Somerset County Council: Freedom of Information Request

Internal Review: Findings

Somerset Direct ref: 2757162 – Service ref: 140211

Information requested by: Mr Dave Orr

Review carried out by: Louisa Gosling: Information Governance Officer

1. Summary of process

  • Request received: 14/02/2014
  • Response sent: 17/04/2014
  • Review requested: 17/04/2014

2. Review of Response

In your email dated 09/04/2014, you raised the following issues:

I can understand withholding details of the network hardware and operating systems on a security basis. However, I do not see that applying to the operating systems of the desktop PCs. As you have supplied operating system details for the servers they connect to, then that omission of data is not consistent or justified.

Can you please update the spreadsheet for PC operating system details as they pose little or no security risk.

3. Considerations

  1. Did the Council answer your request within the required timescale of 20 working days?
  2. Did the Council confirm or deny it held the information?
  3. Did the Council provide the information requested?
  4. If the Council did not provide the information was the refusal clear?
  5. If the Council applied an exemption was it correct and was it explained?
  6. Did the Council provide a public interest test (if applicable)? Did it provide a sound evaluation of the arguments for and against disclosure?
  7. Did the Council offer appropriate advice and assistance?
  8. Did the Council advise you of the internal review process and your right of appeal to the ICO?
  1. The Council did not answer your request within the required timescale of 20 working days. We apologise for not meeting the statutory time limit set by the FOI Act. Somerset County Council receives some 75 – 125 requests every month, some of which are very complex, and we are working with limited resources.
  2. The Council confirmed that it held some of the information requested.
  3. The Council provided some of the information requested.
  4. Where the Council did not provide the information the refusal was clear. In some cases the Council stated that it did not hold the information requested and also gave an explanation of why this is so. In other cases the Council stated that it was withholding information because it was judged to be exempt under sections 38(1), 40(2) and 43(2) of the Freedom of Information Act (FOIA).
  5. The Council applied the 3 exemptions above to information which was withheld in the hardware assets log provided. This review finds that the exemptions under sections 38(1) and 43(2) were correctly applied to information concerning: the network hardware and operating systems; and the operating systems of desktop PCs and laptops (see exemptions discussion below).

This review finds that the exemption under Section 40(2), which relates to personal information, was not correctly applied to the information withheld. Whilst its disclosure may constitute a risk to the protection of personal data, the information in question does not constitute personal data per se.

This review agrees that it was inconsistent to withhold the aforementioned information whilst still providing information on the operating systems of the servers since the same security concerns apply to disclosure of the former and the latter. Therefore, please find attached a revised spreadsheet with all information regarding the operating systems of the Council’s hardware assets withheld. We apologise for this oversight in our original response. We would also request that you replace the original spreadsheet, (which contains information on the operating systems of our servers which was not intended for public disclosure), with this revised one.

This review also considers that there are two additional FOIA exemptions which may be applied to all of the information withheld in the revised spreadsheet. These are FOIA Section 31 (Law Enforcement) and Section 24 (National Security). (Please see exemptions discussion below.)

  6. The Council did provide a public interest test for the three exemptions which were applied to the information withheld. This included an evaluation of the arguments for and against disclosure. This review has expanded on this, and included public interest tests for the additional exemptions under S31 and S24, in the exemptions discussion provided below.
  7. The Council offered appropriate advice and assistance.
  8. The Council advised you of the internal review process and your right of appeal to the ICO.

4. Additional discussion on the exemptions applied to information regarding Operating Systems

It is understood that disclosure of the information on the operating systems of the Council’s servers, desktop PCs and laptops, as well as the information concerning the network hardware and operating systems, would constitute a security risk by leaving the Council’s computer systems more vulnerable to a malicious hacking attack. This means that the disclosure of any of this information would:

  • make the Council more vulnerable to crime (Section 31)
  • risk the health and safety of the Council’s service users who rely on the functioning of our computer systems (Section 38)
  • risk harming the electronic systems on which the day-to-day business of the Council relies (Section 43)
  • pose a security threat to the PSN which constitutes a risk to national security (Section 24)

Section 31 (Law Enforcement)

Section 31(1)(a) states that information is exempt if its disclosure is likely to prejudice the prevention or detection of crime. ICO guidance states that this can be used to protect information on a public authority’s systems which would make it more vulnerable to crime. It can be used by a public authority that has no law enforcement function:

  • To protect the work of one that does.
  • To withhold information that would make anyone, including the public authority itself, more vulnerable to crime

The crime in question here would be a malicious attack on the Council’s computer systems. Since the disclosure of the withheld information would make the Council’s systems more vulnerable to such crime this review finds that the exemption is engaged.

The exemption is subject to the public interest test. There is an overwhelming public interest in keeping government computer systems secure which would be served by non-disclosure. This outweighs the public interest in accountability and transparency which would be served by disclosure.

Section 38 (Health and Safety)

Section 38(1) states that information is exempt if its disclosure would be likely to:

a) Endanger the physical or mental health of any individual

b) Endanger the safety of any individual

If the Council’s computer systems were to be unavailable due to a malicious attack this would be detrimental to service users’ health as the Council would be unable to access essential information in this regard. Therefore this review finds that the exemption is engaged.

This exemption is subject to the public interest test. Arguments for disclosure concern accountability and transparency for the public to know what the Council is spending public funds on. Arguments against disclosure concern the risk to the health and safety of the Council’s service users should the Council’s computer systems be harmed as a result of malicious hackers making use of the information concerning the operating systems of the Council’s computers.

This review finds that the balance of the public interest lies in withholding the information.

Section 43 (Commercial Interests)

Section 43(2) states that information is exempt if its disclosure would, or would be likely to, prejudice the commercial interests of any person (including the public authority holding it).

