Search the Herefordshire and Worcestershire Health and Care NHS Trust website

Advanced options

Freedom of Information - HACW-2766

FOI request:

Intranet Questions

  1. How many people are employed by your organisation, including full time and part time?
  2. What is your current intranet solution? (Sharepoint, Wordpress, Interact, Invotra, Oak etc)
  3. How long have you been using this intranet solution?
  4. When is your intranet contract up for renewal?
  5. What is your annual intranet budget?
  6. What is your procurement process? Please can you include any portals used to list tenders and/or
  7. any suppliers/consultants used to procure.
  8.  Do you share intranet/IT services with other organisations, if so who?
  9. Which team and/or individual(s) are responsible for managing your intranet internally?
  10.  Are you using the Office 365 suite? If so, which applications from the suite are in use?
  11. Which team and/or individual(s) are responsible for your intranet’s procurement within the organisation?
  12.  Is your Active Directory hosted on-premise, or in the cloud?
  13.  Could you provide us with a link to your Digital Workplace Strategy?

Website / Accessibility Questions

  1. What software are you currently using for your website?
  2. What team/individual is responsible for maintaining your website?
  3. Do you work with an external supplier to maintain your website, if so when does your contract expire?
  4. When did you last conduct an accessibility audit against your public website?
  5. What team/individual is responsible for digital accessibility across your public facing services?
  6. What is your budget for digital accessibility?
  7. What is your annual marketing/communications budget for creating content for residents?
  8. Do you work with external marketing/communications suppliers to create content for your public facing services?
  9. When was the last time you conducted a content audit on your website to remove outdated content?

Trust response:

Intranet Questions

  1. Section 21 – Information accessible to applicant by other means.  This information is already published on our website and is considered exempt from disclosure under section 21(1) of the Freedom of Information Act as it is reasonable accessible to you by other means.  This information is available in the Trust Annual report (page 65) published on the Trust website which can be accessed via the following link: Policies, Strategies and Reports | Herefordshire and Worcestershire Health and Care NHS Trust (hacw.nhs.uk)
  2. Herefordshire and Worcestershire Health and Care NHS Trust can neither confirm nor deny whether information is held under section 31(3) of the FOIA. The full wording of section 31 can be found here: http://www.legislation.gov.uk/ukpga/2000/36/section/31

S31(3) of the FOIA allows a public authority to neither confirm nor deny whether it holds information where such confirmation would be likely to prejudice any of the matters outlined in section 31(1). This includes information the disclosure of which would or would be likely to prejudice the prevention or detection of crime.

 

As section 31(3) is a qualified exemption, it is subject to a public interest test for determining whether the public interest lies in confirming whether the information is held or not.

Factors in favour of confirming or denying the information is held

The Trust considers that to confirm or deny whether the requested information is held would indicate the prevalence of cyber- attacks against the Trust’s ICT infrastructure and would reveal details about the Trust’s information security systems. The Trust recognises that answering the request would promote openness and transparency with regards to the Trust’s ICT security.

Factors in favour of neither confirming nor denying the information is held

Cyber-attacks, which may amount to criminal offences for example under the Computer Misuse Act 1990 or the Data Protection Act are rated as a Tier 1 threat by the UK Government. The Trust like any organisation may be subject to cyber-attacks and, since it holds large amounts of sensitive, personal and confidential information, maintaining the security of this information is extremely important.

In this context, the Trust considers that confirming or denying whether the requested information is held would provide information about the Trust’s information security systems and its resilience to cyber-attacks. There is a very strong public interest in preventing the Trust’s information systems from being subject to cyber-attacks. Confirming or denying the type of information requested would be likely to prejudice the prevention of cybercrime, and this is not in the public interest.

Balancing the public interest factors

The Trust has considered that if it were to confirm or deny whether it holds the requested information, it would enable potential cyber attackers to ascertain how and to what extend the Trust is able to detect and deal with ICT security attacks. The Trust’s position is that complying with the duty to confirm or deny whether the information is held would be likely to prejudice the prevention or detection of crime, as the information would assist those who want to attack the Trust’s ICT systems. Disclosure of the information would assist a hacker in gaining valuable information as to the nature of the Trust’s systems, defences and possible vulnerabilities. This information would enter the public domain and set a precedent for other similar requests which would, in principle, result in the Trust being a position where it would be more difficult to refuse information in similar requests. To confirm or deny whether the information is held is likely to enable hackers to obtain information in mosaic form combined with other information to enable hackers to gain greater insight than they would ordinarily have, which would facilitate the commissioning of crime such as hacking itself and also fraud. This would impact on the Trust’s operations including its front line services. The prejudice in complying with section 1(1)(a) FOIA is real and significant as to confirm or deny would allow valuable insight into the perceived strengths and weaknesses of the Trust’s ICT systems.

  1. This solution has been in use since 2020.
  2. The Trust contract runs until June 2022 with the option to extend for two further years.
  3. £5,500.
  4. Process will be a quotation exercise undertaken on the Atamis e-tendering system, or use of a suitable framework agreement.
  5. In house.
  6. Herefordshire and Worcestershire Health and Care NHS Trust can neither confirm nor deny whether information is held under section 31(3) of the FOIA  - see question 2 response above.
  7. Marketing and Communications Team.
  8. Yes, in line with all NHS licences, office suite is used.
  9. Which team and/or individual(s) are responsible for your intranet’s procurement within the organisation?
  10.  Herefordshire and Worcestershire Health and Care NHS Trust can neither confirm nor deny whether information is held under section 31(3) of the FOIA  - see question 2 response above.
  11. The Digital Strategy is presented to Trust Board annually and can be accessed via the following link: Board Papers - Herefordshire and Worcestershire Health and Care NHS Trust | Herefordshire and Worcestershire Health and Care NHS Trust (hacw.nhs.uk)

See Enclosure G in January 2021 Trust Board papers for Digital Strategy; Enclosure Gi in January 2022 Trust Board papers for annual review.

Website / Accessibility Questions

  1. Herefordshire and Worcestershire Health and Care NHS Trust can neither confirm nor deny whether information is held under section 31(3) of the FOIA  - see question 2 response above.
  2. Marketing and Communications Team.
  3. The Trust contract runs until June 2022 with the option to extend for two further years.
  4. The last audit was conducted in 2020.
  5. Digital accessibility is managed by the Trusts Marketing and Communications Team, Organisational Development Team and IT Team.
  6. No designated budget.
  7. Content is produced in house by the Trust’s Marketing and Communications Team and does not have an allocated budget.
  8. No.
  9. This is regularly undertaken by the Trust’s Marketing and Communications Team.

Please be aware that although this information is accurate at the time it is provided, it may not be in the future and should not be relied upon.