Title: Cyber Security
FOI request reference: F0047229
Response sent: November 2016
Outcome: Partially Successful
Hello Data and Information Officer
I am currently embarking on a research project around Cyber Security and was hoping you could provide me with some contract information relating to the following information:
- Standard Firewall (Network) – Firewall service protects your corporate Network from unauthorised access and other Internet security threats
- Intrusion Detection – network intrusion detection systems (IDS) http://searchsecurity.techtarget.com/feature/Enterprise-benefits-of-network-intrusion-prevention-systems and network intrusion prevention systems (IPS) http://searchsecurity.techtarget.com/feature/Three-criteria-for-selecting-the-right-IPS-products services that detect Web application attacks and include anomaly-awareness in addition to handling older threats that haven’t disappeared.
- Web Applications Firewall – A Web application firewall (WAF) is a firewall that monitors, filters or blocks the HTTP traffic to and from a Web application.
- Threat Monitoring – organizations and security analysts to identify and protect against security threats.
- Anti-virus Software Application – Anti-virus software is a program or set of programs that are designed to prevent, search for, detect, and remove software viruses, and other malicious software like worms, trojans, adware, and more.
- Encryption Facilities – is a host-based software solution designed to encrypt sensitive data before transferring it to tape for archival purposes or business partner exchange.
For each of the different types of cyber security services can you please provide me with:
- Who is the existing supplier for this contract?
- What does the organisation spend for each contract?
- What is the description of the services provided for each contract?
- What is the expiry date of each contract?
- What is the start date of each contract?
- What is the contract duration of each contract?
- What is the hardware brand? If available.
- What is the software brand? If available?
- The responsible contract officer? Full name, job title, contact number and direct email address.
Thank you, they said that you will send me a confirmation email.
Thank you for your enquiry of 18 October 2016, in which you requested contract information relating to Cyber Security at The National Archives.
Your request has been handled under the Freedom of Information (FOI) Act 2000.
I can confirm that The National Archives holds information relevant to your request. We are pleased to be able to provide you with some of this information in the attached spreadsheet.
The FOI Act gives you the right to know whether we hold the information you want and to have it communicated to you subject to any exemptions which may apply. Unfortunately we are unable to provide you with all of the information you have requested as some information is exempt under sections 31(1) (a) and 40(2) of the FOI Act.
You asked for the full name, job title, contact number and direct email address of the responsible contract officer for each requested contract.
We are unable to provide you with this information because it would identify a junior member of staff and as such is exempt from release under section 40(2) of the FOI Act. For further information about why this exemption has been applied, please see the explanatory Annex at the end of this letter.
However, at The National Archives we apply the general principle that members of staff at Head of Department level and above are sufficiently senior for their names and/or job titles to already be in the public domain and are therefore not exempt from release.
The Head of ICT at The National Archives is Julian Muller, who is responsible for the contract information you have requested.
If you wish to contact The National Archives, please use the contact form at the following address:
Some of the information you have requested is also covered by the exemption at section 31(1) (a) of the FOI Act, which exempts information if its disclosure is likely to prejudice the prevention or detection of crime. This relates to all contract information regarding part 6 of your request about Encryption Facilities as well as specific details of expiry dates and hardware/software brands for the remaining contracts. For further information about why this exemption has been applied, please see the explanatory Annex at the end of this letter.
If you are dissatisfied with the handling of your request or the decision which has been reached, you have the right to ask for an internal review. Internal review requests must be submitted within two months of the date of this response and should be addressed to:
Public Services Development Unit
The National Archives
Please mark your complaint clearly. You have the right to ask the Information Commissioner (ICO) to investigate any aspect of your complaint. However, please note that the ICO is likely to expect internal complaints procedures to have been exhausted before beginning his investigation.
Freedom of Information Centre
Transfer and Access Department
The National Archives
Section 40(2): Personal Information where the applicant is not the data subject
Section 40 exempts personal information about a ‘third party’ (someone other than the requester), if revealing it would breach the terms of the Data Protection Act (DPA) 1998. The DPA prevents personal information from release if it would be unfair or at odds with the reason why it was collected, or where the subject had officially served notice that releasing it would cause them damage or distress. Junior members of staff would have no expectation that information about their positions would be made available in the public domain; to do so would be unfair and contravene the first data protection principle of the DPA 1998.
In this case the exemption applies because this information represents the personal information of a junior member of staff at The National Archives. Publishing the names of junior members of staff is considered an unfair use of personal data. As such, the names and positions of junior officials are withheld under section 40(2) of the FOIA.
For more information about the publication of junior staff names, please see the following link: https://ico.org.uk/media/for-organisations/documents/1187/section_40_requests_for_personal_data_about_employees.pdf
For more general information about the section 40 exemption, please see the following link: http://ico.org.uk/for_organisations/guidance_index/~/media/documents/library/Freedom_of_Information/Detailed_specialist_guides/personal-information-section-40-and-regulation-13-foia-and-eir-guidance.pdf
Section 31: Law Enforcement
We are unable to provide you with some of the information you have requested because it is exempt from disclosure under section 31(1) (a) of the FOI Act. Section 31 (1) (a) exempts information if its disclosure is likely to prejudice the prevention or detection of crime. This relates to all contract information regarding part 6 of your request about Encryption Facilities as well as specific details of expiry dates and hardware/software brands for the remaining contracts.
Section 31 is a qualified exemption and we are required to conduct a public interest test when applying any qualified exemption. This means that after it has been decided that the exemption is engaged, the public interest in releasing the information must be considered. If the public interest in disclosing the information outweighs the public interest in withholding it then the exemption does not apply and the information must be released. In the FOI Act there is a presumption that information should be released unless there are compelling reasons to withhold it.
The public interest test has now been concluded and the balance of the public interest has been found to fall in favour of withholding information covered by the section 31(1) (a) exemption. Considerations in favour of the release of the information included the principle that there is a public interest in transparency and accountability in disclosing information about government procedure and contracts. However, release of this information would make The National Archives more vulnerable to crime. The crime in question here would be a malicious attack on The National Archives’ computer systems. As such, release of this information would be seen to prejudice the prevention or detection of crime by making The National Archives’ computer systems more vulnerable to hacking, therefore facilitating the possibility of a criminal offence being carried out. There is an overwhelming public interest in keeping government computer systems secure which would be served by non-disclosure. This would outweigh any benefits of release. It has therefore been decided that the balance of the public interest lies clearly in favour of withholding the material on this occasion.
Further guidance on section 31 can be found here: