FOI Reference: 333/2024
Request:
Response 1 & 3:
Dyfed-Powys Police can neither confirm nor deny that it holds any other information with regard to an exempt body as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 does not apply by virtue of the following exemptions:
Section 24(2) National Security
Section 31(3) Law Enforcement
Harm in Confirming or Denying that Information is held
To confirm or deny whether any further information is held in respect of successful or attempted cyber-attacks resulting in Data Breaches would provide actual knowledge of where an attempt has been made and whether it has or has not been successful. Confirming that such information is not held may assist potential attackers by indicating that an attack had gone undetected. Equally, confirming information is held would enable understanding of where attacks have been successful, and where possible weaknesses exist. Attackers may then be able to tailor their methods to increase their chances of success.
To confirm or deny whether information is held in respect of any leaked data as a result of an attack would, in effect, confirm that there had been successful cyber-attacks made against the force, which would present harm as detailed above.
Furthermore, in order to counter criminal and terrorist behaviour it is vital that the police and other agencies have the ability to work together, where necessary covertly, in order to obtain intelligence within current legislative frameworks to ensure the arrest and prosecution of offenders who commit or plan to commit acts of terrorism, whereby their modus operandi may involve cyber-attacks on secure databases. In order to achieve this goal, it is vitally important that information sharing takes place with other police forces and security bodies within the United Kingdom in order to support counter-terrorism measures in the fight to deprive terrorist networks of their ability to commit crime. To confirm or deny specific details of any breaches of information technology and security would be extremely useful to those involved in terrorist activity as it would enable them to map vulnerable information security databases.
Public Interest Considerations
Section 24(2) National Security
Factors in favour of confirming or denying that information is held:
The public are entitled to know how public funds are spent and how resources are distributed within an area of policing. To confirm information is held regarding successful cyber-attacks causing Data Breaches would enable the general public to hold the police to account ensuring all such breaches are recorded and investigated appropriately. With the call for transparency of public spending this would enable improved public debate.
Factors against confirming or denying that information is held:
Security measures are put in place to protect the community we serve. As evidenced within the harm, to confirm whether any cyber-attacks have been successful would highlight to terrorists and individuals intent on carrying out criminal activity vulnerabilities within the police which could be further exploited.
Taking into account the current security climate within the United Kingdom, no information (such as the citing of an exemption which confirms information pertinent to this request is held, or conversely, stating ‘no information is held’) which may aid a terrorist should be disclosed. To what extent this information may aid a terrorist is unknown, but it is clear that it will have an impact on a force’s ability to monitor terrorist activity.
Irrespective of what information is or isn’t held, the public entrust the Police Service to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain.
The cumulative effect of terrorists gathering information from various sources would be even more impactive when linked to other information gathered from various sources about terrorism. The more information disclosed over time will give a more detailed account of the tactical infrastructure of not only a force area but also the country as a whole.
Any incident that results from such a disclosure would, by default, affect National Security.
Section 31(3) Law Enforcement
Factors favouring confirming or denying that information is held:
Confirmation that information exists relevant to this request would lead to a better informed public which may encourage individuals to provide intelligence in order to reduce such security breaches.
Factors against confirming or denying that information is held:
Confirmation or denial that information is held in this case would suggest the police take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively and inappropriately.
Balancing Test
The points above highlight the merits of confirming or denying the requested information exists. The Police Service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. As part of that policing purpose, information is gathered which can be highly sensitive relating to high profile investigative activity. Weakening the mechanisms used to monitor any type of criminal activity, and specifically terrorist activity would place the security of the country at an increased level of danger.
In addition, anything that places that confidence at risk, no matter how generic, would undermine any trust or confidence individuals have in the Police Service. Therefore, at this moment in time, it is our opinion that for these issues the balance test favours neither confirming nor denying that information is held.
Response 2:
Dyfed-Powys Police can neither confirm nor deny that it holds any other information with regard to an exempt body as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 does not apply by virtue of the following exemptions:
Section 23(5) Information supplied by or concerning certain Security Bodies.
Section 24(2) National Security
Section 31(3) Law Enforcement
In addition to the exemptions and explanation already provided for Questions 1 & 3, Section 23(5) Information supplied by or concerning certain Security Bodies has been applied to the response to question 2.
Section 23 is a class based absolute exemption and there is no requirement to consider the public interest in this case. Sections 24 and 31 are both prejudice-based, qualified exemptions and therefore require Dyfed-Powys Police to establish the harm in disclosure, and the public interest for and against disclosure, which has been provided for the response for question 1 & 3.
Response 4 & 5:
This information is exempt under the Freedom of Information Act 2000 by virtue of the following exemptions:
Section 24(1) - National Security
Section 31(1) - Law Enforcement
Sections 24 and 31 are both prejudice-based, qualified exemptions and therefore require Dyfed-Powys Police to establish the harm in disclosure, and the public interest for and against disclosure.
