News story

SSRO handling of commercially sensitive information

Statement on SSRO handling of commercially sensitive information

The Single Source Regulations Office (SSRO) was established by the Defence Reform Act 2014 (the Act) to be an independent arms-length expert and adjudicator on Ministry of Defence (MOD) single source defence procurement. Its mandate is to ensure that good value for money is obtained in government expenditure on qualifying defence contracts and that a fair and reasonable price is paid to the parties to those contracts.

To achieve these aims, the Act and the related Single Source Contract Regulations 2014 (the Regulations) which came into force on 18 December 2014, require that the SSRO be provided with the standard suite of reports described in Parts 5 and 6 of the Regulations for qualifying defence contracts and qualifying subcontracts.

The SSRO will also receive confidential and commercially sensitive information in accordance with the SSRO referrals procedure for referred matters from either a contractor or MOD under the Act and Regulations. The SSRO may also receive confidential and commercially sensitive information outside this formal referrals procedure as part of its interaction with industry and MOD stakeholders.

This statement is in response to comments made by industry stakeholders. It sets out how the SSRO handles the confidential and commercially sensitive information it receives and how it responds to obligations under the Freedom of Information Act 2000.

Confidential and commercially sensitive information

Schedule 5 of the Act and Part 10 of the Regulations make unauthorised disclosures of the information above a criminal offence. A person committing an offence will be liable to imprisonment or a fine or both. Under the terms and conditions of employment on joining the SSRO, employees commit to strict obligations for the protection of confidential information received during the course of their employment. In particular, they are expressly reminded that unauthorised disclosures of information under Schedule 5 of the Act and Part 10 of the Regulations is a criminal offence and are required to familiarise themselves with the relevant sections of the Act and Regulations.

The SSRO has in place policies and procedures for the declaration of interests. In its Corporate Governance Framework, the SSRO sets out the conduct expected of members and staff and prohibits them from using information gained in the course of their duty for personal gain. We require the same standards and conduct of our SSRO Referrals Committee panel members.

Non-executive members of the SSRO’s Board are appointed by the Secretary of State in accordance with Schedule 4 of the Defence Reform Act. The terms and conditions of appointment require compliance with the SSRO Code of Conduct for Board Members, which prevents the use, copying or disclosure of confidential information. The latter term is broadly defined in the Code of Conduct and includes anything marked “confidential”. Members may be removed from office for misconduct, which would include a breach of the Code of Conduct.

Committee members who are neither Board members nor employees are appointed by the SSRO pursuant to paragraph 11 of Schedule 4 to the Defence Reform Act. Committee members are subject to an obligation that all information acquired during their appointment with the SSRO is confidential and should not be released, communicated or disclosed to third parties. The SSRO may terminate the appointment of a committee member who commits a breach of his or her obligations.

The Code of Conduct for Board members similarly expressly prohibits members from using information gained in the course of public service for personal gain or using the opportunity to promote their own private interests. Board members are reminded that any breach of these obligations may be a criminal offence under insider dealing legislation. SSRO Referral Committee panel members must also adhere to these standards and conduct.

The SSRO has strict policies and procedures relating to information security. All users of SSRO equipment are required to help protect the information held on them and breaches will result in disciplinary action being taken. SSRO equipment may only be used by users approved and trained to use them, and only for those purposes and in accordance with SSRO policies. Strict controls are in place to govern the use of SSRO equipment and to protect when equipment is not in use. Compliance is monitored by the SSRO for prohibited or unauthorised use.

Commercially sensitive information is ring-fenced within the SSRO and in its secure data handling system. Government security classifications are applied and access is strictly limited on a need to know basis to the smallest number of dedicated employees and Board members necessary for the performance of SSRO statutory functions. All software, applications and information technology support purchased or subscribed to by the SSRO is required to comply with industry best practice security levels and is subject to security classification and access controls. Users are appropriately trained and are required to comply with SSRO handling instructions.

Where appropriate the SSRO will seek accreditation against relevant security standards and will publish the results on its website.

The SSRO has arrangements in place for dealing with government classified information developed in line with HMG Security Policy Framework, the Government Security Classification and CESG Cloud Security Principles.

The SSRO will also require any third parties engaged to provide services to the SSRO to adhere to the same standards and procedures in the handling and treatment of any confidential and commercially sensitive information the SSRO receives and that it is necessary for the third party to access in the course of providing services to the SSRO. Information security is a key consideration when the SSRO carries out procurement and providers are required by contract to comply with appropriate security conditions. The Defence Contracts Analysis and Reporting System (DefCARS) received full security accreditation from the MOD on 30 September 2015.

Freedom of information Act 2000

As expressly provided at paragraph 21 of Schedule 4 to the Act, the SSRO is subject to the Freedom of Information Act 2000 (FOIA). As such, the public may request to see information held by the SSRO.

While the SSRO advocates transparency in its activities and operations, it is mindful of the commercial sensitivity of the information it receives from contractors and the MOD in furtherance of its statutory functions. For the SSRO to succeed in its mandate, it is paramount that it both merits and maintains the confidence of its stakeholders. The SSRO will rely on relevant exemptions under the FOIA as necessary in order to deny inappropriate disclosures. In particular, Section 41 of the FOIA provides an absolute exemption in respect of information supplied and held under a legal duty of confidence. In addition, Section 43 provides a qualified exemption (subject to a public interest test) in respect of trade secrets and other commercially sensitive information where disclosure is likely to prejudice the interests of any person.

An equitable obligation of confidence (and therefore an exemption to the FOIA) may apply where information has the necessary quality of confidence and is provided in circumstances importing an obligation of confidence. A contractor may specify why it considers information submitted to the SSRO to be confidential and state in its request that it should be treated as such by the SSRO. We would give due weight to the contractor’s explanation and request for confidentiality when handling the information. Contractors should note, however, that information required by the Act and Regulations must be handled by the SSRO in accordance with the relevant legislative provisions.

In instances where the SSRO is subject to the FOIA and must deal with requests for information in accordance with the requirements of that Act, and to the extent permitted by the time for compliance under the FOIA, the SSRO shall consult the contractor where the SSRO is considering the disclosure of information under the Act which the contractor has provided to the SSRO under Part 2 of the Defence Reform Act 2014 and Single Source Contract Regulations 2014. The SSRO shall provide prior notification to the contractor of any decision to disclose information under the FOIA. Any representations on disclosure made by the contractor during consultation may not be determinative and the decision whether to disclose information in order to comply with the FOIA is a matter in which the SSRO shall exercise its own discretion, subjects always to the provisions of the FOIA.

The SSRO is confident that the exemptions to the FOIA, as well as our commitment to consult with contractors prior to the disclosure of any information under the FOIA, are sufficient to protect the confidential and commercially sensitive information it holds and will defend that position by any means necessary if required.

The SSRO holds its employees and officeholders to the highest standards of professional conduct and integrity at all times. It is mindful of the responsibility that the performance of its functions under the Act and Regulations carries. The interests of its stakeholders are paramount and appropriate policies, procedures and controls are in place and are monitored and reviewed in order to ensure that is and remains the case.