
FOI - GLA Information Security and Records Management policies [Feb 2022]

Key information

Request reference number: MGLA280122-2600

Date of response:

Summary of request

Your request

Can you provide me with a copy of the following policies:

  • IT Disaster Recovery Plan (for example, DR plan, backup)
  • IT Incident Response Plan (for example, Cyber Attack, DDOS, Ransomware)
  • Clean desk policy
  • Access control policy (access to business applications or network resources)

Please detail:

  • Current measures in place to protect confidential information.
  • How you monitor staff access to business applications in your Council and ensure staff have a right of access.
  • How you implement and carry out checks to ensure staff are adhering to your clean desk policy.
  • Please forward any communications to staff regarding your Clean Desk policy.

Our response

The GLA is withholding the information you have requested regarding:

  • IT Disaster Recovery Plan 
  • IT Incident Response Plan

The information is withheld under section 31(1)(a) of the Freedom of Information Act 2000. Exemption section 31(1)(a) exempts information if its disclosure is likely to prejudice the prevention or detection of crime.

Section 31 is a qualified exemption and we are required to conduct a public interest test when applying any qualified exemption.

The public interest test required by the Act is set out in section 2(2). The test is whether 'in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information'.

Considerations favouring disclosure

The GLA acknowledges there is a legitimate public interest in being transparent and accountable to the public.

The GLA is also mindful of the assumption in favour of disclosure in section 2(2)(b) of the Act.

Considerations favouring non-disclosure

In applying this exemption, the GLA has considered whether it is in the public interest to disclose this information and has concluded that the public interest in maintaining the exemption, for the purposes of securing GLA’s IT measures, outweighs the public interest argument in favour of disclosing the information.

The GLA considers that if this information is disclosed it would allow vulnerability to potential crime; namely, a malicious attack on GLA’s computer systems. Disclosure would expose areas of potential weakness, either real or perceived, that may become targets for crime or for an attack.

As such, the GLA considers that:

  • Disclosure would provide a malicious third party with information which may assist them in carrying out a criminal act against the GLA. In addition, the GLA needs to consider that any disclosure of information in response to an FOI request is a disclosure into the public domain.
  • Details from the GLA Incident Response plan and intelligence could provide useful confirmation to malicious third parties about what resources the GLA is expending to counteract threats.

In light of the above response, we can confirm as follows:

The systems at the GLA are subject to a rigorous auditing regime to ensure we follow best practice in these areas.

In this case, we find that the balance of the public interest favours maintaining the exemption provisions of section 31(1)(a) in relation to the withheld information.

Please note that this decision in no way implies that you would engage in any criminal or malicious activities. However, as the Act is an open access regime, this exemption has been applied to protect our systems.

The Governance Steering Group has approved a policy which sets out the GLA’s commitment to protect its information.

The purpose of the Information Security Policy is to ensure that the Greater London Authority’s Information is kept safe and secure and that appropriate procedures and guidance are in place to:

  • protect its integrity, availability and confidentiality;
  • minimise the potential consequences of Information security breaches by preventing their occurrence in the first instance or, where necessary, containing and reducing their impact; and
  • ensure that personal data is afforded the protection required by the Data Protection Act 1998.

As such, all new staff are made aware of the protocol:

  • Desk surfaces must be left tidy at the end of each working day.
  • Confidential documentation should be locked away prior to leaving your work area.
  • Access control policy (access to business applications or network resources).

The GLA’s Information Security Policy and Records Management Policy can be found below:

If you have any further questions relating to this matter, please contact us, quoting reference MGLA280122-2600.
