General Data Protection Regulation (GDPR)

  1. Introduction

    1. Information is one of Medic Finder Ltd's most important assets. Failure to ensure adequate security and protection of information held by Medic Finder Ltd may lead to legal action against Medic Finder Ltd and/or the individual responsible for the breach. Such legal action could include an investigation by the Information Commissioner’s Office (“ICO”), who can impose significant financial penalties, and/or a claim for damages for breach of the General Data Protection Regulation and the Data Protection Act 2018 (together the “Data Protection Legislation”).
    2. In addition to the possibility of legal action being taken against Medic Finder Ltd, if the information held by Medic Finder Ltd is not kept safe, confidence in the Medic Finder Ltd by members of staff and the public at large could be irreparably damaged.
    3. Keeping information secure yet available to those that need it often presents a difficult challenge. This policy strives to achieve a sensible balance of securing the information held by Medic Finder Ltd while making it accessible to those who need the information. Medic Finder Ltd will always however favour security over accessibility where there is any doubt as to the security of information.

  2. Definitions

    1. The Medic Finder Ltd means Medic Finder Ltd.
    2. “Data Protection Legislation” means the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
    3. “Data” means Personal Data and Special Category Personal Data as defined by the Data Protection Legislation, and confidential and sensitive information held by the Medic Finder Ltd.
    4. “Personal Data” means any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    5. “Special Category Personal Data” means information about a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition or sexual life, or genetic or biometric data.
    6. “Processing” means any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring personal data to third parties.
    7. “Data Controller” is the organisation which determines the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with Data Protection Legislation. The Data Controller referred to in this policy is Medic Finder Ltd.
    8. “Data Protection Officer” is the person within the organisation who is responsible for overseeing data protection strategy and implementation to ensure compliance with data protection legislation. Within Medic Finder Ltd that role is held by Yogesh Panjwani.
    9. “Data Subject” means all living individuals about whom Medic Finder Ltd holds Data. A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in respect of their Data and the information that Medic Finder Ltd holds about them.
    10. “Data Processor” means any person who or organisation which processes Data on behalf of the Data Controller including members of staff, volunteers, contractors, and suppliers and any third party whose work involves accessing or otherwise using Data held by Medic Finder Ltd. Data Processors have a duty to protect the information they process for and on behalf of Medic Finder Ltd by following this and other Medic Finder Ltd information governance policies at all times.
    11. “Subject Access Request” (“SAR”) means a request by an individual to Medic Finder Ltd pursuant to Article 15 of the GDPR.
    12. “Information Asset” means Data held by Medic Finder Ltd in any form. This Data may be held electronically by software in computer systems and transferred across a network, on paper, in files or transferred by post, courier or in person.
    13. “Information Governance Policy” means the Data Protection, Freedom of Information, Information Security, Retention, Disposal and Records Management and Subject Access Request policies and any other policies which may from time to time be in place at Medic Finder Ltd.
    14. “ICO” means the Information Commissioner’s Office.
    15. “Information Security” means the protection of information and information systems against unauthorised access to or modification of information, whether in electronic or manual storage, Processing, transit and against the denial of service to authorised users.
    16. “Information Security Breach” means a breach which may be caused by a technical failure, unauthorised access to either Medic Finder Ltd’s network or a Client Device used for Medic Finder Ltd business by a third party, loss of the Medic Finder Ltd’s information and/or inappropriate actions of an individual or individuals which result in the compromise of information belonging to or held by Medic Finder Ltd.
    17. “Information Security Vulnerability” means an identified weakness of a system(s) or process that puts the security and availability of information at risk.
    18. “Member of Staff” means individuals working at Medic Finder Ltd whether on a full time, part time, temporary, fixed term, casual or volunteer basis.
    19. “Client Device” means laptops, tablets, telephones, smartphones, desktop computers or other electronic equipment that could be used for the carrying out of Medic Finder Ltd business or the Processing or storing of information.
    20. “Personal Device” means a Client Device not directly owned by Medic Finder Ltd.
    21. “Username” means a unique sequence of characters used to identify a person, system or service, allowing access to a computer system, computer network, client device, or online account.
    22. “Strong Password” means a phrase of sufficient random characters to prevent guessing or brute-force attacks. A Strong Password must be a minimum of 9 characters and must not use single common number sequences/dictionary words or easily accessible personal information (i.e. any portion of your name, date of birth, telephone numbers or NI numbers). Strong Passwords of fewer than 24 characters must include a combination of three of the following: lowercase and uppercase letters, numbers and symbols.
    23. “Secure Authentication Device” means a device or component integrated into a Client Device that allows the encrypted storage and retrieval of Strong Passwords using biometric information.
    24. “Two-Factor Authentication (also known as Multi-Factor Authentication, MFA or 2FA)” means a method of confirming a claimed identity using a combination of at least two of the following categories: knowledge (something they know, e.g. a password), possession (something they have, e.g. a token), and inherence (something they are, e.g. a fingerprint).
    25. “Authorised User” means a person, or administrative service, that is authorised by the Medic Finder Ltd to authenticate to a system that may contain Data, and potentially to receive authorisation to access resources provided by or connected to that system.
    26. “Removable Media” includes USB sticks, external hard drives, CDs or other media which can be connected to the Medic Finder Ltd network or a Client Device and used for storing information.
    27. “External” means any and all buildings, systems or services not directly owned by the Medic Finder Ltd, including all accounts not ending in [info@medicfinder.co.uk].
    28. “Social Media” means websites and applications that enable users to create and share content or to participate in social networking including Facebook, LinkedIn, Twitter, Google+, and all other social networking sites, internet postings and blogs. It applies to use of Social Media for Medic Finder Ltd purposes as well as personal use that may affect the Medic Finder Ltd in any way.
    29. “Cloud service” means the delivery of computing resources using a network of remote servers hosted on the Internet to store, manage, and process data, rather than local servers or a personal computer.

