I would like to ask for information on data security spending & training pertaining to Transport for London, on behalf of Redscan Ltd. Please could you complete the table below to provide the following information: Do you have Cyber Essentials certification? Have you ever been unsuccessful in applying for Cyber Essentials certification? Do you have Cyber Essentials Plus certification? Have you ever been unsuccessful in applying for Cyber Essentials Plus certification? How many penetration tests has your organisation had from an external third-party in the last 12 months? The total number of full-time and part-time employees employed by your organisation with professional cyber security qualifications (as of 19th December 2019 or latest figures available) The total number of full-time and part-time employees employed by your organisation who have completed cyber security training over the last 12 months (prior to 19th December 2019 or latest figures available) Total money spent on cyber security in the last 12 months (prior to 19th December 2019 or latest figures available)

---

TfL Ref: 2869-1920

Thank you for your request received by Transport for London (TfL) on 19 December 2019 asking for information about our data security spending & training across TfL.

Your request has been considered in accordance with the requirements of the Freedom of Information (FOI) Act and our information access policy.  I can confirm we do hold the information you require.

Unfortunately, to provide the information you have requested would exceed the ‘appropriate limit’ of £450 set by the Freedom of Information (Appropriate Limit and Fees) Regulations 2004.

Under section 12 of the FOI Act, we are not obliged to comply with a request if we estimate that the cost of determining whether we hold the information, locating and retrieving it and extracting it from other information would exceed the appropriate limit. This is calculated at £25 per hour for every hour spent on the activities described.

We have estimated that it would significantly exceed the cost limit to provide a response to your current request.   This is because for example for question 6, there is no central register of staff who hold professional cyber security qualifications across TfL. There are likely to be members of staff who hold cyber security qualifications who have not undertaken the training in respect of a work related capacity e.g. staff wanting to move into cyber security and undertaking study themselves to facilitate that. In order to provide the figures you have requested, we would have to check with every individual member of staff to see if they hold any qualifications of this nature. This action in itself would exceed the cost limit in retrieving and compiling this information.

Similarly, for question 7, there is no way of us knowing if members of staff have carried out some other cyber security training other than our own ‘eZone’ internal cyber security training delivery system without again checking with every member of staff across TfL.  

Finally, you’ve asked for information on ‘total money spent on cyber security’. This could include many things from across the entire organisation for example training, promotional items for our awareness month roadshow, and all the additional costs added to contracts by our supply chain in order to meet cyber security requirements we’ve placed on them which would be extremely difficult to quantify.

To help bring the cost of responding to your request within the £450 limit, you may wish to consider narrowing its scope so that we can more easily locate, retrieve and extract the information you are seeking. If you want to refine your request or make a Freedom of Information Act request in future, please bear in mind that the Freedom of Information Act allows you to request recorded information held by us. You should identify the information that you want as clearly and concisely as you can, prioritising information that is of most importance to you.

Although your request can take the form of a question, rather than a request for specific documents, we do not have to answer your question if it would require the creation of new information or the provision of a judgement, explanation, advice or opinion that was not already recorded at the time of your request.

Please also note that if you were to submit a revised request for similar information, this is likely to result in the strong consideration of one or more exemptions under the FOI legislation. You may want to look at some ICO Decision Notices  upholding exemptions broadly on the subject of cyber security issues before you consider how to refine any new request: https://ico.org.uk/media/action-weve-taken/decision-notices/2018/2258599/fs50665770.pdf and https://ico.org.uk/media/action-weve-taken/decision-notices/2016/1623677/fs_50600199.pdf.

Please note that we will not be taking further action until we receive your revised request.

In the meantime, if you have any queries or would like to discuss your request, please do not hesitate to contact me.

Please see the attached information sheet for details of your right to appeal as well as information on copyright and what to do if you would like to re-use any of the information we have disclosed.

Yours sincerely

Sara Thomas

FOI Case Management Team

General Counsel

Transport for London

Back to top

---