Breaches of the Data Protection Act

Request for Information - FOI16648

Request

Thank you for your email of 28 February 16, requesting information from Ordnance Survey in accordance with the Freedom of Information Act (FOIA) 2000:

I am writing under the Freedom of Information Act 2000 to request details of breaches of the Data Protection Act within your organisation; specifically I am asking for:

1. a) Approximately how many members of staff do you have?
1. b) Approximately how many contractors have routine access to your information?

2. a) Do you have an information security incident/event reporting policy/guidance/management document(s) that includes categorisation/classification of such incidents?

2. b) Can you provide me with a copy of the latest version of these document(s)? (This can be an email attachment or a link to the document on your publicly-facing website).

3. a) Do you know how many data protection incidents your organisation has had since April 2011? (Incidents reported to the Information Commissioner's Office (ICO) as a Data Protection Act (DPA) breach).
Answer: Yes, No, Only since (date).

3. b) How many breaches occurred for each Financial Year the figures are available for?
Answer FY11-12: FY12-13: FY13-14: FY14-15

4. a) Do you know how many other information security incidents your organisation has had since April 2011? (A breach resulting in the loss of organisational information other than an incident reported to the ICO, e.g. compromise of sensitive contracts or encryption by malware).
Answer: Yes, No, Only since (date).

4. b) How many incidents occurred for each Financial Year the figures are available for?
Answer FY11-12: FY12-13: FY13-14: FY14-15

5. a) Do you know how many information security events/anomalies your organisation has had since April 2011? (Events where information loss did not occur but resources were assigned to investigate or recover, e.g. nuisance malware or locating misfiled documents.)
Answer: Yes, No, Only since (date).

5. b) How many events occurred for each Financial Year the figures are available for?
Answer FY11-12: FY12-13: FY13-14: FY14-15.

6. a) Do you know how many information security near-misses your organisation has had since April 2011? (Problems reported to the information security teams that indicate a possible technical, administrative or procedural issue).
Answer: Yes, No, Only since (date).

6. b) How many near-misses occurred for each Financial Year the figures are available for?
Answer FY11-12: FY12-13: FY13-14: FY14-15.

If the specific answers to 4, 5 and 6 are not readily available, I am content for these questions to be modified/replaced with similar questions that are derived from your organisation's categorisation/classification system within the documents requested in question 2. I would need to first make an FoI request for question 2 in order to frame suitable questions 4, 5 and 6, then make a second request. Similarly calendar year can replace financial year. Please state in the reply if this option has been implemented. My preferred format to receive this information is electronically, but if that is not possible I will be willing to accept hard copy.

Our response

I can confirm that Ordnance Survey does hold some of the information you have requested. Where information is not held, this is stated.

I am pleased to provide you with the attached PDF with regards to your request.

1. a) Approximately how many members of staff do you have?
Answer: 1,200.

1. b) Approximately how many contractors have routine access to your information?
Answer: 138.

2. a) Do you have an information security incident/event reporting policy/guidance/management document(s) that includes categorisation/classification of such incidents?
Answer: Yes

2. b) Can you provide me with a copy of the latest version of these document(s)? (This can be an email attachment or a link to the document on your publicly-facing website).
Answer: Please see the Data Breach Escalation and External Reporting Process Policy (PDF) attached to this email. Please note that some of the information within the Policy has been redacted as it is exempt under section 40(2) of the Freedom of Information Act 2000 and is therefore withheld.

Section 40(2) of the FOIA provides an absolute exemption where the disclosure of information would contravene any of the data protection principles under the Data Protection Act (DPA) 1998. In this case, we have exempted information constituting the personal data of living individuals, the release of which would be in breach of the Data Protection Principles.

In applying this exemption, we have considered whether disclosure of the personal data in question would be 'fair' (as described in Schedule 1 of the Data Protection Act). We have given particular consideration to the likely expectations of the data subjects, and their grades, regarding the disclosure of their personal information in this manner in reaching our decision to withhold this information.

3. a) Do you know how many data protection incidents your organisation has had since April 2011? (Incidents reported to the Information Commissioner's Office (ICO) as a Data Protection Act (DPA) breach).
Answer: Yes

3. b) How many breaches occurred for each Financial Year the figures are available for?
Answer: FY11-12: 0 FY12-13: 0 FY13-14: 0 FY14-15: 0

4. a) Do you know how many other information security incidents your organisation has had since April 2011? (A breach resulting in the loss of organisational information other than an incident reported to the ICO, e.g. compromise of sensitive contracts or encryption by malware).
Answer: Yes

4. b) How many incidents occurred for each Financial Year the figures are available for?
Answer: FY11-12: 1 FY12-13: 0 FY13-14: 0 FY14-15: 1

5. a) Do you know how many information security events/anomalies your organisation has had since April 2011? (Events where information loss did not occur but resources were assigned to investigate or recover, e.g. nuisance malware or locating misfiled documents).
Answer: Yes

5. b) How many events occurred for each Financial Year the figures are available for?
Answer: FY11-12: 2 FY12-13: 1 FY13-14: 1 FY14-15: 4

6. a) Do you know how many information security near misses your organisation has had since April 2011? (Problems reported to the information security teams that indicate a possible technical, administrative or procedural issue).
Answer: This information is not held.

6. b) How many near-misses occurred for each Financial Year the figures are available for?
Answer: FY11-12: FY12-13: FY13-14: FY14-15:

Internal review

Your enquiry has been processed according to the Freedom of Information Act (FOIA) 2000. If you are unhappy with our response, you may request an internal review with our FOI Internal Review Officer, by contacting them as follows:

FOI Internal Review Officer
Customer Service Centre
Ordnance Survey
Adanac Drive
Southampton
SO16 0AS

Email: foi@os.uk

Please include the reference number above. You may request an internal review where you believe Ordnance Survey has:

  • Failed to respond to your request within the time limits (normally 20 working days)
  • Failed to tell you whether or not we hold the information
  • Failed to provide the information you have requested
  • Failed to explain the reasons for refusing a request
  • Failed to correctly apply an exemption or exception

The FOI Internal Review Officer will not have been involved in the original decision. They will conduct an independent internal review and will inform you of the outcome of the review normally within 20 working days, but exceptionally within 40 working days, in line with the Information Commissioner’s guidance.

The FOI Internal Review Officer will either: uphold the original decision, provide an additional explanation of the exemption/s applied or release further information, if it is considered appropriate to do so.

Appeal to Information Commissioner's Office (ICO)

If, following the outcome of the internal review, you remain unhappy with our response, you may raise an appeal with the Information Commissioner’s Office at:

The Case Reception Unit
Customer Service Team
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email: mail@ico.gsi.gov.uk

Telephone helpline: 0303 123 1113 or 01625 545745 for advice, Monday to Friday.

Thank you for your enquiry.

© Ordnance Survey 2016