1. Please confirm how the risk of data breach on the Capita One system is being managed.
Following receipt of communications from Capita One, Devon County Council took immediate steps to protect the confidentiality, integrity, and availability of our infrastructure.
We are unable to provide details of the steps that we took to mitigate the risk to the Council’s data. This is because we believe this information is exempt from disclosure under Section 31(1)(a) of the Freedom of Information Act 2000. Devon County Council believes that releasing this information into the public domain would reveal intelligence about how our IT infrastructure is configured. We are concerned that this would then provide cyber threat actors with valuable insights about how our systems are architected, that could be used against us by those actors, to increase the chances of them delivering a successful cyber-attack against the Council.
Whilst we recognise that there is a public interest in openness and transparency around the management of the Council’s IT infrastructure, we consider that there is a stronger public interest in the Council being able to maintain the confidentiality, integrity, and availability of its IT infrastructure. For this reason, we consider that the balance of public interest is best served by withholding this information from disclosure at this time.
2. Please share a copy of the risk register concerning this.
Devon County Council does not hold this information. This is because this matter was not recorded on our risk register.
3. Please confirm plans to test the market for alternative partner suppliers.
Devon County Council does not hold this information.