  3. Summary

    1. Much of the information held by the Medic Finder Ltd is confidential and sensitive in nature. Therefore, it is necessary for all information systems to have appropriate protection against adverse events (accidental or malicious) which may put at risk the activities of Medic Finder Ltd or protection of the information held.
    2. Medic Finder Ltd has a responsibility to maintain:
      1. Confidentiality – access to Data must be confined to those with specific authority to view the Data in question;
      2. Integrity – information should be complete and accurate. All systems, assets and applicable networks must operate correctly and according to any designated specification;
      3. Availability – information must be available and delivered to the right person at the time when it is needed and in accordance with the relevant statutory provisions.
    3. Medic Finder Ltd must minimise the risk of data security breaches and any person connected to or acting on behalf of Medic Finder Ltd must meet the minimum requirements as set by Medic Finder Ltd for connecting to any network operated by or on behalf of Medic Finder Ltd.
    4. It is important that members of staff, governors or anyone else acting on behalf or with the authority of Medic Finder Ltd:
      1. Are aware of how and under what circumstances they are permitted to access Personal Data held by or on behalf of Medic Finder Ltd;
      2. Are aware of who they are allowed to share Personal Data and other information with and how it can and should be shared;
      3. Report any Information Security incidents/breaches, including phishing emails, to the Data Protection Officer in respect of information relating to or held by Medic Finder Ltd. Staff & Governors must follow the Data Breach flowchart in Appendix 4 when reporting a Data Breach;
      4. A Data Breach report must be filled out and passed to the DPO after initial reporting of a breach;
      5. Ensure Data is stored and handled securely and in accordance with this and the other information governance and IT Policies;
      6. Do not ignore, turn off or otherwise bypass any Information Security controls put in place by Medic Finder Ltd;
      7. Do not send, distribute or otherwise divulge Data unless permitted to do so. The sending or distribution of any Data should only be done in accordance with the applicable statutory provisions, this policy and any other applicable policy of Medic Finder Ltd;
      8. Data must only be sent by secure methods, and all Data sent externally shall be encrypted.
      9. A phishing email is an email sent in an attempt to acquire sensitive information such as usernames, passwords or financial information.

  4. Policy Statement

    1. It is essential that Medic Finder Ltd information systems and data networks are adequately protected from events which may compromise the information held or the carrying on of Medic Finder Ltd business and to this end Medic Finder Ltd is committed to developing and maintaining an information systems structure which has an appropriate level of security.
    2. Medic Finder Ltd will maintain the security and confidentiality of Data held by it, its information security systems and relevant applications and networks for which it is directly responsible by:
      1. Ensuring appropriate technical and organisational measures are in place to prevent unauthorised access, damage or interference to and/or with information, IT assets and network services;
      2. Ensuring that it is aware of, and complies with, the relevant legislation as described in this and the other information governance and IT Policies;
      3. Creating and maintaining a level of awareness of the need for information security to be an integral part of the conducting of Medic Finder Ltd business and ensuring that everyone understands their individual and collective responsibilities in this respect;
      4. Protecting Data and other information held by and/or on behalf of Medic Finder Ltd.
    3. To ensure a consistent approach to Information Security, the controls set out at sections 7 and 8 of this policy will apply.

