FOI_23-385 IT contracts
Date of response: 08 January 2024
We have now considered your request of 07 December 2023 for the following information:
You may have received the same request in the past and this information sent has now expired and I require an update as soon as possible for the following. This is a request for information that relates to the organisation’s contracts around ICT contract(s) for Server Hardware Maintenance, Server Virtualisation Licenses and Maintenance and Storage Area Network (SAN) Maintenance/Support, which may include:• Server Hardware Maintenance- contracts relating to the support and maintenance of the organisation’s physical servers.• Virtualisation Maintenance/Support/ Licensing (VMware, Solaris, Unix, Linux, Windows Server)• Storage Area Network Maintenance/Support (EMC, NetApp etc). For each of the types of contract described above, please can you provide me with the following data. If there is more than one contract please split the information for each separate supplier this includes annual spend1. Contract Title: Please provide me with the contract title.
2. Type of Contracts (ABOVE): Please can you provide me with one or more contract types the contract relates to: Server Hardware, Virtualisation, SAN (Storage Area Network)3. Existing/Current Supplier: Please provide me with the supplier name for each contract.4. Brand: Please state the brand of hardware or software 5. Operating System / Software (Platform): (Windows, Linux, Unix, Vsphere, AIX, Solaris etc.) Please state the operating system used by the organisation.6. Annual Average Spend: Please provide me with the most recent annual spend for this contract?7. Contract Duration: (Please can you also include notes if the contract includes any contract Extension periods.) 8. Contract Expiry Date: Please can you provide me with the date of when the contract expires. 9. Contract Review Date: (An approximate date of when the organisation is planning to review this particular contract.) 10. Purchase of Servers: Could you please provide me with the month and year in which most/bulk of servers were purchased. 11. Number of Physical Server: Please can you provide me with the number of physical servers. 12. Number of Virtual Servers: Please can you provide me with the number of Virtual servers 13. Brief Contract Description: I require a brief description of the service provided under this contract. Please do not just put maintenance. I need at least a sentence. 14.Contract Owner: (The person from within the organisation that is responsible for reviewing and renewing this particular contract. Please include their full name, job title, direct contact number and direct email address.)
Our response:
Please see our updated response in FOI_23-385 Appendix A. Please note that we have used the original data provided to you in our response to the following related request, our ref: FOI_23-298 and updated the information accordingly.
The staff named in FOI_23-385 Appendix A are exercising their right to object to processing contained in article 21 of the General Data Protection Regulation. This right is exercised here with specific reference to not having their contact information used for marketing purposes.
Unfortunately, on this occasion, it is not possible to provide all the requested information. The Act contains a number of exemptions that allow public authorities to withhold certain information from release. We have applied the following exemption to some of the information you have requested:
Exemption | Reason |
|---|---|
s.31(1)(a), Law enforcement | Some of the requested information would be likely to prejudice the prevention or detection of crime |
As with other large organisations, universities are reliant on the smooth running of their IT networks. Maintaining the security of these networks is a significant challenge for all universities, who are increasingly subject to both general cyber security threats and targeted attempts to obtain information from students and staff.
Release of any information under the Act represents a disclosure to the world at large, and it is our belief that if specific information was disclosed about our ‘server hardware maintenance’ – our operating system software and details of our ‘virtualisation, maintenance / support licencing’ – specifically the contract title, brand, operating system software and description of this, then a motivated individual or group could use this information to target any potential vulnerabilities, exposing the University’s IT systems to various types of unlawful attack and consequently prejudicing the prevention of criminal activity.
We believe that this is a real and significant risk, and this belief is based on what we know about attacks that have taken place at other universities and which have had serious effects on those institutions.
Having determined that disclosure of this information would expose the University to a real and significant risk of crime, application of the s.31(1) exemption also requires us to consider the public interest in withholding or disclosing this information.
The factors in favour of disclosure would include:
Increasing public understanding of the University’s information technology systems and processes and how it manages its business; this may include general information about how we manage our server hardware and virtualisation maintenance / support licencing and underpinning much of the work of the organisation
Enhancing the transparency and accountability of our IT operating system software and licencing which we have implemented.
Factors in favour of withholding the information are largely laid out in the explanation for the use of the exemption above but would include:
Protecting the ability of public authorities to protect valuable public assets acquired with public funds.
There is a strong public interest in not publishing information which might expose the University to cyber attacks and in preventing criminal activity that could damage the running of the University and the security of information held.
After consideration of the above factors, we believe, on balance, that the public interest lies in maintaining in the exemption. We have detailed in Appendix A where this exemption applies.