Request for information - Ref No: FOI231130
Thank you for your email of 26 January 2023, requesting information from Ordnance Survey in accordance with the Freedom of Information Act (FOIA) 2000, as set out in the extract below:
“Please find below my FOI request regarding malicious emails sent to the department.
The date range for the request is for 2022. The data shall include a breakdown by individual departments (e.g. separate departments, agencies, or public bodies within the main government agency), if applicable. Where data isn't available for the entire year, please provide the data and timescale it relates to (e.g. X emails over the last 90 days).
- How many malicious emails have been successfully blocked/detected?
- If possible, please provide a breakdown of figures by malicious email type, e.g. spam, malware, phishing, and ransomware.
- What percentage of malicious emails were opened by staff?
- What percentage of malicious links in the emails were clicked on by staff?
- How many email accounts/employees are there within your department?”
I confirm that Ordnance Survey considers the information requested at questions 1 to 4 above, to be exempt from disclosure under Section 31 (Law Enforcement) of the Freedom of Information Act (FOIA) 2000, as explained below:
I confirm that Ordnance Survey only holds the information requested at question 1 and 2 for a period of 90 days, however, we are unable to comply with your request and provide the requested information for the last 90 days; we are continually reviewing our security profile, and now consider the information you have requested to be exempt from disclosure.
In accordance with section 31(3) we neither confirm nor deny that we hold the requested information falling within questions 2 and 3 of your request.
The duty in Section 1(1)(a) of the FOIA to confirm whether or not OS holds the information, does not apply, by virtue of Section 31(3) of that Act. This should not be taken as an indication that the information you requested is or is not held by us.
Section 31(3) provides an exclusion from the requirement to confirm or deny whether information described in a request is held if to do so would, or would be likely to, prejudice any of the functions in sections 31(1), the relevant matter in this request is those set out at section 31(1)(a), the prevention and detection of crime, as explained below:
Section 31(1)(a) exempts information if its disclosure would or would be likely to prejudice the prevention and detection of crime. In this case, we consider that disclosure of the information would be likely to make OS more vulnerable to crime; namely a malicious attack on our computer systems. Disclosure of the information would comprise measures to protect our systems, leaving us vulnerable to attack. It would be likely to assist someone in determining the level of effectiveness of detecting and defending against such attacks, and would be likely to assist a determined attacker, and be a real and significant risk to our computer and security systems.
This is a qualified exemption, and we are required to consider the public interest.
Public Interest Test
OS recognises the need for transparency; and that there is a public interest in knowing that OS has measures in place to prevent against such attacks and protect information; however, confirming whether or not we hold this information would mean our computer and security systems would be more vulnerable to malicious attacks, therefore facilitating the possibility of crime.
Section 31(1)(a) is a prejudice-based exemption, and there is a public interest inherent in avoiding the harm specified. OS considers that the prejudice would be likely to occur, and we are satisfied there is a greater public interest in protecting our computer and security systems by withholding the information under this exemption.
How many email accounts/employees are there within your department
I confirm OS hold this information, as at 31 January 2023, OS has 1435 employees and 67 directly employed contractors holding OS email accounts.
Your enquiry has been processed according to the Freedom of Information Act (FOIA) 2000. If you are unhappy with our response, you may request an internal review with our Internal Review Officer by contacting them, within two months of receipt of our final response to your Freedom of Information (FOI) request, as follows:
Internal Review Officer
Customer Service Centre
Please include the reference number above. You may request an internal review where you believe Ordnance Survey has:
- Failed to respond to your request within the time limits (normally 20 working days)
- Failed to tell you whether or not we hold the information
- Failed to provide the information you have requested
- Failed to explain the reasons for refusing a request
- Failed to correctly apply an exemption or exception
The Internal Review Officer will not have been involved in the original decision. They will conduct an independent internal review and will inform you of the outcome of the review normally within 20 working days, but exceptionally within 40 working days, in line with the Information Commissioner’s guidance.
The Internal Review Officer will either: uphold the original decision, provide an additional explanation of the exemption/s applied or release further information, if it is considered appropriate to do so.
Appeal to Information Commissioner’s Office (ICO)
If, following the outcome of the internal review you remain unhappy with our response, you may raise an appeal, within three months of receiving our response, with the Information Commissioner’s Office.
Further information can be found on the ICO website (ico.org.uk) under ‘Report a concern’ or you may wish to call the ICO helpline on 0303 123 1113.