SOJP data centre risk (FOI)

​Request

I seek the following information from the States of Jersey Police:

A
Are the Data Centre's operated by or for the organisation fit for purpose? For example, is there a Business Continuity Plan, is there Disaster Recovery in place or is it a single site?
B
Is there any capital investment in data centres planned in the next 36 months? For example, Mechanical & Electrical or refresh of equipment within the DC such as network, storage area network?
C
Is data privacy and or information security compliance a priority for the organisation’s board?
D
On your Organisation’s risk register, are there any Information Technology related
risks?
i) If time/ cost allows, please list the top three related risks.
E
Are the cyber security vulnerabilities within the organisation’s existing Information
Technology estate increasing?
i) Has the organisation had a security breach in the past 12 months?
F
Did the organisation meet its Information Technology savings target in the last
Financial Year?
G
What percentage of Information Technology budget is currently allocated to “on premises” capability vs “cloud” capability?
H
Does the organisation have the skills and resource levels necessary for moving to the cloud?
I
What percentage of the Information Technology department headcount are software developers?
J
In relation to contracts with Amazon Web Services, Microsoft for Azure and/or Google for Google Cloud, was the monthly expenditure higher than budgeted?
i) If yes, has the organisation been able to subsequently reduce the cost whilst maintaining service levels for users?

Response

This response is a National police response based on the possible threat to the national security of the Channel Islands and the UK in general.

A
The States of Jersey Police neither confirm or deny the status of police data centres.
B
Yes.
C
Yes.
D
The States of Jersey Police neither confirm or deny any specific information Technology risk.
E
The States of Jersey Police neither confirm or deny any breach of security in the past 12 months.
F
Yes
G
The States of Jersey Police neither confirm or deny any budget commitments to cloud operations.
H
See answer G
I
40 %.
J
See answer G

Article applied

Article 10      Obligation of scheduled public authority to confirm or deny holding information

(1)     Subject to paragraph (2), if –
(a)     a person makes a request for information to a scheduled public authority; and
(b)     the authority does not hold the information,
it must inform the applicant accordingly.
(2)     If a person makes a request for information to a scheduled public authority and –
(a)     the information is absolutely exempt information or qualified exempt information; or
(b)     if the authority does not hold the information, the information would be absolutely exempt information or qualified exempt information if it had held it,
the authority may refuse to inform the applicant whether or not it holds the information if it is satisfied that, in all the circumstances of the case, it is in the public interest to do so.
(3)     If a scheduled public authority so refuses –
(a)     it shall be taken for the purpose of this Law to have refused to supply the information requested on the ground that it is absolutely exempt information; and
(b)     it need not inform the applicant of the specific ground upon which it is refusing the request or, if the authority does not hold the information, the specific ground upon which it would have refused the request had it held the information.

Public Interest Test

Factors favouring disclosure - Confirming or denying any information is held that confirms whether the States of Jersey Police, (A), has contingency planning in place in respect of a Data Centre, and (B), details of any on-site or Cloud based capabilities would allow the public to be better informed on the health state and performance of your forces Information Technology platform.  In addition, forces are required to demonstrate efficient services to local taxpayers and satisfy audit requirements. This would provide transparency with regard to the use of public funds in so much as highlighting that funds are being used to correctly and appropriately ensure all Data Centres have adequate hardware and software, which results in the smooth running of force Technology systems.

Factors favouring non-disclosure - Whilst there is public interest in providing reassurance that police forces are appropriately and effectively dealing with any threats posed by terrorist organisations against police force Technology capabilities, there is a strong public interest in safeguarding National Security and the welfare and safety of the general public at large. Any disclosure has the potential to undermine current and future Data Centre integrity, which in turn compromises the force’s mandate to protect the security of Jersey and the United Kingdom, e.g. counter-terrorism activity.  The risk of significant harm or even death to the community at large would be increased.   In addition, by confirming or denying whether the force has partnered with third party company’s by revealing budget information, is intelligence to those who would wish to exploit vulnerabilities in the service.  This may lead to compromise of force IT systems which ultimately affects law enforcement capabilities and hinders the prevention and detection of crime or terrorism.

Balance Test

The security of the Jersey and other UK country’s is of paramount importance and the Police service will not divulge whether any information is or is not held if to do so would undermine law enforcement and therefore compromise the work of the police service as a whole.  Whilst there is a public interest in the transparency of policing and force infrastructure, including any initiatives conducted with the private sector in relation to impacting on the crime or terrorist threat, there is a very strong public interest in safeguarding the integrity of these arrangements in this very sensitive area.

The points above highlight the merits for and against disclosure of the requested information.  Disclosure would undoubtedly provide a greater openness and transparency to the community at large with regard to the Information Technology resources available to the police, and whilst there is always a public interest in the transparency of how a police force delivers effective law enforcement and ensures the National Security of Jersey, the other Channel islands and the United Kingdom is robust, there is a very strong public interest in safeguarding the intricacies and tactical capabilities of the Data systems used when dealing with information.

In every case, public safety is the paramount focus and any information which would place individuals at risk and compromise the National Security of Jersey no matter how generic, is not in the public interest.  The effective delivery of operational law enforcement and the National Security of the Channel islands and the United Kingdom is crucial and of paramount importance to every force.  This would have a negative impact on law enforcement and national security.

Therefore, for these issues the balancing test for confirming or denying whether any further information is held, is not made out.