Bitsight: GDPR information

Summary

For administrative purposes, Participating Trusts nominate one or more individuals to act as the main point of contact (PoC) for Bitsight. Nominated individuals will receive a BitSight user account.

Controller

NHS England, as a Managed Security Services Provider (MSSP) for the NHS.

NHS organisations that sign up to use the service.

How we use the information (processing activities)

NHS organisations can sign up to the BitSight Cyber Security Ratings service, which is part of a catalogue of cyber security services that NHS England’s Cyber Operations (CO) offers as a Managed Security Services Provider (MSSP) for the NHS.

The service provides NHS organisations with a risk-based vulnerability scorecard of their organisation’s cyber security posture. It is a non-intrusive service run by a supplier called BitSight, who use externally observable data from public information sources to produce a vulnerability score rating. Authorised staff at participating NHS organisations are given access to the BitSight platform and are able to view their organisation’s scorecard report.

NHS England manage the contract with BitSight on behalf of the NHS organisations and also collect the contact details of NHS staff who require access to the BitSight platform so that the supplier, BitSight, can create an account for them. NHS England’s CO also have access to each NHS organisation’s scorecard report to better understand and help improve cyber security across the NHS.

Does this contain sensitive (special category) data such as health information? No
Who are recipients of this data?

BitSight (who are a processor on behalf of the NHS organisations that sign up to the service).

Each NHS organisation that signs up to use the service.

Is data transferred outside the UK? Yes. The BitSight platform is hosted in the US, and BitSight uses sub-processors based in Portugal, Singapore, Israel and Argentina to support the provision of its services (https://www.bitsight.com/subprocessors). NHS England and Bitsight have signed an Addendum to the International Data Transfer Agreement (IDTA) for this transfer of data.

How long the data is kept

Minimum of 2 years, with regular reviews in accordance with the NHS Records Management Code of Practice and the NHS England Corporate Records Retention and Disposal Schedule.

Our lawful basis for holding this data

Legal obligation
Your rights
  • Yes: Be informed
  • Yes: Get access to it
  • Yes: Rectify or change it
  • No: Erase or remove it
  • Yes: Restrict or stop processing it
  • No: Move, copy or transfer it
  • No: Object to it being processed or used
  • No: Know if a decision was made by a computer rather than a person
How can you withdraw your consent?

Consent is not the basis for this processing, so there is no consent to withdraw.

Is the data subject to decisions made solely by computers? (automated decision making) No
Where does this data come from? NHS organisations that sign up to use the BitSight Cyber Security Ratings service.
The legal basis for collecting this data

UK GDPR Article 6(1)(c), legal obligation (the Data Security Centre Services Directions 2020, issued under s.254 of the Health and Social Care Act).