
DWP Central Freedom of
Information Team
Caxton House
6-12 Tothill Street
London
SW1H 9NA
Ryan Jarvis
freedom-of-information-
xxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxxxxx.xxx
xxxxxxx@xxx.xxx.xx
DWP Website
Our Ref: FOI2022/97449
21 December 2022
Dear Ryan Jarvis,
Thank you for your Freedom of Information (FoI) request received on 6 December. You
wrote:
“I am writing to respectfully make a formal request in accordance with the Freedom of
Information Act 2000.
The privacy of emails sent via the @dwp.gov.uk domain is at risk. This domain does not
appear to have MTA-STS configured. This means that email privacy (using TLS) is
vulnerable to downgrade, allowing an attacker to read the contents of emails.
My request is as follows:-
1. Please can the department confirm why it has opted not to use MTA-STS as a
potential CySec safeguard when communicating via email on the @dwp.gov.uk domain
name?
2. Please can the department provide disclosure of its email security classifications
policy.
3. Please can the department provide disclosure of the number of security incident
reports made internally and/or externally which relate to concerns surrounding email
security between the period May 2018 - May 2022.”
DWP Response
With regards to your first question, the Department may hold the information that you have
requested. However, the Department would withhold any information on the basis of the
provisions contained in Sections 31 and 24 of the Freedom of Information Act (“the Act”),
which covers the prevention of crime, and national security respectively. Section 31 and 24
are qualified exemptions, and as such, a public interest test needs to be applied. While there
is a legitimate public interest in knowing what types and versions of software the Department
uses, it is not in the public interest for the Department to provide details of these as this
would help to enable individuals to target the Department by means of electronic attack.
Confirming what types and versions are used, particularly concerning the software systems in
use, would assist an individual in testing the effectiveness of the Department’s defences
against such attacks. This is not in the public interest.
With regards to your second question, we can confirm that the Department holds this
information. However, the information is exempt under Section 21 of the Freedom of
Information Act because the information is reasonably accessible to you, as it is already in
the public domain.
However, to be helpful you can find the information you seek in the following links
DWP email policy (publishing.service.gov.uk)
DWP Security Classification Policy (publishing.service.gov.uk)
With regards to your third question, we do hold the information for the period of May 2018 to
31st March 2019 however we did not have a security incident category for email disclosures
at this time so locating, retrieving and extracting this information along with the following
years data would exceed the cost limit of £600 specified in the Freedom of Information and
Data Protection (Appropriate Limit and Fees) Regulations 2004.
We do hold the information for the period 1st April 2019 - 31st March 2020, however the
category used during this time was for both email and written disclosures and we are unable
to break down the figures for email only. There were 835 security incidents relating to email
and written (such as postal) during this time.
We do hold the information for the period 1st April 2020 - 31st May 2022 and the number of
disclosures relating to email is broken down into years below;
01/04/2020 – 31/03/2021 = 175
01/04/2021 – 31/03/2022 = 206
01/04/2022 – 31/05/2022 = 38
The above figures are the number of incidents we have recorded as “External Disclosures –
Email” which we believe most accurately answers your query.
Yours sincerely,
DWP Central Freedom of Information Team
Department for Work and Pensions
----------------------------------------------------------------------------------------------------------------------------
Your right to complain under the Freedom of Information Act
If you are not happy with this response you may request an internal review by e-mailing
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@xxx.xxx.xx or by writing to: DWP Central FoI Team, Caxton
House, 6-12 Tothill Street, London, SW1H 9NA.
Any review request should be submitted within two months of the date of this letter.
If you are not content with the outcome of the internal review you may apply directly to the
Information Commissioner’s Office for a decision. Generally, the Commissioner cannot make
a decision unless you have exhausted our own complaints procedure. The Information
Commissioner can be contacted at: The Information Commissioner’s Office, Wycliffe House,
Water Lane, Wilmslow, Cheshire SK9 5AF.
Website:
ICO FOI and EIR complaints or telephone 0303 123 1113.