FOI 26-189 IT Infrastructure

Freedom of Information Request

Reference
FOI 26-189 IT Infrastructure
Request Date
14 Apr 2026
Response Date
07 May 2026
Information Requested

I am requesting information relating to your organisation's IT
infrastructure, digital maturity, staffing, contracts and technology
spend. To assist in processing this request efficiently, I have
structured it into clearly numbered sections below.

──────────────────────────────────────
SECTION 1 — IT BUDGET AND SPEND
──────────────────────────────────────

1.1  What is your organisation's total annual IT / digital technology
budget for the current financial year (or most recently completed
financial year)? Please break this down into:
     (a) Capital expenditure (CapEx)
     (b) Operational expenditure (OpEx)

1.2  What proportion of your total organisational budget does IT /
digital technology represent (as a percentage)?

1.3  Is there a separate cyber security budget? If so, what is its value?

1.4  Please provide the name(s) of any Commissioning Support Units
(CSUs) or managed service partners that manage IT expenditure on your
behalf, if applicable.

──────────────────────────────────────
SECTION 2 — IT STAFFING
──────────────────────────────────────

2.1  How many whole-time equivalent (WTE) staff are directly employed
in IT, digital or technology roles within your organisation?

2.2  Please provide a breakdown of IT staff by job role or band (e.g.
Agenda for Change band or equivalent). Specific names are not
required.

2.3  Does your organisation have the following named roles in post?
(Please answer Yes / No / Vacant for each):
     (a) Chief Information Officer (CIO) or equivalent
     (b) Chief Digital Officer (CDO) or equivalent
     (c) Chief Technology Officer (CTO) or equivalent
     (d) Chief Information Security Officer (CISO) or equivalent
     (e) IT Director / Head of IT
     (f) Digital Transformation Lead or equivalent

2.4  How many IT staff are employed via third-party contractors or
agency arrangements? What is the approximate annual spend on these
arrangements?

──────────────────────────────────────
SECTION 3 — SERVER AND COMPUTE INFRASTRUCTURE
──────────────────────────────────────

3.1  Does your organisation operate on-premise server infrastructure? If yes:
     (a) What is the approximate number of physical servers in operation?
     (b) What server vendors / manufacturers does your organisation
use (e.g. Dell, HPE, Lenovo, Cisco UCS)?
     (c) What is the approximate age profile of your server estate
(e.g. percentage under 3 years, 3–5 years, over 5 years old)?

3.2  Does your organisation use virtualisation technologies? If yes,
which platform(s) (e.g. VMware, Microsoft Hyper-V, Nutanix)?

3.3  Does your organisation use hyperconverged infrastructure (HCI)?
If yes, which vendor(s)?

3.4  Does your organisation use cloud computing services (not
including office 365)? If yes:
     (a) Which cloud provider(s) do you use (e.g. AWS, Microsoft
Azure, Google Cloud, other)?
     (b) Approximately what proportion of your workloads are
cloud-hosted vs on-premise?
     (c) What is the approximate annual cloud spend?

──────────────────────────────────────
SECTION 4 — STORAGE INFRASTRUCTURE
──────────────────────────────────────

4.1  What storage platform(s) does your organisation use (e.g. NetApp,
Dell EMC, Pure Storage, HPE, IBM)?

4.2  What is the approximate total usable storage capacity across your
estate (in TB or PB)?

4.3  What is the approximate age of your primary storage estate?

──────────────────────────────────────
SECTION 5 — BACKUP, DISASTER RECOVERY AND BUSINESS CONTINUITY
──────────────────────────────────────

5.1  What backup software solution(s) does your organisation currently
use (e.g. Veeam, Commvault, Veritas NetBackup, Cohesity, Rubrik,
Zerto)?

5.2  What is your backup target infrastructure (e.g. on-premise disk,
tape, cloud)?

5.3  Does your organisation have a documented Disaster Recovery (DR)
plan? When was it last tested?

5.4  What is the current Recovery Point Objective (RPO) and Recovery
Time Objective (RTO) for your critical clinical systems?

5.5  Does your organisation use an offsite or cloud-based backup
solution? If yes, which provider?

──────────────────────────────────────
SECTION 6 — NETWORKING AND END-USER COMPUTING
──────────────────────────────────────

6.1  Who provides your Wide Area Network (WAN) and/or internet
connectivity services?

6.2  What network equipment vendors does your organisation use (e.g.
Cisco, Juniper, Aruba, Palo Alto)?

6.3  What is the approximate number of end-user devices (laptops,
desktops, tablets) in your organisation?

──────────────────────────────────────
SECTION 7 — SOFTWARE, LICENSING AND KEY CLINICAL SYSTEMS
──────────────────────────────────────

7.1  What is your current Electronic Patient Record (EPR) / Electronic
Health Record (EHR) system? Please provide the vendor name and
product.