Overall Harm
Any disclosure under Freedom of Information is a disclosure to the public at large. To disclose information in relation to the total budget spent on cyber support, protection and computer systems and the number of people employed to oversee cyber support and programmes would undermine the core principles of policing, one of which is preserving national security.
The threat from terrorism cannot be ignored. It is generally recognised that the international security landscape is increasingly complex and unpredictable. Since 2006, the UK Government has published the threat level - Threat Levels | MI5 - The Security Service. The UK continues to face a sustained threat from violent extremists and terrorists. Based upon current intelligence, the national threat level is currently set at Substantial.
Dyfed-Powys Police is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. To disclose information that would assist offenders would seriously threaten the effective delivery of operational law enforcement, and would show limitations of Police capabilities within this specific area. If this information were to be gathered nationally, it would allow those with a criminal intent to map where funding and employment is the lowest. This would further encourage criminal activity by exposing potential vulnerabilities nationally.
Police Forces have a duty to protect Officers, staff and members of the public from harm. To provide a disclosure that would be to the detriment of providing an efficient policing service would be a failure in providing this duty of care.
Public Interest Test
Section 24(1) - National Security
Factors favouring disclosure:
Disclosing the total budget Dyfed-Powys Police have allocated to our cyber support, protection and computer systems would not pose a cyber-security risk in itself. Therefore, it would not actually harm national security.
Disclosing the number of people Dyfed-Powys Police has employed to oversee our cyber support would inform the public that we are taking this area of concern, and the threat posed by criminals (including terrorist groups), seriously.
Factors against disclosure:
Placing the total budget allocated for our cyber support, protection and computer systems into the public domain would allow offenders (including terrorist groups) to identify if Dyfed-Powys Police have limited funding in this area, compared with other Forces nationally. This could provide an indication of our department's lack of understanding of cyber-security threats, therefore placing the public at a greater risk and rendering security measures in place as less effective.
Informing the public of the number of people employed to oversee cyber support within Dyfed-Powys Police would provide an indication of our understanding of cyber-security threats, risk appetite and activity. This would leave us vulnerable to an attack if there are limited resources available. If this information were gathered on a national scale, a ‘league table’ could be created demonstrating the Forces that have limited funding for this area and/or limited resources in terms of employees in this area. This would increase the risk of those Forces being targeted, therefore resulting in an increased risk to national security being compromised.
Section 31(1) - Law Enforcement
Factors favouring disclosure:
Disclosing the total budget allocated for our cyber support, protection and computer systems would show the public how public funds are being spent in this area in order to prevent and detect crime. This would show Dyfed-Powys Police is being as open and transparent as possible with the public.
Disclosing the number of people employed by Dyfed-Powys Police to oversee cyber support would demonstrate how many people we have dedicated to preventing crime and detecting criminals for this particular area of concern. This would show that we are being as open and transparent with the public as possible, and would allow the public to be better informed with regards to this specific area.
Factors against disclosure:
To place the total budget spent on cyber support, protection and computer systems into the public domain would allow individuals to deduce sensitive information regarding the expenditure of Dyfed-Powys Police. This could show a limited investment in this particular area, therefore providing an indication of the level of understanding within that department.
To inform the public of the number of individuals employed by Dyfed-Powys Police to oversee cyber support would also be informing those with a criminal intent of this information. This would allow offenders to gain valuable information in relation to this particular area, which they would then use to avoid detection. If we had a lower number of employees in this area, the Force would be left open to an attack as we would be identified as being vulnerable. This would then hinder our ability to prevent and detect crime.
Balance Test
Dyfed-Powys Police are charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. The Force will not divulge any information that would place the safety of an individual (Officer, staff or member of the public) and/or the Force at risk, or that would undermine national security.
Whilst there is a public interest in being open and transparent with the public, in addition to the public seeing how the Force are engaging with the threat from criminals, there is a stronger public interest in safeguarding both national security and the integrity of the Force. It must also be reiterated that a disclosure under Freedom of Information is not only a disclosure to the requester but to the world.
For these reasons, it is our opinion that the public interest lies in favour of non-disclosure of the information that has been requested.
Section 17 of the Freedom of Information Act 2000 requires Dyfed-Powys Police, when refusing to provide information (because the information is exempt), to provide you, the applicant, with a notice which: (a) states that fact, (b) specifies the exemption in question and (c) states (if that would not otherwise be apparent) why the exemption applies.
In accordance with the Freedom of Information Act 2000 this letter acts as a Refusal Notice for those aspects of your request. Exemptions applied:
Section 23(5) - Information Supplied by, or concerning certain Security Bodies
Section 24(1) and Section 24(2) - National Security
Section 31(1) and Section 31(3) - Law Enforcement
It should be noted that as a result of the systems adopted by Dyfed-Powys Police in relation to the recording of such information that the information released may or may not be accurate.
(This is a response under the Freedom of Information Act 2000 and disclosed on 22/05/2024)