Living With Ltd Data Security Policy

(Updated 5th September 2018)

1. Introduction

This document sets out the measures to be taken by all employees of Living With Ltd (the “Company”) and by the Company as a whole in order to protect data (electronic and otherwise) collected, held, and processed by the Company, and to protect the Company’s computer systems, devices, infrastructure, computing environment, and any and all other relevant equipment (collectively, “IT Systems”) from damage and threats whether internal, external, deliberate, or accidental.

For the purposes of this Policy, “data” shall refer to the following type(s) of data:

(a)    Patient data.

(b)    Clinician data.

(c)    Health Care Provider data.

(d)    Insurer data.

(e)    Pharmaceutical Company data.

For the purposes of this Policy, “personal data” shall carry the meaning defined in Article 4 of EU Regulation 2016/679 General Data Protection Regulation (“GDPR”): any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2. Key Principles

2.1    All IT Systems and data are to be protected against unauthorised access.

2.2    All IT Systems and data are to be used only in compliance with relevant Company Policies.

2.3    All personal data must be used only in compliance with the GDPR and the Company’s Data Protection Policy.

2.4    All employees of the Company and any and all third parties authorised to use the IT Systems and data collected, held, and processed by the Company including, but not limited to, contractors and sub-contractors (collectively, “Users”), must ensure that they are familiar with this Policy and must adhere to and comply with it at all times.

2.5    All line managers must ensure that all Users under their control and direction must adhere to and comply with this Policy at all times as required under paragraph 2.4.

2.6    All data must be managed securely in compliance with all relevant parts of the GDPR and all other laws governing data protection whether now or in the future in force.

2.7    All data must be classified appropriately (including, but not limited to, personal data, sensitive personal data, and confidential information). All data so classified must be handled appropriately in accordance with its classification.

2.8    All data, whether stored on IT Systems or in hardcopy format, shall be available only to those Users with a legitimate need for access.

2.9    All data, whether stored on IT Systems or in hardcopy format, shall be protected against unauthorised access and/or processing.

2.10    All data, whether stored on IT Systems or in hardcopy format, shall be protected against loss and/or corruption.

2.11    All IT Systems are to be installed, maintained, serviced, repaired, and upgraded by the development team or by such third party/parties as the Managing Director may from time to time authorise.

2.12    The responsibility for the security and integrity of all IT Systems and the data stored thereon (including, but not limited to, the security, integrity, and confidentiality of that data) lies with the development team unless expressly stated otherwise.

2.13    The responsibility for the security and integrity of data that is not stored on the IT Systems lies with the Data Protection Officer, Joanna Rota, Joanna.Rota@livingwith.health.

2.14    All breaches of security pertaining to the IT Systems or any data stored thereon shall be reported and subsequently investigated by the development team. Any breach which is either known or suspected to involve personal data shall be reported to the Data Protection Officer.

2.15    All breaches of security pertaining to data that is not stored on the IT Systems shall be reported and subsequently investigated by the Data Protection Officer.

2.16    All Users must report any and all security concerns relating to the IT Systems or to the data stored thereon immediately to the development team. If any such concerns relate in any way to personal data, such concerns must also be reported to the Data Protection Officer.

2.17    All Users must report any and all security concerns relating to data that is not stored on the IT Systems immediately to the Data Protection Officer.

3. Department Responsibilities

3.1    The Head of Development, Alex Clarke, shall be responsible for the following:

(a)    ensuring that all IT Systems are assessed and deemed suitable for compliance with the Company’s security requirements;

(b)    ensuring that IT security standards within the Company are effectively implemented and regularly reviewed, working in consultation with the Company’s senior management and Data Protection Officer, as appropriate, and reporting the outcome of such reviews to the Company’s senior management;

(c)    ensuring that all Users are kept aware of the IT-related requirements of this Policy and of all related legislation, regulations, and other relevant rules whether now or in the future in force including, but not limited to, the GDPR and the Computer Misuse Act 1990.

3.2    The Data Protection Officer shall be responsible for the following:

(a)    ensuring that all other data processing systems and methods are assessed and deemed suitable for compliance with the Company’s security requirements;

(b)    ensuring that data security standards within the Company are effectively implemented and regularly reviewed, working in consultation with the Company’s senior management and Data Protection Officer, as appropriate, and reporting the outcome of such reviews to the Company’s senior management;

(c)    ensuring that all Users are kept aware of the non-IT-related requirements of this Policy and of all related legislation, regulations, and other relevant rules whether now or in the future in force including, but not limited to, the GDPR.

