Who provides your digital evidence management (DEMS) system?
West Yorkshire Police are unable to provide you with this information as this is exempt by virtue of Section 31(1)(a)(b) Law Enforcement. Please see Appendix A, for the full legislative explanation as to why West Yorkshire Police are unable to provide the information.
What date does this contract end and are there any extension periods to this date as part of the contract?
The contract for DAMS ends on 30th May 2027 + 4 x 12 Month Extensions.
The contract for BWV ends on 30th September 2023.
What is the net spend on your current DEMS contract?
The net spend for DAMS is £3,799,977. The net spend for BWV is £2,121,121.05.
What procurement route do you intend to use when going to market for a new solution?
This information is not held.
Who is the main contact in charge of your DEMS contract and the current solution?
IT Project Managers are in charge of these contracts and can be contacted using the 101 contact number.
Appendix A
The Freedom of Information Act 2000 creates a statutory right of access to information held by public authorities. A public authority in receipt of a request must, if permitted, state under Section 1(a) of the Act, whether it holds the requested information and, if held, then communicate that information to the applicant under Section 1(b) of the Act.
The right of access to information is not without exception and is subject to a number of exemptions which are designed to enable public authorities, to withhold information that is unsuitable for release. Importantly the Act is designed to place information into the public domain. Information is granted to one person under the Act, it is then considered public information and must be communicated to any individual, should a request be received.
DECISION
Your request for information has been considered and I regret to inform you that West Yorkshire Police cannot comply. This letter serves as a Refusal Notice under Section 17 of the Freedom of Information Act 2000.
Section 17 of the Act provides:
(1) A public authority which, in relation to any request for information, is to any extent relying on a claim that information is exempt information must, within the time for complying with Section 1(1), give the applicant a notice which:-
(a) States the fact,
(b) Specifies the exemption in question, and
(c) States (if that would not otherwise be apparent) why the exemption applies.
REASONS FOR DECISION
The reason that we are unable to provide you with this information is covered by the following
Exemption:
S31(1)(a) – Law Enforcement
Section 31 is a qualified, prejudice-based exemption and there is a requirement to conduct a harm and public interest test.
Harm
For West Yorkshire Police consider any possible harm that might arise as a result of placing the requested information into the public domain. This process considers the potential harm to:
• Individuals
• The community as a whole
• West Yorkshire Police and the wider policing service
• Other bodies
Policing is an information-led activity, and information assurance (which includes information security) is fundamental to how the Police Service manages the challenges faced. In order to comply with statutory requirements, the College of Policing Authorised Professional Practice for Information Assurance has been put in place to ensure the delivery of core operational policing by providing appropriate and consistent protection for the information assets of member organisations, see below link:
https://www.app.college.police.uk/app-content/information-management/
Commercial DEMS Providers are vitally important in the Criminal Justice system - not only do they play a crucial role by supporting UK Policing with the security and storage of vast amounts of digital evidence that can be gathered or generated during investigations, but they help manage the chain of custody; keeping relevant audit logs so that the digital evidence can be relied upon in Court.
Whilst not in any way questioning the motives of the applicant, it must be taken into account when considering potential harm that a disclosure under the Freedom of Information Act 2000 is made to the world at large, rather than a private correspondence. Specific details of the DEMS used by West Yorkshire Police would be extremely useful to those involved in criminality as it would enable them to create a map of those most critical to the Law-and-Order sector, and specifically target those proving the most assistance.
The risk of such is significant and real, whether it is in relation to the DEMS or any other aspect of policing within the context of digital evidence, such as the use of Forensic Service Providers. For example, in 2019 Eurofins (one of the UKs largest FSPs) suffered a highly sophisticated ransomware attack which severely disrupted UK Policing and the Criminal Justice system.
https://www.helpnetsecurity.com/2019/06/24/eurofins-ransomware-attack/
https://www.theguardian.com/science/2019/jul/05/eurofins-ransomware-attack-hacked-forensic-provider-pays-ransom
As demonstrated, the threat of cyberattacks is clear and remains ever present, which if successful, such an attack would have devastating consequences for law enforcement as a whole.
Factors favouring disclosure:
Confirming the names of DEMS providers would be of interest to the public, namely give insight into the solutions used by the police to manage and store vast amounts of digital evidence.
Factors favouring non-disclosure:
Measures are put in place to protect the community we serve and as evidenced within the harm, to provide the information requested would allow individuals intent on disrupting law enforcement to target specific companies using the information obtained to maximise the impact.
Taking into account the current security climate within the United Kingdom, and the previous Eurofins cyber-attack, no information which may aid criminality should be disclosed. It is clear that it would have an impact on a Force’s ability to carry out the core duty of enforcing the law and serving the community.
The public entrust the Police Service to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain.
Balancing Test:
The Police Service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. In order to effectively and robustly carry out those duties, external services are utilised which are vital to investigating criminal activity. Weakening the mechanisms used to investigate any type of criminal activity would have a detrimental impact on law enforcement as a whole. To provide the information requested, despite the known risks of cyber-attacks, would undermine any trust or confidence the public have in the Police Service. Therefore, at this moment in time, it is our opinion that the balance test favours against disclosure.