
ACRO Information and Technology Board Minutes · ACTION 19/071: CW to provide a documented summary, at the next AITB IM Meeting, to explain the DAF reporting breach detailing the


[Official Sensitive] Page 1 of 4

ACRO Criminal Records Office

ACRO Information and Technology Board Minutes

Minutes of the meeting held at ACRO Criminal Records Office on 9th October 2019 at 10am in the Ante Room.

1. Attendance

Rob Price (RP) ACRO CEO
Chloe Bowler (CB) ACRO Senior Manager
Julia Barnard (JB) ACRO Senior Manager
Tom Mason (TM) T/ACRO Senior Manager
Sean De-Fraine (SdF) IT Technical Delivery Manager
Derek Bucksey (DB) Technical Support Analyst
Claire Wills (CW) Systems Development Advisor
Anne Saxton (AS) Finance Manager
Dave Blackburn (DBl) GSA
Ryan Curtin (RC) Service Delivery Manager, HC/TVP
Rebekah Lanfear (RL) Management Assistant (Minutes)

2. Apologies

2.1 Apologies were received from Alison Anderson-Sanger, James Fulton, Lucy Saunders, Tim Feltham, Alex Ollis, Karen Garrett, Steve South, Annie Fursey and Susan Francis.

3. Minutes and Action Log

3.1 Previous Minutes

The minutes of the previous meeting held on 4th September 2019 were agreed as an accurate record.

3.2 Action Log

The action log was updated accordingly following discussion.

4. IT Update

4.1 General Update from IT & SM (inc JICT and GSA updates)

JB went through the IT & SM update for the meeting and discussions were as follows:

JB advised that the Service Now update is currently happening, and that HC/TVP are making adjustments and changes from 10th October ready for 21st October, HTVP will be onsite. Comms to go out via TF.

Custody API services are now in place on the DEZ. This has been confirmed in a conference call with JB and HC looking to proceed with work and upgrades. Joint ICT have given the go ahead for this.

CB advised that this is no longer happening having been confirmed with her yesterday as API is not Business Critical for ACRO. Although testing is still happening.

ACRO server upgrades are planned for November/December depending on the outcome of Brexit and the impact on ACRO. JB to liaise with relevant departments when the dates are fixed. RC is working on this too and is meeting with HC/TVP DVAS to agree dates.

Action: 19/075 JB to liaise with relevant departments when dates are fixed for server upgrades

Windows 7 2016 build has now been agreed.

AS now has access to Worldpay on Website so can do changes to Worldpay without having to go through Hampshire county council.

DAFs National meeting took place on 1st October and the slides have come back. All business areas need to review these to ensure DAFs are covered. There is a meeting on the 17th October to cover Subject Access. TM to raise issue with meeting title for SA on the 17th October meeting as it is not a DAFS review and the meaning needs to be clearer.

Action: 19/076 Feedback to next AITB meeting (IM) as to the outcome of LEDS SA meeting on 17th October and report back with action to be raised at 6th November AITB.

On 17th October GSA will be down for robotic processes for automation.

GSA Update

There are ongoing works for the replacement of PNC functionality, DBl and his team have been doing PNC training for this and the aim is to be completed within this financial year. DBl would like to speak to Annie Fursey and Becci Miller regarding the layout of PNC results and if this can be presented differently.

Engagement around CHS has started to include this in the same PNC interface to make PNC multifaceted to support PNC/CHS/LEDS one product providing results. JB advises that this has been approved with Scotland and is in the budget for this financial year. This will lead onto further discussion with TM around how best to enable the searches and merge this in with PNC searching to spot where there may be issues in order to prevent live breaches.

DBl has had engagement with the LEDS team to start work with engagement around February 2020 to have capability by late 2020.

5. Information Management Update

5.1 Data Breach Update

KP advised that there is one update on item 2.4 in the data breach update paper, and confirmed that this is the only outstanding ICO referral we have. This relates to historical Irish offences in 2014 that are still being dealt with and was brought to KP's attention last Friday. The ICO are aware of this.

The trajectory for data breaches has been rising but seemingly around human error. August is the second highest month in the last 12 months across ACRO as a whole. In International Services and Intel there has been historical works in relation to breaches which has seen a rise in the figures due to volumes of transactions increasing, so this will have an impact.

In August 2019, there were 65 breaches, near misses and 1 data dispute reported for the whole of ACRO. This represents a 6% increase in breaches compared to July. AAS to meet with Paul Moorman to help with the report on analytical side.

6. IT Budget

6.1 Itemised budget 2019/2020

AS went through the spreadsheet submitted for the meeting which provided details of items over £10K.

£1,248,739 total budget (all)
£629,090 total budget used to date (all)
£265,927 contingency/unknown items

AS advised that at this stage spend is on track, do not wish to relinquish any of the contingency due to the uncertainty over the next couple of months due to Brexit and Illuminet.

7. AOB

7.1 CB advises that there has been further engagement on sharing systems with other countries, currently having 3 options for encryption. These being WINZIP, EGRESS and SMIME. ACRO are currently going with EGRESS as a primary but could explore other options as part of negotiations if declined. CB has asked that a piece of work is to be carried out today to clarify which countries want which solution of the menu.

7.2 JB update on command and control looking to go live on 21st October with the IOW being the first to roll out for CMP on the 22nd October.

7.3 JB advised that in relation to warning signals and markers there have been inconsistencies when updating warning signals on PNC as guidance within ACRO doesn’t tie up with national guidance. Annie Fursey was approached regarding this and is to review internal guidance.

ACTION: 19/077 All areas of ACRO to check and ensure guidance in regards to warning signals and markers when reviewing all processes and procedures so that they comply with national guidance. (JB)

7.4 PND to change over on the 17th October for intel, changing to a newer desktop version.

7.5 CB gave thanks to RC for the laptops that are being used in the Brexit team.

8. Next Meeting

8.1 6th November 2019 at 10am in Ante Room


ACRO Information and Technology Board Minutes

Minutes of the meeting held at ACRO Criminal Records Office on Wednesday 4 September at 10am in the Ante Room.

1. Attendance

1.1 Present

James Fulton (JF) Head of ACRO
Susan Francis (SF) ACRO Senior Manager
Karen Garrett (KG) ACRO Senior Manager
Chloe Bowler (CB) ACRO Senior Manager
Julia Barnard (JB) ACRO Senior Manager
Tom Mason (TM) T/ACRO Senior Manager
Karen Progl (KP) ACRO Senior Manager
Katherine Nicolls (KN) Development Officer
Jess Dinnage (JD) Management Assistant (Minutes)

2. Apologies

2.1 Apologies were received from Rob Price, Lucy Saunders, Anne Saxton, Alison Anderson-Sanger and Claire Wills.

3. Minutes and Action Log

3.1 Previous Minutes

The minutes of the previous meeting held on 9th July 2019 were agreed as an accurate record after removing Karen Garrett from the apologies.

3.2 Action Log

The action log was updated accordingly following discussion.

4. Information Management Update

4.1 Information Managers Update

KP updated that the next data breach training will take place Wednesday 18th September at 09:30. KP stated feedback is requested by HoS to ensure training is kept up-to-date.

4.2 The Data Breach Logger was successfully launched 1st August 2019 and KP has received positive feedback. It was identified that Excel needs to be closed completely after each use else this can cause delays when trying to input a breach. Due to this, Stuart Saunders has now implemented a clause whereby Excel will automatically close when the breach is logged and therefore, this issue should be resolved.

ACTION 19/070: AAS to provide an update regarding the ongoing challenges with Excel and the data breach logger.

4.3 KP confirmed regular comms will go out to staff regarding data breaches and comms for the GSC will be distributed this month.

4.4 It was agreed at the August Establishment Meeting that a 6 month temporary Development Officer could be recruited for Information Management to assist with the Data Protection Triage work. There were 2 applicants for the role, 1 was shortlisted and KP is to have a meeting with them 04.09.2019.

4.5 Deletion requests continue to rise year on year. There is a vacant 0.5FTE post within the team due to staff’s reduction of hours. KP advised this may need to be recruited to.

4.6 The “O” Judicial Review hearing has been moved to Friday 8 November.

4.7 After repeated attempts to engage with the policy team, around how subject access will be dealt with on LEDS, they don’t seem to have taken on any feedback. Anne Fursey has raised this as a significant risk and so, this will be taken to the Governance Board by TM.

4.8 KP reported on the DAF report breach. There are currently 2 issues with DAF reports: first, that DAF reports aren’t being produced for some of the International Information being recorded and the other, that when data is provided and the force updates that record, we are not receiving a DAF reporting the change and so, we don’t notify the Central Authority. There have been a few breaches whereby applicants have reported the PNC record was incorrect and we have had to deal with the outcome. Due to this, Claire Wills has requested that ACRO receive DAF reports for these changes and once these are being received, ACRO need to decide what actions we are going to undertake whether this be automated notifications or manual work. KP agreed this would be handed to Lucy upon her return.

ACTION 19/071: CW to provide a documented summary, at the next AITB IM Meeting, to explain the DAF reporting breach detailing the volumes and risk that come to ACRO.

