Purpose
The purpose of the data protection by design and default approach is to establish the key principles and requirements that will enable PKB to embed Information Security and Data Privacy into new services, systems, and/or software for all internal PKB services (including those that are customer facing) and customer-facing shared services.
These principles reflect the Information Security and Data Privacy aspects of the design and delivery of systems, software, and services, both internally and for our customers, and will help to protect PKB, our customers, our employees, our partners, and third parties from information security risks including information loss, legal, financial and reputational harm.
For the avoidance of doubt within this document, a “service” describes any software, application, system, service, or product that is built and/or purchased to support PKB business or customer needs. It excludes any systems that are built or managed to the requirements of a single customer (as this will normally be defined through contract schedules).
Scope
The data protection by design and default approach applies to all those who have access to PKB systems and information, regardless of location or the types of information or systems that they have access to; this includes both permanent and temporary employees, contractors, suppliers and agents working on behalf of PKB.
This approach particularly applies to staff responsible for the design and development of services that are used to store or process information belonging to PKB, our customers or any third parties; it applies whether the service retains or stores any information or only temporarily stores information for the purpose of carrying out the transformation of information on another system.
Responsibilities
Designing, developing, and delivering PKB services imposes certain standards, responsibilities, and obligations on us to ensure compliance with PKB policies, agreed management systems (such as ISO 27001) as well as UK and international law. All employees with the responsibility for managing projects, designing systems, delivering systems, and/or introducing new systems are responsible for understanding and adhering to the principles of this policy and the details defined in the various other PKB Information Security and Data Privacy policies which can be found on the PKB wiki.
It is also the responsibility of Information Asset Owners within PKB to ensure the principles and processes within this document are adopted within any project that is likely to have an impact on any information they own, whether directly or indirectly.
Employees are reminded that this policy comprises part of the standard terms and conditions of employment and any breach of the principles in this policy could result in disciplinary action up to and including dismissal.
Line managers are responsible for the day-to-day management of staff and advise on the implementation of Information Security and Data Privacy policies and procedures within their business areas and for ensuring compliance by their staff.
Policy
Data protection by design and default is to be considered at the conception stage of each service, and any non-functional requirements connected with information security or data privacy are to be defined in the early stages of any information system design.
These considerations must be embedded in the design of any system that is likely to process personal or sensitive information including but not limited to the collecting, storing, and transmitting of any personal, sensitive, or confidential information.
Foundational Principles
The following principles are focused on the design of systems, software, and processes, and focus on the actions of system developers, system engineers, and architects. In all cases, the accountability of the information security and privacy of information, personal or otherwise, resides solely with the Information Asset Owner.
It is the policy that all Information Asset Owners within PKB ensure these principles are adopted with any project that is likely to have a direct or indirect impact on any information they own.
Data protection by design and default will be embedded into the design from conception and will remain until the service is decommissioned.
Data protection by design and default will be the default approach for all projects.
Data protection by design and default controls will be appropriate to the level of risk.
Data protection by design and default controls will be proactive and not reactive. Where possible, data protection by design and default controls will not be “traded off” for functionality or convenience without the commensurate risk being accepted at the appropriate management level.
Information will be adequately protected through its entire lifecycle.
The processing of any personal information should be transparent as to how it is being processed but access-restricted only to those who have a “need to know”.
The processing of personal, sensitive, or confidential information will be the minimum required to achieve the purpose.
Any process to re-use information that we have collected for another purpose must be lawful and within the agreed terms of the original notification.
These principles are to be followed when developing or delivering a service, either internally for PKB or when developing or delivering a service for our customers.
Project Governance
Introduction
Staff that both lead and implement projects within PKB are responsible for the ongoing information security and privacy of their service and the ongoing confidentiality of information processed by the delivered service.
The project process shown below (with the addition of decommissioning) is the main delivery process used within PKB for both internal and external projects.
Project Managers are responsible for guiding projects to a successful conclusion either as part of a new initiative or to upgrade/replace a current system or service. This includes the integration of information security and data privacy controls that are required to deliver a secure system that processes information in a controlled and lawful manner.
Information Security and Data Privacy Requirements
It is inevitable that nearly all projects will have Information Security and Data Privacy requirements in some form or another; these requirements will vary from project to project depending on the functional requirements of the service and the information that is stored and processed. Some upgrade projects will have few if any security requirements above those of the original service, whereas new services may have a large number of requirements. Projects are differentiated as below:
High Impact – Projects that store and/or process a significant amount of confidential information including personal information, special categories of personal information, or other information or functionality, critical to the operation of PKB as a business (large information transformation such as HL7 data migration or customer services that have the possibility to have a large impact on PKB or its customers).
Medium Impact – Projects that store and/or process a small amount of business-focused personal information or other information required to continue the operation of PKB as a business (small to medium size internal or shared services).
Low Impact – Projects that store and/or process no personal information or information critical to the continued operation of PKB.
The exception is where a low-impact system is public or internet-facing and could potentially be used to attack or misuse high- or medium-impact systems; in this case a view will be taken by the Information Security and Information Governance Teams concerning the potential risk and impact the new service brings to the business.
A list of types of personal and special category information can be found in Appendix A.
Pre-Project
Data protection by design and default requirements are to be embedded into the design from inception; this includes the Information Security and Information Governance Teams and/or the Data Protection Officer understanding, at the outset of any project, any potential high-risk areas that may either impact the information security profile of PKB or the personal information of our customers, employees or partners.
It is key that during this period there is a clear understanding of the Information Security and Data Privacy risks that any new service brings with it. This will involve the completion of a Service & System Security Assessment.
Should the project or delivery of the new service (through a change to people, process, or technology) introduce risk then it needs to be understood, for example:
The system is Internet-facing.
The system circumvents a previously established Information Security or Data Privacy Control.
The system may alter the behaviour of users such that it increases the risk to PKB or customer information.
Whether personal, sensitive, or confidential information is used on the system, and whether a Data Protection Impact Assessment (DPIA) is required.
When a project entails the use of personal, sensitive, or business confidential information, particular thought will be given to the project specification and the information to be used. It is vital that the purpose of the project be clearly and precisely defined, along with the specific categories of personal information to be processed and individuals or groups of individuals concerned. This is to ensure data privacy considerations are taken into account throughout the project lifecycle, for example by limiting the use of personal information to what is strictly necessary to achieve the project.
In the case where personal information is being processed, particular focus will be on:
How the personal information to be used has been obtained.
Where personal information is to be used.
Whether the purpose for which the personal information was initially collected is compatible with the project’s purpose.
Where one set of personal information is cross-referenced or aggregated to provide new information.
Where re-use is initially thought to be incompatible with the original purpose for which the personal information was collected.
In any of the above cases, further assessments will need to be carried out before the information can be used.
Project Initiation
During the initiation of a project, it will be clear whether the involvement of the Information Security and Information Governance Teams and/or the Data Protection Officer is required.
At this stage, the Asset Discovery - Service and System Security Assessment will take place.
Where the risks identified are such that the Data Protection Officer believes a Data Protection Impact Assessment (DPIA) is required, the PMO and the Information Governance Team will be informed and further screening will be undertaken to assess whether a DPIA is necessary. If a full DPIA is required, the DPIA process will be followed, with the risks and/or mitigating actions fed back into the project.
When the risk assessment has taken place, the solution (People, Process, or/and Technology) and the project deliverables will be categorised as either High, Medium, or Low potential risk to PKB. This rating will determine the Information Security and Data Privacy controls that will be required to ensure any potential risk or impact falls inside PKB’s risk appetite and in the case of personal information, is commensurate with the rights and freedoms of data subjects and the GDPR regulation as a whole.
The data protection by design and default controls will be agreed upon by the stakeholders (Project Manager, Information Security, Information Governance, DPO, etc.) during the initiation phase and will be tracked through delivery and acceptance into business as usual (BAU).
The controls will be either from PKB's standardised list of controls (which can be found in the Supplier Assurance Standard), or controls that are customised to mitigate the specific risk for the specific deliverable.
Sometimes it may not be possible to have a clear view of the controls that are required (due to design or timing constraints) but at a minimum, the type of information and its route through PKB services should be mapped to ensure PKB can meet regulatory requirements (including access by any third parties). Once this is complete it should be possible to agree to the control requirements early in the delivery phase.
Where the project involves personal information, the controls must focus at a minimum on the following points (whether or not a DPIA is required):
Data Minimisation - ensuring that the collection, disclosure, or other processing of personal data throughout the life of the project is kept to the minimum necessary to fulfill the project.
Data Anonymisation - consideration of whether the personal and sensitive information identifiers collected can be removed, so that they cannot reasonably be used to identify an individual.
Data Pseudonymisation - also known as de-identification, consideration of whether personal and sensitive identifiers (e.g. NHS number) can be removed or replaced with artificial identifiers (e.g. a reference number). This technique still allows some form of re-identification by those who hold the mapping to these artificial identifiers.
Data Encryption - the technique of translating information into another form or code so that only individuals with access to a password or secret key can read it.
Specification of Retention Period - the clear statement of the retention period for the personal and sensitive information used in the project, and the technical capabilities that are deployed to action such retention periods.
Data Subject Rights - ensure that the project enables PKB to action any request from individuals to exercise their rights under the General Data Protection Regulation.
Security - ensuring the implementation of security measures proportional to the magnitude of the risk assessed and the sensitivity of the personal data.
Refer to the Supplier Assurance Standard for further details.
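The pseudonymisation and anonymisation controls listed above, worked through on a constructed patient record as an added example (not PKB's own code): the NHS number is replaced by a keyed reference identifier that only the holder of the key and lookup table can reverse, while the anonymised form drops the direct identifiers and generalises date of birth and postcode. The HMAC key, the sample records, the age-band and postcode-area rules, and the NHS-number check-digit validation are assumptions of the example, not requirements stated by this policy.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed sample records; not real patients. Field names follow Appendix A.
RECORDS = [
    {"nhs_number": "943 476 5919", "name": "A. Example", "date_of_birth": "1984-03-12",
     "postcode": "SW1A 1AA", "diagnosis": "Type 2 diabetes"},
    {"nhs_number": "401 023 2137", "name": "B. Example", "date_of_birth": "1959-11-30",
     "postcode": "M1 1AE", "diagnosis": "Asthma"},
]
AS_OF = date(2024, 6, 1)  # fixed reference date so age bands are reproducible


def valid_nhs_number(raw: str) -> bool:
    """Standard NHS number modulus 11 check (weights 10..2 over the first nine
    digits). A pseudonymiser should refuse malformed identifiers rather than
    silently mint a reference id for them."""
    digits = re.sub(r"\s", "", raw)
    if not re.fullmatch(r"\d{10}", digits):
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:  # no valid NHS number produces this remainder
        return False
    return check == int(digits[9])


class Pseudonymiser:
    """Replaces the NHS number with a keyed reference identifier (de-identification).
    The HMAC key and the lookup table are what make re-identification possible,
    so only the party entitled to re-identify should hold them."""

    def __init__(self, key: bytes):
        self._key = key          # assumed: held separately from the pseudonymised data
        self._lookup = {}        # reference id -> NHS number

    def reference_id(self, nhs_number: str) -> str:
        digits = re.sub(r"\s", "", nhs_number)
        if not valid_nhs_number(digits):
            raise ValueError("malformed NHS number")
        tag = hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()
        ref = "REF-" + tag[:12].upper()  # same patient -> same ref, so records stay linkable
        self._lookup[ref] = digits
        return ref

    def pseudonymise(self, record: dict) -> dict:
        out = {k: v for k, v in record.items() if k != "name"}  # drop the direct identifier
        out["nhs_number"] = self.reference_id(record["nhs_number"])
        return out  # still personal data under GDPR: the key holder can reverse it

    def reidentify(self, ref: str) -> str:
        return self._lookup[ref]


def anonymise(record: dict, as_of: date) -> dict:
    """Removes direct identifiers and generalises quasi-identifiers so the record
    cannot reasonably be traced back. Whether the residual re-identification
    risk is acceptable is a DPIA judgement, not something this function decides."""
    dob = date.fromisoformat(record["date_of_birth"])
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    decade = age // 10 * 10
    return {
        "age_band": f"{decade}-{decade + 9}",
        "postcode_area": record["postcode"].split()[0],  # outward code only
        "diagnosis": record["diagnosis"],
    }


if __name__ == "__main__":
    p = Pseudonymiser(key=b"constructed-demo-key-not-for-production")
    for r in RECORDS:
        print(p.pseudonymise(r), anonymise(r, AS_OF))
```

Both outputs still contain health data, so the pseudonymised set remains special category personal data and only the anonymised set may fall outside the GDPR, subject to the DPIA's assessment of residual risk.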
Delivery
During the early part of the project delivery (or in some cases even the late part of initiation) it may be decided that the project cannot implement a specific control; this can be for a number of reasons:
The control cannot be integrated with the solution.
The control cannot be economically delivered.
The control cannot be delivered within the specified time period.
All of these reasons may be appropriate to an individual circumstance; any decision to accept the risk of not implementing a defined data protection by design and default control shall require acceptance at the appropriate level within PKB, up to the executive level depending on both the likelihood and the impact to the information. It is also possible to introduce other controls that may partially or completely mitigate the risks rather than the most appropriate control. In this case, a gap analysis will take place to assess the alternate controls, and if necessary a risk will be raised for any residual risk remaining after the alternate controls are in place.
Any remaining risks will be placed on the relevant risk register (depending on the type of risk and the area impacted) and either accepted or tracked through the solution's entire lifecycle.
Verification and Testing of Information Security and Data Privacy Controls
Protection Controls
High and Medium impact projects will have their control design and delivery verified and tested; this may include specific User Acceptance Testing (UAT) (for items such as access controls), vulnerability testing (for internal and externally facing projects), and penetration testing (for external or customer-facing projects). This testing is to be organised and completed within the project, and the results released to the Information Security and Information Governance team/DPO for verification and acceptance.
Where the project involves personal information, the project manager will be responsible for ensuring they have liaised with the Information Security and Information Governance team/DPO to ensure all information protection aspects have been considered and the effectiveness of the mitigating measures taken is to the satisfaction of the DPO.
Project Closure
The data protection by design and default process will vary depending on the impact of the project and the potential risks of its implementation from an Information Security and Data Privacy perspective.
High Impact Projects – The Information Security and Information Governance team and where appropriate the DPO will continue to be a stakeholder in the projects and its transition to BAU. This will involve confirmation by the Information Security and Information Governance team and where appropriate the DPO that any controls are in place and effective.
Medium Impact Projects - The Information Security and Information Governance team and where appropriate the DPO will continue to be a stakeholder in the projects and its transition to BAU. This will involve confirmation by the Information Security and Information Governance team and where appropriate the DPO that any controls are in place and effective.
Low-Impact Projects – For low-impact projects, Information Security should be advised, especially if there has been any change to information security and data privacy controls since delivery.
Change Control Board
When the final go-live is to take place, before the project goes to the Change Control Board:
High Impact Projects – The change control board will require the project to be “signed off” by the Information Security and Information Governance team and where appropriate the DPO before go-live.
Medium Impact Projects – Verification is provided to the Information Security and Information Governance team and where appropriate the DPO that any controls are in place and effective. On this basis, the Change Control Board will advise that the project has moved to BAU.
Low-Impact Projects – No sign-off or verification is required for low-impact projects, however, should the project need to be re-purposed or go through a material change after the initial risk assessment a further cycle of engagement may be needed.
The Change Control Board will be notified by the Project Manager. If the project manager or any member of the CCB believes the impact assessment of the project is flawed, then they are to discuss it with the Data Protection Officer, depending on the focus of the impact.
Transition into Business as Usual
Some but not all projects will need to go through a transition into BAU, in particular (but not restricted to) projects delivering services with new functionality. In the specific case of Information Security and Data Privacy, a number of key areas need to be transitioned to the relevant parties:
Any personal information will need to have a nominated Information Asset Owner responsible for the ongoing due diligence required through the entire lifecycle of the information, for example, the assurance of information retention policies.
Any specific security controls such as access control mechanisms, encryption, and other security controls will need to be transitioned to the relevant parties for ongoing management.
Any residual risk will need to be transferred to the relevant BAU department to ensure ongoing monitoring and continual acceptance and/or mitigation.
ISO 27001 Certification
PKB is ISO 27001 compliant and the certificate is held by Google because all data is hosted within Google Cloud Platform (GCP) data centres (with the scope of certification including the physical security of the data centres). Further details can be found here.
Business as Usual
After go-live, the ongoing security maintenance is the responsibility of the BAU teams. After introduction into service, the solution will be auditable from an internal perspective and systems will be brought into the regular audit schedule of the Compliance Team; high-impact projects will be audited on an annual basis.
All projects will also be monitored for any residual risks in the risk register; this will be continual until the risks are closed. Where risks are accepted, they will come under an annual review to ensure the risk has not increased and is still accepted by the appropriate authority.
New services that are deemed high-impact will be scheduled for an internal audit within 12 months of go-live; medium- and low-impact services will be moved into the ongoing internal audit schedule.
Innovation Governance
Information security governance and the implementation of security and data privacy controls in a period of innovation may sometimes seem problematic. However, it is key to understand the specific risks and impact that any new service will have both on PKB and our customers, and the disruption that implementing these controls at inception may bring to the development process.
Supporting the Business
It is important to understand that PKB will only succeed by developing unique services to sell to its customers; security and data privacy requirements can curtail that development in the initial stages, hence when designing an innovative service it is more efficient to focus on the functionality and outcomes required. Therefore it is normal to start initial development without the additional burden of security and data privacy controls while developing functionality.
This is an accepted risk of doing business and, at the beginning, an appropriate response; however, as the service gets closer to a deliverable state it is important to begin integrating control mechanisms to ensure the service can maintain the Confidentiality, Integrity, and Availability of the information it contains. To enable this, the Information Security and Information Governance Teams run a system called Elastic Governance.
Elastic Governance
Elastic Governance allows for innovation to be trialled and refined early in the process without being encumbered with a large number of security controls at the outset. It divides innovation into three sections:
The initial functionality scope stage, where Information Security and Data Privacy requirements are fully or partially understood.
The functionality build stage, where Information Security and Data Privacy controls are fully understood and possibly partially integrated.
The final release stage, where the Information Security and Data Privacy controls are integrated into the solution.
The middle stage can include multiple stages of development. The key principle is that as the functionality comes closer to release at each stage, more data protection by design and default requirements and the related controls are integrated with the solution.
Use of Live Data for Development and Testing Purposes
The use of operational live information containing personal information or any other PKB confidential information for testing purposes is not permitted.
In cases where using live information containing personal information, special categories of personal information, or any other business confidential information for testing purposes cannot be avoided, the policy exception process must be followed.
Secure Development Practices
PKB shall ensure secure development practices are followed at all times in line with industry-recognised security standards; all developed code/applications shall undergo security tests such as static code reviews, vulnerability tests, and/or penetration tests to verify the security posture of the developed application/code.
Refer to the Supplier Assurance Standard for further details.
Document Management & Control
PKB systems and information remain the property of PKB at all times and PKB reserves the right to monitor compliance with policies in line with all applicable laws, with due regard and respect for the fair treatment of all employees, and to protect its network from systems and events that threaten or degrade operations.
PKB reserves the right to copy and examine any PKB-owned files or information resident on systems or devices. If the device or its use is in contradiction to PKB Policy or allegedly related to unacceptable use, those responsible may be subject to disciplinary action up to and including dismissal, and where applicable may be referred to the police for prosecution.
Appendix A
Examples of Personal Data and Special Category Data items are shown in the table below.
| Personal Information | Special Category Information (sensitive personal data) |
| --- | --- |
| Name | Health Data |
| Personal Address | Biometric Data |
| Personal Telephone Number | Genetic Data |
| Personal Email Address | Race |
| Date of Birth | Ethnic Origin |
| National Insurance Number | Political Opinions |
| Nationality | Religion |
| Passport Details | Philosophical Beliefs |
| Driving Licence Details | Trade Union Membership |
| Personal IP Address | Data concerning a Natural Person’s sex life |
| Signature | Sexual Orientation |
| Job Title | Personal Financial Information |
| Personal Vehicle Registration | |
| Employment History | |
| Personal Salary & Benefits Details | |
| Criminal Records | |
| Business Email Address | |
| Business Address | |
| Business Telephone Number | |
| Skype ID | |