FOI - IT systems [Apr 2025]

Your request 

I would like to request details of the major IT systems used by your organisation for a number of service areas.

Specifically, I request the following information:

• The name of the primary IT system/software used for each service area.
• The name of the supplier/vendor providing the system.
• The contract start date and end date.
• The total contract value (or annual cost if available).
• The number of users/licenses for each system (if applicable).

Our response 

I can confirm the GLA holds some of the information requested within the scope of your request.

The GLA is London's strategic government and does not operate in the same way as local Borough Councils. We therefore do not hold all the information you have requested as it would not be relevant.

From the spreadsheet that you enclosed the following service areas were relevant to the GLA:

1. Finance & Accounting
2. Human Resources (HR) & Payroll
3. Procurement & Contract Management
4. Document & Records Management
5. IT Service Management & Helpdesk
6. Integration platforms
7. Cybersecurity & Data Protection
8. GIS & Mapping Services

The primary IT system used for for points 1, 3 and 8 (from the list above) is SAP (ariba), for point 2 it is SAP Success Factor and for point 5 it is TfL oneLondon network. These are all managed by Tfl as part of our shared service contract, the supplier is SAP for these points except point 5 which is TfL.

Since 2009, Transport for London (TfL) has been providing a shared procurement service to the Greater London Authority (GLA) and the Old Oak and Park Royal Development Corporation (OPDC). Governed by the GLA’s and OPDC's Contracts & Funding Codes, this service includes delivering procurements over £25k, commercial contract management, procurement policy, strategy, governance, assurance support, and advice and training.

The systems used for procurement (SAP Ariba) are therefore shared across TfL and the GLA group.

In 2019, the GLA Collaboration Board approved a study to explore the feasibility of TfL’s Technology & Data team delivering IT services for the GLA group. This aligns with the strategic direction of GLA’s systems and IT, which have moved closer to TfL, sharing various IT services, third parties and platforms.

Over the years, each organisation within the GLA group has maintained its own IT environment, leading to increased financial and demand pressures as the GLA grows and embraces flexible working. To address these challenges, TfL's Technology & Data (T&D) team now manage GLA’s IT Services under an IT Shared Services working arrangement.

The various “line of business” systems used across the GLA (GLA, OPDC, MOPAC & LLDC) are therefore shared with TfL IT systems and service providers.

The GLA and OPDC also rely on TfL's Business Services Function (BSF) to provide shared transactional HR and supporting services across two legal entities. GLA uses TfL’s existing SAP payroll, SAP HR and Finance solutions and other enterprise HR solutions.

The systems used for people related functions at the GLA are shared with TfL.

As a result of multiple IT systems, services and managed service providers being shared with TfL and shared costs, working out component systems costs, contracts is complicated. TfL publishes information regularly on its website under its transparency obligations here - Transparency - Transport for London

Points 4 and 6 are IT systems managed by the GLA, the IT system used for point 4 is WriteOn and for point 6 it is Microsoft Office 365 and is an ongoing contract until December 2027.

For WriteOn the supplier is Pivitol Solutions, the contract is a rolling contract start date 1st April 2025 to 31st March 2026, the cost is £42,080.08, it is not possible to provide an exact number of users as it records according to how many times staff log on.

For Microsoft Office 365 the supplier is Microsoft and the annual cost for GLA licences is £628,725.68, there are 2483 licenses for MS E3 but this figure constantly changes.

We have withheld details related to point 7. because releasing the details could be harmful to the GLA’s security. We have relied on the following exemption related to law enforcement:

• Section 31(1)(a) – the prevention or detection of crime

31.—(1) Information which is not exempt information by virtue of section 30 is exempt information if its disclosure under this Act would, or would be likely to, prejudice - (a) the prevention or detection of crime.

The withheld information relates to information about the GLA’s cyber security and data protection information.

This is sensitive information which is withheld under Section 31(1)(a) - the prevention or detection of crime.

Information about any such material used by the GLA would provide useful information to potential criminals about the steps the GLA takes to protect its premises, property, staff and guests.

This would allow criminals to take steps to avoid these measures, thereby prejudicing our ability to prevent, detect and deter criminal acts.

Section 31(1)(a) covers all aspects of the prevention and detection of crime. Section 31(1)(a) of the Act is engaged because the release of this information would, or would be likely to prejudice the prevention or detection of crime.

The GLA considers that disclosing details of systems and expenditure relating to cyber security would be likely to prejudice the prevention and/or detection of crime. The release of this information would provide an indication of the amount of resources expended and implemented by the GLA to prevent and deter cyber security attacks on our digital estate. Although such a disclosure would represent a ‘snapshot in time’, it could be compared against any previous or future responses that we might release to provide an indication of how our expenditure in this area has changed, thereby inferring any changes in our capabilities.

Section 31 is a qualified exemption and we are required to conduct a public interest test when applying any qualified exemption.

The public interest test required by the Act is set out in section 2(2). The test is whether “in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information”.

• Considerations favouring disclosure

The GLA acknowledges that there is a legitimate interest to the public regarding being held accountable. The GLA is committed to being open and transparent and this is reflected in its extensive publication scheme including reports of all the GLA’s spending over £250 and our register of contracts.

The GLA is also mindful of the assumption in favour of disclosure in 2(2)(b) of the FOIA.

• Considerations favouring non-disclosure

In applying this exemption, the GLA has considered that it is vital to maintain the integrity and security of the GLA’s systems. As such, disclosing details of any expenditure relating to cyber security and data protection provisions would undermine those aims.

If disclosed, this information, would offer cyber criminals’ insight into not only the strengths of the GLA’s cyber security but also any potential or perceived weaknesses that may exist.

The GLA considers that this information would lead to vulnerability to potential crime; namely, a malicious attack on GLA’s computer systems. More specifically, any details relating to the expenditure of GLA’s cyber security provisions could provide useful information to malicious third parties about what resources the GLA is expending to counteract threats. This could ultimately result in a future cyber-attack.

In this case, we find that the balance of the public interest favors maintaining the exemption provisions of Section 31(1)(a) in relation the withheld information