Freedom of information requests

FOI 3942 2023/24

UHB cloud usage and data storage details

Published 31 May 2024

Questions

Provide an update regarding aspects of your Trust’s Cloud usage and Data storage details?

  1. For each element of IT infrastructure below, please provide the requested details:

  1. For each of the elements below, please provide details about your cloud provider:
  2. For each element detailed below, how does your organisation manage its data storage?
  3. For each of the network supply systems listed below, please provide the requested details

Response

The Trust can neither confirm nor deny whether we hold the information you have requested for the following reasons:

Section 31 (1) (a) Law enforcement - the prevention or detection of crime:

Disclosure of this information would be likely to prejudice the prevention or detection of crime.

Section 31(3) of the Act recognises the need to exclude the duty to confirm or deny if any information is held where to do so would, or would be likely to, prejudice any of the matters mentioned in 31(1).

It is our view that to confirm or deny the extent to which University Hospitals Birmingham NHS Foundation Trust has been subject to cyber security breaches and the nature of such attacks would provide information that is contrary to taking appropriate measures to manage these risks.

There is significant public interest in understanding more about cyber-crime and its potential effect on public organisations; however, there is also substantial public interest in not prejudicing any public organisation’s ability to protect itself from cyber-crime.

Providing any information could reveal facts about an organisation’s cyber security stance, for example, even to reveal the total number of incidents could give an indication to the world at large of the strength of an organisation’s cyber defences.

There is also a danger that by revealing any information to the world at large it may alert attackers that organisations are aware of their activity and they could then modify their behaviour accordingly, for example by destroying evidence pertinent to a future prosecution.

Therefore S31 (1) (a) of the FOIA is engaged as disclosure of the information requested would be likely to prejudice the prevention or detection of crime.

The public interest test:

Factors in favour of maintaining the exemption

There is a strong general public interest in supporting public bodies to effectively protect the data they hold and to make efficient use of public funds to prevent costly attacks of this type.

In relation to health care organisations this public interest is magnified as the data held are sensitive medical records and a malicious attack on IT infrastructure could affect the delivery of medical treatment, leading in the worst case scenario to the loss of lives.

Factors in favour of disclosure

The public have a right to know how public funds are spent.

There is also always a favourable public interest in disclosure arising from requests made under the Freedom of Information Act, in the spirit of transparency and openness.

The public may benefit from knowing how well resourced cyber-security is in a particular public organisation.

Conclusion

In this instance the Trust considers that the balance of public interest clearly lies in maintaining the exemption in the effectiveness of law enforcement and the prevention of crime.

The Trust does hold the annual spending and contract details for our IT infrastructure and systems; however, we are withholding this information under exemption 43 (commercial interests) of the Freedom of Information Act: the information is exempt information if its disclosure under this Act would, or would be likely to, prejudice the commercial interests of any person (including the public authority holding it).

Section 43(2) (Commercial Interests)

The Trust considers that annual spending and contract details for our IT infrastructure and systems are commercially sensitive in nature. This information could be used by competitors to gain a significant unfair advantage when products are put out to re-tender.

Section 43(2) is a qualified exemption and is subject to the public interest test. This means that not only does the information have to prejudice one of the purposes listed, but before the information can be withheld, the public interest in preventing that prejudice must outweigh the public interest in disclosure.

The public interest test:

Considerations in favour of disclosure:

  • The public need to know that we are spending public money wisely and getting best value, without fear or favour.
  • The need for public authorities to be transparent in their dealings.

Considerations against disclosure:

  • Disclosing this information would likely give the provider organisation’s competitors a significant unfair advantage during re-procurement of the products.
  • It could weaken the Trust’s position as potential companies would not have confidence that the Trust would keep sensitive financial data private.
  • This could prejudice the Trust’s ability to obtain best price and value.
  • It could reduce pricing innovation in tendering parties’ bids when the service is put out for re-procurement.
  • The inherent public interest in avoiding prejudice to the provider organisation and the Trust.
  • Releasing the information in Schedule 3(a) would likely result in prejudice to the commercial interests of the provider organisation.

Conclusion

The Trust recognises that there is a public interest in the disclosure of information which facilitates the accountability and transparency of public bodies for decisions taken by them. However, there is also a public interest in the Trust being able to work within competitive markets where that results in a financial or resource benefit which is put to the wider public interest. Having undertaken the balancing exercise, the Trust has concluded that the public interest in maintaining the exemption outweighs the public interest in disclosing the requested information having regard to the effect that the disclosure of the information would not be in the public interest.

Given that the definition of ‘public’ under the Act is considered to be the public at large, rather than just the individual applicant or a small group of people and that ‘public interest’ is not necessarily the same as what interests the public, it is considered that to release this sensitive information into the public domain is likely to result in prejudice to the commercial interests of both the Trust and the supplier organisation which is not outweighed by the wider public interest for disclosure.

  1.

| | Main provider | Annual spend 2022-2023 | Contract end date | Additional notes |
|---|---|---|---|---|
| Desktop management | Microsoft | Exempt under S43 | N/A | |
| Networking | Cisco | Exempt under S43 | January 2025 | |
| Data Centre | Inhouse | Exempt under S43 | N/A | |
| Server Management | Solarwinds | Exempt under S43 | N/A | |
| IT Security | Exempt under S31 | Exempt under S31 | Exempt under S31 | |
| Email and collaboration | Microsoft | Exempt under S43 | N/A | |
| Processing and computer capacity | Dell | Exempt under S43 | N/A | |




  1.

| | Main provider | Contract end date | Additional notes |
|---|---|---|---|
| Data storage | Microsoft | N/A | |
| Networking | Microsoft | N/A | |
| Backup and archive | Veeam | 2026 | |
| Application databases | N/A | N/A | |
| Big data analytics databases | N/A | N/A | |
| Email and collaboration | Microsoft | N/A | |
| Processing and computer capacity | Microsoft | N/A | |




  2.

| | On Premises | Off Premises | Main Supplier | Annual spend 2022-2023 | Contract end date | Additional notes |
|---|---|---|---|---|---|---|
| In-house data centre | Yes | Yes | Inhouse and ARK DC | Exempt under S43 | Rolling | |
| Shared service | N/A | N/A | N/A | N/A | N/A | |
| Data storage management | Yes | Yes | Dell | Exempt under S43 | 2028 | |



  3.

| | Main provider | Annual spend 2022-2023 | Contract end date | Additional notes |
|---|---|---|---|---|
| Data network (broadband) | British Telegram | Exempt under S43 | Variable | |
| WiFi (hardware) | Cisco | Exempt under S43 | January 2025 | |
| CoIN (if applicable) – Community of Interest Network | N/A | N/A | N/A | |
| Other (please specify) | Cisco | Exempt under S43 | Exempt under S43 | |