We don't know whether the most recent response to this request contains information or not – if you are Kadhim Shubber please sign in and let everyone know.

Information regarding Darktrace


Dear West Suffolk NHS Foundation Trust,

This is a request for information under the Freedom of Information Act.

Please provide the following details of any and all gifts and/or hospitality provided by the cybersecurity company Darktrace (also known as Darktrace Limited, Darktrace Holdings and Darktrace Plc):

-- The monetary value;
-- The description;
-- The date;
-- The unit, office or department in which the recipients of the gifts/hospitality worked;
-- Whether the gifts/hospitality were accepted, rejected, or otherwise donated;

Please provide this information for any gifts/hospitality received from June 2013 onwards inclusive in the form of an itemised list for each instance of a gift and/or hospitality.

Please also disclose whether you were using Darktrace's services in May 2017.

Please provide the most up-to-date information as of the date this request is fulfilled in electronic (soft copy) form.

If it is not possible to fulfil this request due to the information exceeding the cost of compliance limits identified in Section 12, please provide advice and assistance, under the Section 16 obligations of the Act, as to how I can refine my request. If you can identify any other ways that my request could be refined I would be grateful for any further advice and assistance.

Thank you for your assistance and I look forward to your response.

Kadhim Shubber

FOI, West Suffolk NHS Foundation Trust

Dear Kadhim Shubber
 
I am writing to confirm that the West Suffolk NHS Foundation Trust has now
completed its search for the information which you requested on 27th April
2021.
 
Please find our response to your request.
 
Please provide the following details of any and all gifts and/or
hospitality provided by the cybersecurity company Darktrace (also known as
Darktrace Limited, Darktrace Holdings and Darktrace Plc):
 
-- The monetary value;
-- The description;
-- The date;
-- The unit, office or department in which the recipients of the
gifts/hospitality worked;
-- Whether the gifts/hospitality were accepted, rejected, or otherwise
donated;
 
Please provide this information for any gifts/hospitality received from
June 2013 onwards inclusive in the form of an itemised list for each
instance of a gift and/or hospitality.

West Suffolk NHS Foundation Trust has no record of gifts and/or
hospitality provided by Darktrace at any time.
 
Please also disclose whether you were using Darktrace's services in May
2017.

Please be advised we are applying an exemption to the above: See below

S31(3) of the FOIA allows a public authority to neither confirm nor deny
whether it holds information where such confirmation would be likely to
prejudice any of the matters outlined in section 31(1). This includes
information the disclosure of which would or would be likely to prejudice
the prevention or detection of crime.

As section 31(3) is a qualified exemption, it is subject to a public
interest test for determining whether the public interest lies in
confirming whether the information is held or not.

Factors in favour of confirming or denying the information is held

The NHS Trust considers that to confirm or deny whether the requested
information is held would indicate the prevalence of cyber-attacks
against the NHS Trust’s ICT infrastructure and would reveal details about
the Trust’s information security systems. The NHS Trust recognises that
answering the request would promote openness and transparency with regards
to the NHS Trust’s ICT security.

Factors in favour of neither confirming nor denying the information is
held

Cyber-attacks, which may amount to criminal offences for example under the
Computer Misuse Act 1990 or the Data Protection Act 1998, are rated as a
Tier 1 threat by the UK Government. The NHS Trust like any organisation
may be subject to cyber-attacks and, since it holds large amounts of
sensitive, personal and confidential information, maintaining the security
of this information is extremely important.

In this context, the NHS Trust considers that confirming or denying
whether the requested information is held would provide information about
the NHS Trust’s information security systems and its resilience to
cyber-attacks. There is a very strong public interest in preventing the
NHS Trust’s information systems from being subject to cyber-attacks.
Confirming or denying the type of information requested would be likely to
prejudice the prevention of cybercrime, and this is not in the public
interest.

Balancing the public interest factors

The NHS Trust has considered that if it were to confirm or deny whether it
holds the requested information, it would enable potential cyber attackers
to ascertain how and to what extent the NHS Trust is able to detect and
deal with ICT security attacks. The NHS Trust’s position is that complying
with the duty to confirm or deny whether the information is held would be
likely to prejudice the prevention or detection of crime, as the
information would assist those who want to attack the NHS Trust’s ICT
systems. Disclosure of the information would assist a hacker in gaining
valuable information as to the nature of the NHS Trust’s systems, defences
and possible vulnerabilities. This information would enter the public
domain and set a precedent for other similar requests which would, in
principle, result in the NHS Trust being in a position where it would be more
difficult to refuse information in similar requests. To confirm or deny
whether the information is held is likely to enable hackers to obtain
information in mosaic form combined with other information to enable
hackers to gain greater insight than they would ordinarily have, which
would facilitate the commissioning of crime such as hacking itself and
also fraud. This would impact on the NHS Trust’s operations including its
front line services. The prejudice in complying with section 1(1)(a) FOIA
is real and significant as to confirm or deny would allow valuable insight
into the perceived strengths and weaknesses of the NHS Trust’s ICT
systems.
 
