In dealing with confidential data, employees are required to comply fully with the principles of the Data Protection Act 2018.
In this context,
confidential data means any information or matter which is not in the public domain and which relates to the business, products, affairs
or finances of the Company or any of its business contacts and includes:
Personal data are stored in locked cabinets in a secure location (paper) or in a secure area on the Company Server. Access to confidential data is authorised only for specific staff who need it for their current role (typically the Office Manager), and authorisation is removed as soon as it is no longer required. Staff may request access to their personal data at any time. No requests have been made in the last 12 months. No external supplier has access to personal data.
Employees are required to comply with the Company's regulations to keep such records safe, and must at no time, either during or after their employment with the Company, use or disclose to any person, or cause or facilitate the unauthorised disclosure of, confidential information, or make use of any confidential information about the business or affairs of the Company or any of its business contacts, or about any other matters which may come to their knowledge in the course of their employment.
Employees may not, without prior authority, remove from the Company premises any document, computer media or other tangible item which contains confidential information or which belongs to the Company or to its clients/customers, suppliers or agents.
Employees may not, without the prior written authorisation of the Company, publish literature, deliver any lecture or make any recording, broadcast or demonstration relating in any way to the Company's activities or in which the name of the Company is mentioned, except as required by law.
Employees are also required to comply with the Company's GDPR Code of Conduct, which in the Company's case relates primarily to the processing of patient data. The Code of Conduct is overseen and managed by the Data Protection Officer (currently Prof. T. Ritchings) and approved by the Trust Data Controllers.
Employees must ensure that no information relating to patients is held by the Company; employees process computer records relating to patients only on Trust sites. This includes (but is not limited to) personal details and medical examination records, including images.
Employees must only access patient records that a Trust's Data Controllers indicate need processing; the Trust grants access to these records on a temporary basis, for the duration of the processing.
Any breach observed by the Data Controller or the Company is raised immediately with the DPO, who will investigate and take appropriate action.
The Data
Protection Officer (currently Prof. T. Ritchings) is responsible for
Information Security in the Company. All employees are made aware of the impact
their actions can have on privacy and security through their Job Contract and
annual data security training and testing.
The Company's information security policies cover the technologies used by the Company to protect confidential information, and define the processes and action plans in place to recover from a computer security incident. A security incident is a violation, or an imminent threat of violation, of the protection of confidential information, such as unauthorised employee activity, an infected computer, or a cyber-attack (for example DDoS). Depending on the severity of the incident, it may be necessary to implement the Business Continuity plan to keep the Company operating and, if this fails, to implement the Disaster Recovery plan. The incident response plan is defined below, after a description of the technologies currently used by the Company to protect confidential information.
The Company achieved Cyber Essentials certification (7/12/2022) and is currently seeking re-certification.
The Company's computer infrastructure, internet access and administration are managed by an external professional IT support and technology services company, ManchesterIT.
The infrastructure consists of an internal network with 10 PC workstations (Windows 10), 1 Server (Windows Server 2016) and a DrayTek router which provides access to the Internet. ManchesterIT ensure that all high-risk or critical security updates for operating systems and firmware are installed and tested promptly (within 14 days). They are also responsible for backing up the Server and for the recovery process, and for documenting and reviewing this annually. The Company also has a PC (Windows 10) connected to the HSCN network via a separate DrayTek router/firewall.
ManchesterIT are responsible for managing the system firewalls and anti-virus software (currently Bitdefender). There is an embedded firewall in each DrayTek router, and all PCs have the Windows firewall enabled. Users cannot access the system remotely (see the note in the Business Continuity section), or use tablets or smartphones to access the network. ManchesterIT have access into the system via Kaseya RMM.
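As an added example (not part of the Company's policy or of ManchesterIT's tooling), the following PowerShell script checks a Windows 10 workstation or the Windows Server 2016 host against two of the controls stated above: the Windows firewall enabled on every profile, and the most recent installed update no older than 14 days. It also reports the anti-virus product registered with Windows Security Center where that namespace exists (Windows 10 only; Windows Server has no SecurityCenter2 namespace, so the field reads "n/a" there). The function name, the output fields and the use of Get-HotFix as the patch-age source are assumptions made for illustration; the 14-day figure is the window stated in the policy. Run it in an elevated session on each host, or push it through the RMM, and keep the output with the Cyber Essentials re-certification evidence.

```powershell
# Added example: per-host check of the firewall, patch-age and anti-virus
# controls described in the policy. Not ManchesterIT's code; function name
# and output fields are illustrative. Requires an elevated session.

function Test-CeBaselineHost {
    param(
        # 14 days is the patch-installation window stated in the policy.
        [int]$MaxPatchAgeDays = 14
    )

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        FirewallProfiles  = @()
        FirewallCompliant = $true
        LastUpdateDate    = $null
        PatchCompliant    = $false
        AntiVirus         = 'n/a'
    }

    # Control 1: Windows firewall must be enabled on the Domain, Private and
    # Public profiles. One disabled profile fails the host.
    foreach ($profile in Get-NetFirewallProfile) {
        $result.FirewallProfiles += "$($profile.Name)=$($profile.Enabled)"
        if ($profile.Enabled -ne 'True') { $result.FirewallCompliant = $false }
    }

    # Control 2: the newest update listed by Get-HotFix must be no older than
    # the window. Get-HotFix only shows servicing-stack (KB) installs and some
    # entries carry no InstalledOn date, so those are dropped; a host with no
    # dated entries at all is reported as non-compliant, not as unknown.
    $hotfixes = @(Get-HotFix | Where-Object { $_.InstalledOn } |
                  Sort-Object InstalledOn -Descending)
    if ($hotfixes.Count -gt 0) {
        $result.LastUpdateDate = $hotfixes[0].InstalledOn
        $ageDays = ((Get-Date) - $hotfixes[0].InstalledOn).TotalDays
        $result.PatchCompliant = ($ageDays -le $MaxPatchAgeDays)
    }

    # Control 3: anti-virus product registered with Windows Security Center.
    # The root/SecurityCenter2 namespace exists on Windows 10 but not on
    # Windows Server, so the lookup is allowed to fail quietly there.
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                          -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    if ($av) { $result.AntiVirus = ($av.displayName -join '; ') }

    return [pscustomobject]$result
}

# Run on the local host and show the result.
Test-CeBaselineHost | Format-List
```

On the Bitdefender hosts the AntiVirus field should name the Bitdefender product; an empty or Defender-only value on a workstation means the third-party agent is not registered and is worth a ticket to ManchesterIT. A FirewallCompliant or PatchCompliant value of False is a direct finding against the controls above.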
ManchesterIT also manage user accounts on written notification (email) from the Company, including:
†The SPAM filters are currently blocking approximately 100 threats per day. No phishing emails have been reported in the last 12 months.
The incident
response plan has the following stages:
No security incidents have been reported in the last 12 months.
The Business Continuity and Disaster Recovery plans define the actions and arrangements that take place following a security or other incident that could prevent the Company from operating normally. The most critical risk relates to the Company's Help Desk, which provides real-time support and maintenance for the hospital clinics using the Company's clinical applications. The plans in place to ensure continuity of the Help Desk and of software development are as follows:
An inventory of
staff expertise is maintained and updated regularly to ensure that all software
development staff, especially new employees, are able to
use the development tools effectively, and understand the details of the
applications and the computer interfaces to the hospitals in sufficient depth
to perform updates and testing. Any software modifications are tested by a
second developer before release. Succession planning is in place.
All software sources and Company documentation are saved on the main Server, which is backed up weekly by ManchesterIT and stored off-site in a data warehouse. Only ManchesterIT have administrative rights to the backup/recovery process. Depending on the severity of an incident, information can be partially or fully restored from the backup. No patient information is held by the Company at any time, so it is not affected by any information security breach in the Company.
The Company PCs and Server are situated in locked rooms in a building that is fully alarmed and monitored 24 hours a day by a professional security firm. The alarm is enabled/disabled by key-fob and all alarm status changes are logged. In the event of a break-in and damage to or theft of the computers, the affected computers are replaced and the appropriate software is downloaded by ManchesterIT; in the case of the Server, the backup is restored. In the case of serious damage to the premises, such as fire or an electrical power outage, staff can be relocated to work at home on a temporary basis, with access to new or relocated machines managed by ManchesterIT and the main telephone switchboard diverted to the Office Manager's home.
Since the outbreak of Covid-19, Business Continuity has been maintained by staff working from home; secure access to the Office network via VPN has been enabled by ManchesterIT on a temporary basis. The Help Desk and software development have been operating normally.