Governance. Defend. Prevent. Respond OUR GROUP GDPR INFORMATION SECURITY FRAMEWORK FOREWORD

Similar documents
OUR GROUP GDPR INFORMATION SECURITY FRAMEWORK

Collecting and Handling Health Data in a GDPR World

Darwin Marine Supply Base HSEQ Quality Management Plan

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person.

a practical guide ISO 13485:2016 Medical devices Advice from ISO/TC 210

ISO and the Delivery of Competent NDT Services

ISO 13485:2016 MEDICAL DEVICES QMS TRANSITION GUIDE

Committed to Environment, Health and Safety

Specific Accreditation Guidance OECD GLP

MEMORANDUM OF UNDERSTANDING THE INDEPENDENT FUNDRAISING STANDARDS & ADJUDICATION PANEL FOR SCOTLAND AND THE FUNDRAISING REGULATOR

The Impact of GDPR on Clinical Trials

Comments on Consultative Report Governance arrangements for critical OTC derivatives data elements (other than UTI and UPI)

PROVIDER CONTRACT ISSUES

We get your personal data from the following sources (examples detailed below are not exhaustive):

a practical guide Medical Devices Advice from ISO/TC 210 This is a free 11 page sample. Access the full version online.

Lakshy Management Consultant Pvt. Ltd.

THE POWER OF NUTRITION. Safeguarding Policy. June 18 1

Swan Advocacy. Trustee Candidate Information. Contents: Welcome from the Chief Executive of Swan Advocacy. About us. The person we re looking for

Justice Committee. Alternative Dispute Resolution. Written submission from Scottish Mediation

THE RESPONSIBLE PHARMACIST REGULATIONS

XOSERVE LIMITED SERVICES SCHEDULE FOR THE PROVISION OF NON-CODE USER PAYS SERVICES (REFERENCE NUMBER XNCUP(SS)06) DATED 20 INTRODUCTION

Committed to Environment, Health, & Safety

Kirklees Safeguarding Children Board. Annual Report. January 2011 March Executive Summary.

Standards of Conduct for Transmission Providers

LEAF Marque Assurance Programme

Medical gap arrangements - practitioner application

Driving Improvement in Healthcare Our Strategy

Supplier Code of Business Conduct

NAPAC Trustees. Candidate Recruitment Pack

Ofsted Inspection Report

Hampshire Safeguarding Adults Board. Organisational Safeguarding Audit Tool

Cancer Improvement Plan Update. September 2014

Safeguarding Strategy

Bishop s University Research Ethics Policy

EFSA s Catalogue of support initiatives during the life-cycle of applications for regulated products. European Food Safety Authority (EFSA)

QUALITY REVIEW PROGRAM REVIEW OF FORENSIC ACCOUNTING ENGAGEMENT QUESTIONNAIRE

Approval of Dosimetry Services in Ireland Guidelines for Applicants

OUR VISION AND PLAN We create places for people to call home and support them to live well

ESM MANAGEMENT COMMENTS ON BOARD OF AUDITORS ANNUAL REPORT TO THE BOARD OF GOVERNORS. for the period ended 31 December 2015

A proposal for collaboration between the Psychometrics Committee and the Association of Test Publishers of South Africa

The Importance of Hygiene

WORLDWIDE FLIGHT SERVICES PRIVACY SHIELD POLICY

GDC Disclosure and Publication Policy

Welcome to presentation By Sanjay Punjabi Lead Auditor for ISO 9001, ISO 14001, OHSAS & BS 7799

National Principles for Child Safe Organisations

ESRC-NIHR dementia research initiative 2018 outline call Call specification

IT and Information Acceptable Use Policy

ICTR Statement of Guiding Principles for Fundraising AmcL Finance Revised July 13 ICTR STATEMENT OF GUIDING PRINCIPLES FOR FUNDRAISING

Trust Policy 218 Ionising Radiation Safety Policy

Engaging People Strategy

Strategic Plan

Brussels, 20 December 2011 (Case ) 1. Proceedings

NOT PROTECTIVELY MARKED. Interpreters

The Economic and Social Council, Recalling the United Nations Millennium Declaration13 and the 2005 World Summit Outcome, 1

1. These regulations have been adopted in recognition of the following fundamental sporting imperatives:

Emerging Technology Open Working Group

IAYMH International Youth Mental Health Conference, Expression of Interest in hosting 2019 event

RADIOLOGIST JOB DESCRIPTION. Head of Radiology Department Radiology Manager

Tobacco Free Ireland Action Plan

THE CARDIFF COMMITMENT TO YOUTH ENGAGEMENT AND PROGRESSION: REPORT OF DIRECTOR OF EDUCATION & LIFELONG LEARNING

Human Research Participant Protection Program

Support Facilitator Partners in Recovery - Ashfield

Code of Practice on HIV/AIDS and Other Life Threatening Illnesses for the Public Sector. Ministry of Labour

