FOI 6-26: A request for information relating to the AIMS Modernisation Project
Information Standards Freedom of Information Response
Our ref: FoI 06-26
25 March 2026
Freedom of Information Act 2000 (“FOIA”)
I am writing to confirm that the Northern Ireland Assembly Commission (Assembly Commission) has processed your request dated 24 January 2026 in line with the Freedom of Information Act 2000 (FOIA). Your request concerned the governance, delivery oversight, and financial management of the AIMS Modernisation Project. The full text of your request is at Annex 1. In the text below, we have adopted the numbering used in your questions.
Our response
The Assembly Commission holds information in relation to your request as outlined below.
1. Project Objectives and Commitments
(a) The approved business case or outline business case for the AIMS Modernisation Project.
- The AIMS project is part of the commitment of the Information Systems (IS) Office to the Assembly Commission’s five year Corporate Plan for upgrading its work environment and upskilling its workforce. The core objective of the project is to securely transition from ‘on premise’ services and applications to the Microsoft (MS) Azure cloud and to support a cloud first, enterprise architecture, moving into the future. It relies on the in-house development team, Infrastructure colleagues, and the business champions, in collaboration with an MS Partner to deliver.
- Appendix 1a provides an extract from the AIMS Outline Business Case (OBC) paper which was approved by the Assembly Commission Senior Management Team (‘SMT’) and Assembly Commission.
- Material has been redacted from the OBC approvals where that is necessary to protect commercial interests. This information is exempt from disclosure under section 43(2) of the FOIA (commercial interests) – see (i) below.
(b) The Project Initiation Document (PID) or equivalent
- The IS Office currently uses a Project on Paper (PoP) in-person meeting to launch its projects. The PoP is considered equivalent to a Project Initiation Document (PID) and has been provided at Appendix 1b. This meeting is based on the approved business case papers (Appendix 1a). The PoP document becomes part of the permanent project documentation. A number of redactions have been made to this document pursuant to section 40 of the FOIA (personal information) – see (i) below.
(c) Any centrally held statements of project scope, success criteria, or target deliverables.
- The high-level project scope is outlined in the high-level Statement of Works, which has been provided at Appendix 1c (attached). The success criteria are mapped to the delivery of services transitioned to the Azure environment, as per the project plan and meeting the high-level corporate objectives.
(d) Any documented commitments regarding delivery milestones or timelines that were formally approved.
- The project commenced in late 2024 and delivery is to be complete before the next mandate due to commence in May 2027. To support the delivery, the project team slowed the deliverable to span across a third financial year, ensuring it could meet the needs of the Assembly Commission. It managed the budget in line with this decision.
2. Procurement and Supplier Appointment
(a) Copies of procurement documentation held centrally that was used to appoint suppliers to the AIMS Modernisation Project.
- This information is exempt from disclosure under section 21 of the FOIA, because it is reasonably accessible to you by other means.
- The Assembly Commission utilised an existing collaborative contract, owned and managed by the Department of Finance (the Department). This is the Northern Ireland Public Shared Services Network (NIPSSN) contract. This contract was utilised by the Assembly Commission to purchase the services required for the ‘transition to the cloud’ under Modernisation.
- Information relating to the procurement of the collaborative contract is published by the Department of Finance. The Assembly Commission may use this collaborative contract for the purchase of any of the services available under the contract.
(b) The evaluation criteria used in the procurement process (final versions only)
- The Assembly Commission does not hold this information as it is not a requirement of the NIPSSN contract. To commission work under the NIPSSN contract simply requires a request to be sent to the Department outlining the requirement to ensure it is within scope and if so, the supplier provides a quotation which is either accepted or rejected.
(c) High‑level evaluation summaries, where available.
- See response to 2(b).
(d) Contract start dates, durations, and any centrally held records of contract extensions or variations.
- This information is exempt from disclosure under section 21 of the FOIA, because it is reasonably accessible to you by other means. Details of provision for contract variations, extension etc. are available under the NIPSSN contract.
(e) Final versions of signed contracts or statements of work, with redactions applied where necessary.
- The Assembly Commission does not hold this information. The Assembly Commission is not a signatory as the NIPSSN contract is owned and managed by the Department.
3. Conflict of Interest Declarations
(a) Any centrally held conflict of interest declarations made by staff involved in procurement or contract management for the AIMS Modernisation Project.
