Scottish Government - cyber security and social media: FOI release

Information request and response under the Freedom of Information (Scotland) Act 2002.

FOI reference: FOI/19/00804
Date received: 18/03/2019
Date responded: 04/04/2019
Information requested
1. What security rules, codes, protocols, procedures and precautions are taken to ensure that the CIA, GCHQ /Cabinet office are not eavesdropping / spying on staff, officials and ministers in your Department with social media media eg Google, Facebook as a conduit?
2. What summaries / reports does the department have about its cyber security? Please indicate the public facing reports.
3. Has the Department risk assessed the threat posed by social media, especially that owned by foreign corporations and countries and especially US and CIA? What summaries does the department have of this information, including any public facing ones?
4. What social media apps are allowed on the Departments phones and computers? Which are installed?
5. Are Facebook, Google and Twitter apps allowed to be installed and or used on Department computers and mobile phones?
6. Are private, ie individually owned, mobile phones and computers with social media apps installed such as Facebook, Google and Twitter allowed in Department meetings, committees, and in the office environment?
7. If the answer to Qu 5 and Qu 6 are yes, how does the Department stop companies / CIA spying utilising microphones, cameras, and GPS data on those devices?
8. Has the department informed staff of the risk of spying and eavesdropping via social media apps? If so please send a copy of the memo / paper.
9. Has the Department contributed material to the Cabinet Office as part of the cyber security strategy? If so what?
10. Has the Secretary, Ministers or the top 3 civil servants in the Department been briefed about QAnon?
11. If so please indicate the date and the type of recorded information that has been briefed so that any future request may be narrowed down, as per Section 16 of the UK freedom of Information Act and Information Commissioner Guidance.
12. Has the Department any other recorded information on Q / QAnon ? If so please indicate the date and the type of recorded information that has been briefed so that any future request may be narrowed down, as per Section 16 of the UK freedom of Information Act and Information Commissioner Guidance. (If there is a mass of information that will take the request over the time limit, please disregard this question)
Questions 1,7,8,11
While our aim is to provide information whenever possible, in this instance an exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to your request.
Disclosing this information would substantially prejudice our ability to carry out the effective conduct of public affairs.
Providing details about the information you have requested into the public domain could subsequently be used by threat actors, taking into consideration both the external and insider threat, to evade any controls we might or might not have in place. This could therefore enable them to target specific types of attack or data exfiltration methods and would constitute substantial prejudice to the effective conduct of public affairs.
Question 2
The Scottish Government takes all aspects of cyber security seriously and has numerous reports and summaries across this broad subject area.
None of these reports are public facing.
Question 3
Yes, the risk from social media has been assessed.
None of these reports are public facing.
Question 4
Departmenal computers and mobile phones have access to all mainstream social media platforms.
Social media platfroms are not installed on our departmental computers but users have access to these via their internet browser.
Users are permitted to install offical social media on their mobile phones from either the Google Play Store or Apple App Store. We do not have a definitive list of the apps installed.
Question 5
See answer to question 4 above.
Question 6
This is dependant on the classification on the meeting taking place. Guidance is provided to staff on whether it is appropriate for mobile phone and computers to be present in certain environments.
Question 9
The Scotish Government worked with the UK Government, including the Cabinet Office, to ensure appropriate alignment between Scotland’s 2015 cyber resilience strategy (“Safe, Secure and Prosperous”) and the UK’s National Cyber Security Strategy.
The Scottish Government has since published five action plans, available at, aimed at increasing Scotland’s cyber resilience. These action plans, which support the Scottish and UK strategies, cover the areas of learning and skills, public, private and third sector cyber resilience, and economic opportunity.
The UK National Cyber Security Centre and UK Cabinet Office were consulted during the development of the action plans, including by the provision of drafts for comment and advice, and have been updated regularly on progress during their implementation.
Question 10
Scottish Government’s Ministers, Permanent Secretary and Executive Team have had, and continue to have, a number of briefings related to cyber security threats, issues and actors. Cyber Security also features heavily on the agenda for our corporate Audit & Assurance Committee, on which all members of the Executive team sit. There has been no specific focus on QAnon.
Question 12
As per section 12 of FOISA we are unable to provide this information as it is estimated that the cost of locating, retrieving and providing the information requested under this question would exceed the £600 upper cost limit.
About FOI
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at


Please quote the FOI reference
Central Enquiry Unit 
Phone: 0300 244 4000

The Scottish Government 
St Andrew's House 
Regent Road 

Back to top