IT Support Services

The request was refused by Isle of Anglesey County Council.

Dear Isle of Anglesey Council,

Please pass this on to the person who conducts Freedom of Information reviews.

I would like to request the following breakdown of the Council's hardware maintenance and costs:

A list of the models of the physical servers, storage devices, tape libraries, network switches and routers under support contracts; as well as the cost and duration of said contracts, with start and end dates and service level associated with the equipment. Could you also supply the names of the suppliers of aforementioned support services?

I would also request the name of the person/s in your organisation responsible for the maintenance support contracts.

Yours faithfully,

John Wicker

LEGA LPOLICY CYFRAITH POLISI,

Thank you for your recent request for information held by Isle of Anglesey
County Council.   For your information, this is not an automatically
generated response.
 
In accordance with the Freedom of Information Act 2000 and the
Environmental Information Regulations 2004, we aim to respond to your
request within 20 working days.  
 
Regards
Beryl Jones

>>> John Wicker <[FOI #102122 email]> 25/01/2012
16:13 >>>
     Dear Isle of Anglesey Council,
    
     Please pass this on to the person who conducts Freedom of
     Information reviews.
    
     I would like to request the following breakdown of the Council's
     hardware maintenance and costs:
    
     A list of the models of the physical servers, storage devices, tape
     libraries, network switches and routers under support contracts; as
     well as the cost and duration of said contracts, with start and end
     dates and service level associated with the equipment. Could you
     also supply the names of the suppliers of aforementioned support
     services?
    
     I would also request the name of the person/s in your organisation
     responsible for the maintenance support contracts.
    
     Yours faithfully,
    
     John Wicker
    
     -------------------------------------------------------------------
    
     Please use this email address for all replies to this request:
     [FOI #102122 email]
    
     Is [email address] the wrong address for Freedom of
     Information requests to Isle of Anglesey Council? If so, please
     contact us using this form:
     [1]http://www.whatdotheyknow.com/help/contact
    
     Disclaimer: This message and any reply that you make will be
     published on the internet. Our privacy and copyright policies:
     [2]http://www.whatdotheyknow.com/help/offic...
    
     If you find this service useful as an FOI officer, please ask your
     web manager to link to us from your organisation's FOI page.
    
    
    

show quoted sections

Our Ref: LJEFI/TrackIT25007

Dear Mr. Wicker,

 

I refer to your email dated 25/01/2012 which asked for information
relating to ICT contracts under the terms of the Freedom of Information
Act 2000 (FoIA).  For clarity purposes I have summarised your request
below;

 

“[Please supply] a list of the models of the physical servers, storage
devices, tape libraries, network switches and routers under support
contracts; as well as the cost and duration of said contracts, with start
and end dates and service level associated with the equipment. Could you
also supply the names of the suppliers of aforementioned support
services?  I would also request the name of the person/s in your
organisation responsible for the maintenance support contracts.”

 

Having reviewed your request, I consider that the information is exempt
from disclosure under sections 31 (1)(a),  31 (1)(d)  and 43 (2) of FoIA;

 

Exemptions under Section 31 (1)(a) & Section 31 (1)(d)

 

The exemptions under Section 31(1)(a) and 31(1)(d) state that;

 

“[information] is exempt information if its disclosure under this Act
would, or would be likely to, prejudice;

 

(a) the prevention or detection of crime

(d) the assessment or collection of any tax or duty or of any imposition
of a similar nature”

 

The Isle of Anglesey County Council is connected to the Government Secure
Extranet (GCSx) which allows the Revenues and Benefits section to securely
exchange sensitive personal data with the Department and Work and Pensions
(DWP).  A condition of the Council’s connection to GCSx is that it abides
to a stringent set of security control standards referred to as the Code
of Connection, or CoCo. 

 

Requirement 12.1 of CoCo states that the Council must ensure “measures are
put in place to minimise the details of the internal network structure,
components and security tools and techniques that are passed outside of
the organisation”. 

 

As information disclosed under FoIA is essentially disclosed to the world
at large, it is my view that disclosure of the information you request
would be a breach of the network obfuscation requirements mandated by
Required 12.1 of CoCo. 

 

Failure to comply with the GCSx CoCo would result in the Council’s
disconnection from the GCSx, with the consequence that the Council would
no longer be privy to information held by the DWP.  The inability to share
information with the DWP would seriously compromise the authority’s
ability to effectively collect revenue in the form of Council Tax and its
ability to detect and prosecute fraudulent benefit claimants.  It is this
which I believe qualifies the requested information under the Section 31
(1)(a) & (1)(d) exemptions.