WHY AN EFFECTIVE NATIONAL REGULATORY INFRASTRUCTURE IS ESSENTIAL FOR A COUNTRY S RADIATION PROTECTION SYSTEM

Wiltshire Safeguarding Adults Board

Our raffles comply with the following policies:

Multi-sectoral aspects of pandemic preparedness and response

Medical Research Law & Policy Report

Cutanea Life Sciences, Inc. Comprehensive Compliance Program

EHR Developer Code of Conduct Frequently Asked Questions

RECOMMENDATION ADOPTED BY THE INTERGOVERNMENTAL COMMITTEE FOR THE NAGOYA PROTOCOL AT ITS FIRST MEETING

This paper contains analysis of the results of these processes and sets out the programme of future development.

Report to the. GAVI Alliance Board June 2013

How can the vulnerability of mobile populations (affected by infrastructure programmes) be reduced?

Quality Assurance Standard. Implemented 1991 Revised Version 3.0

A New Participant s Guide to CVA Qualification

BEST PRACTICE IN THE APPLICATION OF NDT AN UPDATE J. M. Farley Mitsui Babcock, Renfrew, UK

WCO Guidelines for the recognition of University Customs Curricula (2018)

TGA: the current regulatory reform agenda

Global Harmonization Task Force SG3 Comments and Recommendations ISO/DIS 9001: 2000 and ISO/DIS 9000: 2000 And Revision of ISO and 13488

Workplace Drug and Alcohol Policy

Kiwa Inspecta. Kiwa Inspecta. Trust Quality Progress

NO SMOKING POLICY POLICY IMPLEMENTATION CHECKLIST

SAMPLE. Certificate IV in Fitness

INVOLVING YOU. Personal and Public Involvement Strategy

Australian Sonographer Accreditation Registry (ASAR) Policy & Procedures 6 - Reporting Accreditation Decisions

Submitting a Suspicious Activity Report (SAR)

UPDATES TO CALIFORNIA PROPOSITION 65 GUIDELINES

Strategy Sports Grounds Safety Authority Updated February 2018

Mental Health Matters

Joint Office of Gas Transporters 0209: URolling AQ

BMA INFORMATION BULLETIN No. 23. International Safety Management (ISM) Code

Physiotherapy Tender Questions and Answers

Community Health Improvement Plan

Recommendation 2: Voluntary groups should be supported to build their capacity to promote mental health among their client groups.

Safeguarding Children and Young People Policy

OHSAS 18001:2007 OCCUPATIONAL HEALTH & SAFETY MANAGEMENT SYSTEM WHITE PAPER Lakshy Management Consultant Pvt Ltd aiming excellence

1 2 FEBRUARY 2019 HILTON MANCHESTER DEANSGATE HOTEL

International Standard for Athlete Evaluation. July 2015

Submitted to the House Energy and Commerce Committee. Federal Efforts to Combat the Opioid Crisis

Transcription:

OUR GDPR FRAMEWORK

OUR GROUP GDPR INFORMATION SECURITY FRAMEWORK Continuously improving our information security infrastructure for 2018 and beyond. MISSION STATEMENT Governance Our Group has worked hard to build a governance framework that embodies information security at its heart. This allows us to support our customers in meeting their legal and regulatory obligations. Defend As one of the few organisations in our sector to have achieved ISO 27001 information security certification, we will build the requirements of the GDPR into our existing framework to protect the security and integrity of all of the data we process. Prevent We will continue to develop and strengthen our controls to identify vulnerabilities so that we can anticipate potential incidents before they occur. Respond Our Group will be transparent in the way in which we communicate to our customers so that we can continue to protect the rights of our data subjects. FOREWORD Donald Fowler, Chief Executive, Premex Group. The recent global ransomware attack has highlighted that adequate and effective information security is paramount to any business. ExamWorks Investigation Services, part of the Premex Group of companies, has always recognised the importance of information security and the need to manage this as a fundamental aspect of our internal risk and governance framework. In 2014 our commitment to this cause propelled us on a journey that not only resulted in certification under the globally recognised ISO/IEC 27001:2013 standard, but it also brought about a cultural transformation across our businesses in the UK. Our overall aim has always been, and will continue to be, the integration of information security as a core consideration in each and every process spanning the length and breadth of our UK Group. We have a dedicated team in place of compliance, legal and IT security professionals who provide support and guidance to our Group to ensure our staff recognise and prioritise the protection of data. With the introduction of the General Protection Regulation (GDPR) in May 2018, we wanted to take this opportunity to assure our customers of our ongoing commitment to information security and the steps we are taking to strengthen our governance controls, so that we can continue to meet and exceed our legal and customer requirements. We hope you find this overview helpful and invite you to contact our GDPR project team with any questions you may have, or to request further information about how we are working towards GDPR compliance. CONTENTS What is the GDPR? Our Group s approach to information security Our Group s GDPR program of work Ensuring GDPR compliance 2 3

