Request

I am conducting a research project into how public sector organisations procure cyber security services and enterprise software platforms. As part of this, I would be grateful if you could provide the most recent contract information you hold for the following areas: . Standard Firewall (Network), Anti-virus Software Application, Microsoft Enterprise Agreement, Microsoft Power BI

The NHS Business Services Authority (NHSBSA) received your request on Wednesday 04 June 2025

We have handled your request under the Freedom of Information Act 2000 (FOIA).

Our response

I can confirm that the NHSBSA holds the information you have requested. Please find the updated information below.

Kindly note that this is a revised version of the information previously provided. We apologise for any inconvenience caused; since the initial response was issued, we have received an updated figure and clarification regarding the Microsoft Enterprise Agreement.

Standard Firewall (Network)

• Description of Services: Firewall services that protect the organisation’s network from unauthorised access and other internet security threats.
• Contract Finder URL: ITIS Network Services WAN & LAN - Contracts Finder
• Existing Supplier: Virgin Media Business Limited
• Annual Spend: (Unable to provide a complete accurate figure due to the incorporation into the wider network contract)
• Primary Brand: N/A
• Contract Start Date: 25 September 2018
• Contract Expiry Date: 24 September 2025
• Total Duration: 84 Months
• Responsible Contract Officer:
  • Job Title: Exempt from disclosure, please see below
  • Name: Exempt from disclosure, please see below
  • Email Address: Exempt from disclosure, please see below
• Number of Licenses/Users: 4

Anti-virus Software Application

• Description of Services: Programs designed to prevent, detect, and remove viruses, malware, trojans, adware, and related threats.
• Contract Finder URL: Microsoft Enterprise Agreement - Contracts Finder
• Existing Supplier: Trustmarque Solutions Limited
• Annual Spend: (Unable to provide a complete accurate figure due to the incorporation into the wider Microsoft Enterprise Agreement)
• Primary Brand: Microsoft
• Contract Start Date: 01 April 2021
• Contract Expiry Date: 31 October 2025
• Total Duration: 43 Months
• Responsible Contract Officer:
  • Job Title: Exempt from disclosure, please see below
  • Name: Exempt from disclosure, please see below
  • Email Address: Exempt from disclosure, please see below
• Number of Licenses/Users: 7543

Microsoft Enterprise Agreement

• Description of Services: Volume licensing agreement including Microsoft 365, Windows Enterprise, EMS, and Azure services.
• Contract Finder URL: Microsoft Enterprise Agreement - Contracts Finder
• Existing Supplier: Trustmarque Solutions Limited
• Annual Spend: £1,985,197.67
• Primary Brand: Microsoft
• Contract Start Date: 01 April 2021
• Contract Expiry Date: 31 October 2025
• Total Duration: 43 Months
• Responsible Contract Officer:
  • Job Title: Exempt from disclosure, please see below
  • Name: Exempt from disclosure, please see below
  • Email Address: Exempt from disclosure, please see below
• Number of Licenses/Users: 6366 user Licenses across our M365 enterprise suite of products.

Microsoft Power BI / Business Intelligence Platform

• Description of Services: Business intelligence platform used for data connectivity, dashboards, and reporting.
• Contract Finder URL: Microsoft Enterprise Agreement - Contracts Finder
• Existing Supplier: Trustmarque Solutions Limited
• Annual Spend: (Unable to provide a complete accurate figure due to the incorporation into the wider Microsoft Enterprise Agreement)
• Primary Brand: Microsoft
• Contract Start Date: 01 April 2021
• Contract Expiry Date: 31 October 2025
• Total Duration: 43 Months
• Responsible Contract Officer:
  • Job Title: Exempt from disclosure, please see below
  • Name: Exempt from disclosure, please see below
  • Email Address: Exempt from disclosure, please see below
• Number of Licenses/Users: 85 Licenses

Job titles, names and email addresses:

I can confirm that we do hold the requested information, but this information is exempt under section 31(1)(a) of the FOIA (law enforcement) as disclosure would be likely to prejudice the prevention or detection of crime.

Disclosure of job titles, names and email addresses in connection with cyber security services and enterprise software platforms would be likely to increase the vulnerability to targeted phishing attacks by providing vital information and knowledge to assist cyber attackers.

Section 31 is a qualified, prejudice-based exemption and is subject to the public interest test. This means that not only does the information have to prejudice one of the purposes listed, but before the information can be withheld, the public interest in preventing that prejudice must outweigh the public interest in disclosure.

Public Interest Test:

Considerations in favour of disclosure:

• Disclosure would demonstrate a commitment to the NHSBSA’s transparency and could provide assurance to the public regarding the NHSBSA’s cyber security.
• Disclosure would assist in the accountability of public money being spent.

Considerations against disclosure:

• The inherent public interest in maintaining the integrity and security of the NHSBSA’s systems.
• Cyber-attacks, which may amount to criminal offences for example under the Computer Misuse Act 1990 or the Data Protection Act 2018, are rated as a Tier 1 threat by the UK Government. The NHSBSA, like any organisation, may be subject to cyber-attacks and, since it holds large amounts of sensitive, personal and confidential information, maintaining the security of this information is extremely important.
• The occurrence of a future cyber-attack would prejudice the NHSBSA’s legal duty to safeguard personal information from loss, theft, inappropriate access, or destruction and therefore it is not in the public interest to disclose information.
• A cyber-attack could have severe consequences for the NHSBSA’s services and therefore have a direct impact on members of the public receiving those services, as demonstrated in the recent cyber-attack.
• The inherent public interest in ensuring that public authorities can safeguard themselves from cyber-attacks which is linked to the protection of public funds.

Conclusion:

The NHSBSA recognises that there is a public interest in disclosure of the information to promote transparency and accountability however, in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information as more weight is afforded to the arguments outlined above in maintaining

Please see the following link to view the section 31 exemption in full - https://opendata.nhsbsa.net/dataset/foi-02896

Your personal details will be removed from the published response.

Data Queries

Please contact foirequests@nhsbsa.nhs.uk ensuring you quote the above reference if you have any specific questions regarding this response; or, if you feel you may be misunderstanding or misinterpreting the information; or, if you plan on publishing the data.

Reusing the data and copyright

If you plan on producing a press or broadcast story based upon the data please contact communicationsteam@nhsbsa.nhs.uk. This is important to ensure that the figures are not misunderstood or misrepresented.

The information supplied to you continues to be protected by the Copyright, Designs and Patents Act 1988 and is subject to NHSBSA copyright. This information is licenced under the terms of the Open Government Licence detailed at:

http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/

Should you wish to re-use the information you must include the following statement: “NHSBSA Copyright 2025”. Failure to do so is a breach of the terms of the licence.

Information you receive which is not subject to NHSBSA Copyright continues to be protected by the copyright of the person, or organisation, from which the information originated. Please obtain their permission before reproducing any third party (non NHSBSA Copyright) information.