Skip to content

Disaster Recovery / Cyber breach (FOI241248)

The Freedom of Information request asks for details of our disaster recovery exercises based on a cyber breach use case.

Request for information - Ref No: FOI241248


We received your request on 29/04/2024.

We have handled your request under the Freedom of Information Act (FOIA) 2000.

A copy of your request is set out in the extract below:

“Digital / email responses, and of ALL information held on subject Questions I would like information on:

1) How regularly do you perform Disaster Recover exercises based on a Cyber Breach use case, which involves recovery of data and servers from backups, and are these exercises performed manually or automated? - Quarterly - Bi-annually - Annually - Other – please specify

2) Within the last twelve months, have you proven that your current data and server backup and recovery solution can recover all your critical business services’ (typically 30-40% of all infrastructure) within your organisations Recovery Time Objectives and Recovery Point Objectives?

3) What is your level of confidence that your backups are protected sufficiently such that, as part of a sophisticated cyber breach which initially targets backups prior to compromising production data, you can fully recover? - Extremely confident - Somewhat confident - Neither confident nor unconfident - Somewhat unconfident - Extremely unconfident

4) Is your department actively using any software which is no longer supported by the developer of that software? (Software which no longer receives updates or patches from the developer.) For example, an old version of Windows”

Our response

For a request to be valid under the FOIA, it must be a request for information held in a recorded form and must include a description of the recorded information you are requesting. Where instead you have asked, for example at question 3), OS to ‘provide a level of confidence’ and confirm in accordance with the options detailed in your request, we do not consider this to be a valid request under section 8 of the FOIA. In any event, even if OS did consider the requests to be valid, I confirm that Ordnance Survey considers the information requested at 1-4 above to be exempt from disclosure under Section 31 (Law Enforcement) of the Freedom of Information Act (FOIA) 2000, as explained below:

Section 31(3)

In accordance with section 31(3) we neither confirm nor deny that we hold the requested information. The duty in Section 1(1)(a) of the FOIA to confirm whether or not OS holds the information, does not apply, by virtue of Section 31(3) of that Act. This should not be taken as an indication that the information you requested is or is not held by us.

Section 31(3) provides an exclusion from the requirement to confirm or deny whether information described in a request is held if to do so would, or would be likely to, prejudice any of the functions in sections 31(1), the relevant matter in this request is those set out at section 31(1)(a), the prevention and detection of crime, as explained below:

Section 31(1)(a)

Section 31(1)(a) exempts information if its disclosure would or would be likely to prejudice the prevention and detection of crime. In this case, we consider that disclosure of the information would be likely to aid a threat attacker and therefore make OS more vulnerable to crime.

Disclosure of the information would comprise measures to protect our systems, leaving us vulnerable to attack. It would be likely to assist someone in determining the level of effectiveness of detecting and defending against such attacks and it would be likely to assist a determined attacker and be a real and significant risk to our computer and security systems.

The above are qualified exemptions, and we are required to consider the public interest.

Public Interest Test

OS recognises the need for transparency; and that there is a public interest in knowing that OS has measures in place to protect information; however, confirming whether or not we hold this information would mean that our computer and security systems would be more vulnerable to malicious attacks, it would be likely to increase the number of malicious attacks and therefore facilitate the possibility of crime.

Section 31(1)(a) is a prejudice-based exemption, and there is a public interest inherent in avoiding the harm specified. OS considers that the prejudice would be likely to occur, and we are satisfied there is a greater public interest in protecting our computer and security systems by withholding the information under this exemption.

Internal review

Your enquiry has been processed according to the Freedom of Information Act (FOIA) 2000. If you are unhappy with our response, you may request an internal review with our Internal Review Officer by contacting them, within two months of receipt of our final response to your Freedom of Information (FOI) request, as follows:

Internal Review Officer
Customer Service Centre
Ordnance Survey
Adanac Drive
SO16 0AS

Contact us via our FoI form

Please include the reference number above. You may request an internal review where you believe Ordnance Survey has:

  • Failed to respond to your request within the time limits (normally 20 working days)
  • Failed to tell you whether or not we hold the information
  • Failed to provide the information you have requested
  • Failed to explain the reasons for refusing a request
  • Failed to correctly apply an exemption or exception

The Internal Review Officer will not have been involved in the original decision. They will conduct an independent internal review and will inform you of the outcome of the review normally within 20 working days, but exceptionally within 40 working days, in line with the Information Commissioner’s guidance.

The Internal Review Officer will either: uphold the original decision, provide an additional explanation of the exemption/s applied or release further information, if it is considered appropriate to do so.

Appeal to Information Commissioner’s Office (ICO)

If you are still dissatisfied after our internal review, you can complain to the Information Commissioner’s Office (ICO). You should make complaints to the ICO within six weeks of receiving the outcome of an internal review. The easiest way to lodge a complaint is through the ICO website.