Making a Freedom of Information request
Before making a Freedom of Information request please visit our Data Intelligence Hub. The information you are looking for may already be there.
Visit the Data Intelligence Hub
If the information is not there you can make your freedom of information request the following ways. You can also make Environmental Information Requests (EIRs) through these ways.
Fill in our Freedom of Information request online form
You can also send a letter to the Customer Insight, Information and Investigations Team, Town Hall, Main Road, Romford RM1 3BB
Please make sure your request is specific and includes an email or postal address for us to respond to.
We will respond within 20 working days following the date of receipt. We will:
- confirm whether we have the information
- provide the information if we are able to
- advise of any exemptions stopping us providing the information
- advise your rights of appeal
- provide advice and assistance
NNDR Freedom of information requests
Our business liability data is updated every three months and is available online.
Costs
There is no standard cost to receive information and in many cases the information will be provided to you free of charge.
We can refuse a request if we estimate that it will cost us more than £450. This is called the cost limit.
Where the limit is exceeded we will contact you to let you know. We will request payment if you still want the information but we also give you an option of refining your request.
Payment is made by cheque or postal order.
Personal information
Requests for personal information eg the name of a ratepayer, will not be responded to and will be redacted as they are exempted under section 40 of the Data Protection Act.
Empty properties
Freedom of Information Act, Section 31(1)(a) - Prevention and Detection of Crime
Public authorities are not obliged to release information that could prejudice the functions of law enforcement, namely the 'Prevention and Detection of Crime'.
The release of such information would increase the likelihood of empty properties being:
- lived in by squatters and squatting in a residential property is a criminal offence
- targeted by vandals or graffiti artists and stripped of materials such as roofing, cables or piping, or otherwise vandalised or damaged
- targeted by criminals or terrorists for example allowing them to hide or store the proceeds of crime, or criminal or terrorist materials
Credits
Request for information about credits on accounts will not be responded to as they are exempted under Section 31 on the Freedom of Information Act.
Properties that hold a credit on their account are open to fraudulent claims for this refund.
Therefore to reduce the possibility of fraud, details are not passed out of credits.
FOI requests concerning IT security issues, attacks, ransom and malware and related topics
London Borough of Havering (LBH) has a very robust IT security system. We do not disclose specific IT security information or confirm the existence of cyber-attacks to prevent potential exploitation by criminals.
We use exemptions under the Freedom of Information Act 2000 to withhold such information.
LBH’s IT Security System is robust, and we regularly update our tools and products to ensure the safety and security of our data and systems.
We aim to be transparent, but we avoid disclosing too much information that could be exploited by criminals to gain unlawful access to our systems and sensitive data.
We do not release information about our IT security systems, suppliers, or update schedules.
This information is withheld under section 31 (1) (a) of the Freedom of Information Act 2000 to prevent crime.
We have conducted a public interest test and concluded that the public interest lies in upholding the exemption to prevent crime and protect data integrity and that this outweighs the benefits of transparency.
We will 'neither confirm nor deny' any information regarding cyber-attacks to prevent revealing potential vulnerabilities, as allowed under section 31(3) of the Freedom of Information Act 2000.
We believe that confirming or denying the existence of cyber-attack information would provide criminals with insights into our cyber security systems and processes, thereby increasing the risk of attacks.
Please see our full exemption notice and public interest test relating to the engagement of S31 for requests concerning IT Security, attacks, ransom, malware and related topics.
London Borough of Havering (LBH) has a very robust IT security system.
We use all the necessary products and tools to keep our systems safe and secure.
We update them regularly and we comply with the relevant guidance and codes of practice.
We have a duty under the UK GDPR regulation and Data Protection Act 2018 to keep people’s personal data safe and secure and we comply with that duty.
Although the council needs to show that it can do this and will comply with its obligations, at the same time we must be careful that too much transparency does not cause damage.
Most people are honest, and law abiding and don’t intend to misuse information to cause harm.
There are criminals who try and exploit system weaknesses to cause damage or make money.
Under Freedom of Information, giving information to one honest requester is the same as publishing it to everyone in the world.
If we provide information that tells criminals when we last updated our security software for example, they could use that to exploit any known weaknesses and try and hack our systems.
The council managed a vast amount of personal data because we carry out so many functions.
We have a lot of very sensitive data – for example about care we provide to vulnerable adults, or casework for childcare social workers.
The council must take all necessary steps to make sure we keep it this data safe and secure.
This means not telling people information that would allow criminals to gain unlawful access to our systems that may allow them access to the data we hold.