3.3    The development team shall be responsible for the following:

(a)    assisting all Users in understanding and complying with the IT-related aspects of this Policy;

(b)    providing all Users with appropriate support and training in IT security matters and use of IT Systems;

(c)    ensuring that all Users are granted levels of access to IT Systems that are appropriate for each User, taking into account their job role, responsibilities, and any special security requirements;

(d)    receiving and handling all reports relating to IT security matters and taking appropriate action in response including, in the event that any reports relate to personal data, informing the Data Protection Officer;

(e)    taking proactive action, where possible, to establish and implement IT security procedures and raise User awareness;

(f)    assisting the Head of Development in monitoring all IT security within the Company and taking all necessary action to implement this Policy and any changes made to this Policy in the future; and

(g)    ensuring that regular backups are taken of all data stored within the IT Systems at intervals no less than once a month and that such backups are stored at a suitable location.

3.4    The Data Protection Officer shall be responsible for the following:

(a)    assisting all Users in understanding and complying with the non-IT-related aspects of this Policy;

(b)    providing all Users with appropriate support and training in data security matters;

(c)    ensuring that all Users are granted levels of access to data that are appropriate for each User, taking into account their job role, responsibilities, and any special security requirements;

(d)    receiving and handling reports concerning non-IT-related data security matters and taking appropriate action in response [including, in the event that any reports relate to personal data, informing the Data Protection Officer];

(e)    taking proactive action, where possible, to establish and implement security procedures and raise User awareness; and

(f)    assisting in monitoring data security within the Company and taking all necessary action to implement this Policy and any changes made to this Policy in the future.

4. Users’ Responsibilities

4.1    All Users must comply with all relevant parts of this Policy at all times when using the IT Systems and data.

4.2    All Users must use the IT Systems and data only within the bounds of UK law and must not use the IT Systems or data for any purpose or activity which is likely to contravene any UK law whether now or in the future in force.

4.3    Users must immediately inform the development team and the Data Protection Officer of any and all security concerns relating to the IT Systems or data.

4.4    Users must immediately inform the development team of any other technical problems (including, but not limited to, hardware failures and software errors) which may occur on the IT Systems.

4.5    Any and all deliberate or negligent breaches of this Policy by Users will be handled as appropriate under the Company’s disciplinary procedures.

5. Software Security Measures

5.1    All software in use on the IT Systems (including, but not limited to, operating systems, individual software applications, and firmware) will be kept up-to-date and any and all relevant software updates, patches, fixes, and other intermediate releases will be applied at the sole discretion of the development team. This provision does not extend to upgrading software to new ‘major releases’ (e.g. from version 1.0 to version 2.0), only to updates within a particular major release (e.g. from version 1.0 to version 1.0.1 etc.). Unless a software update is available free of charge it will be classed as a major release, falling within the remit of new software procurement and outside the scope of this provision.

5.2    Where any security flaw is identified in any software, that flaw will either be fixed immediately or the software may be withdrawn from the IT Systems until such time as the security flaw can be effectively remedied.

5.3    No Users may install any software of their own, whether that software is supplied on physical media or whether it is downloaded, without the approval of the Head of Development. Any software belonging to Users must be approved by the Head of Development and may only be installed where that installation poses no security risk to the IT Systems and where the installation would not breach any licence agreements to which that software may be subject.

5.4    All software will be installed onto the IT Systems by the development team unless an individual User is given written permission to do so by the Head of Development. Such written permission must clearly state which software may be installed and onto which computer(s) or device(s) it may be installed.

6. Anti-Virus Security Measures

6.1    Most IT Systems (including all computers and servers) will be protected with suitable anti-virus, firewall, and other suitable internet security software. All such software will be kept up-to-date with the latest software updates and definitions.

6.2    All IT Systems protected by anti-virus software will be subject to a full system scan at least weekly.

6.3    All physical media (e.g. USB memory sticks or disks of any kind) used by Users for transferring files must be virus-scanned before any files may be transferred. Such virus scans shall be performed automatically upon connection / insertion of media.

6.4    Any files being sent to third parties outside the Company, whether by email, on physical media, or by other means (e.g. shared cloud storage) must be scanned for viruses before being sent or as part of the sending process, as appropriate.