  5. Use of Client and Personal Devices

    1. Client Devices used for, or in connection with, Medic Finder Ltd business and in particular for the collection or storing of Personal Data and/or Special Category Personal Data must be kept secure with Strong Passwords (see Definitions). If available with the device, an approved Secure Authentication Device to aid the entering of the password;
    2. Client Devices used for, or in connection with, Medic Finder Ltd business must not be left unattended in plain sight at any time, including whilst at home or travelling, and must be protected against loss, damage, misuse or unauthorised access. When not in use, Personal Devices must be stored in a secure, lockable location and should never be stored in vehicles, even if locked.
    3. Client Devices used for, or in connection with, Medic Finder Ltd business must not be used to access, view or process Personal Data or Special Category Personal Data in a manner that allows Persons other than the Authorised User to view the Data.
    4. Personal Devices, including but not limited to, laptops, tablets, telephones, smartphones, desktop computers or other electronic equipment, must not be used to store or transmit Data. Where a Member of Staff believes there is a legitimate need to process Special Category Personal Data using a Client Device, the Member of Staff should contact their Line Manager with a business case for the provision of a Client Device, who shall evaluate the business case for such request.
    5. Client Devices used for, or in connection with, Medic Finder Ltd business must be updated with the manufacturer’s software and other updates regularly when updates become available, and where supported have antivirus software installed and regularly updated.
    6. Client Devices used to store Personal Data or Special Category Personal Data must be encrypted.
    7. Client Devices issued by Medic Finder Ltd to a Member of Staff for, or in connection with, Medic Finder Ltd business must only be used by Medic Finder Ltd Members of Staff. At no time shall any other User, including but not limited to family members, friends or employees from another organisation, be permitted to use the device.
    8. If a Client Device used for, or in connection with, Medic Finder Ltd business is lost or stolen, the loss/theft should be reported to the Data Protection Officer and IT Team as soon as possible and in any event within 24 hours of the loss/theft occurring. Where possible the Client Device should be remotely accessed and the information erased.

  6. Removable Media

    1. Removable Media storing Data must only be used as a last resort, when all other options have been considered, including the need to store or process the data. All Data must secure network service is not available.
    2. Only Removable Media provided by Medic Finder Ltd that has been encrypted should be used for the storing of Data.
    3. Removable Media should not be used for the storing of Personal Data, Special Category or Sensitive Data unless the device is capable of and has been encrypted.
    4. Removable Media must be stored securely.
    5. If Removable Media used for, or in connection with, Medic Finder Ltd business is lost or stolen, the loss/theft should be reported to the Data Protection Officer and IT Support Team immediately. Where possible the Personal Device should be remotely accessed and the information erased.