Disclosure of information revealing the details of the Council’s operating systems puts the Council at risk of a malicious attack on its computer systems. This would compromise the Council’s ability to provide its services and carry on business-as-usual should the electronic systems be harmed. The cost of system recovery if its computer system were hacked would also be detrimental to the Council’s commercial interests.

This exemption is subject to the public interest test. There is an overwhelming public interest in keeping government computer systems secure which would be served by non-disclosure. This outweighs the public interest in accountability and transparency which would be served by disclosure.

Section 24 (National Security)

The Council believes that disclosure of information about the operating systems of our servers, desktop PCs and laptops may attract hacking and intrusion attacks from parties wishing to exploit specific vulnerabilities. This could consequently allow those intruders access to the extended PSN and Government secure network at GSi, which, therefore, constitutes a risk to national security.

By virtue of section 24(1), information is exempt from disclosure if the exemption from the duty to disclose the information is required for the purpose of safeguarding national security. “It should be noted that, in order to engage section 24(1), it is the exemption, rather than the ‘information’ which has to be required for the purpose of safeguarding national security. In the Commissioner’s view, the wording in section 24(1) suggests that the focus is on the effect of disclosure rather than the original purpose of the information”[1].

ICO guidance advises that “required for the purposes of” is interpreted as meaning reasonably necessary. Although there has to be a real possibility that the disclosure would undermine national security, the impact does not need to be direct or immediate.

“Whilst it is important to demonstrate that there would be a real possibility of harm to national security should the information be disclosed, there is no need to prove that there is in fact a specific, direct or imminent threat to national security. It is sufficient in the Commissioner’s opinion that the disclosure is capable of indirectly creating a real possibility of harm to national security”[2].

“The Information Commissioner considers that the term ‘national security’ includes; The security of the United Kingdom and its people; and the protection of the United Kingdom’s legal and constitutional systems”[3].

Any threat to the safety and security of the Government Public Services Network (PSN) poses a risk to both of these elements of national security.

Information identifying the operating systems of the Somerset County Council’s computer systems could be used, in conjunction with other information in the public domain, or combined with information already held, by those with malicious intent, to launch an attack on these computer systems which could in turn threaten the security of other Government computer systems linked by the PSN.

Both the ICO and the First Tier Tribunal have confirmed the use of such “mosaic” arguments when considering the harm posed by information disclosure under Section 24[4]. In Decision Notice FS50368290, (27 July 2011) the Commissioner “agrees with the public authority that publicly available information both on the internet and elsewhere remains a powerful source of intelligence for those intending to target the security of the UK”.

Whilst, in this case, the disputed information itself may be considered insignificant in the context of national security it should be noted that “it is the potential value of the disputed information in the hands of those who constitute a threat to national security that must be considered. There is no requirement for the public authority to demonstrate that there is a specific and imminent threat from disclosure, it is sufficient that the public authority has been able to demonstrate that, the disputed information in the wrong hands could indirectly create a real possibility of harm to national security”[5].

Section 24 is also subject to the public interest test. It is the interests of the UK and its citizens that are of concern.

Arguments for disclosure of the information in question concern the public interest in ensuring the accountability and transparency of a public body and the decisions it makes concerning its IT assets and how it spends its money regarding such assets.

Arguments against disclosure concern the fact that there is a strong public interest in not disclosing information that may be used by those who pose a threat to the well-being of individuals and the nation. “There is a significant public interest in preventing the disclosure of information which could potentially assist individuals or groups intent on damaging national security.”[6]

More specifically, in this case there is a clear public interest in protecting the security of Government computer systems. As previously noted, the Somerset County Council’s computer system also provides access to the Public Services Network (PSN), an assured network over which diverse government bodies trust that they can safely share services in order to collaborate more effectively and efficiently. This is a key component of the Government ICT Strategy and has been created as a security model for the sharing of services across the public sector.

This review finds that the public interest in disclosure is outweighed by the public interest in non-disclosure.

Ministry of Justice FOI exemptions guidance on use of section 24 states that “when seeking to use section 24… the National Security Liaison Group (NSLG) must be consulted”[7]. During this consultation the text of this internal review was presented to the NSLG for their consideration. The NSLG have consequently confirmed that they “are in agreement with the internal review response”.

5. Conclusion

Overall this review concludes that it partially upholds your complaint. We do appreciate that it was inconsistent to withhold information on the operating systems of end devices whilst still providing operating system details for the servers they connect to. However, we do not agree that the disclosure of PC operating system details “poses little or no security risk”. Indeed, this review finds that the disclosure of any information on the operating systems of the hardware assets of the Council poses a security risk, and that there are a number of exemptions under the FOIA which may be applied to withhold this information.

We apologise for the oversight in our original FOI response whereby information on the operating systems of the servers was provided in the hardware assets log spreadsheet sent to you. We have now provided (in attachment) an updated version of the spreadsheet, which constitutes the correct response to your FOI request.

If you are not content with the outcome of this Internal Review, you have the right to apply directly to the Information Commissioner’s Office for a further decision. The Information Commissioner can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF


Helpline on 0303 123 1113

Yours sincerely

Peter Grogan

Information Governance Manager

County Hall

Taunton

Somerset

TA1 4DY


[1] ICO Decision Notice FS50368290, 27 July 2011

[2] Op. cit.

[3] Op. cit.

[4] In Peter Burt v Information Commissioner and the MoD (EA/2011/004 20/09/2011) the First Tier Tribunal accepted there was a risk that certain technical information could be combined with other information to give a complete picture of how to build a nuclear device.

[5] ICO Decision Notice FS50368290, 27 July 2011

[6] ICO Decision Notice FS50368290, 27 July 2011

[7] Ministry of Justice Freedom of Information Exemptions Guidance, Section 24: National Security, March 2012