External Vulnerability Scanning, Vulnerability Management Service (VMS): GDPR information
The External Vulnerability Scanning, Vulnerability Management Service (VMS) will test solutions to enable NHS Digital to better understand the NHS estate’s vulnerability landscape so appropriate control measures can be enforced to reduce the likelihood of exploitation of potential vulnerabilities.
|How we use the information (processing activities)||
The purpose of the External Vulnerability Scanning (Vulnerability Management Service (VMS)) is to test solutions that would enable NHS Digital to better understand the NHS estate’s vulnerability landscape so appropriate control measures can be enforced to reduce the likelihood of exploitation of potential vulnerabilities. Ultimately the exercise supports the DSC’s vision to become a Managed Security Services Provider (MSSP) and deliver better health and care outcomes for patients. The two solutions essentially complement each other, where:
- VMS provides a non-intrusive external vulnerability scan using the Qualys vulnerability scanner technology. This scan provides information on the vulnerabilities within a target estate’s perimeter, and ranks them to enable targeted remediation.
- The output of the VMS would enable the DSC to better understand the NHS estate’s vulnerability landscape. The qualitative data will inform key decisions such as investment and technology strategy with the aim of delivering better health and care outcomes to patients.
|Does this contain sensitive (special category) data such as health information?||Yes|
|Who are recipients of this data?||
NHS Digital may report an aggregate view of the data to other public bodies and Government Authorities (e.g. Department of Health and Social Care, NHS England, NHS X), e.g. Region X has had 1025 cyber-attacks in January 2019. This will not contain any personal or special category data.
|Is data transferred outside the UK?||This data is not transferred out of the UK|
|How long the data is kept||The DSC has procured the services for a duration of 48 months. It is expected that personal data will be retained for this full period.|
|Our lawful basis for holding this data||Legal obligation|
|How can you withdraw your consent?||
Consent is not the basis for processing.
|Is the data subject to decisions made solely by computers? (automated decision making)||No|
|Where does this data come from?||Personal data will be sourced directly from NHS Organisations as part of their onboarding process onto the platform.|
|The legal basis for collecting this data||
NHS Digital has a Direction, HSCA 2012 s.254 (1) and s.254 (6), by the Secretary of State for Health to establish and operate a Data Security Centre Operations Information System for the collection or analysis of information.
Where NHS Digital uses this data
The Vulnerability Monitoring Service (VMS) provides a scan of your organisation's IP addresses to help identify any cyber security risks. Find out more about the service, including the benefits and how to register.