DWP Central Freedom of Information Team

e-mail: [DWP request email]

Our Ref: 528

22 April 2009

Dear Mr Metcalfe

Freedom of Information Request - 528/09

Y[Author ID1: at Tue Apr 21 09:41:00 2009 ]y[Author ID1: at Tue Apr 21 09:41:00 2009 ]ou asked for the documentation that describes the fields that are provided by the Jobcentre Plus (JCP) [Author ID1: at Tue Apr 21 09:46:00 2009 ]website interface API by which JCP job listings are displayed on Directgov, as well as on the websites of partners selected by Department for Work and Pensions ([Author ID1: at Tue Apr 21 09:46:00 2009 ]DWP)[Author ID1: at Tue Apr 21 09:46:00 2009 ].

Unfortunately, [Author ID2: at Tue Apr 21 11:12:00 2009 ]Th[Author ID2: at Tue Apr 21 11:12:00 2009 ]is[Author ID2: at Tue Apr 21 11:09:00 2009 ] [Author ID2: at Tue Apr 21 11:12:00 2009 ]information relating to documentation describing [Author ID2: at Tue Apr 21 11:09:00 2009 ]API[Author ID2: at Tue Apr 21 11:11:00 2009 ] fields [Author ID2: at Tue Apr 21 11:09:00 2009 ]is being withheld under the exemption in Section 31 (1) (a) of the Freedom of Information Act. This is being applied because the information, if disclosed, could assist those intent on undermining information security. Disclosure would also prejudice the Department's efforts to protect information in general and personal data in particular, as it could allow the Department's data handling procedures to be exploited for criminal purposes. Section 31 exempts from disclosure information which would or would be likely to prejudice the prevention or detection of crime. I believe that releasing a copy of the documentation that you have requested could facilitate the commission of an offence by rendering the Department's systems vulnerable to attack.

The exemption in Section 31 is a qualified exemption and therefore I have considered the public interest. There is a public interest in understanding that there are robust arrangements in place for the management of information risks, and that the public can have confidence in those arrangements. There is a public interest in maintaining confidence that this Department has policies and procedures in place to deal with threats which may compromise the security of the Department's information.

At the same time, there is a public interest in ensuring that the prevailing particular threats to information are identified, and measures put in place to mitigate those threats, and that they are dealt with appropriately. In most situations, the best interests of those potentially affected will be served by not making these threats - or the strategies and measures which the Department has deployed to address those threats - public. There is also a clear public interest in ensuring that potential vulnerabilities in systems or processes can be addressed without exposing them publicly, and thereby providing an avenue by which those intent on doing harm, or committing illegal acts, might exploit those vulnerabilities.

I have concluded that ensuring that threats to the Department's information can be identified and mitigated without undue media pressure on those potentially affected or involved in developing counter-measures, is in general, of greater public interest. This Department takes very seriously its responsibility as a registered data controller to protect personal data. These obligations are set out in the Seventh Principle of the Data Protection Act. Publication of its detailed measures to address information vulnerabilities is not in the public interest, and will not support the Department's clearly stated responsibilities and the specific obligations as set out in the Act.

You also asked for a list of the bodies which have access to this API, whether they be government departments, agencies or private companies.

You said that `I understand that Jobcentre Plus's website has an interface (API) by which JCP job listings are displayed on Directgov, as well as on the websites of partners selected by DWP.' This is not correct, as we actually have two APIs.[Author ID2: at Tue Apr 21 10:58:00 2009 ]

It may help if we clarify the two [Author ID2: at Tue Apr 21 10:58:00 2009 ]different API'[Author ID2: at Tue Apr 21 10:58:00 2009 ]s we have[Author ID2: at Tue Apr 21 10:58:00 2009 ]involved[Author ID2: at Tue Apr 21 10:58:00 2009 ]:

a) The first is [Author ID2: at Tue Apr 21 10:59:00 2009 ]an API that links JCP [Author ID1: at Tue Apr 21 09:45:00 2009 ]d[Author ID1: at Tue Apr 21 09:47:00 2009 ]JobCentre [Author ID2: at Tue Apr 21 10:59:00 2009 ]C[Author ID2: at Tue Apr 21 10:59:00 2009 ]Plus[Author ID2: at Tue Apr 21 10:59:00 2009 ] data (held in a database that supplies JobCentre Plus systems)[Author ID2: at Tue Apr 21 10:59:00 2009 ] to the Jobs & Skills (J&S) search on Directgov (and that is all it does)[Author ID2: at Tue Apr 21 10:59:00 2009 ] (the “IJB API”)[Author ID2: at Tue Apr 21 11:01:00 2009 ] [Author ID2: at Tue Apr 21 11:04:00 2009 ]; [Author ID2: at Tue Apr 21 10:59:00 2009 ]and[Author ID2: at Tue Apr 21 11:00:00 2009 ]

b) the second being the [Author ID2: at Tue Apr 21 11:00:00 2009 ]and a[Author ID2: at Tue Apr 21 11:00:00 2009 ] Jobs &Skills[Author ID1: at Tue Apr 21 09:44:00 2009 ]J&S[Author ID1: at Tue Apr 21 09:44:00 2009 ] APIs[Author ID2: at Tue Apr 21 11:00:00 2009 ] that link the Direct Gov Jobs & Skills search with [Author ID2: at Tue Apr 21 11:00:00 2009 ]other authorised third party users (the “J&S API”). [Author ID2: at Tue Apr 21 11:01:00 2009 ] can use.[Author ID2: at Tue Apr 21 11:01:00 2009 ]

We have broken down the list of who has access to both APi's below:[Author ID2: at Tue Apr 21 11:01:00 2009 ]

There are no external parties with authorised access to the IJB API.[Author ID2: at Tue Apr 21 11:01:00 2009 ]

Authorised users with access to the [Author ID2: at Tue Apr 21 11:02:00 2009 ]Users of the[Author ID2: at Tue Apr 21 11:02:00 2009 ] Jobs & Skills API are:

Users of the Internet Job Bank [Author ID2: at Tue Apr 21 11:03:00 2009 ](IJB) [Author ID1: at Tue Apr 21 09:49:00 2009 ][Author ID2: at Tue Apr 21 11:03:00 2009 ]API:[Author ID0: at ]

[Author ID2: at Tue Apr 21 11:03:00 2009 ]

In respect of the [Author ID2: at Tue Apr 21 11:03:00 2009 ]IJB API[Author ID2: at Tue Apr 21 11:03:00 2009 ] [Author ID2: at Tue Apr 21 11:03:00 2009 ](and apart Steria Jobs & Skills) [Author ID2: at Tue Apr 21 11:03:00 2009 ]the normal access to the IJB API is:[Author ID0: at ]

If you are not satisfied with my handling of your request and reasons for not giving you all the information, please tell me why within two calendar months of the date of this letter. I will then arrange for someone to conduct an internal review of your request and my handling. The review will be conducted by another officer, usually of a more senior grade to myself. This person will have taken no part in my original decision. You will be advised of their decision in writing.

If you are still not content with the outcome of the internal review you have the right to apply directly to the Information Commissioner to look into the way your request has been handled. Please note that generally the Commissioner cannot make a decision unless you have first exhausted DWP's own complaints procedure. The Commissioner can be contacted at:

FoI Complaints Resolution

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF
Fax: 01625 545 510

email:[email address]

If you have any queries about this letter, please contact me. Please remember to quote the reference number above in any future communications.

Yours sincerely

DWP Central FoI Team