FOI release

Hardware and software used by the Security Industry Authority

Published 20 July 2023

1. Request

Under the Freedom of Information Act, I would request you to respond to the questions included in the attachment.

2. Response

I can confirm that the SIA does hold the information you have requested in respect of questions 1, 2 and 4 only. Answers to these questions have been provided in the attached spreadsheet as requested.

In respect of question 3, this information is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000. Section 31 of the FOIA relates to Law Enforcement, and section 31(3) removes the public authority’s duty to confirm or deny whether information is held if to do so would or would be likely to prejudice law enforcement.

It is the SIA’s view that the confirmation or denial of the possession of information relating to the SIA’s security systems would be likely to compromise the SIA’s information security strategies by giving cyber criminals insight into vulnerabilities which may, or may not, exist.

Although the bona fides of the request may be genuine, FOI responses are public information and are made to the world. Section 31(3) is a qualified exemption; as such, we have gone on to perform a public interest test in order to assess the public interest arguments for and against declaring whether or not the requested information is held.

In applying this exemption, we have had to balance the public interest in withholding the information against the interest in favour of disclosure.

Factors in favour of disclosure:

  • Confirmation of possession would demonstrate a commitment to transparency with regard to the SIA’s undertakings, and could provide assurance that the SIA has robust IT infrastructures in place.

Factors in favour of withholding:

  • Maintaining the integrity and security of the SIA’s systems.
  • Preventing cyber-attacks and similar against the SIA’s systems.
  • Revealing whether or not the information requested is held or applicable to the SIA would be likely to offer cyber criminals insight into not only the strengths of the SIA’s cyber security but also any potential weaknesses that may exist. This could ultimately result in a future cyber-attack. One of the reasons that cyber security measures are in place is to protect the integrity of personal and sensitive personal information.
  • It is clear to see how the occurrence of a future cyber-attack would prejudice the SIA’s legal duty to safeguard personal information from loss, theft, inappropriate access, or destruction, which is why Section 31 has been employed in this case.

On balance the public interest in maintaining the exemption outweighs that in confirming or denying whether information is held and therefore the SIA neither confirms nor denies whether this information is held. In all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

[Reference: FOI 0426]