
Risk and Information Security contact information

This Freedom of Information request asks for the Risk and Information Security contact details.

Request for information - Ref No: FO20939

Request

Thank you for your email of 2 January 2020, requesting information from Ordnance Survey in accordance with the Freedom of Information Act (FOIA) 2000, as set out in the extract below: 

Under the FOIA I'd like to request the following information please for each organisation that operates under this FOI email (if the answers are different for each organisation/there are multiple organisations).

  1. Name of SIRO (Senior Information Risk Owner) or similar post (Chief Information Governance Officer etc), or responsible person for SIRO duties.
  2. Contact email of person named in request No. 1.
  3. Name of DPO (Data Protection Officer) or responsible person for DPO duties.
  4. Contact email of DPO.
  5. Name of person with overall responsibility for Cyber security or equivalent (excluding persons in q1 and q3).
  6. Contact email of person in Q5.
  7. Name of person with overall responsibility for information security or equivalent (excluding persons in q1, q3 and 5).
  8. Contact email of person in Q7.
  9. Name of person with overall responsibility for information Governance or equivalent (excluding persons in q1, q3, q5 and q7).
  10. Contact email of person in Q9
  11. Do you have appointed Information Asset Owners (IAO’s)?
  12. If yes, whom is responsible for leading the IAO structure and implementing any training requirements for the IAO’s?
  13. Are you or have you considered becoming ISO 27001 compliant or certified? If so whom is responsible for maintaining this? (as in, the person)
  14. Contact email of person in Q: 13.
  15. Are you required to connect to the PSN Code of Connection (CoCo)? If so whom is responsible for complying with its requirements? (as in, the person)
  16. Contact email of person in Q:15.

It would be preferable for q’s 2, 4, 6, 8, 10, 14 and 16 for you to disclose their personal organisation email,  however if this is not in line with your  FOI release policies a generic email is sufficient.

Our response

I confirm that Ordnance Survey does hold some of the information you have requested.  Where the information is not held or exempt from disclosure this is stated.  Taking each request in turn, I confirm the following: 

1. Name of SIRO (Senior Information Risk Owner) or similar post (Chief Information Governance Officer etc), or responsible person for SIRO duties.

I confirm Ordnance Survey does not hold this information.  There is currently no appointed SIRO.  

Under the duty to provide information and assistance in accordance with section 16 of the FOIA, I can confirm that the Chief Executive Officer (CEO), Steve Blair, has overall accountability for security as Accountable Officer. 

2. Contact email of person named in request No. 1.

SIRO: Information not held. 

Please see our contact us page.

3. Name of DPO (Data Protection Officer) or responsible person for DPO duties.

Leah Smith 

4. Contact email of DPO.

DPO@os.uk 

5. Name of person with overall responsibility for Cyber security or equivalent (excluding persons in q1 and q3).

Jo Shannon 

6. Contact email of person in Q5.

Please see our contact us page.

7. Name of person with overall responsibility for information security or equivalent (excluding persons in q1, q3 and 5).

I confirm Ordnance Survey holds the name of the person requested above but this information is exempt from disclosure under section 40(2) (personal information) of the FOI Act, as the information constitutes personal data which is not already in the public domain.

Section 40(2) provides that personal data is exempt information if one of the conditions set out in section 40(3) is satisfied. In our view, disclosure of this information would breach the data protection principles contained in the General Data Protection Regulations and Data Protection Act 2018. In reaching this decision, we have particularly considered: 

  • the reasonable expectations of the employees: given their positions, Ordnance Survey considered that none of the individuals would have a reasonable expectation that their personal data would be disclosed;
  • the consequences of disclosure; and
  • any legitimate public interest in disclosure. 

Section 40(2) is an absolute exemption and therefore not subject to the public interest test.   

8. Contact email of person in Q7.

We consider the email address to be exempt under 40(2) (personal information) of the FOIA.  Please see above.

9. Name of person with overall responsibility for information Governance or equivalent (excluding persons in q1, q3, q5 and q7).

We consider the person’s name to be exempt under 40(2) (personal information) of the FOIA.   Please see question 7 above. 

10. Contact email of person in Q9

We consider the email address to be exempt under 40(2) (personal information) of the FOIA.  Please see question 7 above. 

11. Do you have appointed Information Asset Owners (IAO’s)?

Yes. 

12. If yes, whom is responsible for leading the IAO structure and implementing any training requirements for the IAO’s? 

We consider the name of the person to be exempt under 40(2) (personal information) of the FOIA.   Please see question 7 above. 

13. Are you or have you considered becoming ISO 27001 compliant or certified? If so whom is responsible for maintaining this? (as in, the person)

No. 

14. Contact email of person in Q: 13.

Not applicable. 

15. Are you required to connect to the PSN Code of Connection (CoCo)? If so whom is responsible for complying with its requirements? (as in, the person)

No. 

16. Contact email of person in Q:15.

Not applicable. 

Internal Review

Your enquiry has been processed according to the Freedom of Information Act (FOIA) 2000.  If you are unhappy with our response, you may request an internal review with our Internal Review Officer by contacting them, within two months of receipt of our final response to your Freedom of Information (FOI) request, as follows:

Internal Review Officer
Customer Service Centre
Ordnance Survey
Adanac Drive
Southampton
SO16 0AS

Contact us via our FoI form

Please include the reference number above. You may request an internal review where you believe Ordnance Survey has:

  • Failed to respond to your request within the time limits (normally 20 working days)
  • Failed to tell you whether or not we hold the information
  • Failed to provide the information you have requested
  • Failed to explain the reasons for refusing a request
  • Failed to correctly apply an exemption or exception

The Internal Review Officer will not have been involved in the original decision. They will conduct an independent internal review and will inform you of the outcome of the review normally within 20 working days, but exceptionally within 40 working days, in line with the Information Commissioner’s guidance.

The Internal Review Officer will either: uphold the original decision, provide an additional explanation of the exemption/s applied or release further information, if it is considered appropriate to do so.

Appeal to Information Commissioner’s Office (ICO)
If, following the outcome of the internal review you remain unhappy with our response, you may raise an appeal, within three months of receiving our response, with the Information Commissioner’s Office.

Further information can be found on the ICO website (ico.org.uk) under ‘Report a concern’ or you may wish to call the ICO helpline on 0303 123 1113.