Please provide information relating to Devon County Council’s use of the ePEP Online System provided by eGov Solutions Ltd (Company No. 11651414) and/or EGov Digital Ltd.
1. Confirmation of whether Devon County Council currently uses (or has used since 2018) the ePEP Online System from eGov Solutions Ltd / EGov Digital Ltd, and if so, the dates of the current or most recent contract period.
2. Copies of any Data Protection Impact Assessments (DPIAs) conducted for the ePEP system (or redacted versions if necessary).
Information has already been provided in this previous Virtual School ePEP (electronic Personal Education Plan) system – Freedom of information Freedom of Information response.
3. Details of any security audits, penetration tests, or independent verification of the ePEP platform’s security undertaken by or on behalf of the Council since 2018.
4. Records of any checks made on the supplier’s security accreditations or certifications prior to procurement or contract renewal, specifically whether the Council verified:
ISO/IEC 27001 (Information Security Management System)
ISO/IEC 27701 (Privacy Information Management System)
Cyber Essentials / Cyber Essentials Plus
Or any other relevant security standard
5. Any correspondence or records (internal or with the supplier) discussing the supplier’s lack of UKAS-accredited ISO 27001/27701 certification (confirmed by UKAS in November/December 2025).
6. Details of any risk assessments or mitigations implemented regarding:
Shared staff login credentials
The “Squiddle Chat” feature (or any child-accessible interactive functions)
Data duplication/minimisation practices
7. Copies of any complaints, concerns, or whistleblower reports received by the Council regarding the security or safeguarding implications of the ePEP system since 2018.
In response to questions 3-7, this information is exempt from disclosure under Section 31(1) of the Freedom of Information Act 2000 (Prevention or Detection of Crime).
Devon County Council can confirm the requested information is held; however, this information constitutes valuable intelligence, that could be leveraged by a motivated cyber threat actor to inform a successful attack against Council infrastructure. Releasing this information would therefore increase the chances of the Council becoming the victim of a cyber-attack.
The Council has considered the public interest in releasing this information and recognises there is a public interest in openness and transparency. However, there is a stronger public interest in the Council maintaining the security and integrity of its IT systems. Significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations.
Therefore, the balance of public interest weighs in favour of withholding this information from disclosure.