Skip to content

Cyber security contract information

This Freedom of Information request asks for details about contracts and procurement relating to cyber security.

Request for information - Ref No: FOI9904

Request

Thank you for your email of 14 June 2019 requesting information from Ordnance Survey in accordance with the Freedom of Information Act (FOIA) 2000, as set out in the extract below:

I am currently embarking on a research project around Cyber Security and was hoping you could provide me with some contract information relating to following information:

  1. Standard Firewall (Network) - Firewall service protects your corporate Network from unauthorised access and other Internet security threats
  2. Anti-virus Software Application - Anti-virus software is a program or set of programs that are designed to prevent, search for, detect, and remove software viruses, and other malicious software like worms, trojans, adware, and more.
  3. Microsoft Enterprise Agreement - is a volume licensing package offered by Microsoft.

The information I require is around the procurement side and we do not require any specifics (serial numbers, models, location) that could bring threat/harm to the organisation.

For each of the different types of cyber security services can you please provide me with:

  1. Who is the existing supplier for this contract?
  2. What does the organisation annual spend for each of contract?
  3. What is the description of the services provided for each contract? Please do not just state firewall.
  4. Primary Brand (ONLY APPLIES TO CONTRACT 1&2)
  5. What is the expiry date of each contract?
  6. What is the start date of each contract?
  7. What is the contract duration of contract?
  8. The responsible contract officer for each of the contracts above? Full name, job title, contact number and direct email address.
  9. Number of Licenses (ONLY APPLIES TO CONTRACT 3)

Our response

I confirm that Ordnance Survey does hold the information you have requested.

The table below sets out our response to each of your questions for each contract, where the information is exempt from disclosure this is stated:

  STANDARD FIREWALL (NETWORK) ANTI VIRUS SOFTWARE APPLICATION MICROSOFT ENTERPRISE AGREEMENT
1. SUPPLIER  Computacenter UK Ltd  Micro Focus Software Ltd  Microsoft
2. ANNUAL SPEND  £181K £8,942.50   £709,646.33
3.DESCRIPTION OF SERVICES Support contract for Checkpoint NGFW + Blades (IPS, AV, VPN etc)  Support for Trend OfficeScan/Apex One, Trend Service Protect licences  Licensing of Microsoft software products (Office 365 etc).
4. PRIMARY BRAND Checkpoint Trend Micro N/A
5. EXPIRY 31.12.2020 21.12.2020 30.11.2021
6. START DATE 1.1.2018 22.12.2017 1.12.2018
7. CONTRACT DURATION 3 years 3 years 3 years
8. RESPONSIBLE CONTRACT OFFICER Supplier Relationship Manager .Tel: 03456 05 05 05. Full name and direct email address are exempt under section 40(2) of the FOIA (see below for further information) Supplier Relationship Manager. Tel: 03456 05 05 05. Full name and direct email address are exempt under section 40(2) of the FOIA (see below for further information) Category Manager - Technology. Tel: 03456 05 05 05. Full name and direct email address are exempt under section 40(2) of the FOIA (see below for further information)
9. NUMBER OF LICENSES N/A N/A Exempt under section 43(2) of the FOIA (see below for further information)

Where the information is exempt from disclosure this is explained in full below:

Question 8: Section 40(2) Personal Information

The information relating to the full name and direct email is held by Ordnance Survey but is exempt from disclosure under section 40(2) (personal information) of the FOI Act, as the information constitutes personal data.  Section 40(2) provides that personal data is exempt information if one of the conditions set out in section 40(3) is satisfied. In our view, disclosure of this information would breach the data protection principles contained in the General Data Protection Regulations and Data Protection Act 2018. 

In reaching this decision, we have particularly considered:

  • the reasonable expectations of the employees: given their positions, Ordnance Survey considered that none of the individuals would have a reasonable expectation that their personal data would be disclosed;
  • the consequences of disclosure; and any legitimate public interest in disclosure.

Section 40(2) is an absolute exemption and therefore not subject to the public interest test. However, under the duty to provide information and assistance in accordance with section 16 of FOIA, we can provide the following information which may assist you in this matter. You can find out information in relation to our procurement process on our website in our ‘Guide to Suppliers’ which contains contact details for our Strategic Procurement and Supplier Management team.

Question 9: Section 43(2) (prejudice to the commercial interests of any person)

I confirm we do hold the number of licences for the Microsoft Enterprise Agreement contract however, we are unable to provide this information as we consider it to be exempt from disclosure under section 43(2) (prejudice to the commercial interest of any person).

Having consulted with our supplier we consider that the release of the number of licences in combination with the contract value provides information about the pricing of the licences under this contract. This information would be likely to cause commercial prejudice, as it provides an insight into the suppliers commercial pricing which could be used to the disadvantage of our supplier in its negotiations and could be used by the competitors of our supplier. In addition, the disclosure of this information would be likely to have an adverse impact on Ordnance Survey’s ability to negotiate the best price for future services.

Section 43(2) is a qualified exemption and we are required to consider the public interest. Ordnance Survey recognises the need for transparency; however, this must be balanced against the public interest in allowing the organisation and third parties to protect their commercial information. In this case, we are satisfied that there is greater public interest in withholding the information under this exemption

Internal review

Your enquiry has been processed according to the Freedom of Information Act (FOIA) 2000.  If you are unhappy with our response, you may request an internal review with our Internal Review Officer by contacting them, within two months of receipt of our final response to your Freedom of Information (FOI) request, as follows:

Internal Review Officer
Customer Service Centre
Ordnance Survey
Adanac Drive
Southampton
SO16 0AS

Contact us via our FoI form

Please include the reference number above. You may request an internal review where you believe Ordnance Survey has:

  • Failed to respond to your request within the time limits (normally 20 working days)
  • Failed to tell you whether or not we hold the information
  • Failed to provide the information you have requested
  • Failed to explain the reasons for refusing a request
  • Failed to correctly apply an exemption or exception

The Internal Review Officer will not have been involved in the original decision. They will conduct an independent internal review and will inform you of the outcome of the review normally within 20 working days, but exceptionally within 40 working days, in line with the Information Commissioner’s guidance.

The Internal Review Officer will either: uphold the original decision, provide an additional explanation of the exemption/s applied or release further information, if it is considered appropriate to do so.

Appeal to Information Commissioner›s Office (ICO)
If, following the outcome of the internal review you remain unhappy with our response, you may raise an appeal, within three months of receiving our response, with the Information Commissioner’s Office.

Further information can be found on the ICO website (ico.org.uk) under ‘Report a concern’ or you may wish to call the ICO helpline on 0303 123 1113.