Last updated: 17-09-2024. From web page: Refused Foi Requests.

Freedom of information requests concerning IT Infrastructure, IT security issues, attacks, ransomware, malware, and related topics

Policy Details

Version: 1.0
Approved by: Director of Digital
Lead officer: Information Lawyer (Data Protection Officer)
Contact: Information@southampton.gov.uk
Date last amended: 3rd July 2024
Approval date: 3rd July 2024
Effective date: 3rd July 2024
Review date: 3rd July 2025

Introduction

Southampton City Council operates a large number of IT systems. To ensure our data and services are protected, the Council uses all necessary tools to keep our systems and infrastructure safe and secure. We regularly update our estate to comply with the relevant guidance and codes of practice. We also have a duty under the UK General Data Protection Regulation and the Data Protection Act 2018 to keep people’s personal data safe and secure, and we comply with that duty.

As a public body the City Council must demonstrate that it keeps its systems and infrastructure safe and complies with prevailing obligations, but at the same time we must be careful that transparency does not provide an opportunity for nefarious groups or individuals to attack the Council.

Disclosures made under the Freedom of Information Act 2000 are made to the world at large, not just to the individual requesting the information. As such, whilst the Council accepts that most requesters will have a genuine purpose for requesting the information, its disclosure would still increase the vulnerability of the Council’s IT security infrastructure, as it would allow cyber-criminals to identify and exploit weaknesses within the Council’s systems and infrastructure.

For example, if the Council provides information about which security software updates it has recently applied, cyber criminals could infer which known weaknesses remain unpatched and use them to attack the Council. Similarly, information relating to our infrastructure, or to the tools and methods we deploy to keep the Council safe, could identify further weaknesses for cyber criminals to exploit.
The Council’s data is vast and often of a sensitive nature. As such, we must take all necessary steps to ensure that this information remains secure and is suitably protected from unlawful access or loss.

Freedom of Information Act Requests

IT infrastructure and IT security issues

Southampton City Council is frequently asked to supply detailed information about our IT infrastructure and IT security. We are often asked about what technology we deploy, what IT security systems we have in place, the suppliers and versions of our IT security products, how often we update and amend our security, whether we have identified particular issues or vulnerabilities, and what we have done to strengthen our systems.
The Council has considered these issues carefully and we have decided not to disclose this information. This is because we consider the information to be exempt under section 31 of the Freedom of Information Act 2000. Please see the Council’s justification for applying Section 31 below:

Refusal Notice Section 31(1)(a) – Law Enforcement

Section 31(1)(a) provides that a public authority need not disclose information if doing so would, or would be likely to, prejudice the prevention or detection of crime.

Southampton City Council believes that disclosing information about our security systems and infrastructure could allow criminals to identify vulnerabilities within our estate and use this information for targeted attacks. If these attacks were successful, cyber criminals may unlawfully gain access to Council systems containing sensitive personal and commercially confidential data. The Council therefore considers that disclosing these types of information would increase the risk of further criminal offences.

Public Interest Test

Section 31 is a qualified exemption which means we must consider the public interest in disclosure.

Factors in favour of disclosure

  • Evidencing the Council’s transparency and accountability.
  • Reassuring the public and our partners that the Council’s systems are secure.
  • Providing information about how effective our security systems are.

Factors in favour of withholding

  • The public interest in crime prevention.
  • Avoiding disruption to public services.
  • Avoiding the costs associated with any attacks (for example, recovery costs, lost revenue and regulatory fines).
  • Preventing any threat to the integrity of Council data.
  • Ensuring the Council can comply with its duties to take all necessary steps to safeguard data.

The Council is satisfied that the balance of public interest lies in upholding the exemption and not releasing the information.

To provide assurance that Council systems are secure, we are happy to release details of the compliance standards the Council currently meets at the time of any request being submitted.

Malware, ransomware attacks etc.

Southampton City Council is frequently asked to supply information about malware, ransomware and any other previous cyber-attacks. Examples of common questions include whether we have been subjected to any cyber-attacks within a given period, how many there were, whether they succeeded and what actions we have undertaken to protect the Council. We may be asked whether we have been the victim of ransomware, whether attacks were successful, whether we paid ransoms, how often, when, to whom and for how much.

The Council has considered these issues carefully and we have decided that we should “neither confirm, nor deny” whether the requested information is held by the Council. This is because we consider the information to be exempt under section 31 of the Freedom of Information Act 2000.

Please see the Council’s justification for applying Section 31 below:

Refusal Notice Section 31(3) – Law Enforcement

The Council believes that disclosing whether we hold information about cyber-attacks, malware or ransomware may give cyber criminals insight into vulnerabilities within our systems which would pose a threat to our cyber security infrastructure. The Council therefore considers that confirming whether we hold the requested information would, or would be likely to, prejudice the prevention or detection of crime - section 31(1)(a). Therefore, in line with section 31(3), the Council considers that the duty to “confirm or deny” does not arise.

Public Interest Test

Section 31 is a qualified exemption which means we must consider the public interest in disclosure.

Factors in favour of confirming or denying whether we hold relevant information

  • Evidencing the Council’s transparency and accountability.
  • Reassuring the public and our partners that the Council’s systems are secure.
  • Providing information about how effective our security systems are.

Factors against confirming or denying whether we hold relevant information

  • The public interest in crime prevention.
  • Avoiding disruption to public services.
  • Avoiding the costs associated with any attacks (for example, recovery costs, lost revenue and regulatory fines).
  • Preventing any threat to the integrity of Council data.
  • Ensuring the Council can comply with its duties to take all necessary steps to safeguard data.

The Council is satisfied that the balance of public interest lies in upholding the exemption and not releasing the information.

To provide assurance that Council systems are secure, we are happy to release details of the compliance standards the Council currently meets at the time of any request being submitted.

Your Rights

Internal Review

If you are dissatisfied with the handling of your request, you have the right to ask for an internal review. Internal review requests should be submitted within two months of the date of receipt of the response to your original request and should be submitted to dataprotection@southampton.gov.uk.

Please remember to quote your request reference number in any future communications.

Complaint to the Information Commissioner’s Office

If you are not content with the outcome of the internal review, you have the right to apply directly to the Information Commissioner for a decision.

The Information Commissioner can be contacted using the details available at https://ico.org.uk/make-a-complaint/ or by post at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF