Log In

Reset Password

Government may challenge ICO on cyberattack records order

The Government is considering challenging the Information Commissioner in court after she ordered the Cabinet Office to reveal if it held records of communications about last year’s cyberattack.

Gitanjali Gutierrez, in an interim order, which is the first of its kind to be issued here, has given the public authority until October 9 to declare whether the documents exist and share them with her office, or explain why it is unable to do so.

A Cabinet Office spokeswoman told The Royal Gazette a judicial review was being considered about certain aspects of the order.

The spokeswoman said in a statement: “The ICO's order is based on a series of adverse inferences drawn against the public authority and appears to require the Cabinet Office to confirm facts already found by the ICO.”

The matter stems from a public access to information request made by the Gazette in early October last year for copies of all communications about the cyberattack from September 20 — the date of the hack — to October 12, 2023.

The Cabinet Office failed to respond until it was ordered to do so by the ICO in February.

It then refused to disclose the records on the grounds that doing so would interfere with national security, ministerial responsibility and law enforcement.

The newspaper asked Ms Gutierrez to review the decision and, during her inquiry, the Cabinet Secretary, Marc Telemaque, cited section 38 of the Pati Act, which gives public authorities the right to refuse to acknowledge if records exist if they would be exempt from disclosure.

Ms Gutierrez issued a decision on September 11 this year, which found that reliance on that section was “not appropriate” in this case.

She wrote that when the Cabinet Office invoked section 38, on May 15, “it was already in the public domain that there had been a cyberattack on the Government’s IT systems and that there had been communications about the attack to and from the Cabinet and other public service leaders and ministers.

“The incident received extensive media coverage. Confirming or denying whether the records described in the request existed would therefore not constitute a disclosure of new information and there would be no harm to the public interest.”

Ms Gutierrez found that the “ … issue of the cybersecurity incident was a matter of such significance that acknowledging that communications between senior members of the Government existed is required to further the purposes … of the Pati Act and the interpretation of ‘public interest’ in … the Pati Regulations 2014, including eliminating unnecessary secrecy and promoting accountability of and within the Government”.

The Gazette specifically sought communications to and from the Premier, the Cabinet Secretary, the Head of the Public Service and acting head, the Deputy Head of the Public Service, and the Permanent Secretary for the Cabinet Office during a three-week period.

Ms Gutierrez wrote that the Cabinet Secretary told her office he did not “see a compelling reason for the disclosure of whether records exist, because if such records exist, there are multiple exemptions which apply”.

He stuck to that position after the Information Commissioner shared a preliminary view that it was wrong.

The interim order was issued in response; Ms Gutierrez wrote that it was the “first instance” of her using that power under the Public Access to Information Act.

She found it necessary because she had to decide if section 38 was applicable before she could consider the exemptions relied on for non-disclosure by the Cabinet Office.

Ms Gutierrez wrote that section 38 required the public authority to show, to a high level of certainty, that any relevant record would be exempt from disclosure.

There have been cases where public authorities, including the Bermuda Monetary Authority and the Bermuda Police Service, have been able to show that, but the Information Commissioner said the Cabinet Office had not provided evidence in this case.

Ms Gutierrez wrote: “ … in the absence of submissions from the Cabinet Office explaining how every potential responsive record would, if it existed, be exempt under one of the provisions above, the Information Commissioner is not satisfied that the Cabinet Office has justified its reliance on section 38 of the Pati Act”.

The Cabinet Office spokeswoman said: “The Pati Act contains legal exemptions and asserting that these would apply to records if they exist does not preclude a public authority's reliance on Section 38 of the Act in response to a request of this nature.”

She said the applicable exemptions were clearly set out in response to the Gazette’s request, adding: “The order is being reviewed and, subject to ongoing legal advice, the Cabinet Office will further communicate its position to the ICO.”

Ms Gutierrez said yesterday: “My reasoning is in the interim order and, unfortunately, it would not be appropriate to comment further while the Cabinet Office’s response is pending.”

·To view the Cabinet Secretary’s decision, the ICO interim order, the ICO’s press release, and the earlier ICO decision, see Related Media

Royal Gazette has implemented platform upgrades, requiring users to utilize their Royal Gazette Account Login to comment on Disqus for enhanced security. To create an account, click here.

You must be Registered or to post comment or to vote.

Published September 26, 2024 at 8:18 am (Updated September 26, 2024 at 8:18 am)

Government may challenge ICO on cyberattack records order

Users agree to adhere to our Online User Conduct for commenting and user who violate the Terms of Service will be banned.