Secure email services

FOI request reference: CAS-176451-K1L4Y8
Publication date: March 2024

Request

1. What is your current email provider (e.g. Outlook or G-suite)?
2. Do you have a solution for secure email in place (Y/N)?
3. Who is your current email security provider (e.g. Egress)?
4. When is the contract up for renewal?
5. Typically what is the chosen duration of these contracts 12, 24, or 36 Months?
6. Name and contact details of the person responsible?
7. Current annual spend for this contract?
8. Current number of licenses for this contract?
9. Did you purchase via a reseller, or partner (if yes, please specify who e.g. Phoenix, softcat etc.)?
10. Are you planning on assigning specific budgets for securing email communication in 2024?
11. Do you procure through the G-Cloud framework (if not, how do you procure & plan to procure secure email in the future)?

Outcome

Some information provided.

Response

1. What is your current email provider (e.g. Outlook or G-suite)?

Disclosing software systems, product names, vendors and versions may reveal information that would prejudice the prevention or detection of crime and is exempt under section 31(1)(a) of the FOI Act.

2. Do you have a solution for secure email in place (Y/N)?

Yes.

3. Who is your current email security provider (e.g. Egress)?

We do not have a specific email security provider.

4. When is the contract up for renewal?

Not applicable – see answer to Question 3.

5. Typically what is the chosen duration of these contracts 12, 24, or 36 Months?

We do not hold this information.

6. Name and contact details of the person responsible?

We are unable to provide you with this information because it would identify a junior member of staff and as such is exempt from release under section 40(2) of the FOI Act. However, at The National Archives we apply the general principle that members of staff at Head of Department level and above are sufficiently senior for their names and/or job titles to already be in the public domain and are therefore not exempt from release. The Head of IT Operations at The National Archives is Julian Muller.

The National Archives’ full contact options can be found on our website here: Contact Us – The National Archives

7. Current annual spend for this contract?

Not applicable – see answer to Question 3.

8. Current number of licenses for this contract?

Not applicable – see answer to Question 3.

9. Did you purchase via a reseller, or partner (if yes, please specify who e.g. Phoenix, softcat etc.)?

Not applicable – see answer to Question 3.

10. Are you planning on assigning specific budgets for securing email communication in 2024?

No, not specifically for securing email communication.

11. Do you procure through the G-Cloud framework (if not, how do you procure & plan to procure secure email in the future)?

Yes.

Explanatory annexe

Exemptions applied

Section 31: Law Enforcement

We are unable to provide you with information regarding software, suppliers and vendors because this information is exempt from disclosure under section 31(1)(a) of the FOI Act. Section 31(1)(a) exempts information if its disclosure would, or would be likely to, prejudice the prevention or detection of crime.

Section 31 is a qualified exemption and we are required to conduct a public interest test when applying any qualified exemption. This means that after it has been decided that the exemption is engaged, the public interest in releasing the information must be considered. If the public interest in disclosing the information outweighs the public interest in withholding it then the exemption does not apply and the information must be released. In the FOI Act there is a presumption that information should be released unless there are compelling reasons to withhold it.

The public interest test has now been concluded and the balance of the public interest has been found to fall in favour of withholding information covered by the section 31(1)(a) exemption. Considerations in favour of the release of the information included the principle that there is a public interest in transparency and accountability in disclosing information about government cyber security. However, release of this information would make The National Archives more vulnerable to crime. The crime in question here would be a malicious attack on The National Archives’ computer systems. As such, release of this information would be seen to prejudice the prevention or detection of crime by making The National Archives’ computer system more vulnerable to hacking. There is an overwhelming public interest in keeping government computer systems secure which would be served by non-disclosure. This would outweigh any benefits of release. It has therefore been decided that the balance of the public interest lies clearly in favour of withholding the material on this occasion.

Further guidance on section 31 can be found here: Section 31 – Law enforcement | ICO

Section 40(2): Personal Information where the applicant is not the data subject

Section 40 exempts personal information about a ‘third party’ (someone other than the requester), if revealing it would breach the terms of Data Protection Legislation. Data Protection Legislation prevents personal information from release if it would be unfair or at odds with the reason why it was collected, or where the subject had officially served notice that releasing it would cause them damage or distress. Personal information must be processed lawfully, fairly and in a transparent manner as set out by Art. 5 of the United Kingdom General Data Protection Regulation (UK GDPR).

In this case the exemption applies because the requested material contains information which would identify junior members of staff.

Publishing the names and contact details of junior members of staff is considered an unfair use of personal data. Junior members of staff would have no expectation that information about their positions would be made available in the public domain; to do so would be unfair and contravene the first data protection principle of the Data Protection Act. As such, the names, positions and contact details of junior officials are withheld under section 40(2) of the FOI Act.

Further guidance about the publication of junior staff names can be found here: Section 40 – Requests for personal data about public authority employees | ICO

In this case the exemption applies because the requested material contains the personal and the sensitive personal information of a number of identified individuals assumed still to be living. These individuals have a reasonable expectation of privacy which would not include the release of this information into the public domain by The National Archives during their lifetime. To do so would be likely to cause damage and/or distress and would be a breach of the first data protection principle, which is concerned with the fair, lawful and transparent processing of information of this kind.

Further guidance on the application of this exemption can be found here: Section 40 and Regulation 13 – personal information | ICO