...
Specific Responsibilities for Parties: N/A as no Joint Processing
Compliance with Principles
Principle 1 – Processing is lawful, fair and Transparent:
...
39. SCHEDULE 3: SECURITY CONTROLS
39.1 SECURITY RESPONSIBILITIES
39.1.1 PKB shall maintain appropriate information security arrangements for all forms of Data held in any format and expressed or relayed in any communication (oral or written) in a manner consistent with the principles of the most current version of the NHS Data Security and Protection Toolkit (DSPT) and ISO 27002 - Code of Practice for Information Security Management (with the principles of the DSPT prevailing in case of any conflict). In particular:
39.1.2 PKB shall have management arrangements in place for the management of information security;
39.1.3 PKB shall comply with the DSPT assessment, reporting and audit requirements relevant to its organisation type; and
39.1.4 PKB shall have appropriate operational risk assessment and management processes in place for the identification, mitigation and management of operational security risks.
39.1.5 PKB shall ensure an appropriate level of protection for data at rest commensurate with the risks to rights and freedoms, including encryption to the latest available industry standard.
39.1.6 PKB shall comply with the requirements of Article 32 of GDPR and ensure that all data is held and Processed according to the risk attached to the category of data Processed.
39.1.7 The Parties shall agree, and PKB shall have in place, an information security policy that is supported by appropriate organisational, security and technical security standards (the “Security Policy”).
39.1.8 PKB shall propose changes to the Security Policy on an on-going basis to reflect good industry practice or changes necessitated by any changes in applicable law. Material changes to the management of information relating to the Controller's business shall be agreed in writing by both parties, and the requirement for all such changes shall be promptly notified to the other party.
39.1.9 PKB shall create, design, establish, provide, implement, manage and maintain safeguards (including security architecture) that reflect the Security Policy and shall ensure that any changes to the Security Policy from time to time are reflected in the secure environment provided to Controller as soon as practicable.
39.1.10 PKB shall be equally responsible for managing information security risk should the Data, or access to the Data, be made available to any third parties or Processors (as may be permitted elsewhere). Such engagements will be preceded by a satisfactory due diligence process, contractual documentation being signed, and the establishment of monitoring, auditing and incident handling procedures so that the Data is no less secure under the third party’s management.
39.1.11 PKB shall ensure that all transfers of the Data undertaken by it or on its behalf will be in accordance with Secure File Transfer Protocols within the Health and Social Care Network (HSCN) and/or in accordance with the NHS Digital Good Practice Guidelines.
39.2 SECURITY MANAGEMENT
39.2.1 PKB shall plan, determine, create, implement, manage, review and maintain security control over the technology and physical storage infrastructure, and respond appropriately to security events. This includes the implementation of secure technical infrastructures, technologies and physical controls (including firewalls, encryption, authentication services and swipe access) appropriate to the UK public health sector.
39.2.2 PKB shall implement control, technologies and procedures to limit the risk of unauthorised access to the environment used to provide the Services (the "Services Environment") appropriate to the UK health and social care sector.
39.2.3 PKB shall inform and make recommendations to the Providers if it becomes aware of any products, methods or services that would result in required improvements to the security procedures in operation.
39.2.4 PKB shall create, acquire, provide, install, implement, manage and maintain any such improvements reasonably requested by the Providers that reflect Good Industry Practice.
39.3 SECURITY ADMINISTRATION
39.3.1 PKB shall track, co-ordinate, implement, manage and maintain all security changes across the Services.
39.3.2 PKB shall limit the risk of unauthorised access to the Services Environment including content filtering to prevent objectionable material, virus protection, password controls and physical security. PKB shall have regard to the confidentiality and sensitivity contained within the Services Environment and shall ensure that measures applicable to the UK health and social care sector are in place to prevent unauthorised access.
39.4 SECURITY AUDIT
39.4.1 PKB shall provide to the Providers, within a reasonable time of the Providers' request, any information that the Providers reasonably require for the purpose of obtaining assurance of PKB's compliance with the provisions of this Clause 39. PKB shall provide this information in such format as the Providers may reasonably require.
