- 5 Aug 2019
Date received: 16 Jul 2019
Date responded: 1 Aug 2019
You asked for: Under FOISA please provide all IT Health Check reports supplied under the IT Health Checks for Social Security Scotland contract.
While our aim is to provide information whenever possible, in this instance we are unable to provide it because exemptions under sections 30(c) and 33(1)(b) of FOISA apply to that information. The reasons why those exemptions apply are explained in the Annex to this letter.
Reasons for not providing information - Annex
Section 30(c) – substantial prejudice to the effective conduct of public affairs
An exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to all of the information requested. Disclosing this information would substantially prejudice our ability to carry out the effective conduct of public affairs.
Releasing details of the information you have requested into the public domain could aid cyber attackers in understanding significantly more about the defences we have in place to protect our organisation against malicious cyber activity. It could be used as intelligence to craft attacks against specific technologies that we use that would be visible in the reports, or indeed to evade any protective monitoring we may have in place.
In addition, the information could be used to determine the methodologies that we, or our commercial partners, use for assessing the security of our systems, allowing attackers to focus their efforts around those methodologies and potentially increasing their chances of a successful attack. This could therefore enable them to craft specific types of attack or data exfiltration methods which, if successful, would constitute substantial prejudice to the effective conduct of public affairs and an increased risk to citizen information.
This exemption is subject to the ‘public interest test’. Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. We recognise that there is a public interest in disclosing information as part of open, transparent and accountable government. However, there is a greater public interest in protecting the process of releasing this information and ensuring that the Scottish Government is able to conduct this aspect of its business effectively.
Section 33(1)(b) – commercial interests
An exemption under section 33(1)(b) of FOISA (commercial interests) applies to all of the information requested. This exemption applies because disclosure of this particular information would, or would be likely to, prejudice substantially the commercial interests of the companies. Disclosing this information would be likely to give the company’s competitors an advantage in future similar tendering exercises by providing information submitted in confidence which explains the techniques and methodologies used to conduct their business, in this case security testing, which could include details of perceived unique selling points. Releasing this information would substantially prejudice the company’s ability to submit competitive tenders and so could significantly harm their commercial business.
This exemption is subject to the ‘public interest test’. Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. We recognise that there is a public interest in disclosing information as part of open and transparent government, and to help account for the expenditure of public money. However, there is a greater public interest in protecting the commercial interests of companies which tender for, or enter into, Scottish Government contracts, to ensure that we are always able to obtain the best value for public money.
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.
Please quote the FOI reference
Central Enquiry Unit
Phone: 0300 244 4000
The Scottish Government
St Andrews House