4.9 The board agreed the option of an ICO audit should be held off until the ICO guidance on Part 3 of the Data Protection Act is completed.

5. Requests for Change

5.1 Environmental Scanning

KN made the Board aware that it was being considered for BA to be fined £183million however, they have not received this yet.

5.2 The Irish Data Protection Commission launched an investigation after Digital Rights Ireland made a complaint about The Department of Employment Affairs and Social Protection (Ireland) about a change to the Department's Privacy Notice. The Monetary Penalty Notice has not been issued yet and there are no updates as to how much this will be.

5.3 The Metropolitan Police Service are due to come to the end of their enforcement notice on 30 September 2019.

5.4 At the last meeting, the board was informed that 43 forces were to be notified of a suspension of work flow to Eurofins Ransomware, following a cyber-attack. The NPCC Platinum Group has been informed that workflows may now be redirected to Eurofins.

5.5 The ICO have updated clarifications on the time scales surrounding Subject Access. The ICO considers the day of receipt of a Subject Access Request as ‘Day One’ of the time scale to be complied with, even where that day is not considered a working day.

ACTION 19/072: TM to update any changes necessary for ACRO with regards to the updated clarifications on time scales for Subject Access.

5.6 The Data Protection Act mandates that the ICO rewrites the Code of Practice that was produced in 2011. The consultation has now begun however, there is not a deadline in which this must be released.

5.7 Certification bodies are currently working on accreditation documents and these will then be signed off by the ICO for organisations to apply to be assessed. Once organisations have been assessed, should they pass, they will receive a certificate, seal or mark relevant to the scheme for which they have been assessed.

5.8 A refresher National Information Management Training video, as a follow up to the Managing Information e-learning, is set to be available at the end of August 2019 and will be available for use on NCALT. KP and AAS will nominate persons who need to undertake this training.

5.9 ‘Openness by Design’ is the ICO’s published 2019/20-2021/22 strategy and within are 6 goals set for the next three years. Within this, it states the Data Protection Act placed a large burden on organisations however, their response is this should be embraced.

5.10 There have been numerous complaints from the public regarding organisations voluntarily disclosing personal data to police forces. Whilst it is true in most instances, that data cannot be shared, when the police request personal data for emergency purposes or on-going community policing activities, the organisation can share personal data.

5.11 Capital One have reported a data breach affecting 106 million individuals across America and Canada whereby, they lost individuals' data such as names, addresses, phone numbers and national security numbers. This is the largest data breach in banking history.

6. Data Breach Update

6.1 In July a breach was rated as high amber and referred to the ICO. The breach relates to incorrect offence and sentencing data received from Ireland that resulted in a data subject being added to VISOR incorrectly. This breach is still outstanding with the ICO.

6.2 In relation to the breach concerning the CHS print being sent in error, the ICO have responded with no further action required. This was due to the mitigating actions that have already been put into place by ACRO.

6.3 The ICO action log has been updated and in total ACRO have received 29 actions from the ICO, of which 14 have been completed and closed.

ACTION 19/073: AAS to review outstanding ICO actions and the next IM AITB Meeting.

6.4 Notifications have been sent to Managers that have staff with repeat breaches in order to address this.

6.5 It was recommended that AITB add issues 11 and 12 to the corporate risk register however, it was agreed issue 11, Amendments to PNC post DAF, is being dealt with internally. Issue 12, PNC within GSA, is currently being worked on by IT and Jason Merricks. JF recommended that AAS liaise with JB to determine what work has been done.

7. Data Breach Policy Update

7.1 The Data Breach policy has been updated and 3 main changes have been made. The policy now states that Deputy Managers would risk assess data breaches, and that only those graded Amber or Red would be referred to the SMT.

The Data Breach Logger has been launched and now the process for reporting a breach is more efficient and eliminates the duplication of data. Therefore, the policy has been changed to reflect the new reporting method.

HR have reviewed the current policy, as a result of actions taken against staff who have been responsible for a significant breach or series of breaches. The policy has been updated to include their requested amendments in respect of listing the performance management policy within related policies and updating manager’s responsibilities in respect of performance management.

These changes were agreed by AITB and KP agreed to circulate this.

ACTION 19/075: KP to circulate updated Data Protection Policy.

8. Privacy Notice Paper

8.1 Within GDPR, there is a requirement to publish a Privacy Notice and make this available to data subjects stating how their personal information is used and their rights. To ensure compliance with this requirement, ACRO have provided a link on the website to our host forces privacy notice. KP proposed that AITB agree the content of the privacy notice to be used as the template for all ACRO privacy notices.

AITB agreed this template however, additional templates are to be made in different languages to accommodate foreign nationals within International Services.

9. POLWARP

9.1 All forces are required to report data breaches and near misses that are risk rated amber and red to the Home Office on a quarterly basis, also making Hampshire Constabulary aware. Additionally, the Home Office also require live time reporting of any breaches that could cause a significant harm to the individual or compromise systems. These should be reported on a come to notice basis however, ACRO have not begun this process yet.

AITB agreed this report can be sent to the Home Office without consultation of the board.

10. Data Protection Officer Update

10.1 In some areas of ACRO court orders are causing confusion and a few have been delayed in the Customer Services queue. A new Outlook mailbox is being created and the website will be updated, to ensure that solicitors know where to send them.

10.2 There has been an increase in requests for ACRO data and more recently, International data that’s held on PNC. A system has now been implemented in the hope of processing these complex requests.

10.3 We have received notification from Beijing Gaowo IP Firm that they are dealing with legal matters involving a trademark in China. ACRO was registered in China on 14th October 2018. This matter has been referred to the force solicitor.

10.4 ACRO have received 2 ICO cause for concern regarding ACRO’s handling of a subject access request, which has received no further action, and a record deletion application, which is under investigation.

11. AOB

11.1 JB raised that she had received some paperwork regarding data centres and security issues.

12. Next Meeting Date

12.1 Wednesday 9 October 2019 at 11am in Ante Room


ACRO Information and Technology Board Minutes

Minutes of the meeting held at ACRO Criminal Records Office on 7th August 2019 at 10am in the Ante Room.

1. Attendance

1.1 Present

Rob Price (RP) ACRO CEO
James Fulton (JF) Head of ACRO
Susan Francis (SF) ACRO Senior Manager
Karen Garrett (KG) ACRO Senior Manager
Chloe Bowler (CB) ACRO Senior Manager
Julia Barnard (JB) ACRO Senior Manager
Tom Mason (TM) T/ACRO Senior Manager
Alison Anderson-Sanger (AAS) Information Manager
Sean De-Fraine (SdF) IT Technical Delivery Manager
Derek Bucksey (DB) Technical Support Analyst
Alex Ollis (AO) IT Systems Administrator
Claire Wills (CW) Systems Development Advisor
Dave Blackburn (DBl) GSA
Ryan Curtin (RC) Service Delivery Manager, HC/TVP
Mandie Rignall (MR) Management Assistant (Minutes)

2. Apologies

2.1 Apologies were received from Lucy Saunders, Karen Progl, Tim Feltham, Anne Saxton, Alex Ollis, Steve South and Annie Fursey.

3. Minutes and Action Log

3.1 Previous Minutes

The minutes of the previous meeting held on 9th July 2019 were agreed as an accurate record after removing Karen Garrett from the apologies.

3.2 Action Log

The action log was updated accordingly following discussion.

4. IT Update

4.1 General Update from IT & SM (inc JICT and GSA updates)

JB went through the IT & SM update paper which she had submitted for the meeting and discussions were as follows:

1.1 JB advised that the Hampshire/TVP ICT Timeline of IT Events & Milestones will be worked on to provide a more legible, readable format and will incorporate ACRO’s timelines.

2.1 The new mobile rollout for ACRO and NaVCIS has been completed.

Action 19/062: RC will investigate the use of business mobiles for private use.

2.2 The move of the ACRO website onto a supported platform is now in the testing phase ready to go live in August. JB thanked Jason Merricks for his hard work.

2.3 SdF has prepared for the upgrade of the ACRO virtual environment to Windows 2016 along with the GSA applications. JB advised this was due October 2019 but JF commented that this needed to be now or after Brexit and suggested December 2019.

Action 19/063: SdF will look into arranging a new date (not Oct 2019) for the implementation of the ACRO virtual environment to Windows 2016.

2.4 The ServiceNow workshop took place on 16th July 2019. Carrie Oslar has supplied the notes and slides from the workshop and DB will collate the feedback from the SMT on her behalf. The training in Test will commence on 20th August 2019 with a follow up meeting 11th September 2019 for any defect remedies prior to going live. Once the actual IT implementation phase is complete, this project will move to the Development Portfolio where Graeme Wallace will be the contact.

Action 19/064: DB will collate the feedback on behalf of the SMT from the notes and slides relating to the ServiceNow workshop splitting them into either IT faults & requests or process streamlining.

2.5 Colossus went live for NaVCIS on 21st May 2019 with the Intelligence side. Case management is progressing in Test with a view to go Live September 2019.

2.6 BT are conducting a site survey of Forum 3 on Friday 16th August 2019 with regards to the cabling.

3.1 The designs drawn up regarding the Custody API Project were approved at the Architecture Board on 30th July 2019. A requested DPI has been completed and submitted to ACRO Information Management for triage.

3.2 Backups of the DMZ environment have been re-instated.

3.3 Work is still underway on the GSA packaging for the Windows 10 pilot but general testing of Word and Excel with office functionality can commence.

3.4 The Project Proposal form for Egress was submitted into Hampshire/TVP together with the Egress Technical documentation and JB is awaiting the response.

Action 19/065: JB to chase Andrea Tompkins/Andrew Grimley regarding a response on the submission of the Egress Project Proposal form.

4.1 Further to the signing of the Forum 3 lease which will form a partial business continuity option, the equipment requirement is currently with Hampshire/TVP for approval.

4.2 - 4.6 The virtual servers at ACRO are being planned for an upgrade Oct/Nov 2019 which after discussion moved to Nov/Dec and would be subject to Brexit impact. In regards to DR/BC the original 5 options have now been reduced to just 1 which is to move everything into the Hampshire/TVP virtual environment which will mean using their computer storage, backup and replication. SdF will go through the report received from Hampshire/TVP which advised this would be the only option achievable this financial year and feedback concerns. ACRO regard this option achievable within this financial year but this is dependent on how quickly Hampshire/TVP JICT confirm the environment is ready for us and when GSA can facilitate the move of the applications.

Action 19/066: JB to provide an update at the next meeting regards the report received from Hampshire/TVP advising there is only one option remaining this financial year regarding the upgrade of the virtual servers at ACRO.

5.1 ACRO’s licences of the GSA applications in use are now migrated across to ASP licences. Work is now commencing on the PNC upgrade from Win32 to ASP. DBl confirmed that the relevant GSA staff are being trained on PNC to assist with their understanding of how it works. The GSA staff also want to understand where breaches are coming from and how they occur as well as a better understanding of our business continuity requirements.

5. Information Management Update

5.1 Data Breach Update

AAS confirmed that the new Data Breach Logger went live on 1st August 2019. This has been well received with feedback including that it is now 30-40% quicker to complete. AAS thanked Stuart Saunders for all his hard work.

Only one breach was referred to the ICO in June 2019 and in the reply received on 20th July 2019 they confirmed they had concluded no further action was necessary.

In June 2019, there were 46 breaches, 5 near misses and 1 data dispute reported for the whole of ACRO. The largest cause was external errors e.g. the receipt of incorrect information from a third-party.

6. Requests for Change

6.1 ECRIS retention schedule

CW confirmed that there had been some discrepancies in the retention guidelines schedule brought to the last meeting but this has now been amended and brought back to seek agreement from the Board that the weeding of data requirement can be progressed with GSA to implement and make ACRO compliant with the national guidance. Following a general discussion, this was agreed in principle, but costings needed to be known.

Action 19/067: DBl to look into costings for GSA to implement the proposed weeding of data to make ACRO compliant with the national guidance.

RC queried the Subject Access request regarding the “right to be forgotten”. JB confirmed that she had completed the deletion for ACRO. AAS questioned whether this should be across the board and therefore include removal from Hampshire as well as ACRO.

7. IT Budget

7.1 Itemised budget 2019/2020

SF went through the spreadsheet submitted for the meeting which provided details of items over £10K.

£1.25million total budget (all)
£620K total budget used to date (all)
£250K contingency/unknown items

SF advised that Finance will need to know if this contingency sum will be spent by September 2019 as the spending will result in the amount no longer being part of “contingency”. JB is to discuss this further with the Finance department.

Action 19/068: JB to discuss with the Finance department whether the current “contingency” money will be spent by September 2019.

8. Translation Audit

8.1 Action Log

JB went through the open items on the log.

Recommendation 12 – JB confirmed this will be reviewed post Brexit.

Recommendation 15 – Following discussion, TM has been asked to investigate this further.

Action 19/069: JB will update the Translation Audit Log accordingly

Action 19/070: TM will investigate recommendation 15 from the Translation audit log

9. Any Other Business

None

10. Next Meeting Date

10.1 4th September 2019 at 10am in Ante Room


ACRO Information and Technology Board Minutes Minutes of the meeting held at ACRO Criminal Records Office on the 9th July 2019 at 19am in the Ante room.

1. Attendance 1.1 Present Rob Price (RP) Chief Executive (Chair) Karen Progl (KP) ACRO Senior Manager Susan Francis(SF) ACRO Senior Manager Julia Barnard(JB) ACRO Senior Manager Tom Mason (TM) T/ACRO Senior Manager Alison Anderson-Sanger(AAS) Information Manager Tim Feltham(TF) Communications Manager Anne Saxton(AS) Finance Manager Claire Wills(CW) Systems Development Advisor Alex Ollis(AO) IT Systems Administrator Mandie Rignall (MR) Management Assistant (Minutes)

2. Apologies 2.1 Apologies were received from James Fulton, Lucy Saunders, Chloe Bowler, Karen Garett

3. Minutes and Action Log 3.1 Previous Minutes The minutes of the previous meeting held on 5th June 2019 were agreed as an accurate record.

3.2 Action Log The action log was updated accordingly following discussion.

4. Information Management 4.1 Information Managers Update

Data Breach Training - AAS advised that the latest training took place yesterday, 27th June 2019, covering a mixture of new staff and staff returning from long term absences. There are currently 2 members of staff who have not attended training.

Information Audit - AAS met with International Services to discuss the action plans prepared from the audit. This action plan is now being progressed.

Information Management Resources - Katherine Nicholls is now on board and the temporary Data Entry Clerk left at the end of their contract in June.


Data Breach Reporting automation - Stuart Saunders has done an amazing piece of work to automate data breach reporting. This is currently at the testing stage and once all issues have been resolved, it can go live. The new automation will reduce double keying, allow auto populate and the drop down choices will enable information analysis.

Information Asset Owner Training - this was provided by Aristi for the SMT and Information Manager. It was established that the CEO is the Senior Information Risk Owner and the SMT are Information Asset Owners for their respective portfolio.

Government Security Classification - During the IAO training, the Government security classifications were discussed in respect of what classifications should be used and the implications of their use. AAS will research these classifications further.

Action 19/058: AAS to research Government Security Classifications, their use and the implications of use.

To refresh the knowledge in respect of the classifications and their use, ACRO has two options as listed below:

A - Get all staff to retake the e-learning package as refresher training

B - Produce an information sheet to be available on the intranet and publish in On the Record.

The Board all agreed to option B.

4.2 Environmental Scanning AAS made the Board aware that it was being considered for BA to be fined £183million. The reduced figure of 1.5% was in respect of the breach being due to a cyber-attack.

Derbyshire Constabulary’s ICO audit highlighted their areas of ‘Good Practice’ and commended the dual title-ship of their Information Manager as Data Protection Officer. Following the impact of the ICO audit on Hampshire Office of the Police and Crime Commissioner in March 2019, AAS has obtained copies of the templates used thus allowing ACRO to carry out further work prior to inviting them to carry out an audit here.

4.3 Data Breach Report AAS advised that ACRO did not refer any data breaches to the ICO in May 2019, however, on 20th June 2019 ACRO self-referred data breach DB/19/357 to the ICO. The breach occurred when a CHS print was attached to a subject access disclosure in error.

4.3.1 The ICO Action Log had been updated and was attached as appendix A. In total ACRO has received 23 actions from the ICO of which 13 have been completed. The Board discussed the items in orange to agree if they could be closed or if further actions were needed.

Action 19/059: KP and AAS to update the ICO action log following Board discussions of those items in orange.

4.3.2 AAS presented the updated analysis recommendations for Lost in post and Data breaches which now includes the comments received from all business areas with the exception of IT as these are yet to be received. Some SMT have requested clarification on their recommendations.

Action 19/060: KP to go back to SMT to clarify the recommendations for Lost in Post and Data Breaches and formulate an action plan.

In May 2019, there were 72 breaches and 5 near misses for the whole of ACRO. This represents a 36% increase in breaches compared to April 2019.

ACRO are now required to report all near misses to the Home Office on a quarterly basis, that would have been risk rated amber or red, if they had resulted in a breach. The risk rating of the near misses will be completed by Information Management. This first report will be submitted in July 2019.

5. Data Protection Officer 5.1 Data Protection Officer update KP advised that this reporting period is from 3rd May (the last AITB meeting) to 4th July 2019.

Information Asset Owner Training - held on 25th June 2019, the SMT and Information Manager received a one day training session provided by Aristi in respect of their responsibilities as Information Asset Owners.

Lawful basis questionnaires - the lawful basis questionnaires for both General Pharmaceutical Council and Nursing & Midwifery Council were reviewed and Information Management informed that they can proceed with the relevant ISA renewals.

DPIA for ACRO processes - the Development team submitted a DPIA for the business partner engagement. As it will involve access to criminal record data, the lawful basis for access to Part 3 data had to be established.