  7. Securing Information

    1. Physical Access Controls
      1. A nominated member of Medic Finder Ltd will be responsible for ensuring the Information Security of all Information Assets held by or on behalf of Medic Finder Ltd. The nominated person will also have and maintain an Information Asset register which should record all Information Assets held by Medic Finder Ltd;
      2. A copy of the Information Asset register will be filed with the Data Protection Officer at the Medic Finder Ltd each year;
      3. Medic Finder Ltd will ensure that only authorised individuals are allowed access to restricted areas containing Personal Data or Special Category Personal Data or information systems where there is an identifiable need to access that area;
      4. Access to Personal Data and/or restricted physical locations will be monitored by the Academies nominated person to ensure authorised access to relevant information and to prevent unauthorised access to Personal Data or Special Category Personal Data;
      5. Where an unidentified person or any other person without authorisation to be in a restricted area is found, the individual is to be challenged as to their identity and the purpose for which they are in the restricted area. If the unauthorised individual has no legitimate reason to be in the restricted area, this information is to be logged as an Information Security Breach and the Data Protection Officer should be consulted as to whether the matter requires reporting to the ICO;
      6. External doors and windows must be locked at the end of each day;
      7. Equipment that serves multiple users must be capable of identifying and verifying the identity of each authorised user;
      8. Devices or equipment capable of displaying output upon multi-user displays or presentation equipment, including but not limited to, Projectors, Interactive Whiteboards, televisions, video walls, remote computer sessions and desktops, or any other form of presentation equipment, must not be used to access, view or process Data in a manner that allows Persons other than the Authorised User to view the Data.
      9. Members of staff of Medic Finder Ltd with access to and use of Data must maintain a clear desk and clear screen policy to reduce the risk of unauthorised access to Information Assets such as papers, media and information processing facilities;
      10. Medic Finder Ltd wireless systems should be secured to industry standard Enterprise security level/appropriate standards suitable for educational use;
      11. Data recorded on paper must be kept locked away in a safe, cabinet or other form of secure furniture when not in use;
      12. Personal Data and Special Category Personal Data, confidential and sensitive information about Medic Finder Ltd whether stored electronically or on paper must be kept locked away in a secure room or in a safe, cabinet or other form of secure furniture when not in use;
      13. Documents containing Data must not be left unsecured, unattended at mail points or on printers, photocopiers, scanners or fax machines and must be removed immediately when received.
    2. Password and Access Control
      1. Access to Data stored electronically must be controlled through the use of a Strong Password;
      2. Access to Authorised User accounts must be controlled, as a minimum, through the use of a password, which must not be less than 8 ASCII characters in length. Where a system or service provides alternative authentication methods, including but not limited to facial or biometric recognition, the alternative authentication method must be in addition to a password;
      3. Members of Staff must ensure that they have a Strong Password for all Authorised User accounts and that the same password is not re-used across different types of system;
      4. Authorised Users are responsible for keeping their assigned password(s) secure and must ensure their password(s) is neither disclosed to, nor used by, anyone else under any circumstances;
      5. Use of another person’s username or password will constitute an Information Security Breach and must be reported in accordance with the procedures set out in this policy or any other relevant policy from time to time in force;
      6. Authorised Users are responsible for ensuring that all Medic Finder Ltd and/or Client Devices used to access Data or other confidential information are logged off, switched off or otherwise controlled by a Strong Password when unattended or not in use, at all times;
      7. Authorised Users with access to the Medic Finder Ltd network or a Client Device which is used for, or in connection with, Medic Finder Ltd business are responsible for any actions carried out under their username and password.
      8. Where available, Members of Staff using critical systems or accessing Personal or Special Category Personal Data should use Two-Factor Authentication.
    3. Cloud Computing
      1. Only cloud computing networks or services, including Social Media commissioned by Medic Finder Ltd, or expressly authorised by the Data Protection Officer, may be used to store and send information concerning or relating to Medic Finder Ltd business. The use of personal cloud storage solutions (Skydrive, Onedrive Personal, iCloud, G-Drive etc.) for the transfer of Medic Finder Ltd information is expressly forbidden.
      2. Personal Data, Special Category Personal Data, confidential and sensitive information, whether on the Medic Finder Ltd network or a Client Device, must not be stored on a cloud computing network or service not commissioned by Medic Finder Ltd, or expressly authorised by the Data Protection Officer.
      3. If Data or other information concerning or relating to Medic Finder Ltd business is to be stored in or on a cloud network, Medic Finder Ltd will take all reasonable steps to find out in which country the Data or other information is being stored, and to ensure that appropriate measures are in place in relation to any Data transferred outside of the EEA.
      4. If Medic Finder Ltd receives notification that Data in respect of Medic Finder Ltd business has been corrupted, lost or otherwise compromised while stored on a cloud network, Medic Finder Ltd should ascertain whether any or all of the information stored in the cloud can be recovered and if this is possible restore that information;
      5. Any corruption, loss or compromise of information held on a cloud network should be recorded in the risk register and if appropriate reported via the mandatory reporting procedure set out at section 9 of this Policy.
    4. Leaving Medic Finder Ltd/Contract Termination
      1. Upon leaving Medic Finder Ltd, Members of Staff must return/transfer, in a useable format, all equipment and information, including Data, to Medic Finder Ltd, on or before the agreed leaving date (e.g. last day of employment) to their Line Manager, or other Medic Finder Ltd representative if their Line Manager is not available. This includes, but is not limited to:
        • All information, including data, used or stored as part of the role, both physical and electronic;
        • All information, including files, documents and emails, including any Data, stored within individual Cloud Service accounts;
        • Client Devices loaned by Medic Finder Ltd, including PIN numbers, usernames or passwords required to reuse or reset the devices;
        • Any Removable Devices provided by Medic Finder Ltd;
        • Access control, PIN, tokens and ID Cards;
        • Keys and PIN numbers used to access physical locations.
      2. The Off-Boarding Checklist (see Appendix 3) must be completed and returned to Human Resources by the leaving date;
      3. After leaving Members of Staff may not attempt to access or use any Medic Finder Ltd information, including any Data.