7.2  What Patient Administration System (PAS) does your organisation use?

7.3  Does your organisation use a Picture Archiving and Communication
System (PACS) / radiology imaging system? If yes, which vendor and
product?

7.4  Does your organisation have a Microsoft Enterprise Agreement (or
equivalent) in place? When is this due for renewal?

7.5  What is the approximate annual spend on software licences across
the organisation?

7.6  Please list any other significant enterprise IT contracts (by
contract type / system category — e.g. HR, finance, workforce
management) with approximate annual values where held.

──────────────────────────────────────
SECTION 8 — WARRANTIES, CONTRACTS AND PROCUREMENT
──────────────────────────────────────

8.1  For your primary server, storage and network infrastructure, are
vendor warranties and/or third-party maintenance contracts in place?
Please provide:
     (a) The type of coverage (vendor warranty, third-party
maintenance, or both)
     (b) The name of the maintenance provider(s), if applicable
     (c) Approximate contract expiry dates where held

8.2  What procurement frameworks does your organisation use for IT
hardware and services (e.g. Crown Commercial Service, NHS Shared
Business Services, G-Cloud, Tech Products 4)?

8.3  Are any significant IT contracts due for renewal within the next
24 months? Please provide contract category (not necessarily full
commercial detail).

──────────────────────────────────────
SECTION 9 — DIGITAL MATURITY AND STRATEGY
──────────────────────────────────────

9.1  Has your organisation completed a Digital Maturity Assessment
(DMA) or equivalent framework in the last two years? If so:
     (a) Which assessment framework was used (e.g. NHS England DMA,
HIMSS EMRAM, Other)?
     (b) What overall maturity score or rating was achieved?

9.2  Does your organisation have a current Digital / IT Strategy? If
so, what is the publication or approval date?

9.3  Has your organisation achieved or is actively working towards any
recognised digital accreditations (e.g. HIMSS Level, NHS Digital
aspirant status, Cyber Essentials Plus)?

9.4  What are the top three stated digital priorities for your
organisation in the current or next financial year?

Response

 ────────────────────────────────────── 
SECTION 1 — IT BUDGET AND SPEND 
────────────────────────────────────── 
 
1.1  What is your organisation's total annual IT / digital technology 
budget for the current financial year (or most recently completed 
financial year)? Please break this down into: 
     (a) Capital expenditure (CapEx) - £1,621,950
     (b) Operational expenditure (OpEx) - £10,888,562

1.2  What proportion of your total organisational budget does IT / 
digital technology represent (as a percentage)? 

The proportion of our total organisational budget allocated to IT/digital technology stands at 2.6%. 

 1.3  Is there a separate cyber security budget? If so, what is its value? - No, this is included as part of the main ICT budget.  
1.4  Please provide the name(s) of any Commissioning Support Units 
(CSUs) or managed service partners that manage IT expenditure on your 
behalf, if applicable. Not Applicable 

 

  
────────────────────────────────────── 
SECTION 2 — IT STAFFING 
────────────────────────────────────── 
 
2.1  How many whole-time equivalent (WTE) staff are directly employed 
in IT, digital or technology roles within your organisation? - Currently around 60  
2.2  Please provide a breakdown of IT staff by job role or band (e.g. 
Agenda for Change band or equivalent). Specific names are not 
required. - Please see attached structure  
2.3  Does your organisation have the following named roles in post? 
(Please answer Yes / No / Vacant for each): 
     (a) Chief Information Officer (CIO) or equivalent - Yes
     (b) Chief Digital Officer (CDO) or equivalent - No
     (c) Chief Technology Officer (CTO) or equivalent - No
     (d) Chief Information Security Officer (CISO) or equivalent - Yes
     (e) IT Director / Head of IT - Yes
     (f) Digital Transformation Lead or equivalent - No

2.4  How many IT staff are employed via third-party contractors or 
agency arrangements? What is the approximate annual spend on these 
arrangements? - None 

 ────────────────────────────────────── 
SECTION 3 — SERVER AND COMPUTE INFRASTRUCTURE 
────────────────────────────────────── 
 
3.1  Does your organisation operate on-premise server infrastructure? If yes: 
     (a) What is the approximate number of physical servers in operation? - Approximately 350 servers are deployed across SAS estate.
     (b) What server vendors / manufacturers does your organisation
use (e.g. Dell, HPE, Lenovo, Cisco UCS)? - Primarily HP and DELL as per national framework agreements
     (c) What is the approximate age profile of your server estate
(e.g. percentage under 3 years, 3–5 years, over 5 years old)? - Exemption applied: FOISA s35(1)(a) – disclosure could assist cyber-crime by exposing infrastructure/supply-chain vulnerabilities, so we have withheld those details in the public interest.

