO 27002:2005 Code of Practice for Information Security Management.

Iain Harrison
Information Governance Officer
Contracts & Governance Team, Customer & Workforce Services, Coventry City Council
Council House, Earl Street
Coventry, CV1 5RR
Telephone No: 024 7683 3305
Fax No: 024 7683 3395
www.coventry.gov.uk <http://www.coventry.gov.uk/>

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html