Procurement Data
Case reference FOI2026/00327
Received 12 February 2026
Published 16 March 2026
Request
Please provide the following information. 1. Please provide the record from the organisation's Contract Register or equivalent procurement log entry pertaining to the current contract for the Endpoint Detection and Response (EDR) solution (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used]) DEFINITION: The practice of securing organisational assets such as laptops, desktops, mobile phones, and servers against malicious activity. It encompasses tools and strategies designed to detect, prevent, and respond to threats directly on the device itself.
2. Please provide the following information for the current maintenance and licensing agreement for the primary Perimeter Firewall/Intrusion Prevention System (IPS) solution (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used]) DEFINITION: The processes and technologies used to protect the boundaries (the perimeter) of an organisation's internal network from unauthorised external access. It involves monitoring and controlling incoming and outgoing network traffic.
3. Please provide the following information for the service agreement covering the Cloud Security Posture Management (CSPM) platform or equivalent third-party cloud security monitoring too (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used]) DEFINITION: The set of security measures designed to protect data, applications, and infrastructure running in cloud environments (e.g., AWS, Azure, GCP). It also includes securing internally and externally facing applications themselves (application security).
4. Please provide the following information for the service agreement covering your Identity & Access Management (IAM) software (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used]) DEFINITION: A framework of policies and technologies that ensures the right users have the appropriate access to the right resources at the right time. It involves managing digital identities, authentication (verifying identity), and authorisation (granting access).
5. Please provide the record from the organisation's Contract Register or equivalent procurement log entry pertaining to the current contract for your current Managed Security / SOC Services (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used]) DEFINITION: The outsourcing of security monitoring and management to a third-party expert. A Security Operations Center (SOC) is a centralised function (internal or outsourced) responsible for continuous monitoring, threat analysis, and managing security incidents. 6. Please provide the record from the organisation's Contract Register or equivalent procurement log entry pertaining to the current contract for your current Vulnerability & Compliance Management service (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used]) DEFINITION: The continuous, cyclical practice of identifying, classifying, prioritising, remediating, and mitigating software weaknesses (vulnerabilities). Compliance Management ensures that security practices adhere to specific internal policies, regulatory requirements (like GDPR), and industry standards.
Response
The NHS Trust can neither confirm nor deny whether information is held under section 31(3) of the FOIA. The full wording of section 31 can be found here: http://www.legislation.gov.uk/ukpga/2000/36/section/31
S31(3) of the FOIA allows a public authority to neither confirm nor deny whether it holds information where such confirmation would be likely to prejudice any of the matters outlined in section 31(1). This includes information the disclosure of which would or would be likely to prejudice the prevention or detection of crime.
As section 31(3) is a qualified exemption, it is subject to a public interest test for determining whether the public interest lies in confirming whether the information is held or not.
Factors in favour of confirming or denying the information is held
The NHS Trust considers that to confirm or deny whether the requested information is held would indicate the prevalence of cyber- attacks against the NHS Trust’s ICT infrastructure and would reveal details about the Trust’s information security systems. The NHS Trust recognises that answering the request would promote openness and transparency with regards to the NHS Trust’s ICT security.
Factors in favour of neither confirming nor denying the information is held
Cyber-attacks, which may amount to criminal offences for example under the Computer Misuse Act 1990 or the Data Protection Act 2018, are rated as a Tier 1 threat by the UK Government. The NHS Trust like any organisation may be subject to cyber-attacks and, since it holds large amounts of sensitive, personal and confidential information, maintaining the security of this information is extremely important.
In this context, the NHS Trust considers that confirming or denying whether the requested information is held would provide information about the NHS Trust’s information security systems and its resilience to cyber-attacks. There is a very strong public interest in preventing the NHS Trust’s information systems from being subject to cyber-attacks. Confirming or denying the type of information requested would be likely to prejudice the prevention of cybercrime, and this is not in the public interest.
Balancing the public interest factors
The NHS Trust has considered that if it were to confirm or deny whether it holds the requested information, it would enable potential cyber attackers to ascertain how and to what extend the NHS Trust is able to detect and deal with ICT security attacks. The NHS Trust’s position is that complying with the duty to confirm or deny whether the information is held would be likely to prejudice the prevention or detection of crime, as the information would assist those who want to attack the NHS Trust’s ICT systems. Disclosure of the information would assist a hacker in gaining valuable information as to the nature of the NHS Trust’s systems, defences and possible vulnerabilities. This information would enter the public domain and set a precedent for other similar requests which would, in principle, result in the NHS Trust being a position where it would be more difficult to refuse information in similar requests. To confirm or deny whether the information is held is likely to enable hackers to obtain information in mosaic form combined with other information to enable hackers to gain greater insight than they would ordinarily have, which would facilitate the commissioning of crime such as hacking itself and also fraud. This would impact on the NHS Trust’s operations including its front line services. The prejudice in complying with section 1(1)(a) FOIA is real and significant as to confirm or deny would allow valuable insight into the perceived strengths and weaknesses of the NHS Trust’s ICT systems.
Documents
This is Oxford University Hospitals NHS Foundation Trust's response to a freedom of information (FOI) or environmental information regulations (EIR) request.
You can browse our other responses or make a new FOI request.