39.5 NON-COMPLIANCE REPORTING
39.5.1 PKB shall monitor, on an ongoing basis, computer and network security configurations.
39.5.2 PKB shall create and issue reports to the Providers on incidents of non-compliance with the Security Policy according to their severity within a reasonable time after such incidents occur.
39.6 SYSTEM ACCESS CONTROL
39.6.1 PKB shall administer the provision of access to the Services Environment (by both the Provider’s Personnel and PKB's Personnel), Data and any other applicable data in accordance with Good Industry Practice.
39.6.2 PKB shall restrict access to the Services Environment to appropriately identified authenticated and authorised personnel and shall keep records of which personnel have access to the Services Environment and the reasons for such personnel being given such access. PKB shall also keep records of which personnel have accessed the Services Environment (including details of login and logout times).
39.6.3 PKB shall restrict user access to information and data held on external networks.
39.7 CRYPTOGRAPHY MANAGEMENT
39.7.1 PKB shall ensure that Data is encrypted as appropriate in accordance with Good Industry Practice and the most current version of the Data Security and Protection Toolkit and ISO 27002 - Code of Practice for Information Security Management (with the principles of the Data Security and Protection Toolkit prevailing in case of any conflict).
39.7.2 PKB shall manage all processes and procedures pertaining to the administration of the encryption keys, including secure key storage, periodic changing of keys, destruction of old keys, and registration of keys with the appropriate authorities.
39.8 ASSET PROTECTION
39.8.1 PKB shall acquire, create, provide, manage and maintain mechanisms to prevent or mitigate destruction, loss, alteration, disclosure or misuse of equipment used within the Services Environment, Data and Providers assets, having regard to Good Industry Practice. This includes annual Penetration testing and the satisfactory completion of remedial actions identified following that testing.
39.8.2 All Data shall be appropriately backed up and stored in a secure facility which, in line with industry practice, would be off site.
39.8.3 PKB will ensure adequate business continuity services and disaster recovery services are in place and regularly tested. Evidence of this testing may be required as part of the Provider’s due diligence.
39.8.4 PKB shall ensure that no-one, other than properly authorised Processor Personnel, has physical access to any servers in scope under this Contract or used to deliver the Services, including any servers located at PKB's facilities, without formal documented approval from the Providers.
39.8.5 PKB will classify the security of documentation and information to limit distribution and to ensure adequate controls are in place to protect more sensitive content.
39.8.6 In relation to PKB’s facilities, PKB shall, at a minimum, acquire, create, provide, manage and maintain mechanisms to prevent or mitigate destruction, loss, alteration, disclosure or misuse of Data, having regard to Good Industry Practice.
39.8.7 PKB will fully and regularly assess the physical security risk for all premises and ensure reasonable controls are in place to prevent inappropriate access as would be expected for the National Health Service.
39.8.8 PKB shall implement National Cyber Security Centre (NCSC) guidelines (e.g. Cyber Essentials) as agreed with the Controller so that assets are protected.
39.9 SECURITY AWARENESS
PKB shall ensure that all its Personnel working on the Providers' account are screened and security checked to an appropriate standard, trained in the Security Policy and any other requirements of this Contract, undertake annual training, are deemed competent to undertake Processing activities and are individually accountable for their actions. All PKB Personnel shall, as at the commencement of the Services, be deemed to be appropriately screened and trained to a level befitting the UK health and care sector.
39.10 DOCUMENTATION AND RECORD PRESERVATION
39.10.1 PKB shall protect all Data held by its employees, agents or Processors in a physical form by adopting a “clear desk” policy in respect of such Data and disposing of such information securely by treating it as confidential waste.
39.10.2 PKB shall ensure that any documentation or records relating to the Services being disposed of by or on behalf of PKB are treated in an appropriate manner having regard to their confidentiality including, where appropriate, being securely destroyed or shredded prior to disposal.
40. SCHEDULE 4: SIGNATORIES
...