Skip to main content

Freedom of information request

Cyber security services and enterprise software platforms at The National Archives

Freedom of information request reference
CAS-270098
Request resolved

Request

  1. Standard Firewall (Network)
    1. Firewall services that protect the organisation’s network from unauthorised access and other internet security threats.
  2. Anti-virus Software Application
    1. Programs designed to prevent, detect, and remove viruses, malware, trojans, adware, and related threats.
  3. Microsoft Enterprise Agreement
    1. A volume licensing agreement that may include:
      1. Microsoft 365 (Office, Exchange, SharePoint, Teams)
      2. Windows Enterprise
      3. Enterprise Mobility + Security (EMS)
      4. Azure services (committed or pay-as-you-go)
  4. Microsoft Power BI
    1. Or any alternative business intelligence platform used for data connectivity, dashboards, and reporting.

For each of the above areas, I kindly request the following:

  1. Who is the existing supplier for this contract?
  2. What is the annual spend for each contract?
  3. What is the description of the services provided?
  4. Primary brand (where applicable)
    1. What is the start date of the contract?
    2. What is the expiry date of the contract?
    3. What is the total duration of the contract?
  5. Please include at least their job title, and where possible, name, contact number, and direct email address
    1. How many licences or users are included (where applicable)

Outcome

Some information provided.

Response

  1. Standard Firewall (Network)
    Firewall services that protect the organisation’s network from unauthorised access and other internet security threats.
    1. Who is the existing supplier for this contract?
    2. What is the annual spend for each contract?
    3. What is the description of the services provided?
    4. Primary brand (where applicable)
      1. What is the start date of the contract?
      2. What is the expiry date of the contract?
    5. What is the total duration of the contract?
      1. How many licences or users are included (where applicable)

This information is covered by the exemption at section 31(1) of the FOI Act.

  1. Anti-Virus Software Application
    Programs designed to prevent, detect, and remove viruses, malware, trojans, adware, and related threats.
    1. Who is the existing supplier for this contract?
    2. What is the annual spend for each contract?
    3. What is the description of the services provided?
    4. Primary brand (where applicable)
      1. What is the start date of the contract?
      2. What is the expiry date of the contract?
      3. What is the total duration of the contract?
      4. How many licences or users are included (where applicable)

This information is covered by the exemption at section 31(1) of the FOI Act.

2. Microsoft Enterprise Agreement
A volume licensing agreement that may include: Microsoft 365 (Office, Exchange, SharePoint, Teams), Windows Enterprise, Enterprise Mobility + Security (EMS) and Azure Services (committed or pay-as-you-go)
a. Who is the existing supplier for this contract?
b. What is the annual spend for each contract?
c. What is the description of the services provided?
d. Primary brand (where applicable)
i. What is the start date of the contract?
ii. What is the expiry date of the contract?
iii. What is the total duration of the contract?
e. How many licences or users are included (where applicable)

Information about all contracts and agreements with a value of over £10,000 are published in the public domain and is covered by the exemption at Section 21 of the FOI Act. This information is already published in the public domain as per the below link: Microsoft Enterprise Agreement Renewal – Contracts Finder

3. Microsoft Power BI
Or any alternative business intelligence platform used for data connectivity, dashboards and reporting
a. Who is the existing supplier for this contract?
b. What is the annual spend for each contract?
c. What is the description of the services provided?
d. Primary brand (where applicable)
i. What is the start date of the contract?
ii. What is the expiry date of the contract?
iii. What is the total duration of the contract?
e. How many licences or users are included (where applicable)

Information about all contracts and agreements with a value of over £10,000 are published in the public domain and is covered by the exemption at Section 21 of the FOI Act. This information is already published in the public domain as per the below link: Microsoft Enterprise Agreement Renewal – Contracts Finder

Who is the responsible contract officer? Please include at least their job title, and where possible, name, contact number and direct email address.

We are unable to provide you with this information because it would identify a junior member of staff and as such is exempt from release under section 40 (2) of the FOI Act. However, at The National Archives we apply the general principle that members of staff at Head of Department level and above are sufficiently senior for their names and/or job titles to already be in the public domain and are therefore not exempt from release.

The Head of IT Operations at The National Archives is David Moore.
The National Archives’ full contact options can be found on our website here.

Annexe

Exemptions applied

Section 21: Information readily available to the applicant by other means

Section 21 of the Freedom of Information Act 2000 (FOIA) does not oblige a public authority to provide information if it is already reasonably accessible by other means. In this case the exemption applies because the information is already available.

Further guidance can be found at:
Information accessible to the applicant by other means (section 21) | ICO

Section 40 (2): Personal Information where the applicant is not the data subject

Data Protection Legislation prevents personal information from release if it would be unfair or at odds with the reason why it was collected, or where the subject had officially served notice that releasing it would cause them damage or distress.

In this case the exemption applies because this information represents the personal information of junior members of staff at The National Archives.

Publishing the names and contact details of junior members of staff is considered an unfair use of personal data. Junior members of staff would have no expectation that information about their positions would be made available in the public domain; to do so would be unfair and contravene Art. 5 of the General Data Protection Regulation. As such, the names, positions and contact details of junior officials are withheld under section 40 (2) of the FOI Act.

Further guidance can be found at:
Personal data of both the requester and others (ico.org.uk)

Section 31: Law Enforcement

We are unable to provide you with information regarding software vendors, brands and specific start/end dates because this information is exempt from disclosure under section 31(1) (a) of the FOI Act. Section 31(1) (a) exempts information if its disclosure would or would be likely to prejudice the prevention or detection of crime.

Section 31 is a qualified exemption and we are required to conduct a public interest test when applying any qualified exemption. This means that after it has been decided that the exemption is engaged, the public interest in releasing the information must be considered. If the public interest in disclosing the information outweighs the public interest in withholding it then the exemption does not apply and the information must be released. In the FOI Act there is a presumption that information should be released unless there are compelling reasons to withhold it.

The public interest has now been concluded and the balance of the public interest has been found to fall in favour of withholding information covered by the section 31(1)(a) exemption. Considerations in favour of the release of the information included the principle that there is a public interest in transparency and accountability in disclosing information about government cyber security. However, release of this information would make The National Archives more vulnerable to crime. The crime in question here would be a malicious attack on The National Archives’ computer systems. As such release of this information would be seen to prejudice the prevention or detection of crime by making The National Archives’ computer system more vulnerable to hacking. There is an overwhelming public interest in keeping government computer systems secure which would be served by non-disclosure. This would outweigh any benefits of release. It has therefore been decided that the balance of the public interest lies clearly in favour of withholding the material on this occasion.

Further guidance on section 31 can be found here: https://ico.org.uk/for-organisations/foi/freedom-of-information-and-environmental-information-regulations/section-31-law-enforcement/

Back to top