Enforced Subject Access - in April, 39 subject access applicants indicated that their SAR was enforced, 4 of these were reported to the ICO. In May, 31 subject access applicants indicated that their SAR was enforced, 2 of these were reported to the ICO.


Freedom of Information Requests - a FOI request was received from an individual wanting statistical data on the timeliness of responding to subject rights requests since GDPR was signed off in 2016. (Not to be confused with when it was implemented in May 2018).

Ad hoc advice - 36 ad hoc enquiries were responded to, ranging from routine to complex queries. A record of all triage queries and responses is retained. Finance queried whether we could charge DBS for back record conversion requests as these equate to 3,700 checks per annum. As the records are from an archived police database and under GDPR/DPA we have a legal requirement to maintain accurate up to date records, we cannot charge DBS for requesting that we update them.

Audit:

The Home Office expressed concern that Forces are not applying the correct rag rating when scoring incidents for the quarterly PolWARP return. Having reviewed Home Office guidance and conducted an audit we are confident that ACRO is correctly applying the risk matrix to breaches.

ISA’s and MOU’s state that ACRO will audit them to ensure that they are complied with. A new audit template has been drafted in consultation with the business. It is in the process of being developed. This will be completed in advance of any renewals and will ensure that any issues are identified and resolved.

ICO Cause for Concern - we have been advised to update our privacy notice to reflect that we must respond within one calendar month.

ICO Official Notice - on 2nd July 2019 we were informed by the Data Protection National Group that an ICO Official Notice was about to be issued to 43 Forces in respect of a breach relating to Eurofins ransomware. This was issued because the ICO had failed to obtain sufficient information from the NPCC in order to fully assess the breach that had been reported. Forces are now required to comply with the notice. This should not affect ACRO as we are hosted by Hampshire Constabulary but it does provide us with an insight into the type of action that the ICO can and will take.

6. EGRESS & ECRIS 6.1 Research paper CW advised that during the presentation to the AITB in June 2019 of a paper showing which business areas would make use of the Egress facility in Outlook, further information was requested on the costs and benefits of using Egress. CW confirmed that the costs would be £33,480 for 360 users and that there would be many benefits including:

Compliance with current security requirements

Savings in postage for the sending of contracts etc as hard copies rather than electronically due to email security


Current staff time savings - avoidance of data breaches related to sending to incorrect or insecure email addresses £2,015

Post No Deal Brexit staff time savings - time saving on unwinzipping to send via post or to check the purpose £135,770

RP confirmed the Board agreed to go ahead.

6.2 Retention guidelines report for ECRIS GSA and the ECRIS RI CW advised that currently ECRIS GSA records are retained indefinitely. Under MoPI and NPCC RRD guidelines, certain data should be weeded. The weeding of data is also needed to reduce the growing amount of data storage needed. The recommendation is that the Board approve the guidelines as per the ECRIS retention schedule 6.2.1 below and agree that this be progressed with GSA to implement thus making ACRO compliant with the national guidance.

6.2.1 ECRIS retention schedule This was presented by CW together with the retention guidelines report as above. CW and KP are to make some amendments and RP requested for the revised version to be brought back to the next AITB (IT) meeting for decisions to be made on the recommendations with a view to signing it off.

Action 19/061: CW and KP are to make some amendments to the ECRIS retention schedule and the revised version is to be submitted as an agenda item at the next AITB (IT) meeting in August 2019.

7. IT Budget 7.1 Itemised budget 2019/2020 JB and AS presented the budget to the members of the Board. Those over £10K were reviewed and the whole budget is to be discussed in more detail at the next AITB (IT) meeting in August 2019.

8. Any Other Business 8.1 none

9. Next Meeting Date 9.1 7th August 2019, 10am, Ante Room, ACRO (IT)


ACRO Information and Technology Board Minutes

Minutes of the meeting held at ACRO Criminal Records Office on 5th June 2019 at 9:30am in the Ante Room, including the ServiceNow presentation at the beginning.

1. Attendance 1.1 Present

James Fulton (JF) Head of ACRO Karen Progl (KP) ACRO Senior Manager Susan Francis (SF) ACRO Senior Manager Chloe Bowler (CB) ACRO Senior Manager Julia Barnard (JB) ACRO Senior Manager Tom Mason (TM) T/ACRO Senior Manager Sarah Bravo-Segura (SBS) T/ACRO Senior Manager Cathy Roberts ACRO Deputy Manager Anne Saxton (AS) Finance Manager Alison Anderson-Sanger Information Manager Derek Bucksey Technical Support Analyst Sean De-Fraine IT Technical Delivery Manager Steve South (SS) Head of ICT Service Delivery (Hants/TVP) Ryan Curtin (RC) Service Delivery Manager, HC/TVP Mandie Rignall (MR) Management Assistant (Minutes)

For the ServiceNow demonstration only Carrie Oslar (CO) ICT Hants/TVP Vicky Sampson T/ACRO Deputy Manager Sally Scoffham Head of Section Customer Services

2. Apologies 2.1 Apologies were received from Rob Price, Lucy Saunders, Alex Ollis, Claire Wills and Annie Fursey.

3. ServiceNow demonstration 3.1 SS introduced CO and explained that ServiceNow had been procured approximately 12 months ago and this project commenced in August 2018. The product is community led, operating at core level with all developers and users contributing to the global platform. It comprises a self-service portal and a catalogue, and allows productivity of analysts to be compared which also highlights training needs. It is available to current ICT users and can enable fulfillers to gain statistics analysis. It can also transact externally. CO gave a live demonstration on how to use ServiceNow advising that this was phase 1 and that the next phase was to look into the browsing features to have no more than a 3 drop down approach. With JF enquiring how it could be used for a public facing query in Customer Services rather than an actual service being provided, SS advised that today was merely a taster session but a second meeting could look into tailoring individual requirements. JF felt we needed to know more and for a ServiceNow expert to spend time at ACRO understanding our needs and showing how it could work for us for public facing items and internal processes.

JF thanked SS and CO confirming that the demonstration had been highly informative. CO, RC and JB will arrange an initial brainstorming workshop to take place at ACRO.

ACTION 19/055: CO, RC and JB to arrange an initial brainstorming workshop to take place at ACRO.

4. Minutes and Action Log 4.1 Previous Minutes The minutes of the previous meeting held on 9th May 2019 were agreed as an accurate record following one amendment.

4.2 Action Log The action log was updated accordingly following discussion.

5. IT Update 5.1 General Update

SdF is still working on the server update, which will span over two weekends and is looking at September when supplier support is available. SdF will provide updates closer to the time regarding any business impact.

GSA now has approval from National auditors as to what they can access on PNC development platform. This piece of work is not imminent.

BT line options with varying degrees of resilience are being investigated in relation to business continuity and capacity for Forum 3.

Collosus has now gone live with NaVCIS. CB advised that on the Intelligence side, there have been some concerns relating to linkage issues and what the product is providing. This is being investigated. JB will also look into the searching issues being experienced.

ACTION 19/056: JB will look into the searching issues being experienced by Intelligence Unit when using Collosus.

6. Information Management Update 6.1 Data Breaches AAS confirmed that all Data Breach results are back from the ICO. The two that were outstanding have both returned with NFA and an apology was received from them for taking so long.

In April 2019 there were 53 breaches and 10 near misses for the whole of ACRO.

AAS is progressing with Stuart Saunders the automation of the reporting process to reduce double keying between report and log.

There was discussion about the presentation graph for transaction/incident comparison and it was felt that the information may be misinterpreted as there was the use of both left and right axis but with different growth rates. It was agreed that the verbal explanation was sufficient.

7. Requests for Change 7.1 In relation to the EGRESS paper, CB confirmed that her team had consulted with the business areas to see if they felt there was a purpose/need to buy it. All portfolios felt there would be benefit. If there is a no deal Brexit on 31st October 2019, this will solve some issues with security in exchanging criminal conviction information with other EU member states. CB reiterated that this was purely the email functionality of EGRESS. The proposal is to purchase EGRESS for the purpose of email security enabling greater GDPR compliance and allow staff to send information in a more seamless manner. CB advised that member states had chosen this method as their preferred option for receiving the information. There were discussions relating to the rules of security settings within various departments and their individual needs. There was a suggestion for a phased approach to use EGRESS for emails now and look at other areas such as police certificates at a later date.

JB confirmed that the costs provided in September 2018 were £27,500 per year for 310 users. A second option of £13,750 for 310 users was also available but with a limited service. These options had previously been discussed at length and the cheaper option had been discounted.

JF confirmed this would be operationally beneficial, it will need to be built into the budget and we would need to know the efficiency savings that are gained. There is support to progress with an implementation plan. CB would like the IT department to lead until it is in place then engage with the Development team.

8. Review of 2019/20 Budget 8.1 AS confirmed the following figures:

maintenance and support, £300K for May ‘19-Apr ’20 ordered and invoiced

b/fwd costs of £113K

prepaid relating to 2021 is £25K

£337K firm PO’s which includes £300K from GSA

£436K budget used to date

9. Any Other Business


JB queried how the national reporting stats should work through Hampshire and how does SS report. SS asked JB to send him the email she had received and he will investigate.

ACTION 19/057: JB to send email to SS regarding the requirement of national stats reporting.

10. Next Meeting Date 10.1 9th July 2019 at 10am in Ante Room


ACRO Information and Technology Board Minutes Minutes of the meeting held at ACRO Criminal Records Office on the 9th May 2019 at 1pm in the Ante room.

1. Attendance 1.1 Present Rob Price (RP) Chief Executive (Chair) Karen Progl (KP) ACRO Senior Manager Tom Mason (TM) T/ACRO Senior Manager Sarah Bravo-Segura (SBS) T/ACRO Senior Manager Sean de-Fraine (SdF) IT Technical Delivery Manager Tim Feltham Communications Manager Anne Saxton Finance Manager Mandie Rignall (MR) Management Assistant (Minutes) Jess Dinnage (JD) Management Assistant (Observing)

2. Apologies 2.1 Apologies were received from James Fulton, Lucy Saunders, Susan Francis, Chloe Bowler, Julia Barnard, Alison Anderson-Sanger, Karen Garett, Annie Fursey

3. Minutes and Action Log 3.1 Previous Minutes The minutes of the previous meeting held on 3rd April 2019 were agreed as an accurate record following the amendment that James Fulton had agreed that the “show and tell” would be at the next AITB (IT) meeting on 5th June 2019.

3.2 Action Log The action log was updated accordingly following discussion.

4. Information Management 4.1 Information Managers Update

KP confirmed that the latest data breach training took place on 25th April 2019 which covered a mix of new staff and those returning from long term absences, although it was disappointing that staff who were on the register did not attend. TM felt this may have been due to no individual invites, however, KP advised that HoS had been responsible for booking staff onto the training. TF felt it was the manager’s responsibility to arrange the booking slot and disseminate the information as necessary.

Action: KP to ask AAS to liaise with TF to arrange comms to ensure that managers are aware of the booking slot system and that they are responsible for their staff’s attendance.


The actions on Information Audit have been slow due to capacity but KP will be meeting with SBS, Ben Weir and Fiona Doyle in May to discuss the appropriate policy documentations for their business area.

The temporary Development Officer, Katherine Nichols, started on 7th May. She will work on auditing the April data breaches and recording lessons learned as well as updating the ACRO retention schedule.

The temporary Data Entry Clerk, due to finish in June 2019, is continuing his work to dispose of obsolete records for International Services relating to EIMS notifications.

Following discussions relating to the change in the reporting process of breaches at the last AITB (IM) a working group has been formed covering SMT and Deputy Managers. At the first meeting all agreed that the new process would work and the Deputy Managers gave assurance that they would be able to manage the demand of data breaches escalated to them. The group discussed changes that could be made to ease the process. Now that the initial report has been agreed corresponding changes will be made to the data breach policy and log.

There will be an oral hearing before the Upper Tribunal for ‘O’ on Friday 21st June to decide if the Claimant should be granted permission to bring a judicial review. JF and KP will be attending.

Outstanding complaint ‘DM’ – This is in respect of the complaint that his subject access had been delayed, this was due to the request for local force data not being sent to force. This case has been dealt with by way of local resolution. There is no misconduct with staff but some recommendations will be made to the business area regarding processes and training.

The communications team have worked on the organisational learning document which is planned to go live ahead of the AITB meeting on 9th May 2019.

4.2 Data Breach Update The report provided an update on data breaches from 1st – 30th April 2019 together with a detailed breakdown by business area for this reporting period. This report relies on the information in the spreadsheet; therefore, a “third party” is assumed to be a courier or postal issue but could be a member of staff, and JB had previously raised that an “IT issue” could actually have been human error in an IT system. KP advised that the ICO decisions are now recorded within an action log (point 4.6 within today’s agenda) to ensure that managers/staff can track that the actions are being progressed. RP asked to take a quick look at the action log at this point rather than later in the meeting and SBS was able to provide a verbal update for DB/18/001. RP is pleased that an action log is now in place but would like confirmation of the actions being carried out to be part of this update.

KP advised that a common trait for data breaches is the auto populate and a recommendation from the ICO is to have this turned off. There followed discussions that this was not a preferred change. TM explained that thousands of emails are sent and are still within secure channels even if inadvertently sent to the wrong Embassy for example and are therefore a low risk. KP also explained that the removal would significantly increase time taken by manually inputting the address every time as well as increasing the possibility of errors due to mistyping.

KP informed the Board that with new management in the Intelligence Unit came a review of their processes and the recording of breaches. Tim Judd decided that the Unit would retrospectively check their work and is now working towards new procedures and associated maintenance. RP would like to thank Tim for his leadership in this area.

KP advised that the ICO may have NFA’d our referrals but this is only because we have been able to demonstrate that we have taken appropriate actions to manage the risk.

4.3 Environmental Scanning KP confirmed that information had previously been sourced from the ICO’s website but following a DP & FOI group meeting, there is to be a new monthly source from where AAS can obtain the data.

KP advised the Board that Poland had received the first fine for GDPR. The company involved was fined for using personal data for another purpose without attempting to notify the data subject. This may be relevant in relation to privacy notices in custody and we need to take practical steps to make subjects aware of the use of their data for example, adding a note on our Subject Access website.

There followed discussions around two case studies, Bounty UK Ltd and London Borough of Newham. TF queried if there could be some context added to the examples. RP wishes to pick out the lessons learnt and contextualise the risk register.

The DBS has decided to continue using its existing system after falling out with the contractor brought in to replace it with a modern system. The project with contractor TCS is running over four years late and £229 million over budget. The Home Office is ultimately responsible for the DBS which issued over four million certificates in 2017/18. The certificates are widely used to check prospective staff in the public, private and voluntary sectors such as schools and care homes. KP is looking closely into prison vetting and reviewing this as part of an ongoing requirement into annual renewals of ISA’s.


4.4 Analysis on 2018/19 Data Breaches and Lost in Post for feedback from Board The analysis completed by Paul Moorman was seen by RP to be a significant piece of work and KP wanted to draw everyone’s attention to the recommendations. These are being looked into by the Deputies but some of them would attract a substantial financial implication. KP offered to take the recommendations and divide them into business areas, create a table and then circulate to SMT for comment.

Action: KP to take the recommendations and divide them into business areas, create a table and then circulate to SMT for comment.

RP confirmed in view of the detail of the analysis, it will not be discussed today, but will await the recommendations to be circulated in table format by KP and these will be reviewed at the next AITB (IM) meeting. TM would like it noted that sometimes doing nothing is an option, for example, postal errors are low when taking into consideration the high volume sent and particularly abroad. RP wishes to thank Chloe’s team for the analysis carried out.

4.5 Publishing ISA/MoU on website for decision KP advised that in the interests of transparency, it would be good practice to share all our Information Sharing Agreements (ISA) and Memorandum of Understanding agreements (MOU). Permission will be sought from the agency or country prior to publishing and all personal or sensitive information would be redacted. Five agencies who have recently signed or renewed agreements have consented to them being published. The Board was in agreement that this could be done. KP is to send details to the comms mailbox regarding these.

Action: KP to send details to the comms mailbox regarding the publishing of ISA’s and MOU’s that have agency or country permission.

4.6 ICO Action Log RP confirmed this style of reporting the actions is agreed to and should continue.

5. Data Protection Officer 5.1 KP explained that the purpose of the report is to update the Board having started to assess the needs for Data Protection provision for ACRO and the requirement for a permanent Information Management Portfolio due to the SMT needing to have sight of the type of work coming through the team and the idea of the demand.

KP advised that a Data Protection Triage takes place weekly for a whole day during which there is a review of all of the requests and the subsequent recording of all advice provided. Lawful basis questionnaires are reviewed prior to creating or renewing an ISA to determine whether there is a lawful basis for processing. KP provided details of a couple of examples which were The General Medical Council and HMPPS.


KP informed the Board that the role also includes Data Adequacy, Privacy Notices and Freedom of Information Requests. Work is also carried out regarding Court Orders.

6. Translation Audit 6.1 SBS advised that AF had run an audit report from December 2018 highlighting several significant issues with our translation services and that those issues continue. Regarding the audit log, SBS, although not content with the service, is happy that we have progressed this as far as possible in International. SBS confirms that the contract is due for renewal in March 2020, therefore, the tender process will need to start soon but the Procurement representative from Hampshire has not turned up for the previously arranged meetings. RP understood that the current company has a poor track record and have been identified as using unregulated staff, LS’s view had been that they were responsive in trying to improve things but SBS believes they are in breach of contract. With regards to the recommendations, SBS questioned the term “ACRO Translations Contract Manager” and who this would be. KP questioned recommendation #1 referencing an auditor which SBS confirmed had been taken back within her Portfolio as BAU. RP requests that AF update the log to show that action #1 shows that this is now BAU pending review of contract.

Action: AF to update translation audit action log to show #1 is now BAU pending review of contract.

AS raised concerns with recommendation #2 regarding the engagement with ITL and to claiming reimbursement.

