Security Policy
INFORMATION SECURITY & DATA PRIVACY POLICY
Statement of Intent
Patients Know Best (PKB) prides itself on being a leader in the provision of an online Personal Health Record where patients can manage their healthcare needs. As part of this, we recognise that we have a responsibility to protect all of the information that we process, whether it belongs to our employees, patients, customers, partners, or suppliers. By protecting this information we can ensure that we maintain our reputation as a trusted organisation, employer and partner, enabling us to grow as an organisation and deliver exceptional service to our customers.
To demonstrate our commitment to information security, PKB has implemented industry best practice security controls and assures their effectiveness through an Information Security Management System (ISMS) that complies with ISO 27001:2013, the global standard for managing information security.
It is the responsibility of all PKB staff to become familiar with our information security and data privacy management processes and to comply with all information security and data privacy policies together with the procedures and standards that underpin them. In turn, we commit to ensuring that our information security and data privacy management systems and processes are efficient, effective and continuously improving to protect our information assets while avoiding the reputational, legal and financial harm that would result from a data breach.
The Executive Board fully supports the information security management system and requires all our staff, whether permanent or temporary, and all partner organisations, suppliers and contractors, to do the same.
Approval and review
PKB-ISDPP v1.2 was approved by the Executive Board on the 1st of October 2022.
1. Purpose and Scope
The purpose of the Information Security and Data Privacy Policy is to demonstrate PKB’s commitment to protecting our employees, customers, patients, partners and suppliers' business confidential and/or personal or sensitive information from security threats, whether internal or external, deliberate or accidental.
2. Policy
Maintaining the Confidentiality, Availability and Integrity of our own, our customers', patients', partners' and suppliers' information is a requirement for all of us. We will treat the information entrusted to us respectfully and professionally and ensure that it is processed for legitimate business reasons, taking into account legislative, regulatory and contractual requirements.
The aim of this policy is to ensure compliance with the objectives and legal obligations within the Data Protection Legislation and the NHS Digital Data Security and Protection Toolkit.
This policy is applicable to all Patients Know Best (PKB) employees, whether permanent, temporary, contractor or third party resources, regardless of geographical location, who process business confidential and/or personal or sensitive information (see Appendix A for definitions) on behalf of PKB, as defined within the Data Protection Legislation. Additional information security and data privacy policies, procedures and standards shall be put in place to ensure the principles within this policy are met.
3. Information Security Principles
PKB is committed to applying the following information security principles to all areas of the organisation and to all employees regardless of role or geographical location by:
● Protecting PKB systems, locations and information against unauthorised access.
● Protecting the Confidentiality, Integrity and Availability of the information we process in accordance with legislation, regulation, contractual requirements, and industry best practice.
● Ensuring training, raising awareness and policy requirements are communicated to and provided to all employees.
● Applying PKB security standards to our supplier and delivery partners.
● Ensuring actual or suspected breaches of information security are reported, assessed and investigated.
● Ensuring security risks are identified and managed through the appropriate channels.
● Assessing and measuring the maturity of information security controls and delivering on continuous improvement measures.
4. Data Privacy Principles
PKB is committed to protecting the business confidential, personal and/or sensitive personal information of our staff, customers, patients, partners and suppliers, and to processing all personal information in accordance with Data Protection Legislation.
The Data Protection Legislation sets out the rules for how organisations must process personal information. This policy seeks to ensure that we:
● Are clear about how personal information must be processed and our expectations for all those who process personal information on our behalf.
● Comply with data protection legislation and apply good data privacy practices in our business areas.
● Protect PKB’s reputation by ensuring the personal information entrusted to us is processed in accordance with individual subject rights.
● Protect PKB from risks of personal data breaches and other breaches of data protection legislation.
5. Responsibilities
PKB must implement appropriate technical and organisational measures in an effective manner to ensure compliance with the data protection principles detailed in Appendix B of this policy. PKB expects that all employees, contractors and third parties will enable PKB to ensure that we process information in accordance with our legal obligations.
5.1 Executive Team
PKB’s Executive team have a responsibility to define the organisation’s policy in respect of information security and data privacy and to ensure that sufficient resources are provided to support the requirements of this policy.
5.2 Senior Information Risk Owner (SIRO)
The Chief Technology Officer and Senior Information Risk Owner has responsibility for the management and mitigation of information risk and advises the Executive team on the effectiveness of information risk management across the organisation.
5.3 Data Protection Officer (DPO)
The Data Protection Officer provides PKB with independent risk-based advice to support its decision-making in the appropriateness of processing personal and special category information within the principles and individual subject rights of the Data Protection Legislation together with managing responses to the Information Commissioner’s Office.
5.4 Managers' Responsibilities
Managers who are responsible for supervising staff undertaking work which involves the processing of personal information must ensure that staff are aware of and are applying PKB policies. Managers have a responsibility to:
● Apply PKB policies in their business areas.
● Ensure their teams are aware of the information security and data privacy requirements.
● Ensure information security and data privacy initiatives are proactively supported within their business areas.
● Ensure all staff within their business areas have undergone information security and data privacy training in accordance with PKB requirements.
