32226
32233
GP/D3-11
Information Security Manager
eHealth Business Manager, eHealth Quality and Governance Manager
Information Governance and Security Group
01 September 2017
21 August 2017
01 September 2020
03

1 FUNCTION

This procedure supports the GP/D3 Data Protection and Confidentiality Policy.

NHS Fife recognises that health and related care organisations need to share information and that, in some cases, NHS Fife must allow access to eHealth resources from other parts of the NHS or from vendors supplying application support to NHS systems.

The increased level of sharing brings with it increased risk to the security of the data and of the systems on which it is held. This procedure outlines the framework by which NHS Fife maintains the security of the organisation's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties, and forms part of NHS Fife's ISO 27001 information security management system. It also details how security is addressed in third party agreements and how third party service delivery is managed within NHS Fife.

2 LOCATION

This procedure applies to all staff, contractors and volunteers working with NHS Fife.

3 RESPONSIBILITY

3.1 SIRO (Senior Information Risk Owner)

Taking into account the nature, scope, context and purposes of the processing the third party is going to undertake on behalf of NHS Fife, the SIRO is responsible for ensuring that NHS Fife can demonstrate that processing is performed in accordance with the General Data Protection Regulation.

This involves ensuring that both the third party and NHS Fife have appropriate technical and organisational measures in place, proportionate to the processing taking place.

The Data Controller (delegated to the SIRO) is responsible for adherence to approved codes of conduct or approved certification mechanisms by NHS Fife and its subcontractors.

The SIRO delegates to the Data Protection Office the functions indicated in section 3.2 below.

3.2 Data Protection Officer

The SIRO delegates to the Data Protection Office:

  • the registration of data processors (subcontractors);
  • the verification of the adequacy of the security measures implemented by data processors when processing data on behalf of NHS Fife;
  • the verification of written contracts and contractual data protection clauses with data processors, including the obligation to adhere to codes of conduct, escalation of data breaches, etc.;
  • liaison with data processors to demonstrate compliance with their obligations.

3.3 eHealth Department (and other departments providing IT services for NHS Fife, e.g. Radiology, Laboratories)

In some cases the eHealth Department or another provider of IT services for NHS Fife will be responsible for implementing changes to allow third parties access to NHS Fife's ICT infrastructure, for example:

  • creating Active Directory accounts;
  • granting access through firewalls;
  • facilitating access to the SWAN network.

Note that this list is not exhaustive; requests are reviewed on a case by case basis as per the GP/I6 eHealth Change Management Policy.

3.4 eHealth Change Management

The eHealth Transition Specialist shall ensure that, before any work is authorised to be carried out, a Permit to Work (for third parties requiring access to the I.T. infrastructure) is completed and attached to the Request for Change (RFC) on the Service Desk Call Logging System.

A Permit to Work cannot be approved unless the supplier (third party) is accredited (the Data Protection Office can assist on this matter). Accreditation requires:

  • a risk assessment of the third party (third party security questionnaire);
  • a written data processor contract in place.

3.5 eHealth System Engineers

It is the responsibility of the system engineer to verify that a Permit to Work (PtW) form has been approved and is attached to the RFC before access is granted to external parties; equally, they must check that the third party is accredited (criteria explained in 3.4 above).

In some cases the system engineer will be responsible for submitting an RFC if they are participating in an eHealth project.

In most cases it will be the system engineer who makes the change to the infrastructure that allows the third party access.

3.6 Information Security Manager

The Information Security Manager is responsible for reviewing any Request for Change with information security implications and for providing advice to ensure appropriate security controls are in place.

4 OPERATIONAL SYSTEM

4.1 Identification of Risk Related to Suppliers Procedure

Before allowing suppliers access, a risk assessment must be carried out as part of NHS Fife's established change management process to establish the level of risk and to recommend the necessary counter-measures. The details of any risks shall be incorporated into the Request for Change.

Access to the I.T. infrastructure by third party suppliers will only be allowed when the appropriate measures have been implemented and an agreement has been signed defining the terms of the connection.

Arrangements for third party supplier access to NHS Fife facilities are based on a formal contract containing, or referring to, all of the necessary security conditions to ensure that the organisation concerned can satisfy NHS Fife's security requirements.

4.2 Addressing Security in Supplier Relationship Agreements

In all cases third parties are required to sign a service support agreement. This is a declaration of security and confidentiality and covers the following (see Appendix A, Third Party Supplier Permit to Work form):

  • general policy on information security;
  • permitted access methods and the control and use of user IDs and passwords;
  • a description of each eHealth service to be made available;
  • a requirement to maintain a list of individuals authorised to use the service;
  • times and dates when the service is to be available;
  • date of expiry, extension or formal renewal of the agreement;
  • respective liabilities of the parties to the agreement;
  • procedures regarding protection of NHS Scotland assets, including information;
  • responsibility with respect to legal matters, e.g. Data Protection Act and Freedom of Information (Scotland) Act legislation;
  • the right to monitor user activity and to revoke access;
  • responsibilities regarding hardware and software installation and maintenance;
  • the right of audit over contractual responsibilities;
  • restrictions on copying and disclosing information;
  • measures to ensure the return or destruction of information and assets at the end of the contract;
  • any required physical protection measures;
  • mechanisms to ensure security measures are followed;
  • user training in methods, procedures and security;
  • measures to ensure protection against the spread of computer viruses and other malware;
  • an authorisation process for user access;
  • in the case of access through SWAN, a formal authorisation process for accreditation;
  • arrangements for reporting and investigating security incidents.

