Please provide information about the procurement and use of the ePEP (electronic Personal Education Plan) system by Devon County Council’s Virtual School, introduced and going live in September 2017:
1. Confirmation of the procurement route (e.g., direct call-off from the G-Cloud framework or another method).
2. Confirmation that the supplier at the time was eGov Digital Limited (Company No. 08945929, incorporated 19 March 2014, dissolved 10 September 2019 – see https://find-and-update.companyinformation.service.gov.uk/company/08945929).
3. Details of all payments made to eGov Digital Limited (or supplier ID 350821) from 2017 to 2019, including dates, amounts, invoice references, and descriptions. (Note: A payment of £4,000 appears in March 2018 transparency data under Children’s Services.)
4. Any records of due diligence, pre-contract checks, or evaluations conducted in 2016-2017 before entering the arrangement.
This includes: Risk assessments (particularly for data security and processing sensitive personal data of looked-after children)
5. Supplier financial checks or credit reports
6. References from other local authorities
7. Evaluations of alternative system
8. Compliance checks (e.g., data protection/GDPR, information security, value for money)
9. Checks on supplier certifications or accreditations (e.g., ISO 27001, Cyber Essentials, or UKAS accreditation)
10. Internal approvals, business cases, or rationale for selection (especially if no competitive tender was required)
11. Copies of any non-commercially sensitive sections of the call-off contract, award notice, or agreement from 2017 (or earlier).
This information is exempt from disclosure under Section 31(1) of the Freedom of Information Act 2000 (Prevention or Detection of Crime).
Devon County Council can confirm the requested information is held; however, this information constitutes valuable intelligence, that could be leveraged by a motivated cyber threat actor to inform a successful attack against Council infrastructure. Releasing this information would therefore increase the chances of the Council becoming the victim of a cyber-attack.
The Council has considered the public interest in releasing this information and recognises there is a public interest in openness and transparency. However, there is a stronger public interest in the Council maintaining the security and integrity of its IT systems. Significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations.
Therefore, the balance of public interest weighs in favour of withholding this information from disclosure.