About the Freedom of Information Act (FOI) 

The Freedom of Information Act (FOI) was passed on the 30th November 2000 and came into force on the 1st January 2005. It aims to promote a culture of openness and accountability in the public sector, by providing people with a general right of access to all types of recorded information held by public authorities. The Act replaces the Open Government Code of Practice which has been in operation since 1994.

The Act requires all public authorities to produce publication schemes, setting out what information they will make available as a matter of course, and when and how they will make it available.

The Act applies to all public authorities, including government departments, local authorities, NHS bodies, schools, colleges and universities, and the police, House of Commons and House of Lords.

What it means for our Trust:

  • The Act affects everyone in the Trust 
  • There is a statutory duty to implement the Act
  • It allows anyone to find out whether information is held, and if it is, to have access to it
  • There are no time limits on how far back someone can gain access to information; access extends as far back as we hold the information
  • Under the Freedom of Information Act 2000, we are committed to providing timely and accessible information to the public and responding to reasonable requests for information.

How do I make a Freedom of Information request?

An FOI request is a request for information under the FOI Act. Your request for information must be in writing, include a name and address for correspondence (an email address is also acceptable) and describe the information that you are requesting, giving us enough detail to allow us to correctly identify and find it.

Where possible, responses to requests for information will be supplied in the format requested by the applicant. However, responses may be supplied by providing a copy of the original document, a summary of the original or by allowing the applicant to visit Trust premises to read the document(s).

Your request must be dealt with within twenty working days of receipt (or after the payment of any relevant fee). Copies of our FOI responses are uploaded onto our website.

There are three main ways of making a request for information:

  • Directly to the Freedom of Information Act Officer
  • By emailing the Freedom of Information team: cdda-tr.cddftfoi@nhs.net 
  • To a member of Trust staff

Requests relating to Trust Systems

CDDFT believe that disclosing cyber security details would undermine the security of our infrastructure. It would reveal information about our cyber security operations and architecture which would be useful to potential cyber-attackers. We have therefore withheld this information in accordance with section 31(1)(a) as well as section 24(1) FOIA. These are qualified exemptions and require a public interest test to be performed, as follows:

The NHS is aware of the increasing threat of cyber-crime to organisations, especially high-profile organisations such as the NHS. With this in mind, we consider that disclosure of core architecture would prejudice the prevention and detection of crime (including cyber-crime). Therefore, this information is exempt by virtue of section 31(1)(a) FOIA. This is a qualified exemption and the public interest test applies.

CDDFT accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds. However, this is outweighed by the risks of criminal activity being undertaken if the information were disclosed. The release of this material could provide valuable information to those wishing to launch a cyber-attack against the Trust or the wider NHS. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences for both staff and patients.

In these circumstances it is CDDFT's view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

In addition to the increased threats and incidents of cyber-crime, national security is also increasingly under threat from those organisations and individuals who seek to use technology to disrupt the workings of public bodies. To limit these risks, we are also withholding the information for the purpose of safeguarding national security. This information is therefore also exempt by virtue of section 24(1) FOIA. This is a qualified exemption and the public interest test applies.

Again, CDDFT accept there is a legitimate public interest in the effectiveness of measures being employed to keep the NHS safe and secure. This is especially important given that this infrastructure is maintained using public funds.

However, CDDFT consider that it is not in the wider public interest to disclose this information because, as well as the risk posed to the security of the NHS, there is also a risk of national security being compromised. Knowledge of the core architecture would allow potential cyber-attackers to build up a picture of our capability and capacity in this area. It could provide those groups or individuals with an indication of where to focus their efforts when targeting our systems. Groups planning attacks are known to conduct extensive research and will take advantage of the ‘mosaic effect’ by combining information from different sources. If this information were to be combined with other information already in the public domain or obtained from elsewhere, the disclosure of it could assist in mounting an effort to breach or bypass cyber security measures, with serious consequences. As the NHS is an essential part of the UK’s public health and emergency response and these security measures also protect the proper functioning of Category One Emergency provision, the disclosure of this information may also compromise national security.

In these circumstances it is CDDFT's view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

The Trust is able to confirm that there are limited details of some system contracts available on the Contract Register published in the public domain.

However, no further information will be disclosed.