Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
2. Definitions • "processing", in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including- (a) organisation, adaptation or alteration of the information or data, (b) retrieval, viewing, consultation or other use of the data, (c) disclosure of the information or data by transmission, dissemination or otherwise making available, or (d) alignment, combination, blocking, erasure or destruction of the information or data • "data controller" means a person/body that (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed; • "data processor", in relation to personal data, means any person/body (other than an employee of the data controller) who processes the data on behalf of the data controller; • the use of the term “data” shall mean any Personal Data and/or Sensitive Personal Data in addition to any other data within the Service; • “patient identifiable data” is personal information that can be used to establish the identity of an NHS patient. • references to an “organisation” shall be references to an entity constituted by statute; • Support Service Provider shall refer any organisation providing the offshore support and maintenance service; • Service shall be use to mean the entire support and maintenance contracted elements, including helpdesk services, remote resolution, subsequent levels of support, remote patching and fixes, support staff, infrastructure, etc; • the use of the term “user” or “User” shall mean any user of the Service including, without limitation, members of the Support Service Provider’s support staff. © Crown Copyright 2009 Page 4 of 6
3. Requirements Sanctions may potentially apply to the Support Service Provider where significant information or infrastructural risks are identified, or where information incidents have arisen that suggest a significant IG shortfall exists. Requirements 1 In respect of systems and applications connected to NHS CFH systems and applications Patient Identifiable Data should not be recorded outside of the England boundary in any format for any reason without the prior explicit written permission of NHS CFH. 2 Where it is proposed that there be a significant change to where data is to be processed which patients are unaware of and may have concerns about, the Data Controller shall consider and document its policy in respect of: i. obtaining consent from the patients whose information will be held on the system; and ii. satisfying fair processing requirements with respect to the Data Protection Act 1998. 3 A logical technical security architecture design should be documented by the Data Controller and the Support Service Provider and approved by the Authority. Any subsequent changes to this architecture must be flagged to the Authority for reconsideration. 4 The Support Service Provider must complete an assessment of performance utilising the NHS Information Governance Toolkit and provide an assurance statement indicating that all key requirements are satisfied and agreement that this may be audited by the Authority. 5 Appropriate training and communications should be provided by the Support Service Provider to ensure that all support staff having any contact with the remote support and maintenance service are informed of the requirement not to record any Patient Identifiable Data. 6 The Support Service Provider shall develop a process for the destruction of Patient Identifiable Data which it receives or inadvertently records through communications or other means with the users. This process should be compliant with the “Records Management: NHS Code of Practice” guidance published in April 2006, or as subsequently updated. 7 The Support Service Provider should periodically, minimum annually, scan all information repositories and stores within the Support Service Provider’s base location(s), outside of England, for the presence of Patient Identifiable Data, and if any found securely deleted immediately. 8 The Support Service Provider shall ensure all support staff working within the Service have had reliability and security clearance checks carried out that include • Identity (passport, etc.); • Employment, academic and qualification references including any relevant previous security checks which should be followed up in writing. 9 The Support Service Provider shall ensure that any visitors, or contractors, that require access to the Service, are vetted to the same level as support staff, sign the confidentiality statement and have all access recorded for audit purposes. © Crown Copyright 2009 Page 5 of 6