FI15952
Request
I am conducting a research project into how public sector organisations procure cyber security services and enterprise software platforms. As part of this, I would be grateful if you could provide the most recent contract information you hold for the following areas:
1. Standard Firewall (Network)
Firewall services that protect the organisation’s network from unauthorised access and other internet security threats.
2. Anti-virus Software Application
Programs designed to prevent, detect, and remove viruses, malware, trojans, adware, and related threats.
3. Microsoft Enterprise Agreement
A volume licensing agreement that may include:
- Microsoft 365 (Office, Exchange, SharePoint, Teams)
- Windows Enterprise
- Enterprise Mobility + Security (EMS)
- Azure services (committed or pay-as-you-go)
4. Microsoft Power BI
Or any alternative business intelligence platform used for data connectivity, dashboards, and reporting.
For each of the above areas, I kindly request the following:
- Who is the existing supplier for this contract?
- What is the annual spend for each contract?
- What is the description of the services provided?
- Primary brand (where applicable)
- What is the start date of the contract?
- What is the expiry date of the contract?
- What is the total duration of the contract?
- Who is the responsible contract officer? Please include at least their job title, and where possible, name, contact number, and direct email address
- How many licences or users are included (where applicable)?
Response
The information you have sought is attached to this email.
Information about the Council’s anti-virus software and firewall is considered exempt from disclosure under Section 31(1)(a) of the Freedom of Information Act. The Council does not release information about what IT security systems we have in place, the suppliers and versions of our IT security, how often we update and amend our security, whether we have identified particular issues or vulnerabilities and what we have done to strengthen those. This is because we consider disclosing this information would make the council a target of crime. Therefore, this information is exempt from disclosure under section 31 of the Freedom of Information Act 2000.
Section 31(1)(a) says that we do not need to provide information that would be likely to prejudice the functions of law enforcement - the prevention and detection of crime.
The council believes that releasing this information would increase the likelihood of:
- criminals using the information to target attacks against council systems. For example, knowing when we last updated a security system would allow criminals to know what vulnerabilities existed at that time and target attacks on those. It is important the council does not do anything that would allow personal data it holds to be accessed illegally.
- knowing if the council’s systems do not have particular vulnerabilities will increase the chances of other more vulnerable organisations being targeted by criminals
Public Interest Test
As Section 31 is a qualified exemption we need to consider the public interest test.
Factors in favour of disclosure:
- It would help transparency and accountability of the council
- It would reassure people about whether our systems are vulnerable or not
- It would provide information about how effective our security systems are
Factors in favour of withholding:
- There is an inherent public interest in crime prevention.
- There is public interest in avoiding the costs (financial, distress, inconvenience, publicity, regulatory) associated with any attacks
- There is public interest in preventing any threat to the integrity of council data
- There is public interest in ensuring the council can comply with its duties to take all necessary steps to safeguard data
We believe that the balance of public interest lies in upholding the exemption and not releasing the information.
In addition, details about members of staff are exempt from disclosure under Section 40(2) of the Freedom of Information Act as the Council considers the names and contact details of individual members of staff to be personal data. The names of staff working in public authorities are personal data as defined by Article 4(1) of GDPR and also Section 3 of the Data Protection Act 2018 and the release of this data would contravene the data protection principles. The Digital and Technology Team are responsible and can be contacted at digital@dover.gov.uk, 01304 821199.