We have detected that you are using Internet Explorer to visit this website. Internet Explorer is now being phased out by Microsoft. As a result, NHS Digital no longer supports any version of Internet Explorer for our web-based products, as it involves considerable extra effort and expense, which cannot be justified from public funds. Some features on this site will not work. You should use a modern browser such as Edge, Chrome, Firefox, or Safari. If you have difficulty installing or accessing a different browser, contact your IT support team.
Vulnerability Monitoring Service (VMS): GDPR information
Summary
Why and how we process your data in the VMS service and your rights.
| Controller | NHS England – as a Managed Security Services Provider (MSSP) for the NHS. NHS organisations – that sign up to use the VMS service |
| How we use the information (processing activities) | NHS organisations can sign up to the VMS service which is part of a catalogue of cyber security services that NHS England’s Cyber Operations’ (CO) offer as a Managed Security Services Provider (MSSP) for the NHS. This service provides an in-depth external vulnerability scanning option based on a list of an organisation’s external (public) facing Internet Protocol addresses (IPs). Authorised staff at participating NHS organisations are given access to VMS report output so that they can carry out any remedial actions on any vulnerabilities the scan has identified. NHS England’s CO also have access to each NHS organisation’s report to better understand and help improve cyber security across the NHS. |
| Does this contain sensitive (special category) data such as health information? | No |
| Who are recipients of this data? |
IBM (who are NHS England’s processor for the purpose of conducting the VMS scan for NHS organisations that sign up to the service). Authorised staff at participating NHS organisations are given access to VMS report output. |
| Is data transferred outside the UK? | No |
| How long the data is kept | Minimum of 2 years with regular reviews in accordance with the NHS Records Management Code of Practice and NHS England Corporate Records Retention and Disposal Schedule. |
| Our lawful basis for holding this data | Legal obligation |
| Your rights |
|
| How can you withdraw your consent? |
Consent is not the basis for processing. |
| Is the data subject to decisions made solely by computers? (automated decision making) | No |
| Where does this data come from? | NHS organisations that sign up to use the VMS service. |
| The legal basis for collecting this data | UK GDPR Article 6(1)(c) - legal obligation (the Data Security Centre Services Directions 2020, under s.254 of the Health and Social Care Act 2012). |
Where we use this data
Vulnerability Monitoring Service
The Vulnerability Monitoring Service (VMS) provides a scan of your organisation's IP addresses to help identify any cyber security risks. Find out more about the service, including the benefits and how to register.