The proceedings were held by video (CVP).  All parties joined remotely. The Tribunal was satisfied that it was fair and just to conduct the hearing in this way.  The hearing took a full day and so the Tribunal met separately at a later date to discuss and finalise its decision.

This appeal is against a decision of the Information Commissioner (the “Commissioner”) dated 25 May 2023 (IC-179033-S0X6, the “Decision Notice”). The appeal relates to the application of the Freedom of Information Act 2000 (“FOIA”). It concerns information about the Council’s Information Asset Register (“IAR”) requested from the London Borough of Hackney (the “Council”).

On 19 March 2022, the Second Respondent (Mr Banerjee) wrote to the Council and requested the following information (the “Request”):

The Council responded on 22 April 2022. They confirmed that they held the requested information. However, they withheld the entirety of the IAR under section 31(1)(a) FOIA (law enforcement) and 40(2) FOIA (personal data). Mr Banerjee requested an internal review on 2 May 2022. It appears that the Council has never responded to the review request despite being reminded by the Commissioner.

Mr Banerjee complained to the Commissioner on 1 July 2022. The Commissioner issued the Decision Notice on 25 May 2023. The Commissioner decided:

The Council appealed on 21 June 2023. The main grounds of appeal are that the Commissioner erred in concluding that there was only a hypothetical possibility of the prejudice in question occurring. The Council says that section 31(1)(a) is engaged and the information should be withheld under the public interest test.

The Commissioner’s response maintains that the Decision Notice was correct. The Commissioner says that there is not sufficient likelihood of the prejudice occurring, and the Council’s case relies on hypotheticals and has failed to provide sufficient evidence. The Commissioner also noted that a number of other local authorities publish their IAR, and it is also common for central government departments.

Mr Banerjee was joined as a party to the proceedings and submitted a response. He complains of the Council’s failure to conduct an internal review. He provides examples of other government departments and local councils which publish their IARs, and refers to a previous decision notice of the Commissioner where he found that section 31(1)(a) was engaged but the IAR of the Department for Digital, Culture, Media & Sport should be disclosed under the public interest test. He says that the Council has not provided compelling evidence why, even ifS31(1)(a) is engaged, the IAR could not be released under the public interest test. He also says that section 40 cannot be used to withhold the entire document.

The Council provided replies to both of these responses which maintain its position. The Council says that previous releases of IARs by public authorities are limited and the Council takes a different position as a recent victim of a cyber-attack.

The relevant provisions of FOIA are as follows.

Any person making a request for information to a public authority is entitled—

if that is the case, to have that information communicated to him.

Effect of the exemptions in Part II.

Law enforcement.

the prevention or detection of crime…

If on an appeal under section 57 the Tribunal considers—

that the notice against which the appeal is brought is not in accordance with the law, or

The approach to prejudice-based exemptions was set out in the First Tier Tribunal decision of Hogan v Information Commissioner [2011] 1 Info LR 588, as approved by the Court of Appeal in Department for Work and Pensions v Information Commissioner [2017] 1 WLR 1:

The Council has confirmed in its open skeleton argument that no issues concerning section 40(2) form the basis of this appeal. This is because the Commissioner agreed that the Council is entitled to rely on s40(2) FOIA with regards to the withholding of names of individual staff members contained within the IAR.

The issue is whether the Council was entitled to rely on section 31(1)(a) FOIA to withhold some or all of the IAR. This can be broken down into the following issues:

By way of evidence and submissions we had the following, all of which we have taken into account in making our decision:

An agreed bundle of open documents.

Open and closed witness statements from Robert Miller on behalf of the Council

An open skeleton argument from the Council.

Open and closed skeleton arguments from the Commissioner.

Oral submissions from all parties at the hearing.

We had a detailed witness statement from Robert Miller, who is the Strategic Director, Customer and Workplace, at the Council.

