NHS Secure Boundary (pilot)
Why and how we process your data in the NHS Secure Boundary (pilot) and your rights.
|How we use the information (processing activities)||As part of the private beta stage of the programme, we will be on-boarding two NHS Trusts; York Teaching Hospitals NHS Foundation Trust (live on 12 December 2019) and Torbay and South Devon NHS Foundation Trust (due to go live 10 February 2020) as well as one Consumer Network Service Provider (CNSP), NyNet (live on 10 January 2020). The aim is to enhance the visibility of internet breakout traffic to improve the detection of cyber security threats across the NHS and enable more preventative actions and controls to be used to protect critical systems and patient data. The solution is delivered by NHS Digital’s processors Accenture, Palo Alto and Imperva. The following categories of data will be processed: Internet traffic data which flows through the solution when a user connects to a website or service: - Source/destination IP address - Packet content (which may include personal and special category data (relating to health)). This will not be decrypted during the pilot. Internet Traffic Metadata about websites or internet services which have been accessed by a user in the pilots organisations , including staff: - First Name - Last Name - email address - telephone number - IP address - URLs visited - username Directory data to match internet traffic to specific users in pilot organisations to provide audit and access control, including staff: - First Name - Last Name - email address - IP address Local administrator data – local admins will be appointed in the pilot organsisations to manage and maintain the NHS Secure Boundary solution in their organisation, which will involve the processing of their personal data including if they raise service tickets with our processors - First Name - Last Names - Email addresses - Telephone Numbers|
|Does this contain sensitive (special category) data such as health information?||Yes|
|Who are recipients of this data?||
NHS Digital may report to other public bodies and Government Authorities e.g. Department of Health and Social Care, NHS England, NHS X an aggregate view of the data e.g. Region X has had 1025 cyber-attacks in January 2019. This will not contain any personal or special category data.
|Is data transferred outside the UK?||Yes - The data collected by the NHS Secure Boundary solution is stored in the UK and the EU (Netherlands and Germany) but may be accessed by Accenture, Palo Alto and Imperva from outside the EU. NHS Digital use EU Model Standard Contractual Clauses for international transfers with Accenture, Palo Alto and Imperva. Accenture’s Service Now incident management tool used to monitor and track service incidents is hosted in the US. Staff which access the data may be in the US, India or Australia. Service Now is covered by the EU-US Privacy Shield Framework. Palo Alto’s service|
|Our lawful basis for holding this data||Public task|
|How can you withdraw your consent?||
Consent is not the basis for processing.
|Where does this data come from?||From the pilot organisation as part of their onboarding process onto the NHS Secure Boundary solution (e.g. contact details required to raise support tickets) or will be sourced as a consequence of processing / inspecting network traffic of the pilot organisations for the security purposes of the solution|
|The legal basis for collecting this data||
Article 6 (1) (e) - Public task
Schedule 1, Part 1 (2) (2) (f) - Health or social care purposes
Where NHS Digital uses this data
We support health and care organisations to manage cyber security risk. This enables the safe and secure use of data and technology to deliver improved patient care.