 
 
 
The information supplied to you continues to be protected by the
Copyright, Designs and Patents Act 1988. You are free to use it for your
own purposes, including any non-commercial research and for the purposes
of news reporting. Any other reuse, for example commercial publication,
would require the permission of the copyright holder.
 
If you are unhappy with the service you have received in relation to your
request and wish to make a complaint or request a review of our decision,
you should write to:
 
Chief Executive
West Suffolk NHS Foundation Trust
Hardwick Lane
Bury St Edmunds
Suffolk IP33 2QZ
 
If you are not content with the outcome of your complaint, you may request
the Information Commissioner’s Office to carry out a review.
 
Kind regards
FOI Team
West Suffolk NHS Foundation Trust
Hardwick Lane|Bury St Edmunds|SUFFOLK|IP33 2QZ
 

--------------------------------------------------------------------------

Scanned by Trustwave SEG - Trustwave's comprehensive email content
security solution.


Dear West Suffolk NHS Foundation Trust,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of West Suffolk NHS Foundation Trust's handling of my FOI request 'Information regarding Darktrace'.

The Trust declined to confirm whether or not it held information about whether it was using Darktrace in May 2017, nor to provide that information if it is held. The basis of that refusal appears to be that there would be some risk to the Trust's cybersecurity if such disclosures were made. The Trust cites the exemption under Section 31(3), which requires the Trust to show that there would be a "causal" link between the disclosures and the alleged harms.

The Trust states that "to confirm or deny whether the requested information is held would indicate the prevalence of cyber-attacks against the NHS Trust’s ICT infrastructure and would reveal details about the Trust’s information security systems" and further that "confirming or denying whether the requested information is held would provide information about the NHS Trust’s information security systems and its resilience to cyber-attacks". In addition, the Trust states that disclosure "would enable potential cyber attackers to ascertain how and to what extent the NHS Trust is able to detect and deal with ICT security attacks" and "assist a hacker in gaining valuable information as to the nature of the NHS Trust’s systems, defences and possible vulnerabilities". Finally, the Trust argues that disclosure would "set a precedent for other similar requests which would, in principle, result in the NHS Trust being in a position where it would be more difficult to refuse information in similar requests", allowing hackers to "obtain information in mosaic form".

These arguments would carry greater weight if my request sought information about the current state of the Trust's cyberdefences. It does not. My request sought only the basic fact of whether the Trust used a particular supplier some four years ago, long in the past. This is of no use to a potential hacker. Even the most skilled hackers cannot go back in time to attack the Trust, and information about a state of affairs years in the past does not reveal anything about the current status of the Trust's cybersecurity systems. You will be aware that May 2017 was the month the WannaCry attack hit the NHS -- I don't think anybody thinks that NHS cybersecurity defenses did not change following that incident.

Further, the argument that disclosure would set a precedent possibly leading to further disclosure of other information in the future is not a sufficient "causal" link to an alleged harm. The Trust assesses each request it receives on its own merits and can judge the potential harms from any particular disclosure in the context of its previous disclosures. The Trust has made no argument in this case that there is a mosaic risk from the particular information requested, but it may do in future with other requests and nothing about disclosure in this case precludes it from doing so.

For these reasons, I do not believe that the Trust can make the required showing of a causal link to harm under the cited exemption.

Thank you for considering this matter.

Kadhim Shubber

FOI, West Suffolk NHS Foundation Trust


 

 

 

 

West Suffolk NHS Foundation Trust

Hardwick Lane

Bury St Edmunds

IP33 2QZ

 

16th June 2021

 

By email: Kadhim Shubber [1][FOI #751402 email]

 

Dear Kadhim Shubber

 

Review of your request under the Freedom of Information Act 2000

 

We refer to your email on 2 June 2021 in which you requested an internal
review of our response to:

 

FOI 21-16045 dated 18th May 2021

 

Your original request is set out in Appendix 1 and our response in
Appendix 2 of this letter.

Your request for an internal review was, as follows:

 

“I formally ask for an internal review of this as I believe you have not
given me full details”

 

Decision

We have now completed an internal review of your request and
confirm that we have decided to uphold / amend the original decision. We
have set out our reasons below.

 

Please find attached

 

Right to review

If you are not content with the outcome of the internal review, you have
the right to apply directly to the Information Commissioner for a
decision.

The Information Commissioner can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

 

Yours sincerely

 

FOI Team

West Suffolk Hospital

 

 

Appendix 1

 

Please provide the following details of any and all gifts and/or
hospitality provided by the cybersecurity company Darktrace (also known as
Darktrace Limited, Darktrace Holdings and Darktrace Plc):

 

-- The monetary value;

-- The description;

-- The date;

-- The unit, office or department in which the recipients of the
gifts/hospitality worked;

-- Whether the gifts/hospitality were accepted, rejected, or otherwise
donated;

 

Please provide this information for any gifts/hospitality received from
June 2013 onwards inclusive in the form of an itemised list for each
instance of a gift and/or hospitality.

