Freedom of Information and Cyber Security
Making some types of information about IT infrastructure or security arrangements publicly available increases the risk of disruptive cyber-attacks. Therefore, if someone requests information from you under the Freedom of Information Act 2000 (FOIA) or Environmental Information Regulations 2004 (EIR), you may need to withhold the information using an exemption or exception.
In assessing the risk and deciding whether to disclose information, you should consider whether providing the information will:
- highlight potential weaknesses which may exist;
- provide details of IT infrastructure and systems which could be used to launch a cyber-attack; and
- provide details of previous attacks which may be used to determine vulnerabilities.
Remember that under FOIA, you must disclose requested information unless an exemption applies. Disclosures can reassure people about the effectiveness of security measures, the resilience of systems and the safety of personal information.
Which exemptions are most likely to apply?
Not all requests that involve information related to IT systems will require you to withhold information. However, a variety of exemptions or exceptions may apply, and you must apply them appropriately.
If you think you may need to withhold information for cyber security purposes, we suggest you consider the following sections of FOIA as your starting points:
- section 24;
- section 31; and
- section 36.