7. Any Other Business 7.1 KP informed the Board she was meeting Amanda Cooper and Nav Malik to inform them that the PNC Retention Board would like to propose the amendment of the 100 Year Rule to 120 and ask for the next steps. This change comes with a caveat that weeding takes place and to then look at non-conviction data which in the main is 5 years.

8. Next Meeting Date 8.1 5th June 2019, 10am, Ante Room, ACRO (IT)


ACRO Information and Technology Board Minutes

Minutes of the meeting held at ACRO Criminal Records Office on the 3rd April 2019 at 10am in the Ante Room.

1. Attendance1.1 Present

James Fulton (JF) Head of ACRO Karen Progl (KP) ACRO Senior Manager Susan Francis (SF) ACRO Senior Manager Chloe Bowler (CB) ACRO Senior Manager Julia Barnard (JB) ACRO Senior Manager Tom Mason (TM) T/ACRO Senior Manager Sarah Bravo-Segura (SBS) T/ACRO Senior Manager Anne Saxton (AS) Finance Manager Alison Anderson-Sanger Information Manager Alex Ollis (AO) IT Systems Administrator Derek Bucksey Technical Support Analyst Claire Wills (CW) Systems Development Advisor Steve South (SS) Head of ICT Service Delivery (Hants/TVP Ryan Curtin (RC) Service Delivery Manager, HC/TVP Mandie Rignall (MR) Management Assistant (Minutes)

2. Apologies

2.1 Apologies were received from Rob Price, Lucy Saunders, Sean De-Fraine and Annie Fursey.

3. Minutes and Action Log

3.1 Previous Minutes

The minutes of the previous meeting held on 6th March 2019 were agreed as an accurate record following one amendment.

3.2 Action Log

The action log was updated accordingly following discussion.

4. IT Update

4.1 General Update using work schedule timeline

JF informed the Board that as a result of an action from Governance Board, JB would now provide her update in the timeline bubble chart format which demonstrates the key milestones for IT, support from TVP and some National Programmes.

JB went through the bubble chart and also highlighted:

The GSA Brexit changes were successful


30 new mobile phones have been received, Alex Ollis is liaising with individuals to replace

The ACRO website transfer to a supported platform is all in place

Any Windows server upgrade downtime will be planned for weekends and a plan of managing that rollout is to be provided by JB in advance

SS will provide a “show and tell” regarding ACRO ServiceNow at the next meeting

ACTION 19/046: SS to provide a “show and tell” regarding ACRO ServiceNow at the next meeting (9th May 2019). Subsequently agreed by JF that this would take place at the next IT meeting which is 5th June 2019.

JF advised that ACRO is still looking into the use of a Business Partner to review our processes and they will look into whether 365 is an appropriate choice for ACRO. There were discussions around the room regarding the requirement of SIMs in laptops or dongles offered if the user does not have a smartphone.

JF requested for the following to also be added to the bubble chart:

Business Partner Review

GSA move to ASP

NDI GSA PNC changes for Brexit

Business Continuity DR

£0.5 million disaster budget

JF asked JB how this current snapshot of the timeline will be updated to become a progressive document. CB offered for the Development team to monitor and keep it updated. CB would like meeting dates to be added to the timeline.

4.2 EGRESS paper

JF confirmed this paper is regarding how we would communicate with European countries should ECRIS be turned off in terms of securely emailing both Nationally and Internationally. Hampshire and TVP have confirmed that the use of the product would be supported by themselves and the costs would be £27,500 p/year based on 310 users providing file and folder protection. Following discussions, the principle was supported and approval given for JB to proceed with looking into this further and to assess any impact on each business area.

ACTION 19/047: JB to carry out further investigations into the use of EGRESS and obtain any impact from each business area.

National Programme Roadshow update paper – JF confirmed for noting ACRO PSNfP Code of Connection will be put on hold at this time and ACRO will work in the timeline of Hampshire/TVP ICT for o365.


5. Information Management Update

5.1 Data Breaches

JF believed everyone would have had the opportunity to read the paper. KP announced that JB had made her aware of a new quarterly report requirement to the National Institute as highlighted at the National Information Assurance Forum. KP will investigate further as to the actual requirements and if the ACRO reporting spreadsheet needs to be amended to reflect these. JB advised that the assumption had been that Hampshire were completing the reporting on our behalf.

ACTION 19/048: KP to provide update on investigation into the requirement of a quarterly report as highlighted at the National Information Assurance Forum.

SBS requested that Ben Weir and Fiona Doyle be sighted on the breaches analysis from Paul Moorman when completed.

TM highlighted that 6.2 in the paper quotes 14 due to human error and believes this should be 5.

KP informed the board that the first GDPR fine had been issued by Poland at £187k.

JF queried the communication strategy on organisational learning; AAS confirmed that ACRO would mirror the Force and use their template. JF would like the first email to go out within the next 4 weeks.

ACTION 19/049: AAS to send out the first comms re organisational learning from data breaches within the next 4 weeks.

6. Requests for Change

6.1 Brexit change regarding unknown in place of birth

CB advised that this was covered in the Brexit Gold meeting yesterday when it was requested that approval be given for a GSA development day so an automatic rejection function can be installed.

7. Review of 2018/19 Budget

7.1 AS confirmed the following figures:

budget for year 2018/19 was £960K

amount invoiced in 2018/19 is £669K

£182K was paid in 2017/18 relating to 2018/19

£112K has been paid in 2018/19 relating to 2019/2020

Total budget used is £799k against original £960k planned

The underspend difference relates to:

£150k hardware purchase that did not come to fruition


£48k NDI work did not happen

£44k Yogas and Laptops did not happen

However, Testa, £105k was an additional spend in the year.

JB will be producing an itemised budget list for 2019/2020 and will bring this to the next AITB meeting (although AITB-IM).

ACTION 19/050: JB to produce an itemised budget list for 2019/2020 for presentation at the next AITB meeting on 9th May 2019.

JF advised that the Joint ICT bill has been received for £308k. AS confirmed that a meeting is being held to discuss what is included within this charge before payment is made.

8. Any Other Business

CB accepts that the EGRESS investigation will progress as noted earlier in the meeting, however, in the interim there are some difficulties in exchange being experienced, not just with Poland but some other countries as well. CB advised that the Development team had come up with three other solutions to be explored: PSNP, Private key encryption and electronic signatures, however these have been pushed back by IT. CB would like to know why each has been rejected and what other solution can be offered to the countries involved. SS offered to speak to Amanda Cooper if RC is no longer able to assist.

CB wished to say thank you to the person in TVP responsible for sorting out the phone hunt group for development.

SF queried if everything with GSA was now BAU. CB advised this will depend on a business partner which will not be decided until autumn 2019.

9. Next Meeting Date

9.1 9th May 2019 at 10am in Ante Room


ACRO Information and Technology Board Minutes

Minutes of the meeting held at ACRO Criminal Records Office on the 6th March 2019 at 10am in the Boardroom.

1. Attendance

1.1 Present

Rob Price (RP) Chief Executive (Chair)
James Fulton (JF) Head of ACRO
Lucy Saunders (LS) ACRO Senior Manager
Susan Francis (SF) ACRO Senior Manager
Chloe Bowler (CB) ACRO Senior Manager
Julia Barnard (JB) ACRO Senior Manager
Karen Progl (KP) ACRO Senior Manager
Alison Anderson-Sanger (AAS) Information Manager
Ryan Curtin (RC) Service Delivery Manager, HC/TVP
Mandie Rignall (MR) Management Assistant (Minutes)

2. Apologies

2.1 Apologies were received from Steve South, Toby Backhouse, Anne Saxton and Claire Wills

3. Minutes and Action Log

3.1 Previous Minutes

The minutes of the previous meeting held on 12th February 2019 were agreed as an accurate record.

3.2 Action Log

The action log was updated accordingly following discussion.

4. Information Management

4.1 Information Management Update

Data Breach Training - AAS advised that two catch-up training sessions are booked for 20th and 28th March 2019. The next session will then be in June, a date is yet to be confirmed. Training has raised the level of awareness of breaches and staff at all levels now regularly seek advice and support as to whether a situation constitutes a breach. This is really encouraging.

Information Audit - A temporary Research Officer vacancy was advertised and the successful applicant is currently going through pre-employment checks. Once in post the main focus will be to audit the data breaches and record lessons learned for the annual data breach review report. The temporary Data Entry Clerk, Rob Jones is currently working with Claire Wills on disposing of obsolete records for International Services relating to EIMS notifications.

NPCC Data Protection officer (DPO) - Toby Backhouse will be leaving the NPFDU on 7th March and we take this opportunity to pass on our thanks to him for all the support provided and for the substantial work he has completed in the weekly triage meetings. We wish him the best of luck for his new role. There have been 16 triage meetings since 16th October covering a wide range of data protection matters. AAS has contacted Aristi who provide virtual data protection officer services. They have confirmed that they will require a scoping visit to develop a bespoke service to cover legal basis, ISA, DPIA and SIRO reviews to be able to provide a quote. To give an indication the general support they offer range from £20,280pa for top level service to basic telephone service £10,985 (excluding expenses and VAT) if you are GDPR compliant. KP confirmed that it is not necessary to use an outside agency yet as both herself and AAS are currently able to manage. RP offered to endorse external support.