Freedom of Information Act requests
1. IT security issues
We are frequently asked for information about IT security issues in LBH.
We are often asked about what IT security systems we have in place, the suppliers and versions of our IT security, how often we update and amend our security, whether we have identified issues or vulnerabilities and what we have done to strengthen those.
The council has considered these issues carefully and we have decided that we do not release this information.
This is because we consider it is exempt under section 31 of the Freedom of Information Act 2000.
We have explained why below.
Refusal Notice Section 31(1)(a) – Law Enforcement
Section 31(1)(a) says that we do not need to provide information that would be likely to prejudice the functions of law enforcement - the prevention and detection of crime.
LBH believes that releasing this information would increase the likelihood of:
- criminals using the information to target attacks against council systems, for example, knowing when we last updated a security system would allow criminals to know what vulnerabilities existed at that time and target attacks on those. It is important LBH does not do anything that would allow personal data it holds to be accessed illegally.
- knowing if LBH’s systems do not have vulnerabilities will increase the chances of other more vulnerable organisations being targeted by criminals
Public Interest Test
As Section 31 is a qualified exemption we need to consider the public interest test.
Factors in favour of disclosure
- It would help transparency and accountability of the council.
- It would reassure people about whether our systems are vulnerable or not.
- It would provide information about how effective our security systems are.
Factors in favour of withholding
- There is an inherent public interest in crime prevention.
- There is public interest in avoiding the costs (financial, distress, inconvenience, publicity, regulatory) associated with any attacks.
- There are public interests in preventing any threat to the integrity of council data.
- There is public interest in ensuring the council can comply with its duties to take all necessary steps to safeguard data.
We believe that the balance of public interest lies in upholding the exemption and not releasing the information.
2. Malware and ransom attacks
We are also often asked questions about malware, ransom ware, attacks and the like.
We are asked if we have had any cyber-attacks, and how many, if they have succeeded and what actions we have taken.
We can be asked if we have been the victim of ransomware, whether attacks were successful, if we paid ransoms, how often, when, to whom and for how much.
We have decided that we do not tell requesters if we hold this information or not.
Under Freedom Information Act this is called a ‘neither confirm nor deny’ response.
We can do this under section 31 of the Act.
We have explained why below.
Refusal Notice Section 31(3) – Law Enforcement
The council believes that telling requesters if we hold information about cyber-attacks, ransom ware and the like will cause damage.
This is because saying if we do or do not hold information would give cyber criminals insight into vulnerabilities which may, or may not, exist.
This would we likely to damage our cyber security systems and plans.
Therefore, we use the exemption in section 31(3).
This allows us to refuse to confirm or deny if the information is held.
The council is allowed to refuse to say if it holds information about this or not.
When we use a neither confirm or deny response you should not assume that we do, or do not, hold any information.
Section 31(3) is a qualified exemption which means we must do a public interest test where we compare the public interest for and against disclosing.
The public interest test is not about whether we should disclose any information that we might hold.
It is a test of whether we should say if we hold the information or not.
Factors in favour of confirming or denying if we hold relevant information.
- It would help transparency and accountability of the council.
- It would reassure people about whether our systems are vulnerable or not.
- It would provide information about how effective our security systems are.
Factors against confirming or denying if we hold relevant information.
- Saying if we hold information would provide information about how effective our security systems are. This would be likely to give cyber criminals insights into the strengths of the council’s cyber security and any potential weaknesses that may exist. This would increase the chances of cyberattacks. One of the reasons that cyber security measures are in place is to protect the integrity of personal and sensitive personal information so increasing the chances of an attack would have potentially serious repercussions.
- If the council confirms that it holds a lot of information then this could show criminals its systems are particularly vulnerable, encouraging attacks.
- If the council confirms that it holds little information this could either show it has poor reporting and recording procedures which will encourage an attack, or it could show it has robust procedures which could encourage an attack to try out criminals’ new techniques or could encourage criminals to target other councils’ systems which would increase crime elsewhere.
- There is public interest in complying with our legal obligations to keep personal data secure and to take appropriate measures which includes keeping areas confidential where necessary.
We believe that the balance of public interest lies in upholding the exemption and not confirming or denying if we hold this information.
Your rights
If you have made a FOI request and you are not happy with how your request was handled, you can request an Internal Review within 2 months of being directed to by replying back to the email/address stated on our response.
Please quote your case reference number.
If you are not satisfied with the Internal Review outcome you have the right to contact the Information Commissioner’s Office at casework@ico.org.uk, telephone 0303 123 1113, or post to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
The ICO website may also be useful.