1.1 The Data Protection Act 1998 ('the Act') imposes certain obligations upon Data Controllers and Data Processors in relation to the processing of personal data. These obligations are contained within eight data protection principles. The seventh principle relates to data security and requires us to take appropriate technical and organisational measures to safeguard personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
1.2 We recognise the importance of personal data to our business and the importance of privacy rights to individuals about whom we process personal data. This Policy is intended to assist our staff to comply with the requirements of the seventh principle. This Policy is not limited to protecting personal data but extends to all information which we hold. References to 'personal data' should be read to include information of any kind that is used within the business, including confidential information.
1.3 The Act includes a number of defined terms which are used in this Policy. These terms are:
1.3.1 'data subjects' means individuals about whom we process personal data;
1.3.2 'personal data' means data which relate to a living individual who can be identified from those data or from those data and other information which is in our possession, or likely to come into our possession;
1.3.3 'processing' means virtually anything we do with personal data such as collection, modification, transfer, viewing, deleting, holding, backing up, archiving, retention, disclosure or destruction;
1.3.4 'sensitive personal data' means personal data about an individual's racial or ethnic origin; political opinions; religious beliefs or other beliefs of a similar nature; membership of a trade union; physical or mental health or condition; sexual life; commission or alleged commission of an offence; or the proceedings relating to any alleged or actual offences, the disposal of such proceedings or the sentence of the court in such proceedings.
References to 'we' and 'us' refer to ClinicYou™ Limited.
2. POLICY
2.1 The seventh data protection principle requires us to take appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
2.2 In order to assist us to comply with the seventh principle:
2.2.1 We must comply with the technical and organisational measures set out in the Annex to this Policy whenever we process personal data;
2.2.2 we must consider the nature of the personal data we are processing and determine whether the technical and/or organisational measures are commensurate to the harm that might result if there were a security breach. If the data are also confidential or sensitive personal data, an additional level of security will be required;
2.2.3 examples of confidential information include sensitive personal data concerning someone's physical or mental health or condition. We should only hold personal data for as long as it is required for the purpose for which those data were originally collected. Once the data are no longer required, we must destroy or delete those data securely;
2.2.4 NOTE TO STAFF. PLEASE NOTE ALL STAFF AT CLINICYOU WILL NOT BE ABLE TO ACCESS MEDICAL INFORMATION RELATING TO ANY PATIENTS.
We must immediately report all actual or suspected security breaches to the Security Officer. Where the breach involves personal data, we should also notify the Data Protection Officer.
ClinicYou is responsible for taking reasonable steps to ensure the reliability of employees who have access to personal data. If we are responsible for the recruitment of staff (whether permanent, temporary or contract), we must assist compliance with this requirement by:
- screening/vetting all new staff;
- ensuring all new staff sign terms and conditions which include confidentiality and security obligations;
- taking up references for all new staff;
- ensuring new staff are trained on the care and handling of personal data when they join (e.g. as part of their induction training).
As part of our obligation to ensure the reliability of employees who have access to personal data, we must provide training on the requirements of the Act. If we are responsible for training staff (whether permanent, temporary or contract), we must ensure that periodic training sessions (including refresher courses) are provided to staff on data protection topics, including the care and handling of personal data and security requirements.
ClinicYou is required to take additional security measures whenever it uses third parties to process personal data on its behalf. Third parties may include IT contractors, providers of hosting services for our websites, outsourced service providers, payroll providers, computer maintenance providers and disaster recovery service providers. These third parties are referred to as 'data processors'. If we are responsible for the selection or appointment of any data processors, or are involved in contract negotiations with data processors, we must make sure we only select data processors that provide sufficient guarantees in respect of the technical and organisational security measures they will use in relation to the processing of personal data.
If you have any queries about this Policy, please contact the Data Protection Officer at data@clinicyou.com.
We reserve the right to change this Policy from time to time to take into account any relevant changes in law or guidance from the Information Commissioner. Changes made to this Policy will be made online.
November 2009
ANNEX
TECHNICAL AND ORGANISATIONAL MEASURES
Technical Security Measures
1. Protection against malicious software/viruses
2. Backing up data
3. Encryption
4. Secure exchange of information
5. User access controls, e.g.:
- passwords should be allocated to all users;
- passwords should be changed on a regular basis;
- passwords should not be pinned up next to the computer or anywhere else where they could be seen;
- computers should have password-activated screen savers that can be turned on whenever the user is away from his or her desk;
- passwords should include a mixture of letters and numbers; avoid passwords that are easy to guess such as your name or date of birth;
- different access should be allocated to different users depending on job description and need to access personal or confidential data;
- different access rights should be allocated to individuals who have a need to modify personal or confidential data;
- read and write privileges should be allocated depending on job description and need.
6. Network access controls
7. Monitoring system access and use
8. Guidance on mobile computing (e.g. do not leave laptops unattended in cars or in public places, or on top of desks left unattended overnight)
9. Guidance on teleworking (e.g. do not use your home computer for work purposes unless you have cleared this with the IT department)
10. Disaster recovery
11. Secure destruction or deletion of data and secure disposal of computer equipment and removable media
12. Lockout mechanisms
13. Security audits
14. User authentication
Organisational Security Measures
15. Entry controls to premises
16. Secure access to computer facilities
17. Positioning equipment so as to prevent screens from being overlooked
18. Securing equipment when off-site
19. Secure disposal of equipment or its re-use/re-conditioning
20. Clear desk and clear screens policies to be implemented across the business
21. Procedures should be put in place to handle any breaches of security
22. Training