The data was hidden from anyone opening the files
What does that even mean?
Norfolk and Suffolk police have stepped forward to admit that a “technical issue” resulted in raw data pertaining to crime reports accidentally being included in Freedom of Information responses. The latest blunder follows a litany of recent errors elsewhere in the forces: Police Service in Northern Ireland (PSNI) last week …
I'd imagine it's more likely that they used a pivot table to select the data requested in the FOI but then when they copied that information to send it on they just used PASTE (CTRL+V) instead of using PASTE VALUES. That meant that the full dataset was embedded in the table and could be uncovered with a few clicks, even if the table had been pasted into a fresh Excel workbook.
It happened to me where I made an internal request for the numbers of staff at different grades in different roles (the same request as was made in the recent PSNI leak), but noticed the file was far bigger than I would have expected. A couple of clicks later I found I had also been sent the names, dates of birth and National Insurance numbers for all 20K staff in our organisation, all the way up to the CEO. I resisted the temptation to start selling on the Dark Web
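A pre-release check for the failure mode described in the comment above, as an added example that is not part of the original thread: an .xlsx file is a ZIP of XML parts, and a pasted pivot table keeps its source rows in `xl/pivotCache/pivotCacheRecordsN.xml`. The function names and the sample workbook are constructed for illustration; the sample contains only the parts the audit reads.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
RECORDS = re.compile(r"xl/pivotCache/pivotCacheRecords\d+\.xml")

def audit_xlsx(data: bytes) -> dict:
    """Count cached pivot source rows and list hidden sheets in an .xlsx."""
    findings = {"pivot_cache_records": 0, "hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            # A pasted pivot table carries its source rows in these parts.
            if RECORDS.fullmatch(name):
                root = ET.fromstring(zf.read(name))
                findings["pivot_cache_records"] += len(root.findall(NS + "r"))
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in wb.iter(NS + "sheet"):
                if sheet.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append(sheet.get("name"))
    return findings

def safe_to_release(data: bytes) -> bool:
    f = audit_xlsx(data)
    return f["pivot_cache_records"] == 0 and not f["hidden_sheets"]

def constructed_workbook(with_cache: bool) -> bytes:
    """Constructed sample: only the parts the audit reads, not a full workbook."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    sheets = '<sheet name="Summary" sheetId="1"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_cache:
            sheets += '<sheet name="RawData" sheetId="2" state="hidden"/>'
            zf.writestr("xl/pivotCache/pivotCacheRecords1.xml",
                        f'<pivotCacheRecords {ns} count="2">'
                        '<r><s v="Person A"/></r><r><s v="Person B"/></r>'
                        '</pivotCacheRecords>')
        zf.writestr("xl/workbook.xml",
                    f"<workbook {ns}><sheets>{sheets}</sheets></workbook>")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_xlsx(constructed_workbook(True)))
    print(safe_to_release(constructed_workbook(False)))
```

A non-zero record count or any hidden sheet is a reason to hold the file and re-export the figures as plain values (or CSV) before it leaves the organisation.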
I mean, first it was NI Police via a FOIA request, then Cumbrian Police via a FOIA request, and now Norfolk & Suffolk? That's three I count so far.
Looks like people are being lazy when replying to FOIA requests, or are not given the appropriate training to ensure FOIA requests don't leak personal data.
I don't think it's a particularly odd phrase. Saying "their respective counties" is only meaningful if you know where Norfolk and Suffolk are. Likewise, referring to "East Anglia" is only meaningful if you know where East Anglia is (and it's a stretch to imagine that someone knows where East Anglia is, but doesn't know that it's effectively a synonym for Norfolk & Suffolk)
Well, no. East of England generally refers to Norfolk and Suffolk. At least on the weather forecast, which is all that matters.
Northumberland is in The North, and Kent is in The South East.
Also, I'm not sure why they lump Norfolk and Suffolk together and in Suffolk we don't tend to marry our siblings (apart from Shotley, which used to get cut off regularly by the sea - so not much else to do I guess?)
"East of England generally refers to Norfolk and Suffolk. At least on the weather forecast, which is all that matters."
Context was post worrying about confusing Left-Pondians who won't be listening to UK weather forecasts. Taken literally by someone with no other context the East of England would literally* be anywhere from Northumberland to Kent inclusive.
* Literally literally.
Technically yes they are separate forces, but they share a lot of back office functions and some units are combined force units, so it absolutely makes sense that a FOI request data breach like this would impact both forces as a single entity, because the data spreadsheet was probably put together by the same group.
I just hope they've remembered to redact the online copies that would have been released
"or are not given the appropriate training to ensure FOIA requests don't leak personal data"
More likely this. A further possible cause is someone being handed the job just before the deadline and not having time to do the job.
Whatever the factors there seems to be a collective lack of quality in this area. Perhaps the forces could join together to set up a central, properly staffed office to which it would be mandatory to send responses to review and release.
And it would also raise concerns about institutional overreach. The ACPO and the NPCC (in particular the former before it was disbanded and replaced by the NPCC) were/are accused of excessive data harvesting and objecting en masse to privacy measures, although the NPCC would be the natural place to put this kind of central FOIA request office...
NPCC already operate a central clearing house function for FOI requests that are considered 'problematic' by Forces.
When asked difficult questions via FOI it is not unusual for the sender to be contacted by that function and asked why they are asking - it's happened to me twice.
Quite illegal of course - and I told them to bolt, but a standard practice.
But, and this is often ignored, there are huge issues dealing with FOIA requests where organisations will not be robust enough in responding to the serial requesters and vexatious requests.
I would surmise that the actual request may have come from the same source. There are people out there who do nothing but send out request after request.
I am not excusing the mistakes but having been on the receiving end of some of these:
An inventory of all our network equipment, manufacturer, model, purchase date
The same for all storage and servers
The square meter area occupied for teaching space compared to admin.
The list goes on.
Management and CIOs are scared to say no so people run round sorting all this crap out.
FOIA has its place however it is just being abused and most of the requests are absolutely nothing to do with the original concepts when it was first set up.
Organisations can look at the time it takes to gather the data, then work out how much that is in cold hard cash, and if it's over a certain limit, decline the request on the basis of cost and effort. They *can* charge you up to a certain amount for the FOIA request too, but if the amount exceeds the limit, they tend to turn it down.
For example, a few years ago I made a request to Thames Valley Police about the number of accidents along a certain stretch of road, but because of the way the information was recorded, they couldn't provide exactly the information I requested because it would have cost too much to go through every single case recorded to get it (which is understandable). However, rather than refusing the request, TVP wanted to provide *something*, so they bracketed the request with provisos by saying "there are X number of cases in our system along the entire stretch of the road we're responsible for, but we can't tell you whether those cases included fatalities or injuries or not. They can include breakdowns, etc, effectively any report in which the road is mentioned".
That's helpful to a degree, and the poor person having to go through every one of those cases to see if it was an accident or not, and whether it was in that specific stretch or not, probably cost more per hour than the information was worth.
What was that bit about "So far, Norfolk and Suffolk police reckon that data has not been accessed by anyone outside of policing"
Does that mean that the FOI requests are coming from other police areas?
(That would be in line with the way FOI requests are handled here: if you want any information, the way to request it is through a Freedom From Information Request).
Vexatious requests, oh dear, I work in local Govt, and luckily, some of our more vexatious citizens haven't realised FOIA means we have to respond, and instead just send emails to Councillors and the City Mayor. Most of our FOIA requests are salespeople fishing for information 'how much have you spent on Y in the last year' etc. The vexatious letters to the Mayor tend to be stuff like 'Do you shield people from the harmful effects of 5G in public libraries' etc.
"Most of our FOIA requests are salespeople fishing for information"
Yup. We get that a lot too - especially as, for stuff bought through the Government Gateway, contract dates and awards are matters of public record. And bidding losers are *even* more likely to file lots of spurious FOI requests in order to try to make us reconsider. Likewise, suing us for rejecting their bid on the basis that 'we were prejudiced against them for x reason'.
Fortunately, the team handling the contracts is very scrupulous about record keeping, in a form that makes responding to FOI relatively easy.
Sorry to tell you but those would potentially be valid FOI requests.
They don't need to mention FOI or go to a central contact point. They just need to ask a question about/of the authority and go to the authority.
Member of the public wouldn't see the distinction between members and the LA being a separate entity (which potentially they are for IG purposes) and the ICO would very much consider an FOI submitted to a member as being submitted to the Council for the purposes of FOI.
I think your IG lead needs to do some staff training sharpish
Somebody must be sat in an office somewhere trying desperately to think up a good excuse for all this.....
"Following our investigation, we have concluded that no actual errors were made, the data was just going away on its usual August Summer holidays"
ALL of these police authorities are "pre-punishing" police to try to get them to not go on strike for fairer pay and conditions.
You'll notice not ONE single higher-ranking officer's info was given away, as those were all removed "for reasons" shortly before the police authorities deliberately leaked the data.
Now they're basically saying "if the police go on strike, someone might get access to EVEN MORE data about you and your fellow officers...."
Summer recess for parliament, meaning most MPs are happily sunning themselves in foreign climes, and a much more muted political reaction. Even when the loafers get back on 4 September, they're only around for a couple of weeks before swanning off for another 3-4 weeks for the "conference recess".
This is the result of constantly making pointless changes to your user interface. It will only confuse some poor desk jockey further. They can't be bothered re-learning and re-training how to Excel because it will all be different in the next version anyway.
Then because your product has penetrated so deeply into the crucial parts of society, this eventually happens. I'm certain it won't be the last time.
Guessing the problem is someone ran a report from an HR system that gave them the FOI data plus a pile more. Said report likely posted without understanding that said pile was still attached. As PSNI are now finding out, this is no laughing matter and will have repercussions for years to come.