Judicial Review – “O” - There is no further update on the judicial review for ‘O’, however he has since made a further complaint against ACRO about a disclosure to Lambeth Council, who are also subject to a separate judicial review with ‘O’. We have not made a disclosure to Lambeth Council but ‘O’ is not accepting of this and is escalating his complaint to the Information Commissioner’s Office.

Outstanding Complaints - On 8th February ‘DM’ complained that his subject access had been delayed, this was due to the request for local Force data not being sent to Force. On 15th February he was sent a letter apologising for the delay and requesting further details of his complaint against a member of staff. The complainant then raised a formal complaint via Professional Standards and this is currently being investigated by way of local resolution.

Environmental Scanning – nothing of note.

National Work update

KP advised that the PNC review is now progressing, KP and Mark Williams will be meeting once a month, will write the rules and send out to the other work packages for testing and hopefully provide progress. KP advised that the APP on MOPI is out of date. This has been reviewed and rewritten to bring it in line with Force feedback on required changes making records management more achievable. This new set of guidance has been put on hold at the request from AC Amanda Cooper.

4.2 Data Breach and Information Management Communications

AAS confirmed there is now a communications plan in place to maintain the focus now that all staff have received their data breach training. Depending on the results of the survey, data breach workshops could be provided for deputy managers to cascade the learning down to their team. AAS has engaged with the communications team to gather their ideas for how to feedback to the business lessons learnt from significant data breaches. If there is an impact on the staff, then it will be important to highlight what that would be. JF confirmed that there needs to be a promotion of organisational learning. This reporting will demonstrate that ACRO are being proactive in trying to reduce the elements that cause data breaches. JF added that any survey should not coincide with the Durham Survey.

4.3 Data Breaches March 2019

Summary - AAS advised that there have been 342 data breaches, 58 near misses, 12 disputes and 890 lost in post recorded in the data breach log in total of year to date.

Data Breaches Reported to ICO - In the period since the last report, there has been one data breach referred to the ICO and we have received an ICO decision for a previously reported breach. In relation to DB.19.027 ACRO self-referred to ICO as a third party received a Police Certificate for Mr P which detailed a number of child sexual offences. This was reported previously to the meeting however to appraise of the current position the final report has been sent to the ICO. As soon as an update is received from the ICO it will be reported to the AITB.

Data Breaches in National Services - During the reporting period 15 breaches have been logged by National Services. 13 breaches have been risk assessed as green and 2 amber. Of the above breaches 7 are as a result of a third party the remaining 8 are due to human error. However, despite being due to a third party, ACRO may still be seen as at fault as it could be deemed we should have checked.

Data Breaches in International Services - Over the reporting period 37 breaches have been logged by International Services. 36 breaches have been risk assessed as green and 1 amber. Of the above breaches 8 are due to system errors, 22 are as a result of a third party the remaining 7 are due to human error.

Data Breaches in Intelligence - Over the reporting period 16 breaches have been logged by Intelligence. 14 breaches have been risk assessed as green, 1 amber and 1 yet to be assessed. Of the above breaches 2 are as a result of a third party the remaining 14 are due to human error. The significant increase in the reporting of data breaches in Intelligence is due to the acting deputy manager requesting his team to review all historic files for a self-induced audit.

Near Misses - No reported near misses in the reporting period.

Lost in Post - No specific pattern can be identified.

Data Breach Reporting for next business year – AAS confirmed that to bring data breach reporting in line with other reporting within ACRO it is proposed that the data breaches be reported in set month periods. This will allow for comparison to volumes to be ascertained.

RP asked JB to check the BBC report yesterday regarding Verify

Action: JB to check the BBC report yesterday regarding Verify


4.4 Data Breach report template

AAS confirmed that in the data protection breach policy an audit of data breaches will be undertaken for the business year (April to March). The report will provide a breakdown of breaches relating to the organisational, portfolio, business area and staff. This report will provide a benchmark for subsequent years to demonstrate that there is a reduction in occurrences of data breaches that are within the organisation’s control. In the data breach report AAS updated that in the forthcoming business year breaches will be reported in calendar months. This will allow comparisons to be drawn against previous months and years in a graph format. This information will be incorporated with the data breach report monthly and can be broken down into business areas to be provided to the SMT for discussion with their deputy managers.

KP was concerned that the performance data would only be shown once a year and suggested that AAS sets up meetings with Deputies to allow more regular reporting. CB suggested an operational deputies working group and it was agreed this could be Ben Weir, Tim Judd and Tom Mason.

4.5 Data Breach Policy Update

AAS advised that the data breach reporting has been reviewed to establish if it is necessary for all breaches to be escalated to SMT to assess and report. A revised reporting process was trialled in National Services and was proven to be successful. In the updated policy the HOS/Supervisors report breaches to a Deputy Manager who will complete the risk assessment. If the breach is rated green they will complete part 2 of the breach log and breach report. Green rated breaches will no longer require input from SMT. Breaches rated as amber or red will be escalated to SMT by the Deputy Manager for advice and if necessary to investigate and report. Breaches reported out of hours are now to be risk rated by the HOS/Supervisor or deputy manager if available. If the breach is rated amber or red the HOS/Supervisor/Deputy Manager should telephone the Data Protection Officer or Head of ACRO for advice. Green breaches should be referred to the Deputy Manager for the business.

LS commented that the Heads of Section were not confident on making the decisions. General discussions were had regarding who was to have the responsibility, CB suggested a few people could become points of reference for those completing the forms, JF suggested for it to be discussed at the HoS away day. AAS to speak to Ben Weir and Fiona Doyle regarding the policy change and what would be a standardised reporting process. There were further discussions relating to out of hours decisions and should someone be on call. JF advised that if necessary, either he or KP should be contacted.

4.6 Data Adequacy report

AAS confirmed that the right questions are being asked when the Development team are engaging with countries to update the MOUs. TB will forward some more questions that can be asked to build on the research already being done. The National Group have provided feedback from both Abby Turner and DAC Martin. AAS has also looked at the ICO who will need to review their guidelines.


5. Any Other Business

5.1 CB explained that further to the USA data access problem re Data Protection Adequacy, we can have this but need to physically collect, this is being collected from Croydon next Thursday. This could not be sent through normal channels due to the size of the data set.

JF requested that JB provides her updates to the Board as of the next meeting, in a work schedule format. CB will send JB a delivery schedule template.

6. Next Meeting Date

6.1 3rd April 2019, 10am, Ante Room, ACRO (IT)


ACRO Information and Technology Board Minutes

Minutes of the meeting held at ACRO Criminal Records Office on the 12th February 2019 at 10am in the Ante Room.

1. Attendance

1.1 Present

Rob Price (RP) Chief Executive (Chair)
James Fulton (JF) Head of ACRO
Karen Progl (KP) ACRO Senior Manager
Susan Francis (SF) ACRO Senior Manager
Chloe Bowler (CB) ACRO Senior Manager
Julia Barnard (JB) ACRO Senior Manager
Anne Saxton (AS) Finance Manager
Sean De-Fraine (SDF) IT Technical Delivery Manager
Alex Ollis (AO) IT Systems Administrator
Claire Wills (CW) Systems Development Advisor
Ryan Curtin (RC) Service Delivery Manager, HC/TVP
Mandie Rignall (MR) Management Assistant (Minutes)

2. Apologies

2.1 Apologies were received from Steve South, Lucy Saunders, Alison Anderson-Sanger and Annie Fursey.

3. Minutes and Action Log

3.1 Previous Minutes

The minutes of the previous meeting held on 9th January 2019 were agreed as an accurate record.

3.2 Action Log

The action log was updated accordingly following discussion.

4. IT Update

4.1 IT Team Out of Hours working and Call Out

JB has requested GSA to produce costs for cover 7am – 7pm; these are due to be received by next week. JB stated that her team currently start at 8am or 8:30am if team members are on annual leave. In relation to operational hours, RP queried what the benefit would be to have an out-of-hours capability. CW advised that GSA were not available until 9am. Both CB and KP expressed concerns that at 7am, almost half the workforce are in and are unable to work if there are issues. SdF suggested that a formal structure would be required if the team were to cover 7am-7pm. There were discussions held around if onsite support was a necessity or on call facility to staff with remote network access. RP requested for JB to produce a report of costs, implications for IT and GSA with expectations and where there are gaps including an SLA with a starting time of 7am.

Action: JB to produce a report of costs, implications for IT and GSA with expectations and where there are gaps including an SLA.

SdF advised on the issues surrounding the monthly updates and patching which are carried out on the 3rd Saturday of each month which will impact overtime.

4.2 General Update

4.2.1 Jamaica

JB confirmed that this is now all delivered and signed off. RP expressed his thanks for everyone’s commitment out in Jamaica. JB thanked AS and Lisa Hunniford for all their assistance on the finance. JF has thanked GSA and will be following up with contacts in Jamaica. JF explained that they now have the system and can tweak to suit. The technical, legal handing across (the Contract Novation) will happen in approximately June 2019. There will be more development work, in particular safeguarding. There has been confirmation from the Jamaicans that 40% of the monies received from Police Certificates will now go into JCM. JB will be producing a highlight report and a lessons learnt report.

