Case number: 170402
In his FOI request of 29 December 2016, the applicant sought access to a number of reports held by the Department. As the Department failed to issue a decision on the request, the applicant sought an internal review of the deemed refusal of his request on 5 April 2017. The Department issued an internal review decision on 10 May 2017 in which it explained that the request spanned a number of Divisions. Among other things, the Department identified three reports that were to be considered by its Internal Audit Unit and stated that no decision had yet been taken on those reports.
On 21 June 2017, the applicant sought a review by this Office in respect of that portion of his request which was not replied to in any respect. He subsequently clarified that he required a review in relation to the reports relevant to Internal Audit. Following engagements with this Office, the Department released one of the three reports referred to above in full and granted partial access to the two remaining reports. On 14 August 2017, the applicant confirmed that he wanted this Office to proceed with a review of the Department's decision in respect of the redacted information which was not disclosed to him.
On initial examination of the file, the Investigator, Ms Lynch, noted that a number of other reports identified in the applicant's original request were also relevant to Internal Audit, and no response appeared to have issued in respect of those reports. The Department was asked to clarify the matter. In response, the Department stated that three further reports requested were relevant. On 28 September 2017, it released two further reports in full to the applicant. It also stated that the third report sought did not exist and claimed that section 15(1)(a) applied to this report.
In conducting this review, I have had regard to the correspondence between the applicant and the Department and to the correspondence between this Office and both the applicant and the Department on the matter. I have also had regard to the contents of the records at issue. I have decided to conclude the review by making a formal, binding decision.
The Department redacted Section 7 (paragraphs 7.1 to 7.10) from the Report entitled "Central DoJE and DoJE IT Shared Services" (item 9 of the original FOI request), and paragraphs 4.5 and 10.2 from the Report entitled "Financial Shared Services - ICT non-Oracle and non-Core Financial systems" (item 18 of the original FOI request) under sections 32(1)(a)(ix) and 32(1)(c). This review is concerned solely with the question of whether the Department was justified in redacting the relevant parts of the two reports, and whether it was justified in refusing the applicant's request for a report of a "Strategy Development Quality Control Process to review and assist in implementing audit recommendations to ensure effective controls in financial management and payroll systems" (item 6 of the original FOI request) under section 15(1)(a) on the ground that no such report exists.
Section 15(1)(a) of the FOI Act provides that a request for access to records may be refused if the record concerned does not exist or cannot be found after all reasonable steps to ascertain its whereabouts have been taken. My role in such cases is to review the decision of the FOI body and to decide whether that decision was justified. This means that I must have regard to the evidence available to the decision maker and the reasoning used by the decision maker in arriving at his or her decision.
On the question of the report sought at item 6 that the Department stated does not exist, it explained that matter referred to was a body of work that was completed over a two year period and that no report exists. The applicant has not presented this Office with any evidence to suggest that a report of the type sought should exist. Therefore, I accept the Department's explanation of the matter and I find that it was justified in refusing that part of the applicant's request under section 15(1)(a) on the ground that no such report exists.
The Department cited sections 32(1)(a)(ix) and 32(1)(c) as grounds for refusing access to the various parts of the two remaining reports at issue. As I consider section 32(1)(c) to be of most relevance, I will address that section first.
Section 32(1)(c) provides that a request may be refused if the FOI body considers that access to the record sought could reasonably be expected to facilitate the commission of an offence. This Office considers that the question to be considered is not whether an offence will occur, but whether the release of the record could reasonably be expected to facilitate, or make easier, the commission of an offence. To rely on this exemption, the FOI body should identify the nature of the relevant offence. It should also show how release of the information could make the commission of the offence easier and why it considers its expectation of the harm arising to be reasonable.
In a submission to this Office, the Department stated that the redacted information in the reports contains evidence regarding the Information Technology (IT) systems operating within the Department's headquarters in Dublin and within its Financial Shared Services (FSS) function based in Killarney, and information on the security components that protect all IT systems within FSS and the Department as a whole.
The Department argued that the release of the information would effectively signpost what is used to secure all IT systems and how it is configured. It argued that access to such information would be of great assistance to any would-be attacker who might attempt to gain access to, or otherwise compromise, its IT systems. It referred to publicly available details of recent cyber attacks to demonstrate the reasonableness of its expectation of a cyber attack occurring. I understand that intentional accessing or interfering with information systems or data held on such systems without lawful authority is an offence.
Having carefully examined the redacted information at issue, I am satisfied that paragraphs 7.3 to 7.8 of Section 7 of item 9 and paragraph 4.5 of item 18 contain information the release of which could reasonably be expected to facilitate the commission of an offence. I find that section 32(1)(c) applies. Section 32(1) is subject to section 32(3) which provides that consideration must be given to the possibility that the public interest would be better served by the release of the information rather than by it being withheld, in the event that one of three conditions is fulfilled. I am satisfied that no such circumstances arise in this case, and that section 32(3) does not apply.
However, I am not satisfied that the information contained in paragraphs 7.1, 7.2, 7.9, and 7.10 of item 9 and paragraph 10.2 of item 18 is sufficiently specific or detailed to give rise to the harm identified. I find that section 32(1)(c) does not apply to those paragraphs. As the Department also cited section 32(1)(a)(ix) as a ground for redacting the records, I will now proceed to consider the applicability of that exemption to the paragraphs that I have found not to be exempt under section 32(1)(c).
Section 32(1)(a)(ix) provides that a request may be refused if the FOI body considers that access to the record sought could reasonably be expected to prejudice or impair the security of a building or other structure or a vehicle, ship, boat or aircraft. Where an FOI body relies on section 32(1)(a)(ix), it should identify the building, structure, vehicle, ship, boat or aircraft and then identify the potential harm that might arise from disclosure and, having identified that harm, consider the reasonableness of any expectation that the harm will occur. To justify its decision to refuse access to a record under section 32(1)(a)(ix), the FOI body must show how or why releasing the record concerned could reasonably be expected to cause the harm which it has identified.
It seems to me that the Department's submission focusses on the need to protect the security of its IT systems which comprise a combination of physical IT infrastructure and software, rather than any particular building or structure. I do not accept that these IT systems can be considered a structure for the purposes of section 31(1)(a)(ix). Even if I did, it remains the case that the relevant paragraphs do not, in my view, contain specific or detailed information about the IT infrastructure and software. I find that section 32(1)(a)(ix) does not apply.
Finally, for the sake of completeness, I note that the Department argued that section 36 also applied to information on licences contained in the redacted information. As I have already found any such information to be exempt under section 32(1)(c), I do not consider it necessary for me to address the application of section 36 as the information to which I have found section 32 not to apply does not contain any information on licences.
Having carried out a review under section 22(2) of the Freedom of Information Act 2014, I hereby vary the decision of the Department. I find that section 15(1)(a) applies to Item 6. I find that section 32(1)(c) applies to paragraphs 7.3 to 7.8 of item 9 and paragraph 4.5 of item 18. I direct the release of the information contained in paragraphs 7.1, 7.2, 7.9 and 7.10 of item 9 and paragraph 10.2 of item 18.
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated by the applicant not later than eight weeks after notice of the decision was given, and by any other party not later than four weeks after notice of the decision was given.