NOT PROTECTIVELY MARKED

Our Ref:
Date:

IM-FOI-2017-0148
20 April 2017

FREEDOM OF INFORMATION (SCOTLAND) ACT 2002 - INTERNAL REVIEW
In accordance with section 20(1) of the Freedom of Information (Scotland) Act 2002, I
understand that you have requested a review of the decision communicated to you on 17
March 2017 in respect of your original request for information, received 13 January 2017.
Original Request
Please also send me copies of any procurement documentation held by Police
Scotland that relates to purchases, or unsuccessful tenders or bids, from the firm
Cellebrite from any division of Police Scotland over the last three years.
Request for Review
With regards to the attached response I would like to request a review as I am
dissatisfied with the initial response.
Whilst I am happy to accept the response to the first part of my request, I would be
grateful if you could reconsider the response to the second part of my request.
To clarify, I'd be happy to accept materials where specific financial numbers are
redacted, if this helps to mitigate against concerns over commercial confidentiality.
My role is to consider the response issued and determine whether or not your request was
handled in accordance with the provisions of the Freedom of Information (Scotland) Act
2002.
As part of the review, I am also required to consider the quality of the administrative
process applied to your request and I note that your request was not responded to by the
20 working day legislative deadline.
The Force has therefore clearly failed on this occasion with regard to this legislative
obligation and for that I apologise.
In reviewing the response I have studied all documentation relevant to the request,
including that which documents both the research carried out and the decision making
process.
The decision I have to make is whether or not section 16 of the Act, in conjunction with the
exemption set out at section 33(1)(b), was correctly applied to your request.
I can first of all confirm that Police Scotland engagement with Cellebrite for the supply of
products and services was via a non-competitive action (NCA).

NOT PROTECTIVELY MARKED
scotland.police.uk

@PoliceScotland

PoliceScotland

 NOT PROTECTIVELY MARKED

Competition is a cornerstone of public sector procurement and goods, services and works
should be acquired by competition unless there are convincing reasons to the contrary.
Competition avoids any suggestion of favouritism and the encouragement of monopoly; it
also helps to promote efficiency and economy. The form of competition should be
appropriate to the value and complexity of the goods or services acquired.
Sometimes known as Single Tender Action, Non-Competitive Actions (NCAs) are required
when procurements need to be made which cannot satisfy the minimum competition
requirements. Great care is needed in authorising NCAs as it remains essential to achieve
value for money, and that the procurement process undertaken is fully defensible.
An NCA does not exempt the SPA or Police Scotland from procurement legislation or any
of the legal remedies available to potential bidders. It should be noted that there are
remedies available to aggrieved tenderers or potential bidders, hence the potential
penalties for non-compliance with the legislation are onerous. It is, therefore, important
that we ensure that we comply with the procurement rules and that all NCA requests can
be fully justified.
There were a total of 9 records identified as potentially relevant to your request as follows:
Invoice from Cellebrite - 2014
Invoice from Cellebrite - 2015
Invoice from Cellebrite - 2016
SPA Purchase Order - 2015
SPA Purchase Order - 2016
Email from Police Scotland to Cellebrite requesting quote
Email from Scottish Government approving NCA
Request for approval of non-competitive action (NCA) form
Request for approval of non-competitive action (NCA) form
In relation to the three invoices, I can first of all confirm that these consist of a list of goods
and services with individual unit prices, warranty information and banking information. On
that basis, I’m afraid I have to conclude that section 33(1)(b) of the Act was correctly
applied.
Similarly, in relation to the SPA purchase orders; these again list a series of goods and
services along with the respective unit prices. Again therefore, I consider that section
33(1)(b) of the Act was correctly applied in respect of these documents.
With regard to the two emails, I would first of all advise you that the Freedom of
Information (Scotland) Act 2002 gives a right to information, not to documents.
Where a public authority chooses not to provide copies of original documentation however,
it must ensure that any information which falls within the scope of the request and which is
contained in the document is disclosed completely and accurately.
In this case, I have chosen not to provide actual copies of the correspondence for ease of
response as they would have required hard-copy redaction in terms of the removal of
names, direct email addresses and telephone numbers etc.

NOT PROTECTIVELY MARKED
scotland.police.uk

@PoliceScotland

PoliceScotland

 NOT PROTECTIVELY MARKED

I can however provide you with the following information which meets the terms of your
request.
The content of the emails has been replicated word-for-word and for clarity, I can confirm
that the withheld information is as follows:
-

The names, email addresses and phone numbers of individuals
These individuals, do not occupy a senior or public facing role and, as such, I consider
that whilst you may have a legitimate interest in the disclosure of the personal data (the
individual’s names), disclosure would be unwarranted by reason of prejudice to the
rights and freedoms or legitimate interests of the data subject (Condition 6 of Schedule
2 of the Data Protection Act 1998).
As such, in terms of Section 16 of the Freedom of Information (Scotland) Act 2002 I am
refusing to provide you with the information sought and the exemption that I consider to
be applicable to the information requested by you is set out at Section 38(1)(b) of the
Act - Personal Data.
I also consider that section 30(c) of the Act is applicable with regards the direct phone
numbers and email addresses of individuals.