Action: JB to produce both a highlight report and a lessons learnt report.

4.2.2 ACRO server upgrades

JB confirms communication from TVP regarding Microsoft support and that Hampshire’s infrastructure will not allow us to upgrade with the system required so this will be put on hold, particularly with Brexit and other current issues. This will now be in the new financial year. JB confirmed that the equipment has already been purchased.

Action: RC to investigate the upgrade of Server 2016 or 2019.

4.2.3 DMZ upgrade

JB advised the equipment has been purchased, the licenses are complete and the upgrade will be actioned as soon as possible once the servers are available.

4.2.4 List of laptops

JB will request again which posts have been identified to have laptops in order to review for business continuity purposes.

4.2.5 RP request of information presentation

RP requested for all JB’s updates to be presented in a spreadsheet format to assist with audit, accountancy, delivery dates and ownership purposes. This would greatly assist with aligning the jobs with finance as well as IT.


Action: JB to produce a working spreadsheet for the updates.

5. Information Management Update

5.1 RP expressed concerns that the escalation policy was having a high impact on SMT. However, Data Compliance is paramount and our criteria is clearly defined. JF would like there to be organisational learning from our mistakes and has asked the communications team to look into a strategy around advising staff where/how things have gone wrong in order to provide awareness. JF suggested a need to run a Data Breach part 2 programme so staff can see the significance and consequences of a breach. KP felt that it would be more beneficial for AAS to have regular catch-ups with the Deputies to discuss the reviewing of individuals and their training as well as any required amendments to processes. She also advised that the paper submitted is not the latest version. RP requested KP to let him have details of any one business area underperforming in terms of breaches.

Action: KP to advise RP of any one business area underperforming in terms of breaches.

KP wishes to change the policy so that Head of Section completes part 1 and the report, the Deputy completes part 2 and files if green or forwards to SMT if red or amber. JF agreed with this principle providing there was a greater QC’ing process to check the greens.

6. Requests for Change

6.1 CW advised that some automation has been introduced in January 2019 for asylum checks. It needs to be moved to a different point in the process for which GSA will charge ½ day but costs will be recouped within 15 days. RP agreed.

7. Review of 2018/19 Budget

7.1 SF and AS confirmed the following figures:

• budget for year 2018/19 is £961K
• amount invoiced in 2018/19 is £259K
• £182K was paid in 2017/18 relating to 2018/19
• £64K has been paid in 2018/19 relating to 2019/2020
• there is further spend of approximately £630K anticipated for the remainder of the year

Discussions about the further spend items:

7.2.1 GSA Development for automation of Notifications Out - £62K

JB advises this will be placed on order before year end.

7.2.2 GSA development for automation for PNC Services – approx. £30K this year

JB advises this will be placed on order before year end.


7.2.3 Desktop PC hardware refresh to enable Windows 10 install - £153K

RC confirmed that even though Windows 10 pilot is not yet signed off, the hardware can still be ordered. JB confirmed she will progress order.

7.2.4 Website platform work - £40K

JB advised this would not be completed this financial year, she estimates that 50% will be complete by year end.

7.2.5 GSA Licences – approx. £100K

JB confirmed this would be ordered this financial year.

7.2.6 TESTA - £130K

JB confirmed order would be placed this financial year. Update – the final figure was actually £105K

7.2.7 Laptops and mobile phones - £38K

RC confirmed these were available, JB confirmed these would be ordered this financial year.

8. Any Other Business

None

9. Next Meeting Date

9.1 6th March 2019, 10am, Ante Room, ACRO (IM)


ACRO Information and Technology Board Minutes

Minutes of the meeting held at ACRO Criminal Records Office on the 9th January 2019 at 10am in the Ante Room.

1. Attendance

1.1 Present

Rob Price (RP) Chief Executive (Chair)
Lucy Saunders (LS) ACRO Senior Manager
Susan Francis (SF) ACRO Senior Manager
Chloe Bowler (CB) ACRO Senior Manager
Julia Barnard (JB) ACRO Senior Manager
Alison Anderson-Sanger (AAS) Information Manager
Ryan Curtin (RC) Service Delivery Manager, HC/TVP
Jenny Brocks (JB) Management Assistant
Tanya Smith (TS) Personal Assistant (Minutes)

2. Apologies

2.1 Apologies were received from Steve South, James Fulton, Anne Saxton

3. Minutes and Action Log

3.1 Previous Minutes

The minutes of the previous meeting held on 10th December 2018 were agreed as an accurate record.

3.2 Action Log

The action log was updated accordingly following discussion.

4. Information Management

4.1 Information Management Update

AAS confirmed 100% of staff are now data breach trained. There will be another wash up shortly for any new starters/long term sick/maternity etc. Feedback will be obtained from staff who have been trained to gather information on areas that require to be covered in more detail. RP formally thanked AAS for all her hard work in obtaining the 100% rate and for taking on the training at such short notice.

Collation of data for the audit is now 100% complete. The action plans for International Services and National Services will be drafted this month and then presented to the SMT.

A temporary Research Officer vacancy has been advertised and will assist the business areas to complete the documentation required under the new legislation.


Furthermore a new Data Entry Clerk has been appointed and is currently working in International Services disposing of obsolete records.

The triage system with the NPCC Data Protection Officer has been in place for a number of months and is proving successful. A procedure has been drafted for the screening process for new agencies which has proven to shorten the time required for the Data Protection Officer to make an advised decision.

KP updated colleagues on the case of ‘O’. This has now been transferred to the Upper Tribunal in November. ACRO’s Legal Advisor will ask the Upper Tribunal to inform who they consider to be the Controller so that a decision can be made to delete the conviction.

4.2 Data Breaches Update

AAS confirmed that since 1st April 2018, there have been 231 data breaches, 50 near misses, 11 disputes and 766 lost in post recorded. A total of 5 data breaches have been referred to the ICO. Since the last update, 30 breaches have been identified in National Services and 54 in International Services. A discussion was had by colleagues as to the breaches still occurring and how certain types of breaches occur such as sending to an incorrect recipient/address. It should be remembered that the number of types of breaches are minimal compared to the amount of data that is processed on a daily basis. It will be beneficial to look at trends and numbers once a full year has been concluded. KP confirmed there will also be a report to be discussed at the Strategic Meeting which will include new recommendations.

4.3 Environmental Scanning

AAS presented a report to colleagues on environmental scanning in respect of Data Protection issues from the last AITB to date. It should be noted that there have not been any enforcements under the new Act so monetary penalties are still under the old Act. Furthermore AAS stated the EU will aim to reach a decision on whether to endorse UK Data Protection standards before the end of 2020 according to proposals agreed by Brexit negotiators. It was agreed that the report is beneficial and colleagues would like this to continue at future AITB IM meetings, however RP felt it could be every other meeting unless there was something to note. This report was for colleagues to note.

4.4 National Information Management Update

KP confirmed that the ICO, following an increase in their establishment to cope with the high demand, have created a new directorate for high profile investigations, such as that with Cambridge Analytica. The risks announced are being incorporated into the national risk registers at IMORCC and DP/FOI groups.

There is still no national portfolio lead for Information Sharing and as such it is being maintained by the NPFDU. The Data Protection Authorised Professional Practice and Manual of Guidance documents are still under development. The College of Policing are supporting the development of these documents; however, there is growing concern that the documents currently in use are at least 12 months out of date.

The National Subject Access Group has been rebranded as the National Subject Rights Group. Forces currently have significant backlogs and are self-referring to the ICO at the point the response deadline has been exceeded. This is due to the momentous increase of Subject Access requests and not having sufficient resourcing to meet the demands.

In terms of national projects, NLEDS is currently a RED rating on its Project Assessment Review, which means they have been deemed unable to achieve on scope, in budget or on time. NLEDS are now, as a result of this, rescoping their budgets and timelines. The Digital Evidence Transfer Service Common Platform will be delayed but will continue to be progressed by Her Majesty’s Courts and Tribunal Service’s Crime Programme.

A recommendation has been put to the Home Office to apply the Public Records Act to the Police Service. This has been considered in the past, but the current feeling is that the Police Service will be encouraged to voluntarily adhere to the requirements of the Act; however, there will be cost implications.

The PNC retention review has been extended to July 2019 with the terms of reference being endorsed by the Data Protection and FOI Portfolio Group. ACO Cooper has written to all Chief Officers requesting that they do not delete court convictions until the review has been concluded and the Controller/s have been identified.

4.5 NPCC Data Protection Officer Update

TB stated that KP and AAS have covered the majority of the update. However, TB did confirm that he will be leaving the NPFDU/ACRO in the next month so recruitment is underway to find a replacement.

5. Any Other Business

5.1 No other business was discussed.

6. Next Meeting Date

6.1 12th February 2019, 10am, Boardroom, ACRO (IT)