 

In addition to the above, it is also my opinion that the disclosure of
information relating to the makeup of the Council’s ICT Infrastructure
into the public domain could aid a would-be cyber criminal in mounting an
attack on the Council’s ICT systems and undermine the steps which the
Council has taken to protect the security of its systems, information
assets and the personal information of its citizens. 

 

It is for this reason that I believe that the information is further
qualified for exemption under Section 31(1)(a) of FoIA “the prevention or
detection of crime “ in order to prevent the Council being targeted by
criminals who engage in malicious activity covered by legislation such as
the Computer Misuse Act 1990. 

 

When considering the possibility of the Council falling victim to a
successful cyber-attack I am mindful that the theft or disclosure of
sensitive personal data held by the Council could also result in the
Council being in breach of its responsibilities under the Data Protection
Act 1998, namely the 7^th Data Protection Principle;

 

“Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against
accidental loss or destruction of, or damage to, personal data.”

 

As of January 2010, the Information Commissioner (ICO) has the power to
issue fines of up to £500,000 where a breach of data has occurred and it
is felt by the commissioner that the data controller has not sufficiently
met their responsibility to protect sensitive personal data.  I believe
that the disclosure of details of the network infrastructure on which
sensitive personal data is stored could not be considered to be taking
“appropriate technical … measures … against unauthorised or unlawful
processing … or destruction” and should a future data breach be aided by
the information disclosed as part of this request the Council would be at
serious risk of being prosecuted and fined.

 

Exemption under Section 43 (2)

 

The exemption under Section 43 (2) states that;

 

“Information is exempt information if its disclosure under this Act would,
or would be likely to, prejudice the commercial interests of any person
(including the public authority holding it).”

It is my belief that releasing details of the amounts spent on ICT
contracts could indicate to current, and potential future suppliers a
baseline amount at which to base future tender bids, providing them with a
bargaining tool which would undermine the authority’s ability to maintain
an even handed negotiating position and prevent it fulfilling its Best
Value duty under the Local Government Act 1999.

 

Disclosing details of ICT contracts currently in place into the public
domain could have a direct impact on the ability of the current suppliers
to compete on a “level playing field” when the current contracts come to
be re-tendered.  Disclosure of such information by this authority and
others could allow competitors to work out the pricing methodology used
and to gain an unfair advantage in tendering situations.  It is my view
that disclosing the values of contracts held by each supplier could
prejudice the supplier’s commercial interests to the point where they
could be discouraged from entering into future tender processes with the
Council, threatening the ability of the Council to obtain the best price
from the market.

 

Public Interest Test

 

The exemptions considered above are not absolute and are subject to a
Public Interest Test (PIT) which considers the balance of public interest
in favour of disclosure against the interest in maintaining the exemptions
from disclosure.  I have summarised below the factors considered in
deciding upon where the public interest lies with regard to this request.

 

For disclosure

 

-       There is great public interest in transparency of how public money
has been spent, particularly at a time where public spending is under
constant scrutiny and debate.

 

-       There is public interest in providing transparency in decision
making in how the authority has followed procurement and tendering
procedures.

 

Against

 

-       The consequences of a cyber-attack aided by the disclosure of this
information could seriously disrupt the Council’s ability to provide core
services on which the public rely upon.

 

-       The Council has a duty to protect the sensitive personal data of
its citizens and it is in the public interest that the authority
undertakes to maintain the integrity and security of the infrastructure on
which that data sits.  A breach in the security of this data could result
in a catastrophic fine being levied on the Council; something I do not
believe is in interest of Anglesey ratepayers.

 

-       It is in the public interest that the commercial activities of
private contractors are not caused prejudice, particularly when some
suppliers may be active in the local economy and employ local people.

 

-       The public has a great interest in the local authority being able
to effectively collect revenue and detect fraud.  Failure to comply with
CoCo and disclosing details of the Council’s ICT network would result in
disconnection from the GCSx and would undermine its ability to do this.

 

-       The public has an interest in the Council achieving value for
money when tendering for contracts and services.  It is important that
potential suppliers are not discouraged from tendering for Council
contracts because the details of their successful bid will potentially be
disclosed to competitors and the world at large.