 

Please also disclose whether you were using Darktrace's services in May
2017.

 

Please provide the most up-to-date information as of the date this request
is fulfilled in electronic (soft copy) form.

 

 

Appendix 2

 

Dear Kadhim Shubber

 

I am writing to confirm that the West Suffolk NHS Foundation Trust has now
completed its search for the information which you requested on 27th April
2021.

 

Please find our response to your request.

 

Please provide the following details of any and all gifts and/or
hospitality provided by the cybersecurity company Darktrace (also known as
Darktrace Limited, Darktrace Holdings and Darktrace Plc):

 

-- The monetary value;

-- The description;

-- The date;

-- The unit, office or department in which the recipients of the
gifts/hospitality worked;

-- Whether the gifts/hospitality were accepted, rejected, or otherwise
donated;

 

Please provide this information for any gifts/hospitality received from
June 2013 onwards inclusive in the form of an itemised list for each
instance of a gift and/or hospitality.

West Suffolk NHS Foundation Trust has no record of gifts and/or
hospitality provided by Darktrace at any time.

 

Please also disclose whether you were using Darktrace's services in May
2017.

Please be advised we are applying an exemption to the above: See below

     

S31(3) of the FOIA allows a public authority to neither confirm nor deny
whether it holds information where such confirmation would be likely to
prejudice any of the matters outlined in section 31(1). This includes
information the disclosure of which would or would be likely to prejudice
the prevention or detection of crime.

As section 31(3) is a qualified exemption, it is subject to a public
interest test for determining whether the public interest lies in
confirming whether the information is held or not.

Factors in favour of confirming or denying the information is held

The NHS Trust considers that to confirm or deny whether the requested
information is held would indicate the prevalence of cyber-attacks
against the NHS Trust’s ICT infrastructure and would reveal details about
the Trust’s information security systems. The NHS Trust recognises that
answering the request would promote openness and transparency with regards
to the NHS Trust’s ICT security.

Factors in favour of neither confirming nor denying the information is
held

Cyber-attacks, which may amount to criminal offences for example under the
Computer Misuse Act 1990 or the Data Protection Act 1998, are rated as a
Tier 1 threat by the UK Government. The NHS Trust like any organisation
may be subject to cyber-attacks and, since it holds large amounts of
sensitive, personal and confidential information, maintaining the security
of this information is extremely important.

In this context, the NHS Trust considers that confirming or denying
whether the requested information is held would provide information about
the NHS Trust’s information security systems and its resilience to
cyber-attacks. There is a very strong public interest in preventing the
NHS Trust’s information systems from being subject to cyber-attacks.
Confirming or denying the type of information requested would be likely to
prejudice the prevention of cybercrime, and this is not in the public
interest.

Balancing the public interest factors

The NHS Trust has considered that if it were to confirm or deny whether it
holds the requested information, it would enable potential cyber attackers
to ascertain how and to what extent the NHS Trust is able to detect and
deal with ICT security attacks. The NHS Trust’s position is that complying
with the duty to confirm or deny whether the information is held would be
likely to prejudice the prevention or detection of crime, as the
information would assist those who want to attack the NHS Trust’s ICT
systems. Disclosure of the information would assist a hacker in gaining
valuable information as to the nature of the NHS Trust’s systems, defences
and possible vulnerabilities. This information would enter the public
domain and set a precedent for other similar requests which would, in
principle, result in the NHS Trust being in a position where it would be more
difficult to refuse information in similar requests. To confirm or deny
whether the information is held is likely to enable hackers to obtain
information in mosaic form combined with other information to enable
hackers to gain greater insight than they would ordinarily have, which
would facilitate the commissioning of crime such as hacking itself and
also fraud. This would impact on the NHS Trust’s operations including its
front line services. The prejudice in complying with section 1(1)(a) FOIA
is real and significant as to confirm or deny would allow valuable insight
into the perceived strengths and weaknesses of the NHS Trust’s ICT
systems.

 

 

 

 

The information supplied to you continues to be protected by the
Copyright, Designs and Patents Act 1988. You are free to use it for your
own purposes, including any non-commercial research and for the purposes
of news reporting. Any other reuse, for example commercial publication,
would require the permission of the copyright holder.

 

If you are unhappy with the service you have received in relation to your
request and wish to make a complaint or request a review of our decision,
you should write to:

 

Chief Executive

West Suffolk NHS Foundation Trust

Hardwick Lane

Bury St Edmunds

Suffolk IP33 2QZ

 

If you are not content with the outcome of your complaint, you may request
the Information Commissioner’s Office to carry out a review.

 

Kind regards

FOI Team

West Suffolk NHS Foundation Trust

Hardwick Lane|Bury St Edmunds|SUFFOLK|IP33 2QZ

 

 


References

Visible links
1. mailto:[FOI #751402 email]
