Procurement information on Data Protection Services (FOI-25-21)

Procurement information on data protection services

Request for information - Ref no: FOI-25-21

May 16, 2025

Information request

We received your request on 23 April 2025.

We have handled your request under the Freedom of Information Act (FOIA) 2000.

A copy of your request is set out in the extract below:

“Under the Freedom of Information Act 2000, please provide the following information about your procurement of any

(i) external Data Protection Officer (DPO),

(ii) Data protection GDPR compliance services for the period FY2022-23 to FY2024-25:

1.⁠ ⁠Current DPO arrangements

1.1 Is the organisation’s DPO and other staff that work on data protection compliance:

(a) An internal employee

(b) A DPO provided by an external service provider

1.2 Where services are provided by external providers, please share the following information:

(a) The Company name(s)

(b) Annual spend by your organisation (FY2022/2023 through to FY2024/2025)

(d) Contract dates (start/end/renewal terms)

(e) A brief description of the project or services provided (for instance, project title or internal reference)

(f) Services covered (e.g., audits, breach management, SAR management, delivery of DPIAs) •⁠ ⁠Please indicate what deliverables were produced •⁠ ⁠Procurement method (e.g., open competition, framework agreement, direct award) and name of the procurement framework, if applicable.

2.⁠ ⁠Consultancy Spend

2.1 What is the organisation’s, total annual expenditure on data protection/GDPR consultancy services?

2.2 For SoW/projects which have a spend of more than £5k), please share the following information:

- Supplier company name
- The scope of the Project (e.g., "ICO investigation support", DPIA support, Internal Audit recommendation support)
- Spend
- Procurement method

3. Data Protection Compliance staffing

3.1 The Number of in-house data protection staff in the organisation? (FTE)

3.2 Are there any vacant roles? (Yes/No)

3.3 Where there any ICO investigations, audits, or enforcement actions for the period from FY2022/2023 to FY 2024/2025?

4.⁠ ⁠Future Plans

4.1 Is your organisation planning to put out to tender for any DPO/GDPR services in the current financial year?

4.2 If yes please provide the following:

Expected timeline

Budget range

Key service requirements

Procurement method”

Our response

I confirm that Ordnance Survey (OS) does hold some of the information you have requested. Where the information is not held this is stated. Taking each request in turn, I confirm the following:

1.⁠ ⁠Current DPO arrangements

1.1 Is the organisation’s DPO and other staff that work on data protection compliance:
(a) An internal employee
(b) A DPO provided by an external service provider
(c) Hybrid (internal staff with external service provider support)

I can confirm that OS’ DPO and other staff that work on data protection compliance are internal employees.

OS does not use external service providers.

2.⁠ ⁠Consultancy Spend

I can confirm that OS does not hold the information requested as we do not use consultancies in relation to data protection/GDPR services. All Data Protection/GDPR services are dealt with in house.

3.⁠ ⁠Data Protection Compliance staffing

3.1 The Number of in-house data protection staff in the organisation? (FTE)

I can confirm that OS employs two full time staff members.

3.2 Are there any vacant roles? (Yes/No)

Yes, currently 1 of the 2 roles is vacant.

3.3 Where there any ICO investigations, audits, or enforcement actions for the period from FY2022/2023 to FY 2024/2025?

I confirm there were no ICO investigations, audits, or enforcement actions for the period from FY2022/2023 to FY2024/2025.

4.⁠ ⁠Future Plans

4.1 Is your organisation planning to put out to tender for any DPO/GDPR services in the current financial year?

I can confirm that OS is not planning to put out to tender for any DPO/GDPR services in the current financial year.

Next steps

Internal review

If you are unhappy with our response, you may request an internal review with our Internal Review Officer by contacting them, within two months of receipt of our final response to your request, as follows:

Internal Review Officer
Customer Service Centre
Ordnance Survey
Adanac Drive
Southampton
SO16 0AS

Please include the reference number above. You may request an internal review where you believe Ordnance Survey has:

Failed to respond to your request within the time limits (normally 20 working days)
Failed to tell you whether or not we hold the information
Failed to provide the information you have requested
Failed to explain the reasons for refusing a request
Failed to correctly apply an exemption or exception

The Internal Review Officer will not have been involved in the original decision. They will conduct an independent internal review and will inform you of the outcome of the review normally within 20 working days, but exceptionally within 40 working days, in line with the Information Commissioner’s guidance.

The Internal Review Officer will either: uphold the original decision, provide an additional explanation of the exemption/s applied or release further information, if it is considered appropriate to do so.

Appeal to Information Commissioner’s Office (ICO)

If, following the outcome of the internal review you remain unhappy with our response, you may raise an appeal, within three months of receiving our response, with the Information Commissioner’s Office (ICO). You should make complaints to the ICO within six weeks of receiving the outcome of an internal review.

Visit the ICO website to report a concern.

Call the ICO helpline on 0303 123 1113.

All information requests

See our previous responses to Freedom of Information (FOI) requests.

Search for FOI responses