Principles of Data Protection and Information Security
Information security supports the preservation of:
- confidentiality: protecting information from unauthorised access and disclosure;
- integrity: safeguarding the accuracy and completeness of information and processing methods; and
- availability: ensuring that information and associated services are available to authorised users when required.
Statement of Compliance
- Only the minimum data is stored as required for analysis, feedback and research.
- All patient data received, stored and utilised is anonymous, using only patient reference identifiers, gender and age as necessary for data analysis and reporting.
- Published data identifies sources only with their express permission.
- Data is backed up offsite, automatically and with a frequency not less than weekly.
- Access to data by staff is password protected.
- Any supplier or partner organisations shall have in place information security policies supporting these principles and at least matching this policy.
- The principal supplier of data warehousing services is Methods Analytics Ltd; see their NHS IG framework certificate.
- GP Access Ltd is registered as a data controller with the Information Commissioner’s Office, number Z3487875.
Information controlled by the company falls into the following categories and is managed accordingly.
- Public: We put data, research, case studies and other materials into the public domain via our website and other routes. On occasion it may be embargoed until a specific date and time.
- Private: Information which can be seen by anyone who has a link to it, but is not searchable within the public domain.
- Hidden: The information is specific to clients, accessed by a link unique to the client, and it is up to the client to decide who may use the link. Clients have their own unique webpage with a randomly generated URL. By exception, clients may request a password to be placed on the page but this is not normally provided. No personal data may be placed on such a page. If a private link is accidentally revealed to others who should not have access to it, the operations manager will, immediately on learning of this, replace the random URL with a new random address. The client will then be informed of the new address.
- Protected: The information can be accessed only through a password protection system. Normally this is for internal use by approved staff, and it covers all internal systems. Passwords must be a combination of letters and symbols, and must not be based on dictionary words or personal data. If anyone suspects that protected data has been misused, they must change their password and inform the operations manager immediately.
Reviewed on 6 April 2014, H Longman