● Where requested by the Information Governance (IG) Team, help to document and maintain all processing of personal information within their business areas in accordance with guidance provided by the IG team.
● Alert the IG team when they become aware of and assist with the investigation of any information security and data privacy incidents.
● Ensure that the IG team is notified of any new processing activities, or of any use of personal information for purposes for which it was not originally obtained, so that the register of processing activities can be updated.
● Where personal information is processed on behalf of a customer, the PKB member of staff leading the engagement with that customer is responsible for ensuring that the information is only processed in accordance with the customer’s instructions and the contractual arrangements in place between PKB and the customer. Any non-compliance must be escalated to the IG team.
● Engage with the IG team, where it is necessary to appoint a third-party sub-processor of personal information in order to onboard the new supplier.
5.5 Information Security (IS) Team
The Information Security Team have a responsibility to:
● Ensure information risks are identified, managed and mitigated.
● Ensure only authorised users can access and share information in order to perform their roles.
● Ensure technical, procedural and physical controls support agreed security measures.
● Ensure our contractual and legal obligations relating to information security are met through the implementation of relevant information security standards and industry best practices.
● Ensure incidents affecting our information assets are resolved and learnt from to improve our controls.
● Ensure that individuals, including any third parties, are aware of their information security responsibilities.
5.6 Information Governance (IG) Team
The Information Governance Team have a responsibility to:
● Ensure that this and other PKB policies, procedures and standards are maintained to meet information security and Data Protection legislative and regulatory requirements.
● Provide advice and guidance to all business areas on data privacy matters.
● Ensure training and awareness materials are in place and are available for all staff.
● Audit the register of processing activities in each business area for accuracy and lawfulness.
● Manage responses to information security and data protection breaches.
● Maintain and report on the IG Improvement Plan.
● Monitor and test our compliance status against our legal obligations.
5.7 All Staff Responsibilities
All staff, including permanent, temporary and contractor resources, who process personal information have a responsibility to ensure:
● They report all suspected or actual information security and data privacy incidents to the support desk team, support@patientsknowbest.com, in the first instance.
● They assist the IG team in investigating and resolving such incidents.
● All personal information is used in accordance with PKB policies, procedures and standards.
● That advice is sought from the IG team where there is uncertainty around information security or data privacy matters.
● All communications of personal information, verbally or in writing, are only disclosed to authorised persons who are entitled to receive that information.
● Any queries relating to information security and data privacy are promptly directed to the IG team in the first instance.
More detailed guidance for individual teams on how information security and data privacy can be implemented within their areas can be found on the internal wiki. In addition to the above, all staff have a responsibility to notify the Finance team of any changes in their own circumstances, such as a change of contact details, so that all personnel records are accurate and complete.
6. Monitoring and Enforcement
PKB information and systems remain the property of PKB at all times and PKB reserves the right to monitor compliance with PKB policies in accordance with applicable laws, with due regard and respect for the fair treatment of all individuals, and to protect its infrastructure and network from systems and events that threaten or degrade operations.
PKB reserves the right to copy and examine PKB-owned files or information resident on systems or devices. If a device or its use contravenes PKB policy or is allegedly related to unacceptable use, those responsible may be subject to disciplinary action up to and including dismissal, and where applicable, may be referred to law enforcement agencies for prosecution.
Appendix A: Definitions
For reference, data protection legislation uses the following definitions:
Personal Data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
Special Categories of Personal Data (previously known as sensitive personal data) relate to racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Examples of Personal Data and Special Category Data items are shown in the table below.
Appendix B: Data Protection Principles
For reference, Data Protection Legislation sets out the following principles which must be applied when processing personal or special category data.
(a) lawfulness, fairness and transparency - processed lawfully, fairly and in a transparent manner in relation to individuals.
(b) purpose limitation - collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
(c) data minimisation - adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
(d) accuracy - accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
(e) storage limitation - kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
(f) integrity and confidentiality - processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
(g) accountability - there must be appropriate measures and records in place to be able to demonstrate compliance with all of the principles.
Appendix C: Reference Materials and Associated Documents
Information Governance and Information Security Policies and Guidance can be found on the internal staff handbook wiki (Internal Intranet).
Data Security & Protection Toolkit: https://www.dsptoolkit.nhs.uk/
Information Commissioner’s Office: https://ico.org.uk/
Legislation and Regulations
General Data Protection Regulation 2016: https://gdpr-info.eu/
Computer Misuse Act 1990: https://www.legislation.gov.uk/ukpga/1990/18/contents
Confidentiality Code of Practice: https://www.gov.uk/government/publications/confidentiality-nhs-code-of-practice
Article 8 Human Rights Act 1998: http://www.legislation.gov.uk/ukpga/1998/42/contents
Records Management Code of Practice: https://transform.england.nhs.uk/information-governance/guidance/records-management-code/
ISO 27001 (ISO/IEC 27001:2013): the international standard that provides the specification for an information security management system (ISMS).
ISO/IEC 27002: code of practice for information security controls.
ISO 27799:2016: information security management in health.
NHS Digital Data Security Centre: https://digital.nhs.uk/services/data-security-centre