- The Assembly Commission does not hold this information. However, you may wish to contact the Department directly, as they may hold further records relating to the procurement process and subsequent award regarding the NIPSSN collaborative contract.
(b) Governance documents describing the process for identifying and managing conflicts of interest.
- See response to 3(a).
(c) The job titles (not names) of staff who participated in supplier evaluation or contract award decisions.
- See response to 3(a).
4. Governance and Oversight
(a) Documents describing the project’s governance structure (e.g., governance diagrams or role descriptions).
- The roles and responsibilities matrix is attached as Appendix 4a.
(b) Terms of reference for any boards or groups overseeing the project.
- The Assembly Commission does not hold this information. The project is managed internally by a program board consisting of members of SMT and senior Assembly Commission staff with responsibility to deliver the Corporate Strategy.
(c) Membership lists for these boards or groups (job titles only where appropriate).
- The AIMS project is governed by a Project Sponsor, and a Project Owner. It is overseen by the Project Manager, three subject matter experts and a Technical Lead. The project roles have been identified in Appendix 4a (attached).
(d) Any centrally held summaries, extracts, or final versions of assurance, audit, or health‑check reports relating to the project.
- The Assembly Commission does not hold this information.
5. Delivery Reporting
(a) Final versions of status or highlight reports submitted to senior responsible owners (SROs) or senior management.
- The Project Manager reports to the board in writing on a monthly basis with a further quarterly report in person regarding project progress. These reports have been provided at Appendix 5a (attached).
- A number of redactions have been made to this information pursuant to section 40 and section 43 of the FOIA (see (i) and (ii) below).
(b) Any centrally held summaries of delivery milestones or progress reviews.
- Project Progress Reports have been provided at Appendix 5a (attached) as outlined above.
(c) Any centrally held risk or issue summaries provided to senior management.
- The activity log contains risks and decisions by category, likelihood and severity. This forms part of the living project documentation. This is accessible and contributed to by the entire Project Team including the Project Board.
- A number of redactions have been made to this information pursuant to section 31 of the FOIA (see (i) below).
- A representative sample is provided in Appendix 5a (attached).
6. Financial Information
- The Assembly Commission considers the project’s financial figures to be exempt from disclosure under section 43 of the FOIA (commercial interests) - see (ii) below.
7. Resourcing and Workforce Decisions
(a) Any centrally held documents relating to decisions to increase contractor involvement on the project.
- The Assembly Commission does not hold this information.
(b) Workforce planning documents or capability assessments that were formally approved.
- The Assembly Commission does not hold this information.
(c) Any centrally held documentation explaining funding decisions relating to project resourcing.
- See the response at 1(a).
8. Requirements and Business Engagement
(a) Final versions of business requirements documents.
- The Assembly Commission does not hold this information.
- Business requirements are defined in the current functionality of the existing on-premises version of the applications. This project will migrate these functions to a cloud environment, modernising the technology they run on and making them readily available for the development team to continuously evolve, after transition. The existing product champions are supporting the transition.
(b) Stakeholder engagement or communication plans.
- The Assembly Commission does not hold this information. The product champions meet with the application analyst regularly to review work from the previous cycle as an extended part of the development team. Formal minutes are not prepared.
(c) Final versions of acceptance criteria or sign‑off documents held centrally.
- The Assembly Commission holds the Activity logs capturing decisions. However, these logs are exempt from disclosure under section 31 of the FOIA for the reasons given at (i) below.
9. Risk and Issue Management
(a) Any centrally held high‑level summaries or extracts from the project’s risk register.
- As previously outlined, the activity log contains risks and decisions by category, likelihood and severity. The AIMS Activity Log Time Sample has been outlined at Appendix 5a (attached).
(b) Any centrally held summaries of issue logs or escalation records provided to senior management.
- See response to 9(a).
Applicable exemptions
(i) Section 31 (Law enforcement)
The Assembly Commission has redacted information on technical and organisational security measures and details of software on the basis that this information is exempt from disclosure under section 31(1)(a) of the FOIA. This provides as follows—
‘(1) Information which is not exempt information by virtue of section 30 is exempt information if its disclosure under this Act would, or would be likely to, prejudice—
(a) the prevention or detection of crime…’
The section heading ‘law enforcement’ is construed broadly, and extends to physical, technical and organisational steps to prevent crime. In this regard the Assembly Commission notes ICO Guidance on section 31(1)(a) of the FOIA under which this exemption may be used ‘to withhold information that would make anyone, including yourself, more vulnerable to crime’, and further notes the recent ICO decision notice in IC-319774-D8S8.
