Information requested
I am requesting information relating to your organisation's IT infrastructure, digital maturity, staffing, contracts and technology spend. To assist in processing this request efficiently, I have structured it into clearly numbered sections below.
SECTION 1 — IT BUDGET AND SPEND
1.1 What is your organisation's total annual IT / digital technology budget for the current financial year (or most recently completed financial year)? Please break this down into:
(a) Capital expenditure (CapEx)
(b) Operational expenditure (OpEx)
1.2 What proportion of your total organisational budget does IT / digital technology represent (as a percentage)?
1.3 Is there a separate cyber security budget? If so, what is its value?
1.4 Please provide the name(s) of any Commissioning Support Units (CSUs) or managed service partners that manage IT expenditure on your behalf, if applicable.
SECTION 2 — IT STAFFING
2.1 How many whole-time equivalent (WTE) staff are directly employed in IT, digital or technology roles within your organisation?
2.2 Please provide a breakdown of IT staff by job role or band (e.g. Agenda for Change band or equivalent). Specific names are not required.
2.3 Does your organisation have the following named roles in post? (Please answer Yes / No / Vacant for each):
- (a) Chief Information Officer (CIO) or equivalent
- (b) Chief Digital Officer (CDO) or equivalent
- (c) Chief Technology Officer (CTO) or equivalent
- (d) Chief Information Security Officer (CISO) or equivalent
- (e) IT Director / Head of IT
- (f) Digital Transformation Lead or equivalent
2.4 How many IT staff are employed via third-party contractors or agency arrangements? What is the approximate annual spend on these arrangements?
SECTION 3 — SERVER AND COMPUTE INFRASTRUCTURE
3.1 Does your organisation operate on-premise server infrastructure? If yes:
- (a) What is the approximate number of physical servers in operation
- (b) What server vendors / manufacturers does your organisation use (e.g. Dell, HPE, Lenovo, Cisco UCS)?
- (c) What is the approximate age profile of your server estate (e.g. percentage under 3 years, 3–5 years, over 5 years old)?
3.2 Does your organisation use virtualisation technologies? If yes, which platform(s) (e.g. VMware, Microsoft Hyper-V, Nutanix)?
3.3 Does your organisation use hyperconverged infrastructure (HCI)? If yes, which vendor(s)?
3.4 Does your organisation use cloud computing services (not including office 365)? If yes:
- (a) Which cloud provider(s) do you use (e.g. AWS, Microsoft Azure, Google Cloud, other)?
- (b) Approximately what proportion of your workloads are cloud-hosted vs on-premise?
- (c) What is the approximate annual cloud spend?
SECTION 4 — STORAGE INFRASTRUCTURE
4.1 What storage platform(s) does your organisation use (e.g. NetApp, Dell EMC, Pure Storage, HPE, IBM)?
4.2 What is the approximate total usable storage capacity across your estate (in TB or PB)?
4.3 What is the approximate age of your primary storage estate?
SECTION 5 — BACKUP, DISASTER RECOVERY AND BUSINESS CONTINUITY
5.1 What backup software solution(s) does your organisation currently use (e.g. Veeam, Commvault, Veritas NetBackup, Cohesity, Rubrik, Zerto)?
5.2 What is your backup target infrastructure (e.g. on-premise disk, tape, cloud)?
5.3 Does your organisation have a documented Disaster Recovery (DR) plan? When was it last tested?
5.4 What is the current Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for your critical clinical systems?
5.5 Does your organisation use an offsite or cloud-based backup solution? If yes, which provider?
SECTION 6 — NETWORKING AND END-USER COMPUTING
6.1 Who provides your Wide Area Network (WAN) and/or internet connectivity services?
6.2 What network equipment vendors does your organisation use (e.g. Cisco, Juniper, Aruba, Palo Alto)?
6.3 What is the approximate number of end-user devices (laptops, desktops, tablets) in your organisation?
SECTION 7 — SOFTWARE, LICENSING AND KEY CLINICAL SYSTEMS
7.1 What is your current Electronic Patient Record (EPR) / Electronic Health Record (EHR) system? Please provide the vendor name and product.
7.2 What Patient Administration System (PAS) does your organisation use?
7.3 Does your organisation use a Picture Archiving and Communication System (PACS) / radiology imaging system? If yes, which vendor and product?
7.4 Does your organisation have a Microsoft Enterprise Agreement (or equivalent) in place? When is this due for renewal?
7.5 What is the approximate annual spend on software licences across the organisation?
7.6 Please list any other significant enterprise IT contracts (by contract type / system category — e.g. HR, finance, workforce management) with approximate annual values where held.
SECTION 8 — WARRANTIES, CONTRACTS AND PROCUREMENT
8.1 For your primary server, storage and network infrastructure, are vendor warranties and/or third-party maintenance contracts in place? Please provide:
- (a) The type of coverage (vendor warranty, third-party maintenance, or both)
- (b) The name of the maintenance provider(s), if applicable
- (c) Approximate contract expiry dates where held
8.2 What procurement frameworks does your organisation use for IT hardware and services (e.g. Crown Commercial Service, NHS Shared Business Services, G-Cloud, Tech Products 4)?
8.3 Are any significant IT contracts due for renewal within the next 24 months? Please provide contract category (not necessarily full commercial detail).