He covered the following issues in his open witness statement:

Mr Banerjee explained his position at the hearing. He does not disagree that the IAR contains sensitive information and could be useful to bad actors, but his issue is whether there is a version with redactions that would be publishable. He is a resident of the Council who was potentially impacted by the cyberattack and wishes to understand the nature and extent of his personal data that may have been impacted. He says that, although the Council’s privacy notices contain some detail, they are not specific on what data is held. He also says that the Council’s policy on responding to data subject access requests requires a request to be about specific data points. He wants to understand where all data about him could be contained. He is particularly interested in the data elements (e.g. name, address, bank details) and retention periods, especially in the context of the cyberattack. In relation to the public interest, he believes that other data subjects would find this useful, and there is a general public interest in what information is held on data subjects. He says that the FCDO publication achieves this by showing data points and retention periods, which allows data subjects to request information.

We have seen a copy of the withheld information, together with the closed statement from Mr Miller and other closed exhibits to this statement. We held two closed sessions during the hearing – one to hear evidence from Mr Miller, and one for closed submissions.

The following is a gist of the closed sessions. An oral gist of the closed evidence session was also provided to Mr Banerjee during the hearing.

In accordance with section 58 of FOIA, our role is to consider whether the Commissioner’s Decision Notice was in accordance with the law. As set out in section 58(2), we may review any finding of fact on which the notice in question was based. This means that we can review all of the evidence provided to us and make our own decision. We deal in turn with the issues.

What are the applicable interests within the exemption, i.e. what is the actual harm relied on by the Council? The harm relied on by the Council is the risk that disclosure of this information would aid potential cyberattacks and enable attackers to identify potential targets. This is not in dispute. It would clearly prejudice the prevention of crime as cyberattacks are unlawful.

Is there a causal relationship between the disclosure and the prejudice, and is this real, actual or of substance? The Commissioner accepted in his decision that the potential prejudice to the prevention of unlawful cyberattacks relates to the interests that section 31(1)(a) is designed to protect, and we agree. The Commissioner also accepted that the threats from cyberattacks are real, and additional disclosed information could in theory allow better targeting of attacks. We agree that it is plausible to argue that there is a causal link between disclosure of the information and the increased risk of cyberattacks, meaning that the prejudice if the IAR were to be disclosed is real, actual and of substance.

Would disclosure cause this prejudice, or would it be likely to do so? The Council relies on the lower “would be likely to” threshold. This means the risk does not need to be more probable than not, but there does need to be a “real and significant risk” of prejudice. This is the key issue in dispute between the Council and the Commissioner.

The Council says that the evidence from Mr Miller has demonstrated that the Council’s case does not rely on hypotheticals. There is a developing cyber threat environment and increase in attacks on local authorities. The evidence shows that most public bodies do not publish their IARs, and the examples given by the Commissioner do not contain the same detail as the Council’s IAR. The Council takes the view that those who have published IARs (such as Cheshire East Council) have exposed themselves to significant risks. The Council’s response to the reply from Mr Banerjee explains how this would allow potential attackers to target the most sensitive data and also reveal that they will be able to obtain all financial details about that council. There is also the context and ongoing impact of the 2020 cyberattack which is explained in closed evidence.

The Commissioner says that the Council has shown a general threat from hacking and that some of the IAR information is sensitive, but it is only speculation that the IAR would be meaningful to a hacker. The Commissioner’s position is that Mr Miller’s evidence does not establish a causal connection between disclosure and the risk of a cyberattack. He says that the Council should take a granular approach of analysing the information fully, rather than taking a blanket approach of withholding all of the information, even when a large data set is involved. The public authority is required to carry out the exercise of separating out the disclosable information. This can be published as a separate set of information, as FOIA does not require publication of the full IAR with redactions shown.

As set out above, Mr Banerjee accepts that some of the information in the IAR could be useful to bad actors, but he believes it would nevertheless be possible to publish a version with redactions.

In closed session the positions of the Commissioner and the Council came slightly closer together after we had viewed the withheld information. The Commissioner had identified eight categories of information, and took the position that six of these should be disclosed (rather than the full IAR). The Council accepted that they should look at the information in a more granular way. We consider this in more detail in the closed annex to this decision.