6.5    Where any virus is detected by a User this must be reported immediately to the development team. The development team shall promptly take any and all necessary action to remedy the problem. In limited circumstances this may involve the temporary removal of the affected computer or device. Wherever possible a suitable replacement computer or device will be provided to limit disruption to the User.

6.6    Where any User deliberately introduces any malicious software or virus to the IT Systems this will constitute a criminal offence under the Computer Misuse Act 1990 and will be handled as appropriate under the Company’s disciplinary procedures.

7. Hardware Security Measures

7.1    Wherever practical, IT Systems will be located in rooms which may be securely locked when not in use or, in appropriate cases, at all times whether in use or not (with authorised Users being granted access by means of a key, smart card, door code or similar). Where access to such locations is restricted, Users must not allow any unauthorised access to such locations for any reason.

7.2    All IT Systems not intended for normal use by Users (including, but not limited to, servers, networking equipment, and network infrastructure) shall be located, wherever possible and practical, in secured, climate-controlled rooms and/or in locked cabinets which may be accessed only by designated members of the development team.

7.3    No Users shall have access to any IT Systems not intended for normal use by Users (including such devices mentioned above) without the express permission of the Head of Development.

7.4    All mobile devices (including, but not limited to, laptops, tablets, and smartphones) provided by the Company should always be transported securely and handled with care.

7.5    The development team shall maintain a complete asset register of all IT Systems. All IT Systems shall be labelled, and the corresponding data shall be kept on the asset register.

8. Organisational Security

8.1    All Users handling data (and in particular, personal data) will be appropriately trained to do so.

8.2    All Users handling data (and in particular, personal data) will be appropriately supervised.

8.3    All Users handling data (and in particular, personal data) shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to such data, whether in the workplace or otherwise.

8.4    Methods of collecting, holding, and processing data (and in particular, personal data) shall be regularly evaluated and reviewed.

8.5    All personal and non-personal data held by the Company shall be reviewed periodically, as set out in the Company’s Data Retention Policy.

8.6    The performance of those Users handling personal data shall be regularly evaluated and reviewed.

8.7    All Users handling personal data will be bound to do so in accordance with the principles of the GDPR and the applicable Company Policies by contract.

8.8    No data, personal or otherwise, may be shared informally and if a User requires access to any data, personal or otherwise, that they do not already have access to, such access should be formally requested from the Managing Director.

8.9    No data, personal or otherwise, may be transferred to any unauthorised User without the authorisation of the Managing Director.

8.10    All data must be handled with care at all times and should not be left unattended or on view to unauthorised Users or other parties at any time.

9. Access Security

9.1    Access privileges for all IT Systems and data shall be determined on the basis of Users’ levels of authority within the Company and the requirements of their job roles. Users shall not be granted access to any IT Systems or data which are not reasonably required for the fulfilment of their job roles.

9.2    All IT Systems (and in particular mobile devices including, but not limited to, laptops, tablets, and smartphones) shall be protected with a secure password or passcode, or such other form of secure log-in system as the development team may deem appropriate and approve.

9.3    All passwords must, where the software, computer, or device allows:

(a)    be at least 8 characters long;

(b)    contain a combination of upper and lower case letters/numbers and symbols;

(c)    be changed at least every 90 days;

(d)    be different from the previous password;

(e)    not be obvious or easily guessed (e.g. birthdays or other memorable dates, memorable names, events, or places etc.); and

(f)    be created by individual Users.

9.4    Passwords should be kept secret by each User. Under no circumstances should a User share their password with anyone. No User will be legitimately asked for their password by anyone at any time and any such request should be refused. If a User has reason to believe that another individual has obtained their password, they should change their password immediately.

9.5    If a User forgets their password, this should be reported to the development team. The development team will take the necessary steps to restore the User’s access to the IT Systems which may include the issuing of a temporary password which may be fully or partially known to the member of the Staff responsible for resolving the issue. A new password must be set up by the User immediately upon the restoration of access to the IT Systems.

9.6    Users should not write down passwords if it is possible to remember them. If a User cannot remember a password, it should be stored securely (e.g. in a locked drawer or in a secure password database) and under no circumstances should passwords be left on display for others to see (e.g. by attaching a note to a computer display).

9.7    All IT Systems with displays and user input devices (e.g. mouse, keyboard, touchscreen etc.) shall be protected, where possible, with a password protected screensaver that will activate after 15 minutes of inactivity. This time period cannot be changed by Users and Users may not disable the screensaver. Activation of the screensaver will not interrupt or disrupt any other activities taking place on the computer (e.g. data processing).

