January 15, 2020
Asset Register

Please see below a screenshot of page 3 of the IGA publication ‘The General Data Protection Regulation: Guidance on Accountability and Organisational Priorities’ available at https://digital.nhs.uk/binaries/content/assets/legacy/pdf/1/o/iga_-_guidance_on_gdpr_acc___org_priorities_v1_final.pdf

I would be grateful if I could be given a copy of the records highlighted in the screenshot, i.e. which detail: ‘the recording of all data processing activities with their legal bases and data retention periods’.


Our Trust has developed a bespoke Asset Management Register within the Nexus suite of apps; this has been developed in-house by our Health Informatics department, and is populated on an ongoing basis by the Information Governance department.

The Asset Management Register contains details which relate to our information systems and the security of these systems, and as such, this is exempt from disclosure under FOIA Section 24 (Safeguarding National Security) and Section 31 (Prevention and Detection of Crime).

If disclosed, this information could be used to identify ways of breaching our Trust’s information security measures. This would potentially put invaluable patient and staff data at risk, which the Trust has a legal duty to protect under the GDPR and DPA 2018, and other confidential data which is essential to the running of Trust services. The disclosure of information which may undermine the integrity of our information systems, and NHS information systems on a national scale, is exempt under Section 24. The disclosure of information which would make our Trust more vulnerable to crime is exempt under Section 31, as releasing the requested information may prejudice our ability to prevent crime targeting our systems.

FOIA Sections 24 and 31 are qualified exemptions; the public interest in withholding information must outweigh the public interest in disclosure. It is the opinion of the Trust that the public interest in protecting the integrity of our information and ensuring our ability to provide healthcare services justifies the application of these exemptions.

The Asset Management Register also contains information relating to our staff which is exempt under FOIA Section 40(2) (Personal Information) and information relating to our information systems which is exempt under FOIA Section 43(2) (Commercial Interests).

The information is held within a system and to provide an extract from the system, which (for your context) would produce several thousand pages of information, and would require extensive processing, review and redaction – including but not limited to, consideration of the above factors (Safeguarding National Security, Prevention and Detection of Crime, Personal Information, Commercial Interests) – would involve a disproportionate and unjustifiable effort to provide.

As a result of all of the above considerations, and the lack of purpose or value in disclosing this amount of information – especially in light of the point below – the disclosure of our Asset Management Register is exempt under FOIA Section 14(1) (Vexatious). Please see here for further information on this: https://ico.org.uk/media/for-organisations/documents/1198/dealing-with-vexatious-requests.pdf

Additionally, under FOIA Section 21, we are not required to provide information in response to a request if it is already reasonably accessible to you. Information regarding our data processing activities, including the legal bases and retention periods, is outlined in our Privacy Notice for Our Service Users, which can be found on the Trust website – please see: https://www.bfwh.nhs.uk/privacy-notice-for-our-service-users/ To provide information beyond this in the form of our Asset Management Register would be disproportionate, unjustifiable and lacking in purpose or value.

