3rd party cloud hosting providers at The National Archives

FOI request reference: F0054009
Publication date: October 2018

Request

I wish to submit a request to the organisation around their hosting contract(s) with 3rd party providers.

The type of contract I wish to see is below:

1. Dedicated hosting- Managed environment

2. Co-Location- hosting allows a business to still own their own server equipment; however, instead of storing it in their own data centre,
they instead are able to store it in rented space in a colocation hosting
centre.

3. Cloud Hosting- Cloud hosting services
http://www.interoute.com/unified-ict/computing/cloud-services provide
hosting for websites on virtual servers, which pull their computing
resource from extensive underlying networks of physical web servers.

Not all of these will be applicable to the organisation.

For the different types of hosting services, can you provide me with the
following information:

1. Type of hosting “Dedicated, Co-Location, Cloud Hosting, Other?

2. Who is the supplier of the contract? If possible, can you also
provide me with the name of vendor, if applicable?

3. What is the annual contract value for each contract?

4. What type of cloud environment?

*Private Cloud*- a distinct and secure cloud based environment in which
only the specified client can operate.

*Public Cloud* – where cloud services are provided in a virtualised
environment, constructed using pooled shared physical resources, and
accessible over a public network such as the internet.

*Hybrid*- integrated cloud service utilising both private and public clouds
to perform distinct functions within the same organisation.

5. What is the original start date of the contract agreement? If
there are more than one contract please provide me with the start date for
each contract.

6. What is the actual expiry date of the contract agreement? If there
are more than one contract please provide me with the expiry date for each
contract.

7. When will the organisation plan to review this contract? If there
are more than one contract please provide me with the review date for each
contract.

8. What is the contract period in years? Please include whether the
agreement has any extension periods?

9. What services are provided under the contract? Please do not put
hosting, information such as web hosting, file storage, hosted application.
The more information the better,

10. Can you please provide me with the contract officer responsible for
this contract? Complete contact details if possible name, title, contact
email and number.

Outcome

Successful

Response

Your request has been handled under the Freedom of Information (FOI) Act 2000. The FOI Act gives you the right to know whether we hold the information you want and to have it communicated to you, subject to any exemptions which may apply.

I can confirm that The National Archives holds information relevant to your request and we are pleased to be able to provide some of this information to you.

We are unable to provide you with some of the information you have requested because it is covered by section 31 (1) (a) of the Freedom of Information Act 2000.

Section 31 (1) (a) exempt information if its disclosure under this Act would, or would be likely to, prejudice the prevention or detection of crime.

For further about why this exemption has been applied, please see the explanatory annex at the end of this response.

http://www.nationalarchives.gov.uk/documents/third-party-cloud-hosting-providers.pdf (PDF, 0.14 MB)

Information regarding specific cloud hosting providers is exempt under section 31 (1) (a) of the FOI Act. Release of this information would make The National Archives more vulnerable to crime; namely, a malicious attack on The National Archives’ computer systems. Therefore, this information has been redacted from the table above. [Link to PDF above.]

EXPLANATORY ANNEX
Exemptions applied

Section 31: Law Enforcement

We are unable to provide you with information regarding specific cloud hosting providers because this information is exempt from disclosure under section 31 (1) (a) of the FOI Act. Section 31 (1) (a) exempts information if its disclosure is likely to prejudice the prevention or detection of crime.

Section 31 is a qualified exemption and we are required to conduct a public interest test when applying any qualified exemption. This means that after it has been decided that the exemption is engaged, the public interest in releasing the information must be considered. If the public interest in disclosing the information outweighs the public interest in withholding it then the exemption does not apply and the information must be released. In the FOI Act there is a presumption that information should be released unless there are compelling reasons to withhold it.

The public interest has now been concluded and the balance of the public interest has been found to fall in favour of withholding information covered by the section 31 (1) (a) exemption. Considerations in favour of the release of the information included the principle that there is a public interest in transparency and accountability in disclosing information about government procedure and contracts. However, release of this information would make The National Archives more vulnerable to crime. The crime in question here would be a malicious attack on The National Archives’ computer systems. As such, release of this information would be seen to prejudice the prevention or detection of crime by making The National Archives’ computer system more vulnerable to hacking. There is an overwhelming public interest in keeping government computer systems secure that would be served by non-disclosure. This would outweigh any benefits of release. It has therefore been decided that the balance of the public interest lies clearly in favour of withholding the material on this occasion.

Further guidance on section 31 can be found here: https://ico.org.uk/media/for-organisations/documents/1207/law-enforcement-foi-section-31.pdf