Freedom of Information Request – Ref: FOI 141-2026
Thank you for your recent Freedom of Information request. Please find our response below.
You asked:
1. Certifications and DSPT status (please tick / fill)
| Item | Trust | EHR/EPR Supplier |
|---|---|---|
| ISO 27001 — valid certification held? (Y/N) | | |
| ISO 22301 — valid certification held? (Y/N) | | |
| Cyber Essentials Plus — valid certificate held? (Y/N) | | |
| DSPT — submission completed for most recent assessment year? (Y/N) | | |
| DSPT — published status (Exceeded / Met / Approaching / Not Met) | | |
| DSPT — independent audit of submission undertaken? (Y/N) [supplier only] | N/A | |
Our response:
| Item | Trust | EHR/EPR Supplier |
|---|---|---|
| ISO 27001 — valid certification held? (Y/N) | This is publicly available through various web sites | This is publicly available through various web sites |
| ISO 22301 — valid certification held? (Y/N) | This is publicly available through various web sites | This is publicly available through various web sites |
| Cyber Essentials Plus — valid certificate held? (Y/N) | This is publicly available through various web sites | This is publicly available through various web sites |
| DSPT — submission completed for most recent assessment year? (Y/N) | This is publicly available – Data Security and Protection Toolkit | This is publicly available – Data Security and Protection Toolkit |
| DSPT — published status (Exceeded / Met / Approaching / Not Met) | This is publicly available – Data Security and Protection Toolkit | This is publicly available – Data Security and Protection Toolkit |
| DSPT — independent audit of submission undertaken? (Y/N) [supplier only] | N/A | We do not hold this information, therefore are unable to supply it. |
You asked:
2. DSPT — narrative follow-up
If any DSPT requirements were recorded as ‘Not Met’ or ‘Approaching Standards’ in your most recent submission (Trust or supplier), please briefly describe the areas affected and confirm whether an improvement plan was submitted to NHS England.
Our response:
Not applicable.
You asked:
3. Clinical safety
a. Has the Trust produced a DCB0160-compliant Deployment Safety Case and Hazard Log for its primary EHR/EPR system?
Our response:
GHC have multiple main EHR/EPR systems in use but have not yet completed full legacy system DCB0160 reviews due to CSO and operational capacity. This is identified and acknowledged as a required workstream.
You asked:
b. Has the EHR/EPR supplier produced a DCB0129-compliant Clinical Safety Case Report and Hazard Log?
Our response:
Yes – GHC have DCB0129-compliant documentation for all main EHR/EPR systems in use.
You asked:
c. Please name the Clinical Safety Officer (CSO) for (i) the Trust and (ii) the EHR/EPR supplier.
Our response:
GHC CSO: Gemma Evans
Supplier CSO: multiple. Contact made in relation to specific project areas / updates as required.
You asked:
d. Has the Trust conducted simulation exercises or downtime training with clinical staff to prepare for a ransomware attack?
Our response:
The Trust carries out an annual exercise.
You asked:
4. Cybersecurity leadership and staffing
a. Does the Trust have dedicated cybersecurity staff (separate from general IT)? If yes, please give the FTE count.
Our response:
Yes. We do not hold FTE information, as this is a shared service from Gloucestershire Hospitals NHS Foundation Trust.
You asked:
b. Does the EHR/EPR supplier have a Chief Information Security Officer (CISO), and is this role UK-based?
Our response:
We do not hold this information.
You asked:
c. Does the supplier have UK-based cybersecurity staff responsible for NHS-deployed systems? If yes, please give the FTE count.
Our response:
We do not hold this information.
You asked:
Please identify your primary EHR/EPR supplier when answering the supplier-related items above.
Our response:
TPP, Access Group.
Next steps:
Should you have any queries in relation to our response, please do not hesitate to contact us. If you are unhappy with the response you have received in relation to your request and wish to ask us to review our response, you should write to:
Louise Moss
Head of Legal Services / Associate Director of Corporate Governance
c/o Gloucestershire Health and Care NHS Foundation Trust
Edward Jenner Court
1010 Pioneer Avenue
Gloucester Business Park
Brockworth, GL3 4AW
E-mail: louise.moss@ghc.nhs.uk
If you are not content with the outcome of any review, you may apply directly to the Information Commissioner’s Office (ICO) for further advice/guidance. Generally, the ICO will not consider your case unless you have exhausted your enquiries with the Trust which should include considering the use of the Trust’s formal complaints procedure. The ICO can be contacted at: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

