New conditions for Swedish authorities to outsource IT operations to private actors

On 1 July 2023, a new provision granting exemption from secrecy obligations entered into force in the Swedish Public Access to Information and Secrecy Act (2009:400). The provision was introduced under the new article Chapter 10 section 2 a, and reads as follows:

Secrecy does not prevent disclosure of information to an individual or to another authority entrusted on behalf of the disclosing authority with the task of merely technically processing or technically storing the information, unless, with regards to the circumstances, a disclosure is inappropriate.^[1]

Furthermore, a new provision in Chapter 44 Section 5 of the Public Access to Information and Secrecy Act was added, restricting the freedom to communicate information. However, this new provision will not be further analyzed here.

Since the secrecy breaking provision in Chapter 10 Section 2 a of the Public Access to Information and Secrecy Act is new, information on its interpretation is mainly collected from the government bill. In the government bill, it is stated that the new amendments aim to create better conditions for authorities to outsource or coordinate their IT operations and to strengthen the protection of the information provided to an individual when outsourcing IT operations. IT operations that can be subject to outsourcing are diary and case management systems or office support systems, which include e-mail, calendar and document management support. Coordinated IT operations are when one authority entrusts another authority to provide basic IT operational services to the commissioning authority, while outsourcing of IT operations refers to the situation where an authority entrusts a corresponding assignment to a private service provider. Hereafter, we will only discuss outsourcing as we consider it most relevant to private actors. As stated in the government bill, a service provider can, within the framework of outsourcing for example, provide a technical infrastructure or platform for IT operations or IT-based functions in the form of applications and services.

In the government bill, it is stated that authorities are prevented from disclosing information if it involves an unauthorized disclosure under the Public Access to Information and Secrecy Act. Information that is covered by secrecy and is made available to a service provider is considered to be disclosed. Such disclosure is only permitted unless secrecy prevents it. The bill mentions that an authority may be prevented from outsourcing IT operations because secrecy classified information cannot be separated from a larger amount of information or because the flow of information in the service is unpredictable. However, the new provision will perhaps minimize these kinds of obstacles to disclosure by granting exemption from secrecy obligations.

The recipient may solely technically process or technically store information on behalf of the disclosing authority. The meaning of the expression technical processing or technical storage is the same as in Chapter 2 Section 13, first paragraph of the Freedom of the Press Act. An assignment to technically process or technically store information may, for example, consist of introducing, managing, developing and eventually discontinuing an operational IT service. This may involve measures such as changes and additions to the functionality of an existing service, establishment of an additional service, integration with other services, configuration, test and development, provision of support services and security tests.

In order to determine whether the disclosure is inappropriate, an assessment of whether or not it is inappropriate to disclose the information shall be carried out by the authority responsible for the information and the assessment should be documented by the commissioning authority. The assessment aims to prevent information of a particularly sensitive nature from being exposed to unnecessary risks.

In the government bill it is stated that the assessment is more extensive in nature than a balance of interests that examines whether the interest in disclosing information outweighs the interest that secrecy is supposed to protect. Instead, the assessment should consider all the circumstances that are relevant in the individual case. Circumstances to be taken into account as a starting point are those relating to the commissioning authority and to the recipient of the information, as well as to the information that is or may be the subject of disclosure. The circumstances may also concern the IT service in question, the contractual relationship between the commissioning authority and the recipient or the general security situation (national or international).

Circumstances that may be important to consider are, for example, the type of information involved, the interests on which secrecy is based and the scope of the information. Something that speaks against a disclosure is if the information is of a particularly sensitive nature. For example, information that is of particular importance for national security when it comes to the Swedish defense. The measures taken by the recipient of the information to protect the information and whether the recipient is subject to a legal or contractual obligation of secrecy should also be taken into account. The contractual relationship between the parties shall be assessed and, in particular, contractual terms which risk depriving the disclosing authority of control of the information. Where the information is handled geographically can be important to consider and also if there are subcontractors who potentially can access the information. Consideration must be given to whether the information will be stored with information belonging to other customers and what risks this entails.

As a result of the new provision, authorities will hopefully be able to outsource their IT operations to private actors to a greater extent. It is important that private actors who wish to provide IT services to authorities adapt their services to the new regulation. The private actor may solely technically process or technically store information; the business operations and the service should be reviewed so that disclosure of information to the private actor cannot be seen as inappropriate when outsourcing.

Finally, it is recalled that an authority that intends to outsource its IT operations must still take into account other legislation when outsourcing IT operations, such as the Protective Security Act (2018:585) and the GDPR, despite the new provision.

^{[1] Please note that this is our own translation of the provision, it is not an official translation.}