
External Vulnerability Scanning, Vulnerability Management Service (VMS): GDPR information

Summary

The External Vulnerability Scanning, Vulnerability Management Service (VMS) will test solutions to enable NHS Digital to better understand the NHS estate’s vulnerability landscape so appropriate control measures can be enforced to reduce the likelihood of exploitation of potential vulnerabilities.

Controller: NHS Digital
How we use the information (processing activities)

The purpose of the External Vulnerability Scanning (Vulnerability Management Service (VMS)) is to test solutions that would enable NHS Digital to better understand the NHS estate’s vulnerability landscape so that appropriate control measures can be enforced to reduce the likelihood of exploitation of potential vulnerabilities. Ultimately the exercise supports the DSC’s vision to become a Managed Security Services Provider (MSSP) and deliver better health and care outcomes for patients. The two solutions essentially complement each other:

  • VMS provides a non-intrusive external vulnerability scan using the Qualys vulnerability scanner technology. This scan provides information on the vulnerabilities within a target estate’s perimeter, and ranks them to enable targeted remediation.
  • The output of the VMS would enable the DSC to better understand the NHS estate’s vulnerability landscape. The qualitative data will inform key decisions such as investment and technology strategy, with the aim of delivering better health and care outcomes for patients.

Does this contain sensitive (special category) data such as health information? Yes
Who are recipients of this data?

NHS Digital may report to other public bodies and Government Authorities e.g. Department of Health and Social Care, NHS England, NHS X an aggregate view of the data e.g. Region X has had 1025 cyber-attacks in January 2019. This will not contain any personal or special category data.

Is data transferred outside the UK? This data is not transferred out of the UK
How long the data is kept: The DSC has procured the services for a duration of 48 months. It is expected that personal data will be retained for this full period.
Our lawful basis for holding this data: Legal obligation
Your rights
  • Be informed: Yes
  • Get access to it: Yes
  • Rectify or change it: Yes
  • Erase or remove it: No
  • Restrict or stop processing it: Yes
  • Move, copy or transfer it: No
  • Object to it being processed or used: Yes
  • Know if a decision was made by a computer rather than a person: Yes
How can you withdraw your consent?

Consent is not the basis for processing.

Is the data subject to decisions made solely by computers? (automated decision making) No
Where does this data come from? Personal data will be sourced directly from NHS Organisations as part of their onboarding process onto the platform.
The legal basis for collecting this data

NHS Digital has a Direction, HSCA 2012 s.254 (1) and s.254 (6), by the Secretary of State for Health to establish and operate a Data Security Centre Operations Information System for the collection or analysis of information.

GDPR
Article 6 (1) (c) - legal obligation and Article 6 (1) (e) - public interest

Where NHS Digital uses this data

Internal

Vulnerability Monitoring Service

The Vulnerability Monitoring Service (VMS) provides a scan of your organisation's IP addresses to help identify any cyber security risks. Find out more about the service, including the benefits and how to register.