Freedom of Information Request – Ref: FOI 034-2025
Thank you for your recent Freedom of Information request. Please find our response below.
You asked:
1. Current DPO arrangements
1.1 Is the organisation’s DPO and other staff that work on data protection compliance:
(a) An internal employee
(b) A DPO provided by an external service provider
(c) Hybrid (internal staff with external service provider support)
Our response:
(a) An internal employee
You asked:
1.2 Where services are provided by external providers, please share the following information:
(a) The Company name(s)
(b) Annual spend by your organisation (FY2022/2023 through to FY2024/2025)
(c) The highest day rate paid
(d) Contract dates (start/end/renewal terms)
(e) A brief description of the project or services provided (for instance, project title or internal reference)
(f) Services covered (e.g., audits, breach management, SAR management, delivery of DPIAs) • Please indicate what deliverables were produced • Procurement method (e.g., open competition, framework agreement, direct
award) and name of the procurement framework, if applicable.
Our response:
Not applicable
You asked:
2. Consultancy Spend
2.1 What is the organisation’s, total annual expenditure on data protection/GDPR consultancy services?
Our response:
Nil
You asked:
2.2 For SoW/projects which have a spend of more than £5k), please share the following information:
• Supplier company name
• The scope of the Project (e.g., "ICO investigation support", DPIA support, Internal Audit recommendation support) • Spend • Procurement method
Our response:
Not applicable
You asked:
3. Data Protection Compliance staffing
3.1 The Number of in-house data protection staff in the organisation? (FTE)
Our response:
6
You asked:
3.2 Are there any vacant roles?
Our response:
No
You asked:
3.3 Where there any ICO investigations, audits, or enforcement actions for the period from FY2022/2023 to FY 2024/2025?
Our response:
This information can be found in our annual reports, website link below:
https://www.ghc.nhs.uk/who-we-are/publications/
You asked:
4. Future Plans
4.1 Is your organisation planning to put out to tender for any DPO/GDPR services in the current financial year?
Our response:
No
You asked:
4.2 If yes please provide the following:
Expected timeline
Budget range
Key service requirements
Procurement method
Our response:
Not applicable
Next steps:
Should you have any queries in relation to our response, please do not hesitate to contact us. If you are unhappy with the response you have received in relation to your request and wish to ask us to review our response, you should write to:
Louise Moss
Head of Legal Services / Associate Director of Corporate Governance
c/o Gloucestershire Health and Care NHS Foundation Trust
Edward Jenner Court
1010 Pioneer Avenue
Gloucester Business Park
Brockworth, GL3 4AW
E-mail: louise.moss@ghc.nhs.uk
If you are not content with the outcome of any review, you may apply directly to the Information Commissioner’s Office (ICO) for further advice/guidance. Generally, the ICO will not consider your case unless you have exhausted your enquiries with the Trust which should include considering the use of the Trust’s formal complaints procedure. The ICO can be contacted at: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.