Section 31(1) is a qualified exemption, and the Assembly Commission has accordingly considered whether the public interest in maintaining the exemption outweighs that in providing the information.
The Assembly Commission notes the following factors relevant to maintaining the exemption—
- The Assembly Commission, as the devolved legislature for Northern Ireland, processes a considerable volume of matters of local and national political controversy, as well as maintaining systems which support the work of elected Members and may contain sensitive information about their constituents. The Assembly Commission’s IT infrastructure accordingly holds sensitive personal, operational, and financial information on Members, and employees, and manages systems containing information about private individuals.
- Disclosure of technical configurations, system designs, security tools, or known vulnerabilities would give hostile actors insights they could directly exploit. Preventing such exploitation is obviously aligned with the public interest in maintaining the security and integrity of public‑sector systems. Identifying the types of software in use can allow cyber-criminals to narrow down and identify known vulnerabilities within the specific software and attempt to exploit these.
- Cyber‑attacks such as ransomware, phishing, and network intrusion can cause harm including financial loss, service disruption, and potential compromise of personal data. These issues arise in this case. In addition, the potential reputational damage to the Assembly and its Members from a cyber-attack is immense, and clearly real, actual, and of substance. Disclosure of cyber-security information that weakens the Assembly Commission’s defensive posture would increase the likelihood of successful cyber-attacks, undermining the general public interest in ensuring safe, resilient public services and the particular public interest in the effective functioning of the legislature.
- Cyber incidents place a substantial financial burden on public authorities through remediation, system restoration, incident response, and potential regulatory penalties. It is in the public interest to minimise the likelihood of such incidents by not releasing information that would facilitate crime.
- The National Cyber Security Centre (NCSC) has consistently advised against sharing detailed or sensitive cyber‑security information publicly, as doing so enables threat actors to refine their attack methods. This sort of information falls within the scope of the request. Complying with NCSC guidance supports the wider national interest in maintaining robust cyber defences across the public sector.
The Assembly Commission notes the following factors relevant to disclosing the information—
- There is a general public interest in transparency, accountability, and understanding how public authorities manage cyber‑security risk, particularly where public money is involved.
- Openness also promotes public confidence and supports scrutiny of how systems and defences are resourced.
In this case, the Assembly Commission has determined that the public interest in maintaining the exemption outweighs the public interest in disclosure.
(ii) Section 40 (personal information)
The Assembly Commission has redacted some personal data from the documents provided to you on the basis that it is personal data and there is no lawful ground for its processing. Personal data is defined by the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) as information relating to one or more identifiable living individuals.
Section 40(2) of the FOIA provides that any information is exempt information if it constitutes personal data of which the applicant is not the data subject and satisfies one of the three conditions.
The Assembly Commission is satisfied that one such condition is satisfied. It is not therefore necessary to consider the other potentially applicable conditions. The relevant condition is set out at section 40(3A) of the FOIA, and is that ‘…disclosure of the information to a member of the public otherwise than under this Act would contravene any of the data protection principles.’
The data protection principles are set out at Article 5 of the UK GDPR. They require, inter alia, that processing be lawful, fair and transparent. Processing is lawful only if one or more of the conditions set out at Article 6 of the UK GDPR is satisfied. The Assembly Commission is satisfied that the processing of the personal data redacted from these documents is not ‘necessary’ for any purpose set out in Article 6.
(iii) Section 43 (commercial interests)
The Assembly Commission has redacted certain information from the documents provided to you on the basis that it is exempt from disclosure under section 43 of the FOIA. Section 43(2) provides as follows—
‘Information is exempt information if its disclosure under this Act would, or would be likely to, prejudice the commercial interests of any person (including the public authority holding it)’.
Section 43(2) of the FOIA 2000 is a qualified exemption and the Assembly Commission has accordingly considered whether the public interest in maintaining the exemption outweighs the public interest in providing the information.
