Office for Nuclear Regulation

This website uses non-intrusive anonymous cookies to improve your user experience. You can visit our cookie privacy page for more information, including details on how to opt-out.

Information Technology

Date released
25 March 2020
Request number
Release of information under
Freedom of Information Act 2000

Information requested

Under the Freedom of Information Act 2000 I seek the following information:

  1. Are the Data Centre's operated by or for the organisation fit for purpose? For example, is there a Business Continuity Plan, is there Disaster Recovery in place or is it a single site?
  2. Is there any capital investment in data centres planned in the next 36 months? For example, Mechanical & Electrical or refresh of equipment within the DC such as network, storage area network?
  3. Is data privacy and or information security compliance a priority for the organisation’s board?
  4. On your Organisation’s risk register, are there any Information Technology related risks?
    i) If time/ cost allows, please list the top three related risks.
  5. Are the cyber security vulnerabilities within the organisation’s existing Information Technology estate increasing?
    i) Has the organisation had a security breach in the past 12 months?
  6. Did the organisation meet its Information Technology savings target in the last Financial Year?
  7. What percentage of Information Technology budget is currently allocated to “on-premises” capability vs “cloud” capability?
  8. Does the organisation have the skills and resource levels necessary for moving to the cloud?
  9. What percentage of the Information Technology department headcount are software developers?
  10. In relation to contracts with Amazon Web Services, Microsoft for Azure and/or Google for Google Cloud, was the monthly expenditure higher than budgeted?
    i) If yes, has the organisation been able to subsequently reduce the cost whilst maintaining service levels for users?

Information released

Please see below for our response for each question.

Question 1:

ONR’s IT services, including data centres are provided and operated by the Health and Safety Executive (HSE). There is a backup site.

Question 2:

ONR’s IT Services are provided by HSE, you may wish to contact them to obtain this information. Details of how to contact HSE are included on their website .

Question 3:

Yes, data privacy and information security compliance are priorities for ONR’s board.

Question 4:

ONR’s risks are published in our Corporate Plan. The 2019/20 Corporate Plan  is available via our website, in particular please see section 7 - Corporate Risks. ONR’s Corporate Plan for 2020/21 is scheduled to be published early this summer and will be available to download on the Corporate Publications page of our website.

Question 5:

We don’t believe the risk is increasing. We have not had any security incidents that have resulted in a breach of data.

Question 6:

Not applicable.

Question 7:

ONR’s core services are on-premise, which are supplemented by some specialist SaaS services.

Question 8:

We would need assistance to complete such a migration.

Question 9:

There are currently no software developers in ONR’s IT department.

Question 10:

ONR’s IT services are provided by HSE. However, I can confirm that in relation to contracts with Amazon Web Services, Microsoft for Azure and/or Google for Google Cloud, the monthly expenditure is within budget.

Exemptions applied


PIT (Public Interest Test) if applicable