Decision 103/2025: Operating systems of computers

  
Authority: NHS Western Isles
Case Ref: 202401633
 

Summary

The Applicant asked the Authority for the numbers of computers using specified operating systems.  The Authority withheld the information on the basis that disclosure would, or would be likely to, endanger national security.  The Commissioner investigated and found, based on the submissions he received, that the Authority was not entitled to withhold the information requested on that basis.  He required the Authority to issue the Applicant with a revised review outcome.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 31(1) (National security and defence); 47(1) and (2) (Application for decision by Commissioner).

Background

  1. On 5 November 2024, the Applicant made a request for information to the Authority.  He asked for the number of computers used by the Authority with the following Microsoft operating systems installed:
  • Windows 95
  • Windows 98
  • Windows XP
  • Windows 7
  • Windows 8 or 8.1
  • Windows 10.

  2. On 6 November 2024, the Applicant submitted a further request for information to the Authority which asked for the number of computers used by the Authority with the Windows Vista operating system installed.
  3. The Authority responded separately to the requests on 12 November 2024.  It withheld the information requested under the exemption in section 31(1) of FOISA on the basis that disclosure could allow individuals to assess the strength of its defences and expose it to potential threats, which would harm its ability to protect and maintain essential services.
  4. On 13 November 2024, the Applicant wrote to the Authority requesting a review of its decision for both requests.  He stated that he was dissatisfied with the decision because he considered the exemption in section 31(1) of FOISA had been wrongly applied to withhold the information requested.
  5. The Authority notified the Applicant of the outcome of its review for both requests on 11 December 2024, which fully upheld its original responses.
  6. On 13 December 2024, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  He stated that he was dissatisfied with the outcome of the Authority’s review because he considered the exemption in section 31(1) of FOISA had been wrongly applied to withhold the information requested.

Investigation

  7. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
  8. On 9 January 2025, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was asked to send the Commissioner the information withheld from the Applicant.  The Authority provided the information, and the case was subsequently allocated to an investigating officer.
  9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions.  These related to its reasons for applying the exemption in section 31(1) of FOISA and how it assessed the public interest.

Commissioner’s analysis and findings

  10. The Commissioner has considered all the submissions made to him by the Applicant and the Authority.

Section 31(1) – National security and defence

  11. Section 31(1) of FOISA provides that information is exempt information if exemption from section 1(1) (i.e. the right to request information from a Scottish public authority) is required for the purpose of safeguarding national security.
  12. The expression "national security" is not defined in FOISA. The Commissioner considers that the phrase covers matters such as:
  • defence of the realm
  • the prosecution of war
  • the disposition of the armed forces
  • nuclear weapons
  • security and intelligence services, and
  • potential threats to the economic wellbeing of the UK (including terrorism, espionage and subversion).

  13. It should be noted that section 31(1) specifies that the information is exempt from disclosure if exemption is required for the purposes of safeguarding national security, a condition which has a narrower scope than information which relates to national security. (See the Commissioner's briefing on section 31(1) of FOISA.[1])

The Applicant’s submissions

  14. In his requirement for review, the Applicant referred to the Commissioner’s guidance on section 31 of FOISA and to the matters he considered the phrase “national security” covers (which are set out above at paragraph 12).  He argued that the information requested was therefore not covered by these matters and that the Authority’s computer systems are not a matter for national security.
  15. The Applicant also referred to Decision 151/2007[2], in which he said the Commissioner found that information is not exempt under section 31(1) of FOISA merely because it relates to measures to protect essential services.
  16. Absent a national security certificate signed by a member of the Scottish Executive (per section 31(2) of FOISA), the Applicant considered that the exemption in section 31(1) of FOISA did not apply to the information requested.
  17. In his application to the Commissioner, the Applicant explained that he considered the Authority had put “the cart before the horse”, by applying the public interest test without first checking that the exemption applied.  For the reasons set out in his requirement for review, he considered the exemption “unquestionably does not apply”.  He further stated that the Authority is a Health Board and that national security exemptions simply do not apply to the information requested.

The Authority’s submissions

  18. The Authority said that it relies on a diverse supply chain to deliver services, which involves the exchange of sensitive, personal and confidential information. Maintaining the security of this information is therefore extremely important.
  19. The Authority considered that disclosure of the information requested would be likely to present an additional risk of cyber-attacks, which might amount to criminal offences (e.g. under the Computer Misuse Act 1990 or the Data Protection Act 2018) and are rated as a “Tier 1 threat” by the UK Government.  In this context, disclosure would provide information about the Authority’s supply chain, technologies, cyber strategy and potential vulnerabilities – allowing these to be “mapped for weakness”.
  20. The Authority explained that it therefore wanted to be “very careful” in considering disclosure of the information requested as the information was of “the most sensitive nature” and disclosure could prove to be “catastrophic”.
  21. The Authority referred to the Commissioner’s guidance on section 31 of FOISA and noted that a ministerial certificate does not have to be in place for the exemption to apply.  It also noted that “national security” is not defined in FOISA and said that many NHS systems are regional and national and there are possibilities that threats could cross boundaries and grind essential and emergency services to a halt, risking services and highly sensitive information.

The Commissioner’s view 

  22. The Commissioner has carefully considered all of the submissions made by the Applicant and the Authority, as well as the information withheld under the exemption.
  23. The Commissioner fully understands the importance of the exemption contained in section 31(1) of FOISA.  Equally, however, while recognising that it is there to protect vital interests, it still requires substantial arguments to support its application, specific to the circumstances.  In this case, and based on the submissions it provided, the Authority has failed to persuade the Commissioner that exemption from section 1(1) is required for the purpose of safeguarding national security – which is what is required for the exemption to apply.  While the Authority provided submissions on the harm that it considered would follow from disclosure, the arguments made on why disclosure would constitute a threat to national security were generic and limited.
  24. The Commissioner would like to reiterate that he has reached this conclusion on the basis of the submissions he has received in this case: it falls to the Authority to satisfy the Commissioner that it has met the requirements of the legislation in each individual case.  His finding in this case does not mean that the exemption in section 31(1) of FOISA will never be relevant in such situations.
  25. Consequently, the Commissioner is not satisfied that the Authority was entitled to withhold the information requested under the exemption in section 31(1) of FOISA.  As he is not satisfied that the information is exempt from disclosure under section 31(1), he is not required to consider the public interest test in section 2(1)(b).
  26. Notwithstanding his finding regarding the exemption in section 31(1) of FOISA, the Commissioner recognises the Authority’s concern regarding disclosure of the information requested into the public domain.
  27. The Commissioner recently issued Decision 076/2025[3], which regarded a request to a different Scottish public authority for effectively the same information as requested in this case.  However, the information in that case was withheld under the exemption in section 35(1)(a) of FOISA, on the basis that disclosure would, or would be likely to, prejudice substantially the prevention or detection of crime.
  28. The Commissioner recognised that it is well known that Microsoft operating systems are vulnerable to cyber-attack once Microsoft ceases to provide security updates and support for these products and that, in recent years, there has been a steady trend of cyber-enabled and cyber-dependent crime increasing in Scotland and the wider UK. He was satisfied that disclosure of the public authority’s cyber position into the public domain could be used by malicious actors to the substantial prejudice of the public authority and accepted that the exemption in section 35(1)(a) of FOISA was engaged.
  29. Given the similarities between the requests and the public authorities to which they were made, the Commissioner’s view is that the same considerations may apply to the information requested in this case as to the information assessed in Decision 076/2025 (which, as stated above, he found was properly withheld under the exemption in section 35(1)(a) of FOISA).
  30. In the circumstances, the Commissioner requires the Authority to issue a revised review response to the Applicant (otherwise than in terms of section 31(1) of FOISA).

Decision 

The Commissioner finds that the Authority failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant. 

The Commissioner finds that the Authority failed to comply with Part 1 (and, in particular, section 1(1)) of FOISA by withholding the information requested under the exemption in section 31(1) of FOISA. 

The Commissioner therefore requires the Authority to issue a revised review response to the Applicant, otherwise than in terms of section 31(1) of FOISA, by 13 June 2025.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

 

Enforcement 

If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply.  The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.

 

Euan McCulloch 

Head of Enforcement 


29 April 2025