Freely subscribe to our NEWSLETTER

Apricorn has submitted FoI requests to 14 government departments for the past four years and additionally, in 2022, to 27 local authorities. The aim of the research was to establish the state of public sector data security, the number of data breaches/incidents suffered and to ascertain if there had been any progress or improvement made in this area.

33 departments and authorities responded to the FoI requests, but 20 of those referenced one or more section clauses by way of refusing to answer some, or all, of the questions posed.

The Ministry of Justice (MoJ), for example, which previously responded to the FoI requests declined to respond to questions around data and device loss in 2022, noting that they could neither confirm nor deny if the MoJ held the information requested. The clause cited was section 31(3) of the FOIA and Section 31 (1) (a) FOIA (prevention and detection of crime).

Section 31(3) is usually cited when the disclosure of information would expose a department to potential threats of a criminal nature. For example, releasing information about the nature and detail of cyber security measures/processes that a department has put in place may identify areas of potential vulnerability. The information could be exploited by adversaries with hostile intentions, with direct impact on associated security weaknesses and the secure running of departments’ IT estate.

“It is concerning that a government department with the stature of the MoJ was not willing to disclose publicly information regarding the number of breaches it suffered. The fact it declined to do so based on Section 31(3) implies that its cybersecurity processes may not be up to scratch to protect said public data. Surely it would be preferable to be more transparent in order to demonstrate where progress has been made or where changes need to happen?”

A further 11 government departments and authorities referenced section 31 by way of declining to respond to some or all questions. Others cited the cost and time to respond being too high to justify answering the requests. Section 12 of the Act makes provision for public authorities to refuse requests for information where the cost of dealing with them could exceed the appropriate limit, which for central government is set at £600. This represents the estimated cost of one person spending 3.5 working days in determining whether the department holds the information, and locating, retrieving and extracting it.

“If the necessary data security processes are in place in terms of storing and retrieving information, this should be easily accessible and should not be a costly or timely process. If a government organisation cannot easily locate data to disclose and respond to these requests, the public should be questioning both its efficiency and its security. Equally, if departments aren’t able to answer how many data breaches they have suffered, are these being disclosed correctly, or at all? If so, they should be logged and made publicly available.”

In another example, the UK Health Security Agency (UKHSA), in accordance with Section 1(1)(a) of the Act, stated that the information requested was exempt from disclosure in accordance with Section 24 for the purposes of safeguarding national security. It considered this information could pose a threat to the security of UKHSA infrastructure and stated that such information could be considered as the reconnaissance phase from the published 5 or 7 phase Cyber Kill Chain model proposed by Lockheed-Martin back in 2011.

There have been multiple cases over the past two years of government departments refusing or blocking requests for public information. In fact, according to governmental data published in April 2023, records show that less than 40% of FOI requests logged in 2022 were granted in full, with more than half partially or fully withheld.

In 2021, an investigation found that government departments had spent at least half a million pounds since 2016 trying to block the release of information under transparency laws.

Lewisham council also made the headlines in 2022 after it ‘kept hundreds of people in the dark by failing to reply to information requests.’ Whilst two government departments (The Department for International Trade (DIT) and the Department for Business, Energy and Industrial Strategy (BEIS) were also reprimanded by the Information Commissioner’s Office (ICO) for not responding to FoI requests on time.

In 2021, The Clearing House, which circulates details of FoI requests by journalists, campaigners and others around Whitehall and advises on how to respond to them, lost a legal battle to prevent the release of documents about an “Orwellian” unit. They were accused of obstructing the release of material requested by the public under the FoI Act.
Open Democracy secured a tribunal judgement demanding the government release information on the clearing house’s operations because it believed the department was obstructing access to information it was entitled to seek under FoI rules.

“The main purpose of Freedom of Information requests, as cited by the ICO ‘is that people have a right to know about the activities of public authorities, unless there is a good reason for them not to.’ Some of these responses, or lack of response, act as calls for change. The process needs to be managed more effectively by those departments concerned and public data should be made public and easily accessible,” concluded Fielding.