Publication - FOI/EIR release

National Cyber Resilience Leaders Board and Advisory Board minutes: FOI release

Published: 14 October 2021
Directorate: Safer Communities Directorate
Part of: Public sector
FOI reference: FOI/202100233141
Date received: 24 August 2021
Date responded: 21 September 2021

Information request and response under the Freedom of Information (Scotland) Act 2002

Information requested

1. Can you tell me how much funding has been provided to the Scottish Business Resilience Centre by the Scottish Government over the past 7 years please?

2. Can you provide me with the minutes of the National Cyber Resilience Leaders Board and the National Cyber Resilience Advisory Board for the past 5 years please?

Response

In response to the first part of your request, the Scottish Business Resilience Centre has received a total of £2,919,124.47 grant funding from the Scottish Government over the past 7 years.

In response to the second part of your request, I attach minutes from the meetings of the National Cyber Resilience Leadership Board on 7 September 2016, 8 December 2016, 1 March 2017, 9 May 2017, 16 May 2017, 10 July 2017, 5 September 2017, 19 December 2017, 24 April 2018, 27 June 2018, 11 December 2018, 27 March 2019 and 18 June 2019 (13 documents), and the minutes from the meetings of the National Cyber Resilience Advisory Board on 17 September 2019, 10 December 2019, 10 March 2020, 9 June 2020, 15 September 2020, 8 December 2020, 9 March 2021 and 8 June 2021 (8 documents).

While our aim is to provide information whenever possible, in this instance we are unable to provide some of the information you have requested because exemptions under sections 31(1) (national security and defence), 36(2) (confidentiality) and 38(1)(b) (personal information) of FOISA apply to that information. The reasons why those exemptions apply are explained below.

An exemption under section 31(1) was applied in the minutes from the meeting on 8 June 2021 (page 4, paragraph 5). This section prevents disclosure of information that safeguards national security. The Scottish Government considers the balance of public interest against the national security, and we are not able to disclose details of the plans in this instance.

This exemption is subject to the ‘public interest test’. Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. We recognise that there is some public interest in release because of the public expecting the public sector to be cyber secure. We are open about the national exercising taking place and remain committed to it under our Strategic Framework for a Cyber Resilient Scotland. However, this is outweighed by the public interest in protecting national security. In advance of the exercise, only a very limited number of people within the Scottish Government, including Ministers, are aware of the exercise’s details - as this knowledge could be exploited by criminal actors.

An exemption under section 36(2) was applied in the minutes from the meeting on 8 December 2020 (page 1, agenda point 2, paragraph 2). This section prevents disclosure of information that was obtained by a Scottish public authority and disclosing it would constitute an actionable breach of confidence. The Scottish Government considers the balance of public interest against the confidentiality that the other public bodies we work with expect from us and rely on to share certain operational details, and we are not able to disclose the redacted sentence in this instance. This exemption is not subject to the ‘public interest test’.

An exemption under section 38(1)(b) of FOISA was applied across all the minutes in multiple places. This section prevents disclosure of personal information, such as names, of third parties. The Scottish Government considers the balance of public interest against the rights of individuals to privacy and we are not able to share the information that is personal information relating to individuals who are not Senior Civil Servants or at an equivalent executive level in other public bodies, or have not publicly acknowledged their Board membership. This exemption is not subject to the ‘public interest test’.

An exemption under section 31(1) of FOISA was applied across all the minutes in multiple places. This section prevents disclosure of information that safeguards national security. The Scottish Government considers the balance of public interest against the national security, and we are not able to disclose names of two officials with roles in the UK National Cyber Security Centre (part of the Government Communications Headquarters, GCHQ) in this instance.

This exemption is subject to the ‘public interest test’. Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. We recognise that there is some public interest in release because of the public expecting to know who sits on and participates in the works of the National Cyber Resilience Advisory Board (formerly the National Cyber Resilience Leadership Board) as well as in maintaining the overall expectations of the transparency and openness that surrounds the public sector. However, this is outweighed by the public interest in protecting the national security and protecting the identity of national cyber security officials working at the NCSC and GCHQ. Furthermore, the National Cyber Resilience Advisory Board is not a board within a public appointment system.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.