We find that some, but not all, of the information in the IAR would be likely to cause the prejudice. This is based on the ongoing and growing threat of organised cybercrime. It is also based on the context of what happened with the 2020 cyberattack on the Council, which is discussed in more detail in the closed annex. The Council concedes that it should have taken a more granular approach to disclosure of the information. We agree. We considered the content of the IAR in the closed hearing, and find that much of the information could be disclosed without being likely to cause prejudice to prevention of cyberattacks. However, some of the information does meet this test. We have explained the detail of our reasoning in the closed annex, as doing so in the open decision would reveal the content of the withheld information.

We have identified principles for categories of information that can be withheld and asked the Council and the Commissioner to agree a version of the IAR that can be disclosed based on these principles. We are not able to provide full details of our reasoning in the open decision. In the closed annex, we explain the reasoning in full and provide some indications as to how these principles should be applied to the IAR. We can set out here the following broad principles for information that should be withheld:

If section 31(1)(a) is engaged, in all the circumstances of the case, does the public interest in maintaining the exemption outweigh the public interest in disclosing the information? We have found that disclosure of certain types of information would be likely to increase the risk of cyberattacks and so prejudice the Council’s ability to prevent such attacks. We therefore need to consider whether this information should nevertheless be disclosed under FOIA under the public interest test.

The Council accepts that there are important factors in favour of disclosure, including those of transparency and accountability. However, they say this interest is reduced due to much of the information being already available online. The Council says it has been as transparent as possible within the constraints of the need for appropriate cyber security. The Council relies on the list of significant public interest harms set out in Mr Miller’s evidence, the most important being the Council’s ability to provide essential services. The Council also relies on further harms including the “mosaic effect” as identified in closed evidence. The Council says that these various harms plainly outweigh the limited public interest in disclosing the disputed information.

The Commissioner recognises that there is a public interest in ensuring personal data held by public authorities is protected, but this interest is reduced if the likelihood of prejudice is marginal. Transparency helps the public to see that government (including local government) takes decisions that are in the best interests of the public, and the Council has wrongly assumed that it must withhold information from the public in order to protect them from hackers.Citizens can be better informed by knowing what information is held by the Council, exercising any rights under the UKGDPR, and scrutinising the steps taken by the Council to protect information. The Council has not given enough weight to citizen agency. The Commissioner also says that the key information is the description of information held, which has been published by high profile government departments without any evidence of negative impacts.

Mr Banerjee makes a similar point to the Commissioner – that he and other citizens want transparency about the specific types of data that is held about them by the Council, particularly in light of the 2020 cyberattack.

We acknowledge the importance of transparency. We take the point of both the Commissioner and Mr Banerjee that there is significant public interest in citizens knowing specifically what types of data are held about them, particularly in light of the cyberattack, so that the Council’s actions can be scrutinised.

We have taken a more limited view than the Council on which information can be withheld. This does not include basic descriptions of the data held, and so publication of this information will go a considerable way towards meeting the public interest in transparency. For the information which can be withheld, there is a significant public interest in doing so in order to prevent future cyberattacks. There are a number of harms caused by cyberattacks which there is important public interest in avoiding, as explained by Mr Miller in his witness statement. These include preventing harm to residents and businesses, and ensuring that the Council can provide its essential services. We have also considered specific public interest harms relating to the 2020 cyberattack, as explained in the closed annex. Having considered all of these public interests together, we therefore find that the public interest in maintaining the exemption outweigh the public interest in disclosing the information.

We allow the appeal in part and issue the Substituted Decision Notice set out at the start of this decision.

The issuing of this decision has been delayed while the Council and Commissioner agreed a final version of the information for disclosure. There were also issues with the readability of this document when it was provided to the Tribunal, which has caused a further delay. The Council should ensure that the information is provided to the Appellant in a fully readable format.