FOI release

SIA processes and plans regarding data protection compliance

Published 2 November 2023

1. Request

  1. Does your organisation use any applications or software to record Record of Processing Activity (ROPA)? If so, please state the product name(s) and version number(s) (if known).

  2. Does your organisation use any applications or software to support preparation for, or maintenance of ISO 27001 and/or ISO 27701 compliance? If so, please state the product name(s) and version number(s) (if known).

  3. Does your organisation use any applications or software associated with data breach management?

  4. Does your organisation use any applications or software associated with Freedom of Information management? If so, please state the product name(s) and version number(s) (if known).

  5. Does your organisation use any applications or software for Policy Management? If so, please state the product name(s) and version number(s) (if known).

  6. Does your organisation use any eLearning for Data Protection and Security Awareness? If so, please state the product name(s) and version number(s) (if known).

  7. Has your organisation reviewed / explored the market regarding the provision of technology which supports the delivery of Information Governance functions? If yes - please specify what actions have been taken. If no - does your organisation have any plans to review / explore this market in the next 3 years?

  8. Has your organisation allocated budget / financial resources regarding the commissioning / procurement of technology which supports the delivery of Information Governance functions? If yes - please specify what actions have been taken. If no - does your organisation have any plans to allocate budget / financial resources in the next 3 years?

  9. Has your organisation developed a business case (outline or otherwise) regarding the commissioning / procurement of technology which supports the delivery of Information Governance functions? If yes - please specify what actions have been taken. If no - does your organisation have any plans to develop a business case in the next 3 years?

  10. Will there be any opportunities to engage with your organisation regarding the commissioning / procurement of technology which supports the delivery of Information Governance function in the next 3 years?

2. Response

I can confirm that the SIA does hold some of this information and some is also exempt from disclosure.

2.1 Question 1

No, the SIA does not use an overarching application or software to record ROPA activities.

2.2 Question 2

No, the SIA does not hold ISO 27001 or ISO 27701 certification. As such, there are no applications in place to support this.

2.3 Question 3

This information is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000. Section 31 of the FOIA relates to law enforcement, and Section 31(3) removes the public authority's duty to confirm or deny whether information is held if to do so would, or would be likely to, prejudice law enforcement.

It is the SIA's view that confirming or denying the possession of information relating to the SIA's data breach management would be likely to compromise the SIA's information security strategies and information relating to data subjects, by giving cyber criminals insight into vulnerabilities which may, or may not, exist.

Although the bona fides of the request may be genuine, FOI responses are public information and are made to the world. Section 31(3) is a qualified exemption; as such, we have gone on to perform a public interest test in order to assess the public interest arguments for and against declaring whether or not the requested information is held.

In applying this exemption, we have had to balance the public interest in withholding the information against the interest in favour of disclosure.

Factors in favour of disclosure:

  • Confirmation of possession would demonstrate a commitment to transparency with regard to the SIA's undertakings and could provide assurance that the SIA has robust IT infrastructure in place to protect data subjects.

Factors in favour of withholding:

  • Maintaining the integrity and security of the SIA's systems.
  • Preventing cyber-attacks and similar against the SIA's systems.
  • Revealing whether or not the information requested is held or applicable to the SIA would be likely to offer cyber criminals insight into not only the strengths of the SIA's security systems but also any potential weaknesses that may exist. This could ultimately result in a future cyber-attack. One of the reasons that security measures are in place is to protect the integrity of personal and sensitive personal information.

It is clear to see how the occurrence of a future cyber-attack would prejudice the SIA’s legal duty to safeguard personal information from loss, theft, inappropriate access, or destruction, which is why Section 31(3) has been employed in this case.

2.4 Question 4

Yes, SharePoint and Microsoft Excel applications.

2.5 Question 5

Yes, NETconsent Policy Management.

2.6 Question 6

Yes, Astute eLearning.

2.7 Question 7

We do have this in place for Microsoft Teams and Microsoft Azure; however, there has been no formal exploration of specific tools that deliver information governance. We do have aiding technologies in place.

2.8 Question 8

No, and there are no plans to allocate budget or financial resources to it in the next 3 years.

2.9 Question 9

No, and there are no plans to develop a business case in the next 3 years.

2.10 Question 10

We publish our contract opportunities on the Government Contracts Finder portal. You can create an account to get email updates and save your searches. You can still search and apply for contracts without an account.

[Reference: FOI 0455]