 3.2  Does your organisation use virtualisation technologies? If yes, 
which platform(s) (e.g. VMware, Microsoft Hyper-V, Nutanix)? - Yes, VMWare.  
3.3  Does your organisation use hyperconverged infrastructure (HCI)? 
If yes, which vendor(s)? - No.  
3.4  Does your organisation use cloud computing services (not
including office 365)? If yes: - Yes, SAS uses cloud provided services. This includes national system solutions which are not under the contractual management of SAS. National NHS Scotland systems for example.
     (a) Which cloud provider(s) do you use (e.g. AWS, Microsoft
Azure, Google Cloud, other)? This information is not fully available, AWS and Azure are both included.

      (b) Approximately what proportion of your workloads are 
cloud-hosted vs on-premise? This information is not available. To calculate such proportions would require extensive investigatory effort.  It is for this reason we have applied section 17 of the Freedom of Information Scotland Act 2002 as information not held. 

      (c) What is the approximate annual cloud spend? 

This information is not available. It is for this reason we have applied section 17 of the Freedom of Information Scotland Act 2002 as information not held.  
────────────────────────────────────── 
SECTION 4 — STORAGE INFRASTRUCTURE 
────────────────────────────────────── 
 
4.1  What storage platform(s) does your organisation use (e.g. NetApp, 
Dell EMC, Pure Storage, HPE, IBM)? - Dell EMC, HPE  
4.2  What is the approximate total usable storage capacity across your 
estate (in TB or PB)? - This information is not available. It is for this reason we have applied section 17 of the Freedom of Information Scotland Act 2002 as information not held.  
4.3  What is the approximate age of your primary storage estate? - Exemption applied: FOISA s35(1)(a) – disclosure could assist cyber-crime by exposing infrastructure/supply-chain vulnerabilities, so we have withheld those details in the public interest.  
────────────────────────────────────── 
SECTION 5 — BACKUP, DISASTER RECOVERY AND BUSINESS CONTINUITY 
────────────────────────────────────── 
 
5.1  What backup software solution(s) does your organisation currently 
use (e.g. Veeam, Commvault, Veritas NetBackup, Cohesity, Rubrik, 
Zerto)? - Exemption applied: FOISA s35(1)(a) – disclosure could assist cyber-crime by exposing infrastructure/supply-chain vulnerabilities, so we have withheld those details in the public interest.  
5.2  What is your backup target infrastructure (e.g. on-premise disk, 
tape, cloud)? - Exemption applied: FOISA s35(1)(a) – disclosure could assist cyber-crime by exposing infrastructure/supply-chain vulnerabilities, so we have withheld those details in the public interest.  
5.3  Does your organisation have a documented Disaster Recovery (DR) 
plan? When was it last tested? - Yes, elements of the plan are tested where appropriate on different elements. This reduces the impact to critical system availability whilst verifying the recovery capability.  
5.4  What is the current Recovery Point Objective (RPO) and Recovery 
Time Objective (RTO) for your critical clinical systems? - Exemption applied: FOISA s35(1)(a) – disclosure could assist cyber-crime by exposing infrastructure/supply-chain vulnerabilities, so we have withheld those details in the public interest.  
5.5  Does your organisation use an offsite or cloud-based backup 
solution? If yes, which provider? - Exemption applied: FOISA s35(1)(a) – disclosure could assist cyber-crime by exposing infrastructure/supply-chain vulnerabilities, so we have withheld those details in the public interest.  
────────────────────────────────────── 
SECTION 6 — NETWORKING AND END-USER COMPUTING 
────────────────────────────────────── 
 