SECTION 9 — DIGITAL MATURITY AND STRATEGY
9.1 Has your organisation completed a Digital Maturity Assessment (DMA) or equivalent framework in the last two years? If so:
- (a) Which assessment framework was used (e.g. NHS England DMA, HIMSS EMRAM, Other)?
- (b) What overall maturity score or rating was achieved?
9.2 Does your organisation have a current Digital / IT Strategy? If so, what is the publication or approval date?
9.3 Has your organisation achieved or is actively working towards any recognised digital accreditations (e.g. HIMSS Level, NHS Digital aspirant status, Cyber Essentials Plus)?
9.4 What are the top three stated digital priorities for your organisation in the current or next financial year?
NHSCFA response
SECTION 1 — IT BUDGET AND SPEND
1.1
(a) Capital expenditure (CapEx) £628,443
(b) Operational expenditure (OpEx) £2,407,771
1.2 13.40%
1.3 There is no separate cyber security budget
1.4 Not Applicable
SECTION 2 — IT STAFFING
2.1 23
2.2 Agenda for Change Bands:
- Band 8 = 5
- Band 7 = 8
- Band 6 = 6
- Band 5 = 4
2.3
- (a) Chief Information Officer (CIO) or equivalent - NO
- (b) Chief Digital Officer (CDO) or equivalent - NO
- (c) Chief Technology Officer (CTO) or equivalent - NO
- (d) Chief Information Security Officer (CISO) or equivalent - NO
- (e) IT Director / Head of IT - YES
- (f) Digital Transformation Lead or equivalent - NO
2.4 No IT staff are employed via third-party contractors or agency arrangement.
SECTION 3 — SERVER AND COMPUTE INFRASTRUCTURE
3.1 (a) 10 servers
3.1 (b) The information you requested is being withheld as it falls under the exemption in section 31(1)(a) of the Freedom of Information Act. In applying exemption 31(1) we have had to balance the public interest in withholding the information against the public interest in disclosing the information. The attached annex to this letter sets out the exemption in full, as well as the factors the Authority considered when deciding that in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
3.1 (c) 80% under 3 years old 20% over 5 years old
3.2 The information you requested is being withheld as it falls under the exemption in section 31(1)(a) of the Freedom of Information Act. In applying exemption 31(1) we have had to balance the public interest in withholding the information against the public interest in disclosing the information. The attached annex to this letter sets out the exemption in full, as well as the factors the Authority considered when deciding that in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
3.3 No, the organisation does not use HCI.
3.4 (a) The information you requested is being withheld as it falls under the exemption in section 31(1)(a) of the Freedom of Information Act. In applying exemption 31(1) we have had to balance the public interest in withholding the information against the public interest in disclosing the information. The attached annex to this letter sets out the exemption in full, as well as the factors the Authority considered when deciding that in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
3.4 (b) Cloud- hosted 95% vs on – premise 5%
3.4 (c) £125000
SECTION 4 — STORAGE INFRASTRUCTURE
4.1 The information you requested is being withheld as it falls under the exemption in section 31(1)(a) of the Freedom of Information Act. In applying exemption 31(1) we have had to balance the public interest in withholding the information against the public interest in disclosing the information. The attached annex to this letter sets out the exemption in full, as well as the factors the Authority considered when deciding that in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
4.2 1.5PB
4.3 Less than 3 years
SECTION 5 — BACKUP, DISASTER RECOVERY AND BUSINESS CONTINUITY
5.1 The information you requested is being withheld as it falls under the exemption in section 31(1(a) of the Freedom of Information Act. In applying exemption 31(1) we have had to balance the public interest in withholding the information against the public interest in disclosing the information. The attached annex to this letter sets out the exemption in full, as well as the factors the Authority considered when deciding that in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
5.2 Cloud
5.3 Yes the organisation has a disaster recovery plan.
5.4 This information is not held
5.5 The information you requested is being withheld as it falls under the exemption in section 31(1)(a) of the Freedom of Information Act. In applying exemption 31(1) we have had to balance the public interest in withholding the information against the public interest in disclosing the information. The attached annex to this letter sets out the exemption in full, as well as the factors the Authority considered when deciding that in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
SECTION 6 — NETWORKING AND END-USER COMPUTING
6.1 This is provided by the NHS Business Services Authority under a Memorandum of Understanding.
6.2 Information not held. This is outsourced.
6.3 300
SECTION 7 — SOFTWARE, LICENSING AND KEY CLINICAL SYSTEMS
7.1 This information is not held.
7.2 This information is not held.
7.3 This information is not held.
7.4 No, the organisation does not have a Microsoft Enterprise Agreement
7.5 Based on FY2025/26 spend;
Capital - £868,178
Revenue - £575,720
Total - £1,443,898
7.6 Please refer to the public contract register which is published here:
SECTION 8 — WARRANTIES, CONTRACTS AND PROCUREMENT
8.1
(a) Vendor Warranty
(b) Not Applicable
(c) Not Applicable
8.2 Crown Commercial Service, NHS Shared Business Services, G-Cloud.
8.3 Please refer to the public contract register which is published here:
SECTION 9 — DIGITAL MATURITY AND STRATEGY
9.1 (a) This information is not held
9.1 (b) This information is not held
9.2 Yes. July 2025
9.3 The organisation has achieved ISO27001 (since 2007)
9.4
- Improve operational efficiency
- Enhance fraud prevention mechanisms
- Develop a digitally literate workforc