-

The cost of the license renewal
Refused in terms of section 33(1)(b) for the reasons set out in the original response.

-

The exact model of the products in use and the quantity
This information is considered exempt in terms of section 35(1)(a)&(b) of the Act - Law
Enforcement. Whilst I accept that confirming the use of Cellebrite products is not in
itself harmful, the company offer a variety of products, each with different capabilities
and I consider that disclosure of the exact models in use by Police Scotland along with
the number of products available for use would provide a clear insight as to the
operational capabilities of Police Scotland with regards the examination of mobile
devices.

As intimated above, I have not replicated the introductory and closing details - ‘Hi’,
‘Hello’, ‘Regards’ etc, nor have I included email ‘signatures’. Any spelling/ grammatical
errors are the author’s own, as is any emphasis.

Email 2
18/03/2016 11:51
Scottish Government, Police Division, Finance, Assets & Sponsorship Team to ICT
Procurement Specialist (Police Scotland), Head of ICT Commercial Strategy and
Procurement (Police Scotland) and Procurement and Contracts Executive (Police
Scotland)
Re the NCA contract extensions requests submitted for SG consideration, we are content
to approve them basis of the information provided.

NOT PROTECTIVELY MARKED
scotland.police.uk

@PoliceScotland

PoliceScotland

 NOT PROTECTIVELY MARKED

12. Cellebrite Mobile Forensics Tool
Contract extension with Cellebrite Ltd for one year from 1st April 2016 – 31st March 2017
with an option for an extension for 1 or 2 years. Cost per year ** REDACTED **. Total possible
cost - ** REDACTED **.

18/03/2016 08:46
ICT Procurement Specialist (Police Scotland) to Scottish Government, Police
Division, Finance, Assets & Sponsorship Team, Head of ICT Commercial Strategy
and Procurement (Police Scotland) and Procurement and Contracts Executive
(Police Scotland)
Attachment - see PDF document
Please find attached NCA documents that were approved at the SPA Finance &
Investment Committee yesterday 17th march 2016. I would be grateful if you could review
these for Scottish Government approval when you get the chance.
I apologise for the quantity of these, we have a large proportion of our contracts that expire
at this time of year. I have attached a summary paper which should hopefully assist.

Email 2
25/02/2016 11:26
Business Officer - Commercials (Police Scotland) to 3 x Cellebrite employees plus
Cybercrime Forensics Co-ordinator (Police Scotland)
The Scottish Police Authority (“SPA”) is requesting a quotation for the supply of the goods
listed below to meet the following requirements:
Annual SW

** REDACTED **

** REDACTED ** ** REDACTED **

license renewal to expire 31/03/2017. GBP ** REDACTED **

s/n: ** REDACTED **
Your quotation should be submitted on the basis that if it is accepted by or forms part of a
contract with SPA, unless otherwise agreed in writing by SPA, such contract will be on the
terms and subject to the conditions set out in the document entitled “Scottish Police
Authority: Terms and Conditions for Purchasing [ICT Goods and any related Services]
[Professional Services]”. This document is available on request.
These terms and conditions shall apply to any such contract with SPA to the exclusion of
any other terms and conditions including any terms and conditions on which your quotation
is given.
This request for quotation does not constitute an offer to purchase capable of acceptance.
Note - The Scottish Police Forces merged to form a single Force, the Police Service of
Scotland, from 1st April 2013 under the ‘Police and Fire Reform (Scotland) Act 2012’ (the
Act). At this time, under the Act, the Scottish Police Services Authority became part of the
NOT PROTECTIVELY MARKED
scotland.police.uk

@PoliceScotland

PoliceScotland

 NOT PROTECTIVELY MARKED

newly formed Scottish Police Authority. One of the Principal functions of the Scottish
Police Authority, as body corporate under the Act, is to maintain the Police Service of
Scotland. This includes providing and maintaining anything necessary for the carrying out
of Police Functions and entering into contracts.
Redacted versions of the two ‘request for approval of NCA’ forms are also attached.
Again, the redactions are in terms of sections 33(1)(b), 30(c), 35(1)(a)&(b) and 38(1)(b) of
the Act.
Taking all of the above into account, I must conclude that more information could have
been provided in response to your original request. That said, I am generally satisfied that
your request was handled in accordance with the Freedom of Information (Scotland) Act
2002 and in terms of section 21(4)(a) of the Act, I uphold the original response insofar as I
agree that section 33(1)(b) of the Act was correctly applied in respect of some of the
information identified.
Should you require any further assistance concerning this matter please contact
Information Management - Dundee on 01382 596657 quoting the reference number given.
If you remain dissatisfied following the review of this case, you then have six months in
which you may appeal to the Scottish Information Commissioner who can be contacted as
follows:
Online appeal service - www.itspublicknowledge.info/Appeal
Scottish Information Commissioner
Kinburn Castle
Doubledykes Road
St Andrews
Fife
KY16 9DS

Telephone: 01334 464610
Email: enquiries@itspublicknowledge.info

Should you wish to appeal against the Scottish Information Commissioner's decision, there
is an appeal to the Court of Session on a point of law only.

NOT PROTECTIVELY MARKED
scotland.police.uk

@PoliceScotland

PoliceScotland