6.1  Who provides your Wide Area Network (WAN) and/or internet 
connectivity services? - SAS uses Scottish Wide Area Network (SWAN) provided under national framework.  
6.2  What network equipment vendors does your organisation use (e.g. 
Cisco, Juniper, Aruba, Palo Alto)? - Cisco, Fortinet, Extreme.  
6.3  What is the approximate number of end-user devices (laptops, 
desktops, tablets) in your organisation? - Approx 3000. This excludes mobile devices as per question.  
────────────────────────────────────── 
SECTION 7 — SOFTWARE, LICENSING AND KEY CLINICAL SYSTEMS 
────────────────────────────────────── 
 
7.1  What is your current Electronic Patient Record (EPR) / Electronic 
Health Record (EHR) system? Please provide the vendor name and 
product. - The Scottish Ambulance Service utilises national and specialist clinical systems appropriate to its operational role as a national ambulance service. 

 7.2  What Patient Administration System (PAS) does your organisation use? - The Service does not operate a traditional PAS system of the type used in acute NHS boards. 

 7.3  Does your organisation use a Picture Archiving and Communication 
System (PACS) / radiology imaging system? If yes, which vendor and 
product? - Not applicable. 

 7.4  Does your organisation have a Microsoft Enterprise Agreement (or 
equivalent) in place? When is this due for renewal? - The Service holds enterprise software agreements from legacy agreements and a National agreement via NSS (National Services Scotland) 

 7.5  What is the approximate annual spend on software licences across 
the organisation? - This is difficult to break down due to the licenses being bundled up as part of our maintenance contracts.  It is for this reason we have applied section 17 of the Freedom of Information Scotland Act 2002, as information not held.
7.6  Please list any other significant enterprise IT contracts (by 
contract type / system category — e.g. HR, finance, workforce 
management) with approximate annual values where held. 

The following contracts are via National Procurement and as such are included within the National Agreements

HR
Finance
Payroll
Turas

Command & Control Circa £750k
Patient Transport System Circa - £105k
Mobile Data / EPR – Circa £1.7m

  
────────────────────────────────────── 
SECTION 8 — WARRANTIES, CONTRACTS AND PROCUREMENT 
────────────────────────────────────── 
 
8.1  For your primary server, storage and network infrastructure, are 
vendor warranties and/or third-party maintenance contracts in place? 
Please provide: Appropriate vendor warranties and support arrangements are in place. Detailed contract information is exempt under section 33 of FOISA.
     (a) The type of coverage (vendor warranty, third-party
maintenance, or both) - Both
     (b) The name of the maintenance provider(s), if applicable – Dacoll

     (c) Approximate contract expiry dates where held - Circa – July 2026  
8.2  What procurement frameworks does your organisation use for IT 
hardware and services (e.g. Crown Commercial Service, NHS Shared 
Business Services, G-Cloud, Tech Products 4)? - The Service uses NHS Scotland and Crown Commercial Service frameworks where appropriate.  
8.3  Are any significant IT contracts due for renewal within the next 
24 months? Please provide contract category (not necessarily full 
commercial detail). - No significant contracts are currently expected to be re-procured over the next 2 years  
────────────────────────────────────── 
SECTION 9 — DIGITAL MATURITY AND STRATEGY 
────────────────────────────────────── 
 
9.1  Has your organisation completed a Digital Maturity Assessment 
(DMA) or equivalent framework in the last two years? If so: 
     (a) Which assessment framework was used (e.g. NHS England DMA, 
HIMSS EMRAM, Other)? The Service has undertaken digital maturity and capability assessments as part of national and organisational planning processes.  SAS take part in the Scottish Government Digital Maturity Assessment process each year.
     (b) What overall maturity score or rating was achieved? The Scottish Government assessment does not provide an overall maturity score.
9.2  Does your organisation have a current Digital / IT Strategy? If 
so, what is the publication or approval date? - The Scottish Ambulance Service has an approved Digital and ICT Strategy aligned to national NHS Scotland priorities. 

 9.3  Has your organisation achieved or is actively working towards any 
recognised digital accreditations (e.g. HIMSS Level, NHS Digital 
aspirant status, Cyber Essentials Plus)?  The Service maintains appropriate cyber and information governance accreditations in line with national policy. 

SAS does not currently hold any accreditations as noted, however within the public interest it is important to note that as an Operator of Essential Services, SAS is mandated by legislation to the NIS Regulations which provides assurance on required controls being in place to maintain essential services as required by the public. 

  
9.4  What are the top three stated digital priorities for your 
organisation in the current or next financial year? We have applied section 25 of the Freedom of Information Scotland Act 2002 as information that is otherwise accessible - Strategies and Plans 

 
