Information request and response under the Freedom of Information (Scotland) Act 2002
FOI Reference: FOI/202400392042
Date received: 5 January 2024
Date responded: 2 February 2024
Information Requested
In the agency's most recent annual report, Annual Report and Accounts November 2023 (socialsecurity.gov.scot) it referred to how:
'During 2022-23, the Internal Investigations team progressed a number of allegations of internal fraud/theft, and unauthorised data access. Full investigations were conducted and reports of findings passed for progress under disciplinary procedures where appropriate.'
It went on: 'One such investigation identified losses relating to Information Technology equipment. The investigation identified missing hardware with an estimated value of £38,000. Two related instances of suspected theft have been identified. Referrals to Police Scotland have been made and investigations are ongoing.'
Request for information 1: How many allegations were investigated of internal fraud?
Request for information 2: How many allegations were investigated of internal theft?
Request for information 3: How many allegations were investigated of unauthorised data access?
Request for information 4: How many for each category resulted in disciplinary action, including dismissal?
Request for information 5: Please specify the number of dismissals, if there are any and if there is a difficulty with releasing small numbers please confirm dismissals or not.
Request for information 6: Please can you tell me what dates the alleged IT thefts were reported to police and to which geographical police office they were reported and incident numbers allocated. This will allow me to check progress of the investigation with police. I do not want further details of the allegations, merely information the police have asked for to allow them to update on their inquiries.
Response
We have interpreted your requests for information to relate to the work of the Internal Investigations team.
Requests for information 1, 2, 3, 4 and 5
An exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to the information requested. Disclosing this information would substantially prejudice our ability to prevent fraudulent activity. Prevention is at the forefront of our approach to fraud and anything that could undermine that prevention activity significantly limits our ability to protect our assets.
Established fraud risk management theory maintains that a threat actor’s decision to commit fraud is informed by their assessment of three main factors: motivation, rationalisation and opportunity. This includes the risks posed by any Insider Threat where abuse of their position and their access to our assets requires appropriate preventative tactics.
The assessment of a threat actor’s opportunity relates to the perceived ease of achieving success balanced against the risk of detection and severity of punishment. Increased opportunity to exploit vulnerabilities, and/or decreased risk of detection and punishment (or simply a perception of this) will have directly aggravating impacts on our internal fraud risk profile. Any perception on how internal fraud is investigated could increase the number of threat actors who would seek to test our defences which could in turn undermine the effectiveness of our internal fraud response due to those increased volumes of attacks.
This exemption is subject to the ‘public interest test’. Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. We recognise that there is a public interest in disclosing information as part of open, transparent and accountable government, and to inform public debate. However, there is a greater public interest in maintaining the Agency’s ability to prevent any fraudulent activity and thus protecting the public purse from potentially increased loss.
Request for information 6:
The suspected thefts of Information Technology equipment which you referenced in your request were reported to the Police. The first report was to Stewart Street Police Station on 6 January 2022. No CRN number was provided in relation to that report. A second report was made to London Road Police Station on 29 December 2022. The corresponding crime reference number is PSPBA00650122.
About FOI
Social Security Scotland is committed to publishing its response to requests. The Scottish Government also publishes responses to requests. You can view the responses at http://www.gov.scot/foi-responses.