9.8    All mobile devices (including, but not limited to, laptops, tablets, and smartphones) provided by the Company shall be set to lock, sleep, or similar, after 15 minutes of inactivity, requiring a password, passcode, or other form of log-in to unlock, wake, or similar. Users may not alter this time period.

10. Data Storage Security

10.1    All data stored in electronic form, and in particular personal data, should be stored securely using passwords and data encryption.

10.2    All data stored in hardcopy format or electronically on removable physical media, and in particular personal data, should be stored securely in a locked box, drawer, cabinet, or similar.

10.3    No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise.

10.4    No data, and in particular personal data, should be transferred to any computer or device personally belonging to a User unless the User in question is a contractor or sub-contractor working on behalf of the Company and that User has agreed to comply fully with the Company’s Data Protection Policy and the GDPR.

11. Data Protection

11.1    All personal data (as defined in the GDPR) collected, held, and processed by the Company will be collected, held, and processed strictly in accordance with the principles of the GDPR, the provisions of the GDPR and the Company’s Data Protection Policy.

11.2    All Users handling data for and on behalf of the Company shall be subject to, and must comply with, the provisions of the Company’s Data Protection Policy at all times. In particular, the following shall apply:

(a)    All emails containing personal data and/or other data covered by this Policy must be encrypted.

(b)    All emails containing personal data and/or other data covered by this Policy must be marked “confidential”;

(c)    Personal data and/or other data covered by this Policy may be transmitted over secure networks only; transmission over unsecured networks is not permitted under any circumstances;

(d)    Personal data and/or other data covered by this Policy may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;

(e)    Personal data and/or other data covered by this Policy contained in the body of an email, whether sent or received, should be copied directly from the body of that email, and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted.

(f)    All personal data and/or other data covered by this Policy to be transferred physically, including that on removable electronic media, shall be transferred in a suitable container marked “confidential”.

(g)    Where any personal data and/or other data covered by this Policy is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the User must lock the computer and screen before leaving it.

11.3    Any questions relating to data protection should be referred to the Data Protection Officer.

12. Deletion and Disposal of Data

12.1    When any data, and in particular personal data, is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it must be securely deleted and/or disposed of.

12.2    For further information on the deletion and disposal of personal data, please refer to the Company’s Data Retention Policy.

13. Internet and Email Use

13.1    All Users shall be subject to, and must comply with, the provisions of the Company’s Communications, Email and Internet Policy when using the IT Systems.

13.2    Where provisions in this Policy require any additional steps to be taken to ensure security when using the internet or email over and above the requirements imposed by the Communications, Email and Internet Policy, Users must take such steps as required.

14. Reporting Security Breaches

14.1    Subject to paragraph 14.3, all concerns, questions, suspected breaches, or known breaches that relate to the IT Systems shall be referred immediately to the Managing Director.

14.2    Subject to paragraph 14.3, all concerns, questions, suspected breaches, or known breaches that relate to other data covered by this Policy shall be referred immediately to the Managing Director.

14.3    All concerns, questions, suspected breaches, or known breaches that involve personal data shall be referred immediately to the Data Protection Officer who shall handle the matter in accordance with the Company’s Data Protection Policy.

14.4    Upon receiving a question or notification of a breach, the individual or department responsible shall, within 4 hours, assess the issue including, but not limited to, the level of risk associated therewith, and shall take any and all such steps deemed necessary to respond to the issue.

14.5    Under no circumstances should a User attempt to resolve a security breach on their own without first consulting the relevant individual or department or the Data Protection Officer, as appropriate. Users may only attempt to resolve security breaches under the instruction of, and with the express permission of, the Managing Director as appropriate.

14.6    All security breaches, howsoever remedied, shall be fully documented.

15. Policy Review

The Company shall review this Policy not less than once every two years and otherwise as required in order to ensure that it remains up-to-date and fit for purpose. All questions, concerns, and other feedback relating to this Policy should be communicated to the Managing Director as appropriate and/or the Data Protection Officer.

16. Implementation of Policy

This Policy shall be deemed effective as of 1st April 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

This Policy has been approved and authorised by:

Name: David Anahory

Position: Managing Director

Date: 5th September 2018

Due for Review by: 4th September 2020