Freedom of information requests concerning information technology (IT) infrastructure
Information technology infrastructure, security issues, attacks, ransomware, malware, and related topics
Rotherham Doncaster and South Humber NHS Foundation Trust (RDaSH) operates a large number of information technology (IT) systems. To ensure our data and services are protected, the trust uses all necessary tools to keep our systems and infrastructure safe and secure. We regularly update our estate to comply with the relevant guidance and codes of practice. We also have a duty under the UK General Data Protection Regulations and the Data Protection Act (2018) to keep people’s personal data safe and secure and we comply with that duty.
As a public body the trust must demonstrate that it keeps its systems and infrastructure safe and complies with prevailing obligations, but at the same time we must be careful that transparency does not provide an opportunity for nefarious groups or individuals to attack the trust.
Disclosures made under the Freedom of Information Act (2000) are made to the world, not just the individual requesting the information. As such, whilst the trust accepts that most requesters will have a genuine purpose for requesting the information, its disclosure would still increase the vulnerability of the trust’s information technology (IT) security infrastructure, as it would allow cyber-criminals to identify and exploit weaknesses within our systems and infrastructure.
For example, if the trust provides information regarding recent security software updates, cyber criminals could use this information to exploit any known weaknesses and attack the organisation. Similarly, information relating to our infrastructure, or the tools and methods we deploy to keep the trust safe, could identify further weaknesses for cyber criminals to exploit.
We must take all necessary steps to ensure data remains secure and is suitably protected from unlawful access or loss.
The trust receives frequent freedom of information requests for detailed information about our IT infrastructure and IT security. We are often asked about what technology we deploy, what IT security systems we have in place, the suppliers and versions of our IT security, how often we update and amend our security, whether we have identified particular issues or vulnerabilities and what we have done to strengthen our systems.
The trust has considered these issues carefully and has decided not to disclose this information for any requests of this nature. This is because we consider the information to be exempt under section 31 of the Freedom of Information Act (2000). The trust’s justification for applying section 31 is below:
Refusal notice section 31(1)(a) law enforcement
Section 31(1)(a) states that a local authority need not provide information that would be likely to prejudice the functions of law enforcement, in this case, the prevention and detection of crime.
The trust believes that disclosing information about our security systems and infrastructure could allow criminals to identify vulnerabilities within our estate and use this information for targeted attacks. If these attacks were successful, cyber criminals may unlawfully gain access to trust systems containing sensitive personal and commercially confidential data. The trust therefore considers that disclosing these types of information would increase the risk of further criminal offences.
Public interest test
Section 31 is a qualified exemption which means we must consider the public interest in disclosure.
Factors in favour of disclosure
- Evidencing the trust’s transparency and accountability.
- Reassuring the public and our partners that the trust’s systems are secure.
- Providing information about how effective our security systems are.
Factors in favour of withholding
- The public interest in crime prevention.
- Avoiding disruption to public services.
- Avoiding costs associated with any attacks (for example, recovery, revenue, regulatory fines).
- Preventing any threat to the integrity of trust data.
- Ensuring the trust can comply with its duties to take all necessary steps to safeguard data.
The trust is satisfied that the balance of public interest lies in upholding the exemption and not releasing the information.
To provide assurance that trust systems are secure, we are happy to release details of the compliance standards the trust currently meets at the time of any request being submitted.
Malware and ransom attacks
The trust is frequently asked to supply information about malware, ransomware and any other previous cyber-attacks. Examples of common questions include whether we have been subjected to any cyber-attacks within a given period, the volume, whether they succeeded and what actions we have undertaken to protect the trust. We may be asked if we have been the victim of ransomware, whether attacks were successful, if we paid ransoms, how often, when, to whom and for how much.
The trust has considered these issues carefully and we have decided that we should “neither confirm, nor deny” whether this information is held by the trust. This is because we consider this information to be exempt under section 31 of the Freedom of Information Act (2000).
Please see the trust’s justification for applying section 31 below.
Refusal notice section 31(3) law enforcement
The trust believes that disclosing whether we hold information about cyber-attacks, malware or ransomware may give cyber criminals insight into vulnerabilities within our systems which would pose a threat to our cybersecurity infrastructure. The trust therefore considers that confirming whether we hold the requested information would, or would be likely to, prejudice the prevention or detection of crime (section 31(1)(a)). Therefore, in line with section 31(3), the trust considers that the duty to “confirm or deny” does not arise.
Public interest test
Section 31 is a qualified exemption which means we must consider the public interest in disclosure.
Factors in favour of confirming or denying if we hold relevant information.
- Evidencing the trust’s transparency and accountability.
- Reassuring the public and our partners that the trust’s systems are secure.
- Providing information about how effective our security systems are.
Factors against confirming or denying if we hold relevant information.
- The public interest in crime prevention.
- Avoiding disruption to public services.
- Avoiding costs associated with any attacks (for example, recovery, revenue, regulatory fines).
- Preventing any threat to the integrity of trust data.
- Ensuring the trust can comply with its duties to take all necessary steps to safeguard data.
The trust is satisfied that the balance of public interest lies in upholding the exemption and not releasing the information.
To provide assurance that trust systems are secure, we are happy to release details of the compliance standards the trust currently meets at the time of any request being submitted.
Your rights
Internal review
If you are dissatisfied with the handling of your request, you have the right to ask for an internal review. Internal review requests should be submitted within two months of the date of receipt of the response to your original request and should be submitted to rdash.foirdash@nhs.net.
Complaint to the Information Commissioner’s Office
If you are not content with the outcomes of the internal review, you have the right to apply directly to the Information Commissioner for a decision.
The Information Commissioner’s Office can be contacted using the details below.
Page last reviewed: June 10, 2025
Next review due: June 10, 2026