 

Having considered the public interest both for, and against disclosure of
the information you have requested I have concluded that the overall
public interest lies in maintaining the exemptions outlined above and
non-disclosure of the information.

 

In considering your request for the contact details for persons
responsible for ICT contracts within Council I would inform you that the
Council takes its responsibility under the FoIA seriously and it also
recognises that the individuals whose details you have requested have
rights under the Data Protection Act 1998.  Significantly, the individuals
have a right to object to direct marketing under Section 10 of the Data
Protection Act.  In this regard, could you please advise us on how the
individuals could exercise their statutory rights.

 

If you are dissatisfied with any aspect of this response to your request
for information, and / or the decision made to withhold information, you
may ask for an internal review. Please address your correspondence to the
Customer Care Officer, Legal Services, Council Offices, Llangefni, Ynys
Môn LL77 7TW (E-mail: [1][email address])

If you are not content with the outcome of any internal review you have
the right to apply directly to the Information Commissioner, Wycliffe
House, Water Lane, Wilmslow SK9 5AF. Please note that the Information
Commissioner is likely to expect internal review procedures to have been
exhausted before beginning his investigation.

 

Yours sincerely

 

LEE JOHN EVANS

Dadansoddwr | Analyst

T: 01248 752672  M: (07747) 118 446

E: [2][email address]

Gwasanaethau TGC | ICT Services

CYNGOR SIR YNYS MÔN

ISLE OF ANGLESEY COUNTY COUNCIL

Swyddfeydd y Cyngor, Llangefni, Ynys Môn.  LL77 7TW

Council Office, Llangefni, Anglesey, LL77 7TW

 

 

 

 

 

 

This email and any files transmitted with it are confidential and may be
legally privileged. They may be read copied and used only by the intended
recipient. If you have received this email in error please immediately
notify the system manager using the details below, and do not disclose or
copy its contents to any other person.

The contents of this email represent the views of the sender only and do
not necessarily represent the views of Isle of Anglesey County Council.
Isle of Anglesey County Council reserves the right to monitor all email
communications through its internal and external networks.

Mae'r neges e-bost hon a'r ffeiliau a drosglwyddyd ynghlwm gyda hi yn
gyfrinachol ac efallai bod breintiau cyfreithiol ynghlwm wrthynt. Yr unig
berson sydd 'r hawl i'w darllen, eu copio a'u defnyddio yw'r person y
bwriadwyd eu gyrru nhw ato. Petaech wedi derbyn y neges e-bost hon mewn
camgymeriad yna, os gwelwch yn dda, rhowch wybod i'r Rheolwr Systemau yn
syth gan ddefnyddio'r manylion isod, a pheidiwch datgelu na chopio'r
cynnwys i neb arall.

Mae cynnwys y neges e-bost hon yn cynrychioli sylwadau'r gyrrwr yn unig ac
nid o angenrheidrwydd yn cynrychioli sylwadau Cyngor Sir Ynys Mon. Mae
Cyngor Sir Ynys Mon yn cadw a diogelu ei hawliau i fonitro yr holl
negeseuon e-bost trwy ei rwydweithiau mewnol ac allanol.

References

Visible links
1. mailto:[email address]
2. mailto:[email address]

Lee,

"In considering your request for the contact details for persons
responsible for ICT contracts within Council I would inform you that the
Council takes its responsibility under the FoIA seriously and it also
recognises that the individuals whose details you have requested have
rights under the Data Protection Act 1998. Significantly, the individuals
have a right to object to direct marketing under Section 10 of the Data
Protection Act. In this regard, could you please advise us on how the
individuals could exercise their statutory rights."

I am requesting a name only, not a contact number or e-mail address.

Yours sincerely,

John Wicker

Dear Mr. Wicker,

As the contact would depend on the nature of the contract I would inform you that all ICT contracts would ultimately fall under the responsibility of the Head of Service (ICT), Mr David Gardner.

Yours sincerely,

LEE JOHN EVANS
Dadansoddwr | Analyst
T: 01248 752672 M: (07747) 118 446
E: [email address]
Gwasanaethau TGC | ICT Services
CYNGOR SIR YNYS MÔN
ISLE OF ANGLESEY COUNTY COUNCIL
Swyddfeydd y Cyngor, Llangefni, Ynys Môn. LL77 7TW
Council Office, Llangefni, Anglesey, LL77 7TW

show quoted sections