Cyber security contracts (FOI231194)

This Freedom of Information request asks for details of our cyber security contracts

Request for information - Ref no: FOI231194

December 22, 2023

Information request

Thank you for your email of 16 October 2023, requesting information from OS in accordance with the Freedom of Information Act (FOIA) 2000, as set out in the extract below:

“I am currently embarking on a research project around Cyber Security and was hoping you could provide me with some contract information relating to following information:

  • Standard Firewall (Network) - Firewall service protects your corporate Network from unauthorised access and other Internet security threats
  • Anti-virus Software Application - Anti-virus software is a program or set of programs that are designed to prevent, search for, detect, and remove software viruses, and other malicious software like worms, trojans, adware, and more.
  • Microsoft Enterprise Agreement - is a volume licensing package offered by Microsoft. 

The information I require is around the procurement side and we do not require any specifics (serial numbers, models, location) that could bring threat/harm to the organisation.

For each of the different types of cyber security services can you please provide me with:

  1. Who is the existing supplier for this contract?
  2. What does the organisation annually spend for each of the contracts?
  3. What is the description of the services provided for each contract?
  4. Primary Brand (ONLY APPLIES TO CONTRACT 1&2)
  5. What is the expiry date of each contract?
  6. What is the start date of each contract?
  7. What is the contract duration of contract?
  8. The responsible contract officer for each of the contracts above? Full name, job title, contact number and direct email address.
  9. Number of Licenses (ONLY APPLIES TO CONTRACT 3)”

Our response

I confirm that OS does hold the information you have requested. Where information is exempt from disclosure, this is stated.

Taking each request in turn, I confirm the following:

Contract 1 – Standard Firewall (Network)

Q1.  Who is the existing supplier for this contract?

I confirm that our firewall contract supplier is Computacenter

Q2. What does the organisation annually spend for each of the contracts?

OS annually spends £441,000 exclusive of VAT on this contract.

Q3. What is the description of the services provided for each contract?

The contract provides the gateway and security to all OS systems both from an external customer and internal employee perspective.

Q4.  Primary Brand (ONLY APPLIES TO CONTRACT 1&2)

The primary Brand is Checkpoint.

Q5. What is the expiry date of each contract?

The expiry date for this contract is 26 June 2026.

Q6.  What is the start date of each contract?

The start date for this contract is 27 June 2023.

Q7.   What is the contract duration of contract?

The contract duration is 3 years.

Q8.  The responsible contract officer for each of the contracts above? Full name, job title, contact number and direct email address.

The information relating to the contact name, is held by OS but is exempt from disclosure under section 40(2) (personal information) of the FOIA, as the information constitutes personal data. I confirm the team responsible for dealing with contract is the Software Asset Management team.

Section 40(2) provides that personal data is exempt information if one of the conditions set out in section 40(3) is satisfied. In our view, disclosure of this information would breach the data protection principles contained in the General Data Protection Regulations and Data Protection Act 2018

In reaching this decision, we have particularly considered:

  • the reasonable expectations of the employees: given their positions, OS considered that none of the individuals would have a reasonable expectation that their personal data would be disclosed;
  • the consequences of disclosure; and
  • any legitimate public interest in disclosure.

Section 40(2) is an absolute exemption and therefore not subject to the public interest test.

However, under the duty to provide information and assistance in accordance with section 16 of FOIA, you can find out information in relation to Cyber Security on our website: Ordnance Survey | See A Better Place

Contract 2 - Anti-virus Software Application

Q1.  Who is the existing supplier for this contract?

The supplier of this contract is Softcat Limited.

Q2.  What does the organisation annually spend for each of the contracts?

OS annually spends circa £200,000 exclusive of VAT on this contract.

Q3.  What is the description of the services provided for each contract?

The contract provides anti-virus protection for OS.

Q4.  Primary Brand (ONLY APPLIES TO CONTRACT 1&2)

The primary brand is Microsoft Corporation.

Q5.  What is the expiry date of each contract?

The expiry date for this contract is 30 November 2024.

Q6.  What is the start date of each contract?

The start date for this contract is 1 December 2021.

Q7.   What is the contract duration of contract?

The contract duration is 3 years.

Q8.  The responsible contract officer for each of the contracts above? Full name, job title, contact number and direct email address.

The information relating to the contact name, is held by OS but is exempt from disclosure under section 40(2) (personal information) of the FOIA, as the information constitutes personal data. I confirm the team responsible for dealing with contract is the Software Asset Management team.

Section 40(2) provides that personal data is exempt information if one of the conditions set out in section 40(3) is satisfied. In our view, disclosure of this information would breach the data protection principles contained in the General Data Protection Regulations and Data Protection Act 2018

In reaching this decision, we have particularly considered:

  • the reasonable expectations of the employees: given their positions, OS considered that none of the individuals would have a reasonable expectation that their personal data would be disclosed;
  • the consequences of disclosure; and
  • any legitimate public interest in disclosure.

Section 40(2) is an absolute exemption and therefore not subject to the public interest test.

However, under the duty to provide information and assistance in accordance with section 16 of FOIA, you can find out information in relation to Cyber Security on our website: Ordnance Survey | See A Better Place

Contract 3 - Microsoft Enterprise Agreement

Q1.   Who is the existing supplier for this contract?

The supplier of this contract is Softcat Limited.

Q2.  What does the organisation annually spend for each of the contracts?

OS annually spends £1.67m exclusive of VAT on this contract.

Q3.   What is the description of the services provided for each contract?

The contract provides OS with FSCM, CRM, Modern Workplace and Server software.

Q4.  What is the expiry date of each contract?

The expiry date of this contract is 30 November 2024.

Q5.  What is the start date of each contract?

The start date of this contract is 1 December 2021.

Q6.   What is the contract duration of contract?

The contract duration is 3 years.

Q7.   The responsible contract officer for each of the contracts above? Full name, job title, contact number and direct email address.

The information relating to the contact name, is held by OS but is exempt from disclosure under section 40(2) (personal information) of the FOIA, as the information constitutes personal data. I confirm the team responsible for dealing with contract is the Software Asset Management team.

Section 40(2) provides that personal data is exempt information if one of the conditions set out in section 40(3) is satisfied. In our view, disclosure of this information would breach the data protection principles contained in the General Data Protection Regulations and Data Protection Act 2018

In reaching this decision, we have particularly considered:

  • the reasonable expectations of the employees: given their positions, OS considered that none of the individuals would have a reasonable expectation that their personal data would be disclosed;
  • the consequences of disclosure; and
  • any legitimate public interest in disclosure.

Section 40(2) is an absolute exemption and therefore not subject to the public interest test.

However, under the duty to provide information and assistance in accordance with section 16 of FOIA, you can find out information in relation to Cyber Security on our website: Ordnance Survey | See A Better Place

Q8. Number of Licenses (ONLY APPLIES TO CONTRACT 3)

The number of licences is 3,780, subject to head count changes.

All information requests

See our previous responses to Freedom of Information (FOI) requests.

Can't find what you need?

Contact us directly to speak to our friendly customer service team.