The eHealth Security Manager is responsible for the maintenance of these forms, and for liaising with the eHealth infrastructure managers to ensure that a form is completed every time.

4.3 Information Communication Technology Supply Chain

Agreements with suppliers include requirements to address the information security risks associated with the information and communications technology services and product supply chain. NHS Fife defines information security requirements that apply to the acquisition of information and communication technology products or services, in addition to the general information security requirements for supplier relationships.

Some NHS Fife IT suppliers are audited and risk assessed as part of the NHS Scotland National Contract process; due diligence at the contract initiation stage has been conducted by NHS Scotland to identify how they comply with best practice security controls.

eHealth supply chain providers that are not part of a national NHS contract will be risk assessed and shall complete a third party security questionnaire. Whilst the Data Protection Office must ensure that the risk is understood and that adequate contractual documentation is in place, eHealth engineers, project managers and service managers must ensure that access is not granted until the third party is accredited (risk assessed, with a contract in place) and a valid Permit to Work has been approved.

4.4 Supplier Service Delivery Management

Most subcontractors providing ICT services are managed via the eHealth Department; however, some exceptions may apply.

Either way, the eHealth Business Manager or Heads of Departments are responsible for overseeing and managing third party contracts and any support agreements that they have specifically entered into with third parties. It is their responsibility to ensure that no contract is entered into without the assurances required by the SIRO, and to engage with the Data Protection Office for those purposes.

NHS Fife reserves the right to audit these third parties.

5 RISK MANAGEMENT

Any risks identified as part of the relationship with subcontractors must be managed in accordance with the NHS Fife risk management policy.

NHS Fife staff shall respect the confidentiality and privacy of individuals whose records they access, observe any restrictions that apply to sensitive data, and abide by legislation, policies, procedures and guidelines with respect to the access, use or disclosure of information.

The unauthorised disclosure of NHS Fife data in any medium, except as required by an employee's job responsibilities, is expressly forbidden, as is the access to or use of any NHS Fife data for one's own personal gain or profit, or to satisfy one's personal curiosity or that of others.

It is the responsibility of the Line Manager to ensure this procedure is deployed within their area of responsibility.

With regard to the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and review these to ensure they comply with any changes made to the partnership arrangements and to accommodate the requirements associated with developments in Health & Social Care Integration.

6 RELATED DOCUMENTS

GP/D3 – Data Protection and Confidentiality Policy

GP/I5 Information Security Policy

GP/I6 eHealth Change Management Policy

All supplementary NHS Fife Information Security Policies

7 REFERENCES

Computer Misuse Act (1990)

Data Protection Act (1998)

Human Rights Act (1998)

Freedom of Information (Scotland) Act (2002)

NHSS Information Security Policy Framework July 2015


8 Appendix A – Third Party Supplier Permit to Work Form

NO OTHER WORK SHALL BE CARRIED OUT WITHOUT FURTHER AUTHORISATION

SECTION 1 (to be completed by 3rd Party)

WORK AND ACCESS DETAILS

Name of Company, Department:

Data Protection Office registration:
  3rd party security questionnaire approved?  Y/N
  Data Processor contract in place?  Y/N

Contact e-mail address:

Name of Employees Attending:

Locations to be accessed / Remote access to:

Proposed Access Date(s):
  Scheduled Start (dd/mm/yy hh:mm):
  Scheduled End Time (dd/mm/yy hh:mm):

Work Description (provide details of planned work):
  Add / Modify / Remove / Move

Expected Impact (on users/organisation during the change, e.g. system unavailable, reduced performance or limited functionality; also potential impact on other infrastructure, e.g. network traffic; specify any periods of downtime):

Backout Plan attached:  Yes/No

Test Plan attached:  Yes/No

NHS Fife Resource Requirements: preparatory work required by NHS Fife (e.g. rack space, power requirements, networking, firewall changes, telecoms, data backup etc.) and support during implementation.
If yes, please provide details below:

SECTION 2 (to be completed by NHS Fife)

NHS FIFE AUTHORISATION

Names of NHS on-site contacts:

Authorisation Given:  Yes/No

Change Ref No:

Comments:

SECTION 3 (to be completed by 3rd Party)

DECLARATION OF SECURITY & CONFIDENTIALITY

I undertake that I will:

  • treat as confidential and handle securely any information which may be derived from or obtained in the course of any support arrangement with NHS Fife, or which may come into the possession of my company;
  • observe applicable UK statute and not disclose or transmit any information belonging to NHS Fife to any 3rd party without the prior and explicit authorisation of NHS Fife;
  • destroy in a secure manner, when no longer relevant to the problems being investigated, any diagnostics taken from NHS Fife computer systems;
  • ensure that company employees, agents or sub-contractors who may be engaged in any related investigative, support or maintenance activities involving NHS Fife computer systems are subject to the same stringent requirements of security and confidentiality as NHS Fife employees;
  • ensure that all live data will be anonymised subsequent to use for testing purposes;
  • not take photographs without prior approval.

Signed on behalf of (Company Name):

Name (Block Capitals):

Job Title:

Signature:

Contact Telephone No.:

Date:

SECTION 4 (to be completed by 3rd Party)

CONFIRMATION OF ACCESS

Date and time in:

Date and time out:

Comments:

Completed:  Yes/No

Signature:

Date:

SECTION 5 – INTERNAL USE ONLY

NHS Fife I.T. Services Confirmation (to be completed by NHS Fife eHealth Infrastructure Department)

Comments:

Signature: