Display Single Record

FOI Request

Disclosure ID
FOI/06321
Request Date
October 2, 2023
Subject
Cybersecurity
Description

1. In 2023, what annual cybersecurity budget has been allocated to your NHS Trust?

2. Can you also provide your Trust’s annual cybersecurity budget for the years:
a.2022
b.2021
c.2020
d.2019
e.2018
f.2017

3. In 2023, how is your annual cybersecurity budget spent:
a.What percentage goes towards cybersecurity training for employees?
b.What percentage goes towards technology investments?
c.What percentage goes towards employee resources for your cybersecurity team?

4. How many employees work in your NHS Trust?

5. How many employed, full-time members of staff make up your NHS Trust’s cyber/infosecurity team?

6. How many hours of cybersecurity training are employees of your NHS Trust required to undertake every year?

7. Has your NHS Trust paid any ransom demands to cybercriminals in the last five years?
a.If yes, how much did you pay in total?

8. Has your NHS Trust had any patient records compromised / stolen by cybercriminals in the last five years?
a.If yes, how many records were compromised / stolen?

Response
  1. How many employees work in your NHS Trust? – 8453

With regards to all other questions “The requested information relating to our Trust’s ICT systems and the security of these systems is exempt from disclosure under Section 24 (Safeguarding National Security) and Section 31 (Prevention and Detection of Crime) of the Freedom of Information Act (FOIA).

 

If disclosed, this information could be used to identify ways of breaching our Trust’s ICT security measures, which would thereby put us at increased risk of cyber-attack. This would potentially put invaluable patient and staff data at risk, which the Trust has a legal duty to protect under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018), and other confidential data which is essential to the running of Trust services.

 

The disclosure of information which may undermine the integrity of our ICT systems, and NHS ICT systems on a national scale, is exempt under Section 24. The disclosure of information which would make our Trust more vulnerable to crime is exempt under Section 31, as releasing the requested information may prejudice our ability to prevent cyber-crime targeting our systems.

These are qualified exemptions; the public interest in withholding information must outweigh the public interest in disclosure. It is the opinion of the Trust that the public interest in protecting the integrity of our information and ensuring our ability to provide healthcare services justifies the application of these exemptions.”

Attachment 1
Attachment 2
Attachment 3
Attachment 4
Attachment 5
Attachment 6
Attachment 7
Attachment 8
Attachment 9