The Assembly Commission notes the following factors relevant to maintaining the exemption—
- It is more likely than not that disclosure of the information sought would lead to costs for goods and services provided to the Assembly Commission being used as a benchmark for future bids to supply goods and services to the Assembly Commission. This is likely to result in higher procurement costs. It would erode any commercial advantage the Assembly Commission has in such negotiations, have a negative effect on value for money procurements, and impact negatively on the public purse.
- While there is a significant public interest in ensuring proper scrutiny of the Assembly Commission’s use of public money, this can be achieved in a manner which is less likely to prejudice the commercial position of the Assembly Commission and third parties – via scrutiny of the Assembly Commission’s budget by the Assembly’s Audit Committee, audit of the Assembly Commission’s financial statements by the Northern Ireland Audit Office and compliance with public procurement legislation, including publication of contract awards.
The Assembly Commission notes the following factor relevant to disclosing the information—
- There is significant public interest in ensuring proper scrutiny of the Assembly Commission’s use of public money and the manner in which it carries out public expenditure.
In this case, the Assembly Commission has determined that the public interest in maintaining the exemption outweighs the public interest in disclosure.
Further Information
You have the right to request an internal review of this decision by the Assembly Commission. If you wish to request such a review, please write to me at the above address. If, after that review, you are dissatisfied with the way in which the Assembly Commission has handled your request for information, you may complain to the Information Commissioner’s Office (ICO) at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
Your request for information and our response may be published in the disclosure log maintained by the Assembly Commission under a publication scheme agreed with the ICO. The request and our response will be anonymised.
Yours sincerely
INFORMATION STANDARDS
Annex 1: your request
“I am writing to request information under the Freedom of Information Act 2000 regarding the governance, delivery oversight, and financial management of the AIMS Modernisation Project.
This request is made in the public interest to understand how delivery commitments, governance structures, and public expenditure have been managed.
To ensure the request is manageable, I am seeking final versions of documents held centrally, rather than drafts or documents stored only in individual mailboxes.
1. Project Objectives and Commitments
Please provide the following final versions only:
- The approved business case or outline business case for the AIMS Modernisation Project
- The Project Initiation Document (PID) or equivalent
- Any centrally held statements of project scope, success criteria, or target deliverables
- Any documented commitments regarding delivery milestones or timelines that were formally approved
2. Procurement and Supplier Appointment
Please provide:
- Copies of procurement documentation held centrally that was used to appoint suppliers to the AIMS Modernisation Project
- The evaluation criteria used in the procurement process (final versions only)
- High‑level evaluation summaries, where available
- Contract start dates, durations, and any centrally held records of contract extensions or variations
- Final versions of signed contracts or statements of work, with redactions applied where necessary
3. Conflict of Interest Declarations
Please provide:
- Any centrally held conflict‑of‑interest declarations made by staff involved in procurement or contract management for the AIMS Modernisation Project
- Governance documents describing the process for identifying and managing conflicts of interest
- The job titles (not names) of staff who participated in supplier evaluation or contract award decisions
4. Governance and Oversight
Please provide:
- Documents describing the project’s governance structure (e.g., governance diagrams or role descriptions)
- Terms of reference for any boards or groups overseeing the project
- Membership lists for these boards or groups (job titles only where appropriate)
- Any centrally held summaries, extracts, or final versions of assurance, audit, or health‑check reports relating to the project
5. Delivery Reporting
Please provide:
- Final versions of status or highlight reports submitted to senior responsible owners (SROs) or senior management
- Any centrally held summaries of delivery milestones or progress reviews
- Any centrally held risk or issue summaries provided to senior management
6. Financial Information
Please provide:
- The approved project budget
- High‑level summaries of actual spend to date, broken down by supplier where this information is held centrally
- Any centrally held records of approvals for additional spend, contract extensions, or budget changes
7. Resourcing and Workforce Decisions
Please provide:
- Any centrally held documents relating to decisions to increase contractor involvement on the project
- Workforce planning documents or capability assessments that were formally approved
- Any centrally held documentation explaining funding decisions relating to project resourcing
8. Requirements and Business Engagement
Please provide:
- Final versions of business requirements documents
- Stakeholder engagement or communication plans
- Final versions of acceptance criteria or sign‑off documents held centrally
9. Risk and Issue Management
Please provide:
- Any centrally held high‑level summaries or extracts from the project’s risk register
- Any centrally held summaries of issue logs or escalation records provided to senior management.”