Bitsight - Vulnerability Management Service: GDPR information


For administrative purposes, Participating Trusts nominate an individual(s) to act as the main point of contact (PoC) for External Vulnerability Scanning. Nominated individual(s) will receive a BitSight user account.

Controller: NHS Digital
How we use the information (processing activities)

BitSight provides a non-intrusive risk-based vulnerability scorecard based on publicly available information sources. This tool provides a “vulnerability credit” rating for each NHS Organisation.

Does this contain sensitive (special category) data such as health information? No
Who are recipients of this data?

NHS prescription services

NHS Business Services Authority (NHSBSA)

Data Access Release Service release register


Is data transferred outside the UK? Outside EEA
How long the data is kept: 24 months
Our lawful basis for holding this data: Legal obligation
Your rights
  • Yes: Be informed
  • Yes: Get access to it
  • Yes: Rectify or change it
  • No: Erase or remove it
  • Yes: Restrict or stop processing it
  • No: Move, copy or transfer it
  • No: Object to it being processed or used
  • No: Know if a decision was made by a computer rather than a person
How can you withdraw your consent?

Consent is not the basis for processing

Is the data subject to decisions made solely by computers? (automated decision making) No
Where does this data come from? The data is collated by Bitsight servers primarily based in America. However, as this data is obtained by Bitsight Services via the open source internet and collated by them, they are the data owners, not NHS Digital.
The legal basis for collecting this data

Article 6(1)(c): processing is necessary for compliance with a legal obligation to which the controller is subject (i.e. the Direction)

Directions and data provision notices