
Freedom of Information request: Procurement

Response published: 21 April 2026

FOI Request

Dear FOI Team,

Please provide the following information.

1. Please provide the record from the organisation's Contract Register or equivalent procurement log entry pertaining to the current contract for the Endpoint Detection and Response (EDR) solution (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used])

DEFINITION: The practice of securing organisational assets such as laptops, desktops, mobile phones, and servers against malicious activity. It encompasses tools and strategies designed to detect, prevent, and respond to threats directly on the device itself.

2. Please provide the following information for the current maintenance and licensing agreement for the primary Perimeter Firewall/Intrusion Prevention System (IPS) solution (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used])

DEFINITION: The processes and technologies used to protect the boundaries (the perimeter) of an organisation's internal network from unauthorised external access. It involves monitoring and controlling incoming and outgoing network traffic.

3. Please provide the following information for the service agreement covering the Cloud Security Posture Management (CSPM) platform or equivalent third-party cloud security monitoring tool (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used])

DEFINITION: The set of security measures designed to protect data, applications, and infrastructure running in cloud environments (e.g., AWS, Azure, GCP). It also includes securing internally and externally facing applications themselves (application security).

4. Please provide the following information for the service agreement covering your Identity & Access Management (IAM) software (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used])

DEFINITION: A framework of policies and technologies that ensures the right users have the appropriate access to the right resources at the right time. It involves managing digital identities, authentication (verifying identity), and authorisation (granting access).

5. Please provide the record from the organisation's Contract Register or equivalent procurement log entry pertaining to the current contract for your current Managed Security / SOC Services (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used])

DEFINITION: The outsourcing of security monitoring and management to a third-party expert. A Security Operations Center (SOC) is a centralised function (internal or outsourced) responsible for continuous monitoring, threat analysis, and managing security incidents.

6. Please provide the record from the organisation's Contract Register or equivalent procurement log entry pertaining to the current contract for your current Vulnerability & Compliance Management service (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used])

DEFINITION: The continuous, cyclical practice of identifying, classifying, prioritising, remediating, and mitigating software weaknesses (vulnerabilities). Compliance Management ensures that security practices adhere to specific internal policies, regulatory requirements (like GDPR), and industry standards.

Yours faithfully,

FOI Response

Freedom of Information Request – Ref: FOI 045-2026

Thank you for your recent Freedom of Information request. Please find our response below.

You asked:

1. Please provide the record from the organisation’s Contract Register or equivalent procurement log entry pertaining to the current contract for the Endpoint Detection and Response (EDR) solution (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used])

Our response:

Our Endpoint Detection & Response solution is part of a national offering; the start and end date, along with the annual spend, cannot be separated out of the overall provisions.

We have applied the Freedom of Information Act 2000 exemption – Section 36(2)(c) – Prejudice to the Effective Conduct of Public Affairs to the remaining part of your question above. Please see explanation at the end of this FOI request.

You asked:

2. Please provide the following information for the current maintenance and licensing agreement for the primary Perimeter Firewall/Intrusion Prevention System (IPS) solution (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used])

Our response:

Our primary Perimeter Firewall/Intrusion Prevention System (IPS) solution is part of a national offering; the start and end date, along with the annual spend, cannot be separated out of the overall provisions.

We have applied the Freedom of Information Act 2000 exemption – Section 36(2)(c) – Prejudice to the Effective Conduct of Public Affairs to the remaining part of your question above. Please see explanation at the end of this FOI request.

You asked:

3. Please provide the following information for the service agreement covering the Cloud Security Posture Management (CSPM) platform or equivalent third-party cloud security monitoring tool (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used])

Our response:

We do not have a cloud security posture management platform.

You asked:

4. Please provide the following information for the service agreement covering your Identity & Access Management (IAM) software (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used])

Our response:

Our Identity & Access Management (IAM) software is part of a national offering; the start and end date, along with the annual spend, cannot be separated out of the overall provisions.

We have applied the Freedom of Information Act 2000 exemption – Section 36(2)(c) – Prejudice to the Effective Conduct of Public Affairs to the remaining part of your question above. Please see explanation at the end of this FOI request.

You asked:

5. Please provide the record from the organisation’s Contract Register or equivalent procurement log entry pertaining to the current contract for your current Managed Security / SOC Services (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used])

Our response:

This is a local NHS shared system provider which is reviewed & renewed annually as an internal supplier arrangement. The total contract value is £260k; the costing cannot be broken down in the way requested.

We have applied the Freedom of Information Act 2000 exemption – Section 36(2)(c) – Prejudice to the Effective Conduct of Public Affairs to the remaining part of your question above.  Please see explanation at the end of this FOI request.

You asked:

6. Please provide the record from the organisation’s Contract Register or equivalent procurement log entry pertaining to the current contract for your current Vulnerability & Compliance Management service (Include Supplier, Product Name, Start Date, Expiry Date, Annual spend 2025/2026 [£], Additional notes [including any framework used])

Our response:

This is a local NHS shared system provider which is reviewed & renewed annually as an internal supplier arrangement. The total contract value is £260k; the costing cannot be broken down in the way requested.

We have applied the Freedom of Information Act 2000 exemption – Section 36(2)(c) – Prejudice to the Effective Conduct of Public Affairs to the remaining part of your question above.  Please see explanation at the end of this FOI request.

Freedom of Information Act 2000 – Exemption Applied – Section 36(2)(c) – Prejudice to the Effective Conduct of Public Affairs

For the remaining parts of your questions above which have not been answered, the Trust has applied an exemption under section 36(2)(c) of the Freedom of Information Act 2000. This exemption applies where, in the reasonable opinion of a Qualified Person, disclosure of the information would otherwise prejudice, or would be likely otherwise to prejudice, the effective conduct of public affairs.

Reason for applying the exemption

The information requested relates to the Trust’s cyber security arrangements, including details of systems, services, or protections used to secure its digital infrastructure.  In the reasonable opinion of the Qualified Person, disclosure of this information would be likely to prejudice the effective conduct of public affairs, as it would:

  • Undermine the Trust’s ability to manage and mitigate cyber security risks;
  • Reduce the effectiveness of security controls by exposing aspects of the Trust’s defensive arrangements;
  • Increase the likelihood of cyber‑attack, system compromise, or service disruption; and
  • Impact the Trust’s ability to deliver safe and effective healthcare services.

Cyber security forms an essential part of the Trust’s operational governance and service delivery. Providing detailed information about defensive measures or configurations would be likely to assist malicious actors and weaken the Trust’s capacity to protect patient data, maintain system availability, and ensure continuity of care.

The exemption is therefore engaged as disclosure would be likely to inhibit the Trust’s ability to carry out its public functions effectively.

Next steps:

Should you have any queries in relation to our response, please do not hesitate to contact us. If you are unhappy with the response you have received in relation to your request and wish to ask us to review our response, you should write to:

Louise Moss
Head of Legal Services / Associate Director of Corporate Governance
c/o Gloucestershire Health and Care NHS Foundation Trust
Edward Jenner Court
1010 Pioneer Avenue
Gloucester Business Park
Brockworth, GL3 4AW
E-mail: louise.moss@ghc.nhs.uk

If you are not content with the outcome of any review, you may apply directly to the Information Commissioner’s Office (ICO) for further advice/guidance. Generally, the ICO will not consider your case unless you have exhausted your enquiries with the Trust which should include considering the use of the Trust’s formal complaints procedure. The ICO can be contacted at: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.