Cyber security contracts

FOI request reference: F0054339
Publication date: November 2018


Please provide information relating to the following:
1. Standard Firewall (Network) – Firewall service protects your corporate Network from unauthorised access and other Internet security threats
2. Anti-virus Software Application – Anti-virus software is a program or set of programs that are designed to prevent, search for, detect, and remove software viruses, and other malicious software like worms, trojans, adware, and more.
3. Microsoft Enterprise Agreement – is a volume licensing package offered by Microsoft.

The information required is around the procurement side and this request is not for specific information (serial numbers, models, location) that could bring threat/harm to the organisation.

For each of the different types of cyber security services can you please provide me with:

1. Who is the existing supplier for this contract?
2. What does the organisation spend for each of contract?
3. What is the description of the services provided for each contract? Please do not just state firewall.
4. Primary Brand (ONLY APPLIES TO CONTRACT 1&2)
5. What is the expiry date of each contract?
6. What is the start date of each contract?
7. What is the contract duration of contract?
8. The responsible contract officer for each of the contracts above? Full name, job title, contact number and direct email address.
9. Number of License (ONLY APPLIES TO CONTRACT 3)




The information relating to your request that we hold and are able to release is contained on the following spreadsheet:

Some of the information that was requested is covered by the exemption at section 31(1)(a) and 40(2) of the Freedom of Information Act.

Information regarding equipment and software models and specific start/end dates is exempt under section 31 (1) (a) of the FOI Act. This exempts information if its disclosure is likely to prejudice the prevention or detection of crime. Release of this information would make The National Archives more vulnerable to crime; namely, a malicious attack on The National Archives’ computer systems.

We are unable to provide the full contact details of the person responsible for the maintenance support contracts because release of this information would identify a junior member of staff, as such this information is exempt from release under section 40 (2) (Personal Data) of the FOI Act. However, we have applied the general principle that members of staff at Head of Department level and above are sufficiently senior for their names and/or job titles to already be in the public domain, as such their information is not considered exempt under section 40(2).

For further information about why these exemptions have been applied, please see the explanatory Annex below.

EXPLANATORY ANNEX – Exemptions applied:

Section 31: Law Enforcement

Section 31 (1) (a) exempts information if its disclosure is likely to prejudice the prevention or detection of crime.

Section 31 is a qualified exemption and we are required to conduct a public interest test when applying any qualified exemption. This means that after it has been decided that the exemption is engaged, the public interest in releasing the information must be considered. If the public interest in disclosing the information outweighs the public interest in withholding it then the exemption does not apply and the information must be released. In the FOI Act there is a presumption that information should be released unless there are compelling reasons to withhold it.

The public interest has now been concluded and the balance of the public interest has been found to fall in favour of withholding information covered by the section 31(1) (a) exemption. Considerations in favour of the release of the information included the principle that there is a public interest in transparency and accountability in disclosing information about government procedure and contracts.

However, release of this information would make The National Archives more vulnerable to crime; namely, a malicious attack on The National Archives’ computer systems. As such release of this information would be seen to prejudice the prevention or detection of crime by making The National Archives’ computer systems more vulnerable to hacking therefore facilitating the possibility of a criminal offence being carried out. There is an overwhelming public interest in keeping government computer systems secure which would be served by non-disclosure. This would outweigh any benefits of release. It has therefore been decided that the balance of the public interest lies clearly in favour of withholding the material on this occasion. Please note that this decision in no way implies that you would engage in any criminal or malicious activities. However as the Freedom of Information Act is an open access regime this exemption has been applied to protect our systems.
Further guidance on section 31 can be found here:

Section 40(2): Personal Information where the applicant is not the data subject

Section 40 exempts personal information about a ‘third party’ (someone other than the requester), if revealing it would breach the terms of the Data Protection Act (DPA) 1998.

The DPA prevents personal information from release if it would be unfair or at odds with the reason why it was collected, or where the subject had officially served notice that releasing it would cause them damage or distress. Junior members of staff would have no expectation that information about their positions would be made available in the public domain; to do so would be unfair and contravene the first data protection principle of the DPA 1998.
In this case the exemption applies because this information represents the personal information of a junior member of staff at The National Archives. Publishing the names of junior members of staff is considered an unfair use of personal data. As such, the names and positions of junior officials are withheld under section 40(2) of the FOIA.

For more information about the publication of junior staff names, please see the following link:

For more general information about the section 40 exemption, please see the following link:

General guidance:

Information held for the purposes of FOIA