21051-GDPR

1)      How would you best describe your organisation’s approach to software security?

2)      What is the biggest challenge your organisation faces in implementing an application security program?
  • Reference:
    21051
  • Response:
    1)      How would you best describe your organisation’s approach to software security?
    We are unable to provide an opinion on this matter as the Freedom of Information Act only covers recorded information, not opinion or judgement. Therefore we are unable to respond to this question of your request.

    2)      What is the biggest challenge your organisation faces in implementing an application security program?
    We are unable to provide an opinion on this matter as the Freedom of Information Act only covers recorded information, not opinion or judgement. Therefore we are unable to respond to this question of your request.

    3)      When working with a third party, what standards do you use to ensure data is processed and managed in a compliant manner?
    The NHS Standard Contract covers the standards, found at: https://www.england.nhs.uk/nhs-standard-contract/19-20/ and this is further monitored and assessed through the NHS Digital Data Security and Protection Toolkit.

    4)      What percentage of software applications are developed in-house vs. supplied by third parties (commercial software and open source components)?
    (a) Less than 10 percent
    (b) More than 10 percent, but less than 50 percent
    (c) More than 50 percent

    Answer – (a) less than 10 percent

    5)      What percentage of your software development organization has received data privacy related training?
    (a) Less than 10 percent
    (b) More than 10 percent, but less than 50 percent
    (c) More than 50 percent

    We are not a software development organisation.

    6)      With the GDPR deadline nearly a year past, how have software procurement, development, and management practices changed from prior practices?
    Software procurement, development and management practices continue to comply with legislation in place and the NHS Standard Contract.

    7)      When data processing by external providers is involved, to which security frameworks are providers held to account?
    As an NHS Trust we follow a variety of legislation and guidance supplied by NHS Digital – this may include procurement through an existing NHS Procurement Framework. We may also undertake due diligence and ensure that the provider is registered with the Data Security and Protection Toolkit (DSPT), which is required for all organisations dealing with NHS patient information.

    8)      Are security reviews of external providers performed primarily by internal teams or are industry certifications and auditor reports used to verify ongoing compliance?
    The Trust submits the Data Security and Protection Toolkit to measure performance against the National Data Guardian’s ten data security standards. The toolkit is used to provide assurance that personal information is handled correctly and that there is a good level of data security.

    9)      What controls are in place to ensure reviews of consent and data processing policies remain current as applications evolve? (For example, if additional data processing via external sources were required but consent for such processing wasn’t originally obtained, would updated consent be sought?)
    This is controlled via the Trust’s Information Governance Group and monitored on the Trust Information Asset Register.

    10)   In the past five years, has your organisation suffered a data privacy incident which would now be required to be reported under GDPR?
    Since the 25th of May 2018 (the date GDPR came into force) to the current day we have had 37 incidents reported to the ICO. From 2014 until the 25th May 2018 we reported 35 incidents to the ICO. It would take over the 18-hour time frame to re-evaluate incidents reported prior to the 25th of May 2018 and determine whether they would be reportable under GDPR. However, we have provided our figures of data privacy incidents that were reportable to the ICO.

    (a) What processes were implemented to address shortcomings contributing to these incidents?
    A variety of processes have been implemented to address shortcomings contributing to these incidents; examples of these are below:
    • Team and/or individual awareness raised
    • Procedure altered
    • Disciplinary
    • Equipment changed or replaced
    • Information notice circulated
    • Policy implemented or changed
    • Training – team and/or individual

    11)   Has your organisation suffered at least one data privacy incident which was reported under GDPR?
    Yes, the Trust has reported 37 incidents to the ICO.

    12)   To which position(s) does your data protection officer report (For example, CISO, CRMO, CIO, CFO, MD, CEO)?
    Directly to the Deputy Director of Clinical Quality; however, the data protection officer has direct access to the SIRO, Caldicott Guardian and CEO if deemed necessary.

    13)   Has your organisation received any requests under the GDPR “Right to Access” provisions?
    If yes, what is the average response time to compile and communicate the response?
    Yes.
    The average response time for the Trust to compile and communicate a Subject Access Request is 28.41 days.

    14)   How does your organisation verify the security of third-party software prior to purchasing and deploying it?
    Through a rigorous procurement process, using software appearing on NHS Frameworks (security is checked as part of the process) and the NHS Standard Contract; suppliers of large applications confirm compliance with security standards.

  • Area:
    Trust wide
  • Category:
    Risk and Governance
  • Month:
  • Year: