Single Source Regulations Office
SSRO handling of commercially sensitive information
The Single Source Regulations Office (SSRO) was established by the Defence Reform Act 2014 (the Act) to be an independent arm's-length expert and adjudicator on Ministry of Defence (MOD) single source defence procurement. Its mandate is to ensure that good value for money is obtained in government expenditure on qualifying defence contracts and that a fair and reasonable price is paid to the parties to those contracts.
To achieve these aims, the Act and the related Single Source Contract Regulations 2014 (the Regulations), which came into force on 18 December 2014, require that the SSRO be provided with the standard suite of reports described in Parts 5 and 6 of the Regulations for qualifying defence contracts and qualifying sub-contracts.
The SSRO will also receive confidential and commercially sensitive information in accordance with the SSRO referrals procedure for referred matters from either a contractor or MOD under the Act and Regulations. The SSRO may also receive confidential and commercially sensitive information outside this formal referrals procedure as part of its interaction with industry and MOD stakeholders.
This statement is in response to comments made by industry stakeholders. It sets out how the SSRO handles the confidential and commercially sensitive information it receives and how it responds to obligations under the Freedom of Information Act 2000.
Confidential and commercially sensitive information
Schedule 5 of the Act and Part 10 of the Regulations make unauthorised disclosures of the information above a criminal offence. A person committing an offence will be liable to imprisonment or a fine or both.
Under the terms and conditions of employment on joining the SSRO, employees commit to strict obligations for the protection of confidential information received during the course of their employment. In particular, they are expressly reminded that unauthorised disclosure of information under Schedule 5 of the Act and Part 10 of the Regulations is a criminal offence, and they are required to familiarise themselves with the relevant sections of the Act and Regulations.
The SSRO has in place policies and procedures for the declaration of interests. In its corporate governance framework, the SSRO sets out the conduct expected of members and staff and prohibits them from using information gained in the course of their duty for personal gain. We require the same standards and conduct of our SSRO Referral Committee panel members.
The Code of Conduct for Board members similarly expressly prohibits members from using information gained in the course of public service for personal gain or using the opportunity to promote their own private interests. Board members are reminded that any breach of these obligations may be a criminal offence under insider dealing legislation. SSRO Referral Committee panel members must also adhere to these standards and conduct.
The SSRO has strict policies and procedures relating to information security. All users of SSRO equipment are required to help protect the information held on it, and breaches will result in disciplinary action being taken. SSRO equipment may only be used by users approved and trained to use it, and only for approved purposes and in accordance with SSRO policies. Strict controls are in place to govern the use of SSRO equipment and to protect equipment when it is not in use. The SSRO monitors compliance to detect prohibited or unauthorised use.
Commercially sensitive information is ring-fenced within the SSRO and in its secure data handling system. Government security classifications are applied and access is strictly limited on a need-to-know basis to the smallest number of dedicated employees and Board members necessary for the performance of SSRO statutory functions. All software, applications and information technology support purchased or subscribed to by the SSRO are required to comply with industry best practice security levels and are subject to security classification and access controls. Users are appropriately trained and are required to comply with SSRO handling instructions.
Where appropriate the SSRO will seek accreditation against relevant security standards and will publish the results on its website.
The SSRO will also require any third parties engaged to provide services to the SSRO to adhere to the same standards and procedures in the handling and treatment of any confidential and commercially sensitive information that the SSRO receives and that the third party needs to access in the course of providing services to the SSRO.
Freedom of Information Act 2000
As expressly provided at paragraph 21 of Schedule 4 to the Act, the SSRO is subject to the Freedom of Information Act 2000 (FOIA). As such, the public may request to see information held by the SSRO.
However, whilst the SSRO advocates transparency in its activities and operations, it is mindful of the commercial sensitivity of the information it receives from contractors and the MOD in furtherance of its statutory functions. For the SSRO to succeed in its mandate, it is paramount that it both merits and maintains the confidence of its stakeholders. The SSRO will rely on relevant exemptions under the FOIA as necessary in order to deny inappropriate disclosures. In particular, section 41 of the FOIA provides an absolute exemption in respect of information supplied and held under a legal duty of confidence. In addition, section 43 provides a qualified exemption (subject to a public interest test) in respect of trade secrets and other commercially sensitive information where disclosure is likely to prejudice the interests of any person.
The SSRO is confident that these exemptions to the FOIA are sufficient to protect the confidential and commercially sensitive information it holds and will defend that position by any means necessary if required.
The SSRO holds its employees and officeholders to the highest standards of professional conduct and integrity at all times. It is mindful of the responsibility that the performance of its functions under the Act and Regulations carries. The interests of its stakeholders are paramount, and appropriate policies, procedures and controls are in place and are monitored and reviewed in order to ensure that this is and remains the case.