FOI reference: FOI-92
Date: 14 February 2023
Request
You have requested the following information:
- Who provides your WAN and internet connectivity and the annual spend on each?
- Who provides your SIP trunks and what is the annual spend?
- Who provides your WAN services, is this MPLS, SD WAN or Internet, and what is the annual spend?
- Who provides your LAN infrastructure and what is your annual spend?
- Who provides your WIFI infrastructure and what is your annual spend?
- Please confirm the manufacturer(s) of your wired network core and edge switching?
- When was your core network installed?
- Has it been updated subsequently?
- Who maintains your core network?
- When is the contract renewal date?
- Please confirm value of the initial project?
- Please confirm the value of annual support/maintenance services (in £)?
Response
I can confirm that we hold information falling within scope of your request.
Information we are able to supply
- Connectivity only via Datrix Limited (acquired by AdEPT). Cost £43k per year.
- We do not have SIP trunks.
- Please see response ‘a’ above.
- In-house.
- In-house.
- See 'Information we are not able to supply' below.
- Currently undergoing replacement.
- Currently undergoing replacement.
- In-house.
- Not applicable.
- Not applicable.
- Not applicable.
Information we are not able to supply
I can confirm that we hold the information you have requested. However, it is exempt from disclosure under section 31(1)(g) and (2)(b)–(c) of the FoIA.
Section 31(1)(g) and (2)(b)–(c) provides that:
“Information which is not exempt information by virtue of section 30 is exempt information if its disclosure under this Act would, or would be likely to, prejudice–
(1)(g) the exercise by any public authority of its functions for any of the purposes specified in subsection (2).
(2)(b) the purpose of ascertaining whether any person is responsible for any conduct which is improper,
(2)(c) the purpose of ascertaining whether circumstances which would justify regulatory action in pursuance of any enactment exist or may arise.”
Our objectives under section 5 of the Pensions Act 2004 include the protection of members’ benefits under occupational and personal pension schemes; to reduce the risk of circumstances arising in which claims may be made on the Pension Protection Fund; and to promote and improve the understanding and good administration of work-based pension schemes.
In exercising our functions with this objective in mind we conduct investigations, obtain advice and launch formal action. Releasing to the public at large details of our systems used to facilitate our investigations and other regulatory/enforcement work is not in the public interest as it could enable persons to take undue advantage of this information to try and disrupt our ability to perform our statutory functions either to evade regulatory action or just maliciously. Disclosure would have an adverse effect on our ability to effectively carry out our statutory duties. This would not be in the interest of schemes or their members.
There is a causal link between disclosure of IT security information and the risk to the security of TPR’s IT systems, as it is likely to be the case that there are those who would seek to maliciously or criminally interfere with data security systems in order to gain access to confidential data, disrupt operations or extract a ransom. Disclosure of certain IT security information is likely to facilitate this and there is therefore a causal link between disclosure and the nature of the prejudice meaning the exemption is engaged.
Hackers and other malicious parties may draw on information gathered from a wide range of sources to derive information about an organisation’s cyber security arrangements and resilience. Details of successful attacks, for example, can provide useful confirmation to malicious third parties about which of their methods have been successful. In some cases, a confirmation that information is not held might also lead to a conclusion that the institution is not operating what may reasonably be considered good practice (whether or not that is the case from an internal perspective).
Malicious actors are highly motivated and may go to great lengths to gather intelligence. Therefore, although seemingly harmless, confirming or denying or alternatively disclosing this type of information may assist malicious actors when pieced together with existing or prospectively available information, whether gathered lawfully or not.
The exemption at section 31(1)(g) of the FoIA is a qualified exemption which requires a public interest test to be carried out. The ‘public interest’ means the ‘public good’ and not just what is of interest to the public or the private interests of particular requesters.
We recognise the general public interest in promoting transparency, accountability and public understanding in how we carry out our functions. We also acknowledge the public interest in knowing that we manage our data responsibly and that this is protected by appropriate security.
The public interest summarised above needs to be weighed against what the ICO has referred to as the “stronger public interest” and “the substantial public interest” inherent in the exemption, for example, in not undermining confidence in government ICT systems by revealing information that would be useful to malicious actors intent on causing criminal damage to public bodies. There is also a risk that disclosing the information would provide valuable information to those wishing to launch a cyberattack, for example by building up a picture of the body’s capability and capacity in this area or indicating where to focus efforts when targeting IT systems.
Confirming or denying whether the body holds the information would be likely to assist those wanting to attack the IT systems. It would enable attackers to determine whether their actions had gone undetected and could compromise the measures in place to protect its systems, leaving them vulnerable to attack. Confirming whether an incident had or had not taken place may assist someone in determining how effective the body is at detecting and defending against such attacks.
The ICO has also recognised regarding UK GDPR compliance that through keeping sensitive commercial information and personal data secure against attacks on the network there is a strong public interest in maintaining the security of confidential data and not increasing the vulnerability of security systems to criminal activity.
In conclusion, I do not consider there is a public interest to be served in disclosing the information requested considering the risks and likely prejudice identified. I consider the public interest in disclosing the information you have requested is outweighed by the public interest in maintaining the exemption under section 31(1)(g).