Email archiving (FOI)Email archiving (FOI)
Produced by the Freedom of Information officeAuthored by Government of Jersey and published on
04 June 2020.Prepared internally, no external costs.
Request
A
To what extent are email traffic and communications by States employees recorded by the States back up cryoserver or other system and for how long?
B
Does the cryoserver or other system record deleted traffic?
C
Under what circumstances may email communication not be recorded on the cryoserver and indeed by pass retention?
D
And under what circumstances may information be deleted from the cryoserver?
E
And under what circumstances may deleted material be otherwise recorded?
F
Under what circumstances may the period of retention be extended?
G
Is the cryoserver the sole background mechanism for recording information?
H
How is access to the cryoserver regulated, who controls access and on what terms?
I
Does the cryoserver record in bound and outbound material?
J
Is there similarly a system for recording the existence of phone traffic on incoming and outgoing calls both for land line and mobile calls?
Response
A to J
It is considered that providing this information may cause a security risk and therefore it has been refused under Article 42 (Law Enforcement) of the Freedom of Information (Jersey) Law 2011 (the Law).
Article applied
Article 42 Law enforcement
Information is qualified exempt information if its disclosure would, or would be likely to, prejudice –
a) the prevention, detection or investigation of crime, whether in Jersey or elsewhere;
It is recognised that there is a public interest in providing information in a transparent manner, however this public interest is not considered to outweigh the interests of the government in preventing cyber-crime. It is considered that release of this information may increase risks, particularly in view of major cyber-attacks that have occurred in other jurisdictions in recent years.
The Government of Jersey continuously assesses risk to its network and technical infrastructure and manages a risk treatment plan to ensure every effort is made to maintain a secure and reliable service for its staff and users of its services.
Request for Internal Review
I write to challenge this decision .
In making the request you will note that I have not requested any technical details for example the name of the provider or the technical underpinning of the retention scheme .
Protection from cyber crime based on evidence of crime in other jurisdictions is vague and unclear .
The existence and operation of the scheme is distinct the technical underpinning .
I have asked for nothing that would identify the provider or the technical operation of the scheme , by that I mean the programming.
The existence of the scheme should be a matter of public record . It is highly probable states staff members are aware of the scheme .
We’re the scheme to be operated covertly that itself would be a concern for surveillance , proportionality and justification .
Please then answer the requests I have made .
Internal Review response
This review has been completed by two senior staff members of the Government of Jersey, independent of the original decision making process.
The original response has been reviewed and assessed at each point to identify whether the application of exemptions had been correctly applied. The following changes have been made:
A
To what extent is email traffic and communications by States employees recorded by the States back up cryo server or other system and for how long?
The requested information is publicly available in response to a States question in the following link:
WQ to the Chief Minister by Deputy M.R Higgins of St Helier
B
Does the cryo server or other system record deleted traffic?
Please refer to (A) above.
C
Under what circumstances may email communication not be recorded on the cryo server and indeed by pass retention?
Article 42 (Law Enforcement) of the Freedom of Information (Jersey) Law 2011 has been applied.
D
And under what circumstances may information be deleted from the cryo server?
The Right to Erasure under article 32 of the Data Protection (Jersey) Law 2018 exists in relation to cryoserver as well as written records.
Further details in relation to this right are available within the Data Protection (Jersey) Law 2018.
E
And under what circumstances may deleted material be otherwise recorded?
All IT systems are backed up therefore any material deleted may be retrieved.
F
Under what circumstances may the period of retention be extended?
Retention periods may be extended if there is a legal or business requirement to do so. Any changes must be agreed at a senior level.
G
Is the cryo server the sole background mechanism for recording information?
Article 42 (Law Enforcement) of the Freedom of Information (Jersey) Law 2011 has been applied.
H
How is access to the cryo server regulated, who controls access and on what terms?
Article 42 (Law Enforcement) of the Freedom of Information (Jersey) Law 2011 has been applied.
I
Does the cryo server record in bound and outbound material?
Please refer to (A) above.
J
Is there similarly a system for recording the existence of phone traffic on incoming and outgoing calls both for land line and mobile calls?
A system is in place which records the number of incoming and outgoing calls within the Government of Jersey.
The reviewers considered that the application of the Article 42 exemption was appropriate for questions 3, 7 and 8 and should be upheld.