  8. Storing and Transportation of Non-Electronic Data

    1. Data can be vulnerable to loss, unauthorised access, misuse or corruption when being physically transported, either personally by a Member of Staff of Medic Finder Ltd or when sending Data via the postal service or couriers;
    2. Special controls should be adopted where necessary to protect Data from unauthorised disclosure or modification and may include:
      1. Ensuring the packaging is sufficient to protect the contents from any physical damage likely to arise in transit;
      2. Delivering by hand records containing Personal Data, where appropriate;
      3. Sending Data via secure post such as Royal Mail recorded or signed for delivery or special delivery or as otherwise agreed with the Data Subject;
      4. Records containing Special Category Personal Data shall not be delivered by hand unless absolutely necessary. In which case the following should occur:
        1. Documents transported in vehicles should be hidden away or placed in the boot where possible, and the vehicle locked.
        2. Documents should never be left unattended even in a locked vehicle.
    3. Consideration should be given to the necessity of transporting or moving Data or other records as this increases the risk of Data loss.

  9. Transportation/Transmission of Electronic Data

    1. Personal Data, Special Category Personal Data, confidential and sensitive information sent or transmitted externally using electronic systems or services must be secured using a process that ensures the Data is encrypted, and Users must carefully check the recipient’s contact details before sending.
    2. Data must only be sent or transmitted externally when authorised by job description, Medic Finder Ltd policy, applicable legislation, or when specially authorised by the Data Protection Officer. The sending of Personal Data and Special Category Personal Data to personal cloud systems or services email accounts is expressly forbidden. Members of staff working remotely are required to access Data through the Medic Finder Ltd authorised systems and services.
    3. Data must not be sent using any systems or services, including but not limited to cloud platforms and social media providers or any other type of system not owned by Medic Finder Ltd, including text messaging.
    4. Personal Data and Special Category Personal Data must be sent to named Users only. Multi-User posting, sending or transmission, including, but not limited to, email lists, distribution groups, security groups, chat/team-based groups, forums, rooms, and channels is prohibited.

  10. Information Security Incident Reporting and Management

    1. Medic Finder Ltd will have and maintain a register where all Information Security incidents are logged. The form in Appendix 4 can be used as the basis for reporting Information Security incidents to the Data Protection Officer. This log as a minimum should include:
      1. The nature of the breach;
      2. The number of Information Assets compromised;
      3. How the Information Asset(s) has/have been compromised;
      4. Whether any Special Category Personal Data was compromised;
      5. Whether the incident needs to be reported in accordance with the mandatory reporting section of this policy at paragraph 10.3 below.
    2. Where there has been any breach the Data Protection Officer must be informed immediately, so they can decide if an Information Security Breach has occurred and in order that consideration can be given to reporting the breach to the appropriate authorities;
    3. If there has been an Information Security Breach but it does not involve the compromise of more than 2 records, it should be recorded in the Information Security Incident Log;
    4. Examples of an Information Security Breach include but are not limited to:
      1. Password(s) written down or stored, in an accessible, plain text or otherwise visible, manner to persons other than the Authorised User;
      2. Using another person’s password;
      3. Divulging of a password;
      4. Making use of Personal Data for personal gain;
      5. Accessing Data for personal knowledge;
      6. Attempting to gain access under false pretences;
      7. Unauthorised release of Data;
      8. Knowingly entering inaccurate Data;
      9. Deleting Data prior to the retention period or any other period set out in the Retention, Disposal and Records Management policy expiring;
      10. Loss or misuse of Data;
      11. Malicious damage to equipment or Data;
      12. Changing permissions in a way that allows access to, or sharing information (including Data) with, persons not authorised to access the information;
      13. Unauthorised removal of Data, Medic Finder Ltd equipment or equipment used for or in connection with Medic Finder Ltd business from Medic Finder Ltd premises or another site authorised for the storage of such information or equipment;
      14. Loss or theft of a Client Device used for or in connection with Medic Finder Ltd purposes or any other device belonging to Medic Finder Ltd.

  11. Business Continuity and Disaster Recovery Plans

    1. Medic Finder Ltd will develop a managed process to counteract the interruption of Medic Finder Ltd business caused by major IT service failure. Medic Finder Ltd will ensure that business continuity and disaster recovery plans are produced for all IT systems and networks which store and/or Process Data.
    2. Medic Finder Ltd will have procedures in place to maintain essential services in the event of an IT system failure.

  12. Monitoring and Review

    1. This policy will be reviewed every 4 years or earlier if required and may be subject to change.