Disclosure of Leidos Report: FOI review

Information requested

Disclosure of the Leidos Report. You have sought a review as you do not consider the response constituted a comprehensive response and did not adequately apply the criteria required by the relevant exemptions.

Response

I have concluded that the original decision should be confirmed, with modifications. Following a review of the information and the reasons for withholding I do consider that disclosure of the information in the Leidos Report is exempt under section 30 (c) of the Freedom of Information (Scotland) Act 2002- (FOISA) as disclosure would substantially prejudice or be likely to prejudice substantially the effective conduct of public affairs. However, I am withdrawing our reliance on section 33(1)(a) and confirm that we are relying at this stage on the exemption at section 30(c) to continue to withhold the report.

The Leidos Report

It may be helpful if I outline in the first instance the purpose of what is now come to be known as the Leidos Report about its scope and purpose.

This report was commissioned by Scottish Government following an issue affecting the level of service and case management system known as the LS/CMI system.

I understand the LS/CMI system is the IT system which supports risk assessment and case management for individuals with a risk of offending. It is used by Social Work and Prison staff as part of a wider set of processes to inform a number of decision points within the criminal justice system including sentencing decisions, access to programmes and decisions about release from prison. I understand that around January/February 2022 two issues with the system had been identified which impacted on the systems.

As part of the remedial work in relation to the systems issues, Scottish Government contracted a firm to conduct and end-to-end review of the LS/CMI system. The firm instructed produced the report which is a Functional Specification of the LS/CMI system. This is the Leidos Report. The review was conducted to identify defects so that the appropriate risk management could be undertaken. The review found a number of defects which are described in the report and a risk assessment of those defects. The report is the basis for consideration of the remedial work required to the IT system. The report did not describe how the defects should be fixed as these issues would be addressed in the triage and remediation phase.

The investigation of the impact of the IT errors on the system is still being undertaken by Scottish Government and this includes the potential impact of any error on the risk assessments of individuals. The investigation and remedial work required for the LS/CMI system is also still ongoing. Use of the system involves paper-based work. The move to the paper-based system was remedial action taken to mitigate the risks due to the defects identified in the system back in February 2022. Scottish Government are continuing work with IT partners to resolve the issues and allow for risk assessment to move back on-line.

Exemption under section 30(c) of FOISA

I have taken into account the issues you raise at paragraphs 2.2.1 (a); 2.2.2 (a); 2.2.3 (a); 2.2.4 (a) and 2.2.5(a) about the application of the tests to be applied to the exemption under section 30(c). In relation to the issue you raise under point 2.2.1.(b) I can advise that whilst the report by Leidos into the defects in the system has been completed, the investigation by the Scottish Government into the impact of the defects is not complete and that includes remedial work to get the system operational online once again.

It is considered that the information contained in the Leidos Report is exempt from disclosure on the basis that under section 30(c) of FOISA disclosure would be likely to prejudice substantially the effective conduct of public affairs. As outlined in the FOISA Guidance on section 30 published by the Scottish Information Commissioner, there is no definition of substantial prejudice, but the prejudice caused by disclosing the information must be of real and demonstrable significance, rather than simply marginal.

Firstly, the report contains information about the workings of the LS/CMI system. This is highly sensitive information. As narrated above this system is used to support risk assessment of individuals at various points within the criminal justice system. The information in the Leidos report provides a detailed insight into the functionality of the software and how professionals use it. If this information were to be put in the public domain it would reveal how the provision of information could impact on risk score. This would have the real potential of allowing those subject to risk assessment to be able to manipulate the provision of information which would impact on risk score. This in turn would therefore have the potential to undermine the effective conduct of those professional users of the system and by consequence confidence in the risk assessments of offenders themselves.

The report also contains detail about the defects in the process and the level of risk of that defect according to the risk matrix used by Leidos. As outlined in the original response dated 29 December 2022 Scottish Government are still in the process of collecting all the evidence to allow an evaluation of what the defects were in the process and the impact of those defects in the process. I consider that releasing this information into the public domain could prejudice substantially the effective conduct of public affairs.

The effective conduct of public affairs includes a range of policy decisions for Ministers directly related to this issue, not limited to decisions about moving back to the IT system from the paper- based system as and when this is possible but to a wider range of implications from the original errors occurring. It is considered that this process could be impacted if the material in the Leidos report was published at this time and resulted in outside considerations, for example speculation about the cause of the defects and their impact on use of the system before the full investigation and remedial work required are carried out. Such considerations could hinder this process and potentially delay the return to the use of the IT system.

Further the publication of the material relating to the defects and the level of risk it posed could lead to speculation by individuals who were subject to the risk assessment on the impact of the defects on the decision making in their case. This could lead to unnecessary distress to individuals. It may also lead to speculative requests about the impact on individuals before this impact has been fully and properly investigated and thereafter considered by Scottish Government about what action it should take in relation to individuals whose risk assessment may have been affected by the defects.

In terms of impact on effective public affairs a similar I note that a similar issue was considered in the Commissioner’s decision 193/2013. In that case the applicant was seeking information from the Risk Management which could have led to the release of information about the working of inter alia the LS/CMI method. Whilst decided on different considerations relating to the functions of the RMA, the Commissioner considered that the information was exempt under section 30(c) of FOISA.

Public Interest Test

As the exemption under section 30(c) is not an absolute exemption, the public interest test must be applied.

FOISA does not define the term “public interest”, but it has been described as “something which is of serious concern and benefit to the public.” It has also been said that the public interest does not mean what is of interest to the public, but what is in the interest of the public.

I have considered whether the public interest in disclosing outweighs the public interest in not disclosing the information requested.

I have considered whether it is in the public interest to release the information relating to the details of the LS/CMI information.

I have taken into account that disclosure of the information relating to the operation of the system of risk assessment may in general ensure that those public authorities who operate the system are transparent and accountable for them.

However, there is a clear public interest in retaining the confidentiality of the methods of risk assessment under LS/CMI. It is considered that it would not be in the public interest to disclose information that could have major implications for robustness of the systems used to assess risk of individuals at key points in the criminal justice system, which could have major implications for the protection and safety of the public.

I have therefore concluded that the public interest in disclosing that information is outweighed by that in maintaining the exemption in section 30(c) of FOISA.

In relation to the release into the public domain of the information about the defects and the risks posed by the defect as narrated in the Leidos Report, I have taken into account that disclosure of the information may well be in the public interest as it would provide information to the public about the operation of the IT system and the reasons why it is not available. I have also considered that this would be of serious concern to and is of general public interest.

I have also taken into account your position raised in 2.2.5(a) of your response, that the disclosure of the Leidos report would allow your client to assess and defend claims made against it by the Scottish Government with the intention of avoiding litigation and this would be in the public interest as it would avoid public expense of litigation.I understand that currently there is no such litigation in the courts at this time. I therefore do not consider your client’s interest in the report at this time to be a particularly strong factor weighing in the public interest to make the information available publicly.

There are however a number of compelling factors which I have considered would operate to outweigh that public interest.

Whilst the investigation and remedial work continues it is not considered to be in the public interest to put this information in the public domain. It could potentially cause distress to individuals who may have been subject to the risk assessment process and may consider that there has been a negative impact on them due to the defects. There are sensitive and careful considerations about how to handle such information to ensure that distress is minimised and to avoid speculation by individuals who were not affected. Whilst the investigation into who may have been affected and to what extent they were affected continues then I consider this factor has significant weight in determining where the public interest lies at this time.

I therefore consider that the public interest in not disclosing the information about the extent and nature of the defects outweighs the public interest in disclosing at this time.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.