Section 24

Information which is “required for the purposes of safeguarding national security” is not limited to military defence or protecting our systems of government. It includes guarding against actions which may impact on the UK and the people who live here. This could include the widespread disruption of public services caused by a significant cyber-attack.

However, to rely on this section, you must:

clearly address the “reasonable necessity” aspect of the exemption; and
carry out a public interest test.

Example

The House of Commons (HoC) received a request about incidents of lost or stolen IT equipment. While the HoC disclosed some information, they withheld specific technical details under section 24(1), including names of IT systems and tools, and details of individual assets and reporting processes.

The HoC argued that:

the ‘reasonable necessity' was covered because the Parliamentary network:
- - is part of the Critical National Infrastructure (CNI);
  - has previously been targeted for cyber-attacks; and
  - is still under high risk of attack
disclosure could aid attackers in crafting targeted phishing campaigns or exploiting known vulnerabilities; and
a breach could compromise sensitive data and disrupt parliamentary functions.

We accepted these arguments. We noted that disclosed information could be combined with other information which is already publicly available in a way that increased the risk of a disruptive cyber-attack (this is sometimes called the mosaic effect). The risk was also heightened due to previous cyber-attacks on Parliament.

The requester stressed the public’s right to understand how sensitive information is managed. The HoC acknowledged the importance of transparency and highlighted that they already proactively disclose information about loss and theft of devices. We concluded that the public interest in protecting national security and the integrity of the Parliamentary IT network outweighed the interest in further disclosure, and upheld the application of section 24 (1).