
Procurement of IT services (2023)

Request

  1. Can you please list the number of devices deployed by your organisation for the following [listed devices]?
  2. Does your organisation have plans to procure any of the below services, if yes then please provide information in the below format [listed services]?
  3. Does your organisation have any plans to procure the below services, if yes then please provide required information in the below format [listed services]?
  4. Does your organisation have any plans to procure below services, if yes then please provide information in the below format [listed services]?

 

Response

Please note that while the House of Commons and the House of Lords are two separate public authorities for the purposes of the Freedom of Information Act 2000 (FOIA), IT expenditure (including cyber security) is the responsibility of the Parliamentary Digital Service (PDS), a joint, bicameral service that maintains the parliamentary network used by both Houses. Some of the information provided covers both Houses of Parliament, while some covers the House of Commons only; where this is the case, it has been noted in our response.

Some information is held by the House of Commons.

We hold information for Q1 of your request - Deployed devices (csv, 2KB)

We do not hold the remaining information in the way you have requested. While we hold information on services we intend to procure we do not hold a breakdown of these services by the categories you have specified, nor can they be easily and clearly discerned into these categories without a specialised input. In order to fulfil this part of your request we would be required to review and analyse all relevant information we hold on procurements, and make a sophisticated judgement to determine which (if any) fell within the scope of your request. The FOIA does not oblige us to carry out this analysis or create this information.

Please note additionally that some of the information requested, specifically the number of devices related to our network and security infrastructures, has been withheld from disclosure in accordance with Sections 31 and 24 FOIA. Further details about the use of these exemptions are detailed below.

Section 31 – Law Enforcement

The House considers that disclosing information on our network and security infrastructures, specifically the numbers for these, would be likely to prejudice the prevention or detection of crime and the apprehension of offenders. This information is therefore also exempt by virtue of Section 31(1)(a) and (b) FOIA. This is a qualified exemption and the public interest test applies.

We have considered the public interest in disclosing this information. There is a general public interest in ensuring that details on IT equipment used by the House are open, transparent and accessible to the general public. The release of this information may help the public to better understand the IT and logistical needs of Parliament, gaining a greater understanding of the functioning of the modern parliamentary system as a result. Furthermore, as these systems were financed from the public purse, we accept that it is also in the public interest to be able to scrutinise these purchases in order to ensure that these were sensible and fit for purpose.

We have also considered the public interest in withholding the information. Firstly, disclosing the number of devices related to our security infrastructure would benefit malicious groups and cyber attackers looking to target our systems. It would allow potential cyber attackers to gain a better understanding of the size, scale and complexity of the security infrastructure of the parliamentary network, and would allow them to coordinate attacks against the network more effectively, as well as aiding them in avoiding detection. This is also true of disclosing the number of devices related to networking infrastructure which, when paired with information regarding security infrastructure, may provide an even clearer picture of the parliamentary network itself, thereby further aiding malicious groups with attacks against the network. Releasing this information would therefore prejudice the detection and prevention of crime as it would allow cyber attackers to more easily construct a cyber-attack against the parliamentary network, along with increasing their likelihood of avoiding detection during any such attack.

In these circumstances therefore, it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

Section 24 – National Security

We also consider that not disclosing information on the number of devices for our network and security infrastructures is necessary for the purpose of safeguarding national security. This information is therefore exempt by virtue of Section 24(1) FOIA. This is a qualified exemption and the public interest test applies.

We have considered the public interest in disclosing this information. As stated before, there is a general public interest to ensure that information on IT equipment used by the House is open, accountable, and accessible to the general public. The release of this information may help the public to better understand the IT and logistical needs of Parliament, gaining a greater understanding of how Parliament functions as a result. Furthermore, as any infrastructure we used has been financed from the public purse, we accept that it is also in the public interest to be able to scrutinise IT purchases made by the House of Commons in order to ensure that these were sensible and fit for purpose.

We have also considered the public interest in withholding this information. The Information Commissioner’s Office (ICO) states that a section 24(1) exemption is appropriate if a public authority “considers [that] releasing the information [requested] would make the UK or its citizens more vulnerable to a national security threat”. As stated before, disclosing the number of devices related to our security infrastructure would benefit malicious groups and cyber attackers looking to target our systems: it would allow potential cyber attackers to gain a significantly greater understanding of the size and scale of the security infrastructure of the parliamentary network and significantly aid them in coordinating attacks against the network, in turn increasing the risk of cyber-attacks to the parliamentary network. The parliamentary network forms part of the Critical National Infrastructure and has been identified as an asset which faces a high level of threat from cyber-attacks and which, if breached, would cause damage to the national interest. The network is used by MPs and their staff, as well as MPs in their capacity as Ministers, for the purposes of communication, scrutinising the work of the government and also in their parliamentary functions. Any breach of the network caused by the release of this information would therefore compromise and affect many of the core processes of the House of Commons, and also likely government by extension. This would severely disrupt the ability of Parliament to function, and also possibly allow criminal groups to access confidential or sensitive information on the network, including personal constituency data, possibly classified material, and numerous others. As any and all of these outcomes would severely compromise national security as a result, it is therefore in the greater public interest to withhold this information in this instance.

For these reasons, we have concluded that the public interest in withholding the information outweighs the public interest in disclosure.