WHAT IS THE GDPR? 25 MAY 2018 The EU General Protection Regulation (GDPR) was introduced on 25th May 2018 to replace elements of the Protection Act 1998. This regulation creates new legal obligations which will have a significant impact upon the way in which organisations must handle personal data. OUR GROUP S APPROACH TO INFORMATION SECURITY WHO DOES IT APPLY TO? It applies to all organisations - public and private, anywhere in the world that handle, store or process the personal data of EU citizens. GDPR dictates the procedures and consequences surrounding data breaches and notification requirements. 2014: Commenced project to achieve 2014 ISO/IEC 27001:2013 certification In 2014 our Group chose to pursue the internationally recognised ISO/IEC 27001:2013 certification to demonstrate our commitment to information security and continue to set the standard in our industry. THE CONSEQUENCES OF NON-COMPLIANCE ARE SEVERE: FINES 20m OF UP TO ORGANISATIONS MAY NEED TO APPOINT A DATA PROTECTION OFFICER. Staff Training Internal Audits Notifying the supervisor if there is a breach All data being stored should be obtained by consent: OPT IN NOT OPT OUT 2016: We achieve ISO/IEC 27001:2013 certification 2016 In 2016 we achieved the highest standard of information security across our sites at Bolton and Durham, providing customers with complete assurance of our commitment to protect all data. OR 4% OF GLOBAL TURNOVER GDPR breaches must be reported within72 hours The risk of class action lawsuits from data breach victims The UK government has confirmed that our decision to leave the EU will not affect the introduction of the GDPR GDPR will impact on both controllers and processors New rights for individuals such as the right to be forgotten and the right to data portability subjects will have a right of compensation in respect of breaches In order to meet the requirements of the GDPR we are now building upon our existing information security management system (ISMS) 2017 2017: Build GDPR Prevent & Respond framework 2018 2018: The GDPR comes into force 4 5

OUR GROUP S GDPR PROGRAM OF WORK Asset Incident Policy Framework Internal Audit Plan Business Continuity Risk Information Lifecycle Complaints Consent Pseudonymisation Erasure/ Restriction Encryption Communications Strategy Privacy Impact Assessments Supplier Interested Parties Protection Officer Erasure Subject Access Requests Customer Process Control Log Fair Processing Notice Restriction Anonymisation Portability ENSURING GDPR COMPLIANCE POLICY FRAMEWORK Our policy framework forms a fundamental part of our information security management system as it sets out the principles we apply as a Group to protect information. Our Group will review existing principles and policies to ensure they are in line with the regulation s requirements. INCIDENT MANAGEMENT Our Group is continuing to build upon existing processes to ensure any incidents are identified and managed swiftly and in line with the regulation. FAIR PROCESSING NOTICE Our Group understands the importance of transparency in data processing. Our fair processing notices will provide clear guidance to data subjects on how our Group will handle and process information as well as be a point of contact for any questions. SUBJECT ACCESS REQUESTS Our Group has controls in place to respond to any requests from data subjects. As part of our program of work we will look to develop these controls so that we can meet the reduced timescales for the provision of data in line with the GDPR. CONSENT PRIVACY IMPACT ASSESSMENTS Our Group has always sought consent to process personal data and provides clear guidelines to data subjects on how we will process and handle their data. We will seek to ensure existing controls around consent meet the requirements of the GDPR so that we are truly transparent in our processes. Our Group has always embodied the philosophy of privacy by design and default. With a dedicated change management function in place across the Group we are able to consider privacy from the outset of any change. This way we can ensure we integrate the requirements of the GDPR throughout the lifecycle of a change. If you have any questions or would like to discuss this with us, please feel free to get in touch. Otherwise we would be grateful if you could return the attached signed copy of the Addendum to ensure that we both fulfil our obligations under GDPR. CONTACT DETAILS: We welcome any questions you may have in relation to our framework. Please send your queries to claims@examworks-is.co.uk. SUPPLIER MANAGEMENT We recognise that third party suppliers are an area of risk for the Group. Our supplier management program is a fundamental aspect of our control framework. All suppliers are assessed and, where applicable, audited on the basis of risk and controls and contractual provisions are applied accordingly. 6 7

2024 © healthdocbox.com Privacy Policy | Terms of Service | Feedback