
Cyber Security; Budget, Staff, Breaches

Reference: 25-26322

Date response sent: 22/10/2025

Details of enquiry

Please provide the following information:

  1. The most up to date annual cybersecurity budget that has been allocated to your NHS trust.
  2. A breakdown of the trust’s annual cybersecurity budget since 2019.
  3. How is your annual cybersecurity budget spent in the latest up to date annual figure? Please include: percentage going towards cybersecurity training for employees, towards technology investments, towards employee resources for cybersecurity team.
  4. The number of employees working in your NHS Trust.
  5. The number of employed, full time members of staff which make up the NHS Trust’s cyber / info security team.
  6. Number of hours of cybersecurity training employees at the Trust are required to undertake each year.
  7. Has the Trust paid any ransom demands to cybercriminals in the last five years? If yes, how much was paid?
  8. Has the Trust had any patient records compromised / stolen by cybercriminals in the last five years? If yes, how many?

Response sent

  1. The most up to date annual cybersecurity budget that has been allocated to your NHS trust.

This is not a separate budget; it is included within the whole IM&T budget.

  2. A breakdown of the trust’s annual cybersecurity budget since 2019.

Not applicable. See our response to Question 1 above.

  3. How is your annual cybersecurity budget spent in the latest up to date annual figure? Please include: percentage going towards cybersecurity training for employees, towards technology investments, towards employee resources for cybersecurity team.

Data withheld under s31(a) of the Freedom of Information Act 2000 (FOIA) – see below for details on the application of this exemption.

  4. The number of employees working in your NHS Trust.

The data you have requested is withheld under s21 of the Freedom of Information Act 2000 (FOIA) as it is already available within the public domain and can be accessed from the Workforce Statistics section on the NHS England Digital website, by clicking on this link: NHS workforce statistics – NHS England Digital. There you will find a summary page with a series of links by month which provide workforce statistics, going back to 2013.

Our Trust, the Tavistock and Portman NHS Foundation Trust, is listed within these reports, by name, under the section ICS Code QM5 and North Central London.

When reviewing these statistics, it might be helpful for you to know that the Tavistock and Portman NHS Foundation Trust is a small specialist mental health Trust, and not a hospital. We provide outpatient, and mainly psychological, services. We do not provide acute services, inpatient services or detention facilities, and do not have an A&E department.

  5. The number of employed, full time members of staff which make up the NHS Trust’s cyber / info security team.

We do not have a dedicated cyber security team. These tasks are undertaken as part of the Business-as-Usual activities of the ICT Infrastructure Team and the Information Governance Team.

  6. Number of hours of cybersecurity training employees at the Trust are required to undertake each year.

Circa 30 minutes as part of the Trust’s mandatory e-training programme.

  7. Has the Trust paid any ransom demands to cybercriminals in the last five years? If yes, how much was paid?

No

  8. Has the Trust had any patient records compromised / stolen by cybercriminals in the last five years? If yes, how many?

No

Explanation of Exemptions Engaged in this Response

  • Section 21(1) of the Freedom of Information Act, Information Accessible by Other Means

With regard to the above exemption engaged for question 3, Section 21(1) of the Freedom of Information Act exempts disclosure of information that is reasonably accessible by other means. The terms of the exemption mean that we do not have to consider whether or not it would be in the public interest for you to have the information, as it is readily available for public review.

  • FOIA Exemption s31(a), Explanation and Public Interest Test

With regard to the above exemption engaged for question 3, s.31(a) of FOIA (Law Enforcement: the prevention or detection of crime) is a qualified exemption that requires us, the authority, to carry out the public interest test.

We have carried out the public interest test and have set out below the public interest arguments which we have considered for each of question 1 and question 2 above:

Arguments in favour of disclosure:

Promoting accountability and transparency on how public funds are utilised and spent.

Arguments in favour of maintaining the exemption:

The Trust has a duty to ensure that its information systems and assets are kept secure.

Disclosure of the requested information could facilitate criminal activity, in particular cybercrime, and especially when combined with other information already in the public domain or which could be gleaned from other sources, including any information that the Trust has previously provided or may be forced to disclose in the future.

Disclosure of the requested information could, therefore, increase vulnerability to malicious attack, including the corruption or loss of data, software, hardware or other equipment, which would impact on the Trust’s ability to provide essential services.

These vulnerabilities could extend to suppliers on whose services the Trust relies.

Weight of Balance

We have concluded that, on balance, the public interest in maintaining the exemption outweighs the public interest in disclosure. This means that the Trust will withhold the requested data.