Software applications at The National Archives

FOI request reference: CAS-144531-S7C3H9
Publication date: October 2023

Request

1. Does your organisation use any applications or software to record Record of Processing Activity (ROPA)?
If so, please state the product name(s) and version number(s) (if known)
2. Does your organisation use any applications or software to support preparation for, or maintenance of ISO 27001 and/or ISO 27701 compliance?
If so, please state the product name(s) and version number(s) (if known)
3. Does your organisation use any applications or software associated with data breach management?
4. Does your organisation use any applications or software associated with Freedom of Information management?
If so, please state the product name(s) and version number(s) (if known)
5. Does your organisation use any applications or software for Policy Management?
If so, please state the product name(s) and version number(s) (if known)
6. Does your organisation use any eLearning for Data Protection and Security Awareness?
If so, please state the product name(s) and version number(s) (if known)
7. Has your organisation reviewed / explored the market regarding the provision of technology which supports the delivery of Information Governance functions?
If yes – please specify what actions have been taken?
If no – does your organisation have any plans to review / explore this market in the next 3 years?
8. Has your organisation allocated budget / financial resources regarding the commissioning / procurement of technology which supports the delivery of Information Governance functions?
If yes – please specify what actions have been taken?
If no – does your organisation have any plans to allocate budget / financial resources in the next 3 years?
9. Has your organisation developed a business case (outline or otherwise) regarding the commissioning / procurement of technology which supports the delivery of Information Governance functions?
If yes – please specify what actions have been taken?
If no – does your organisation have any plans to develop a business case in the next 3 years?
10. Will there be any opportunities to engage with your organisation regarding the commissioning / procurement of technology which supports the delivery of Information Governance function in the next three years?

Outcome

Some information provided

Response

1. Does your organisation use any applications or software to record Record of Processing Activity (ROPA)?

This information is exempt under Section 31(1)(a).

Section 31(1)(a) exempts information if its disclosure under this Act would, or would be likely to, prejudice the prevention or detection of crime. This exemption has been applied to details of which software brands and applications TNA uses. For this exemption to be engaged it is necessary to prove that disclosure would, or would be likely to, involve a level of harm. The harm/prejudice test for this exemption involves the consideration that release could put at risk law-enforcement matters, namely the prevention or detection of crime.

We have determined that release of the aforementioned information would be likely to prejudice the prevention or detection of crime by making The National Archives’ computer systems more vulnerable to hacking. Please see the explanatory annexe at the bottom of the page for further details.

2. Does your organisation use any applications or software to support preparation for, or maintenance of ISO 27001 and/or ISO 27701 compliance?

This information is exempt under Section 31(1)(a).

3. Does your organisation use any applications or software associated with data breach management?

This information is exempt under Section 31(1)(a).

4. Does your organisation use any applications or software associated with Freedom of Information management?

This information is exempt under Section 31(1)(a).

5. Does your organisation use any applications or software for Policy Management?

This information is exempt under Section 31(1)(a).

6. Does your organisation use any eLearning for Data Protection and Security Awareness?

This information is exempt under Section 31(1)(a).

7. Has your organisation reviewed / explored the market regarding the provision of technology which supports the delivery of Information Governance functions? If yes – please specify what actions have been taken?

Yes.

The National Archives does not hold information relating to this question.

8. Has your organisation allocated budget / financial resources regarding the commissioning / procurement of technology which supports the delivery of Information Governance functions? If no – does your organisation have any plans to allocate budget / financial resources in the next 3 years?

No.

The National Archives does not hold information in relation to this question.

9. Has your organisation developed a business case (outline or otherwise) regarding the commissioning / procurement of technology which supports the delivery of Information Governance functions? If no – does your organisation have any plans to develop a business case in the next 3 years?

No.

The National Archives does not hold information in relation to this question.

10. Will there be any opportunities to engage with your organisation regarding the commissioning / procurement of technology which supports the delivery of Information Governance function in the next three years?

The National Archives publishes procurement opportunities on the approved Crown Commercial Service (CCS) Gateway and opportunities to engage with The National Archives on these procurement activities are available through the CCS Gateway.

More information on public procurement through the CCS Gateway can be found here: Crown Commercial Service – CCS

Explanatory annexe

Exemptions applied

Section 31: Law Enforcement

We are unable to provide you with information regarding software brands because this information is exempt from disclosure under section 31(1)(a) of the FOI Act. Section 31(1)(a) exempts information if its disclosure would or would be likely to prejudice the prevention or detection of crime.

Section 31 is a qualified exemption and we are required to conduct a public interest test when applying any qualified exemption. This means that after it has been decided that the exemption is engaged, the public interest in releasing the information must be considered. If the public interest in disclosing the information outweighs the public interest in withholding it then the exemption does not apply and the information must be released. In the FOI Act there is a presumption that information should be released unless there are compelling reasons to withhold it.

The public interest test has now been concluded and the balance of the public interest has been found to fall in favour of withholding information covered by the section 31(1)(a) exemption. Considerations in favour of the release of the information included the principle that there is a public interest in transparency and accountability in disclosing information about government cyber security. However, release of this information would make The National Archives more vulnerable to crime. The crime in question here would be a malicious attack on The National Archives’ computer systems. As such, release of this information would be seen to prejudice the prevention or detection of crime by making The National Archives’ computer system more vulnerable to hacking. There is an overwhelming public interest in keeping government computer systems secure which would be served by non-disclosure. This would outweigh any benefits of release. It has therefore been decided that the balance of the public interest lies clearly in favour of withholding the material on this occasion.

Further guidance on section 31 can be found here: https://ico.org.uk/for-organisations/foi-eir-and-access-to-information/freedom-of-information-and-environmental-information-regulations/section-31-law-enforcement/