Although all London councils have disaster recovery procedures in place for electoral data, 40 percent have not tested them in the last 12 months, according to freedom of information requests made by disaster recovery specialists Databarracks.
The freedom of information requests were sent to all London Boroughs, the majority of which obliged with details on their business continuity practices, specifically in relation to electoral data.
Managing director of Databarracks, Peter Groucutt, says that 40 percent is an alarmingly high number to have failed to test, especially with the UK General Election taking place on 7th May. “It’s worrying that with the general election just a day away, many local councils have not tested that their procedures actually work in the event of a disaster. As expected, all councils that responded to our request had thorough backup and disaster recovery plans in place – which is excellent – but without testing, they could be proved useless at their time of need,” said Mr Groucutt.
“We always recommend performing a DR test at least once a year. At any time in the year councils are under scrutiny to keep sensitive data secure and systems running smoothly. So in the run-up to a General Election, when the electoral roll is most important, it is vital to ensure your procedures are water-tight.”
Another concerning finding from the freedom of information requests is that the current RTOs (recovery time objectives) and RPOs (recovery point objectives) of many of the boroughs were relatively long.
Groucutt comments: “Most of the councils that did respond to us told us that their recovery time objective for electoral data was 24 hours, with some even as long as 7 days or in one case up to 2 weeks. It was also interesting to see that different councils have very different classifications for how critical the electoral register is. For some it is a ‘Priority 1’ system and requires the fastest recovery possible but for others there is no prioritisation, and for some the register is not included on their continuity list or would only be recovered on a ‘best-effort basis’. We put a lot of faith in IT infrastructure to just work. Imagine if a council thought its RPO was 30 minutes but when it came down to it, it was actually 48 hours? If they haven’t tested their DR capabilities, they really have no idea of how they’d cope should disaster strike at the very time that would cause most damage.”