This security guidance is for organisations applying for data from NHS Digital. It provides advice on how to supply the data security information we need to process your application.
If you have an enquiry, or would like to give us feedback on the application form, guidance or web pages, call 0300 303 5678 or email firstname.lastname@example.org.
The key to good data security is having a system with multi-layered security using differing tools and techniques. That way, if one level is compromised, then others are in place to prevent further damage. It's important to remember that no one single product can be 100 per cent secure.
The following guidance, standards and tools should be used to aid the development of security policies and processes:
- NHS Digital Data Security and Protection Toolkit application and score
- ISO 27001 - best practice for information security management systems (ISMS)
- ISO 27002 - code of practice and controls for ISMS
- ISO 27017 - code of practice and controls for cloud services
- ISO 27018 - code of practice for providers with personally identifiable data
- Information Commissioner's Office (ICO) code of practice data sharing agreements
- Information Commissioner's Office (ICO) Data Protection Act compliance and registration
- Information Commissioner's Office (ICO) Privacy Seal (Due 2016)
- NHS Digital code of practice on confidentiality
- NHS Digital good practice guides
Providing evidence for your application
To support your application to NHS Digital for data you need to supply evidence of your processes and procedures for security. This can be one of the following:
- A satisfactory Information Governance (IG) Toolkit score of at least 66%
- ISO 27001:2013 certification with alignment of policies, procedures and controls to ISO 27002:2013 and, if utilising third party services ISO 27017:2015, ISO 27018:2014 (where the third party has a multi-tenanted location)
- System Level Security Policy (SLSP)
We will verify the references from IG Toolkit scores and validate ISO certifications.
To provide SLSP evidence you need to supply a report on how your area/department will administer, secure, handle and use the requested data with the technical and physical controls employed to enforce your organisation's information governance and security policies and procedures. You can also reference your corporate policies.
An SLSP report must include:
- a heading, author, date and version number
- a document and version control section with details of who created, revised and approved
- an index to any sub-sections
- a glossary
- any additional information to support your application
- elaboration on the technical and physical controls in place to enforce your policies and procedures
- a high level network topology diagram
- confirmation that the storage architecture is compliant with the NHS Digital contract where NHS Digital can issue a data destruction notice for the immediate destruction of all data from all forms of storage and backups
- confirmation that any data destruction will be via multi pattern pass data wiping to NHS Digital guidelines using a commercially licensed tool (not freeware)
- specific address details of the location where your data is stored and where the disaster recovery/backups are located
- confirmation of penetration testing and the date of the last test, with a PDF formatted copy of the report - where the test highlighted issues, include a copy of the mitigation and action plan to address them
You must also ensure that:
- appropriate permissions on a 'need to know' basis are applied to the network shares holding the data (meaning those who have signed the relevant data access agreement)
- data is not held on any unencrypted machines or devices
- data stored on an NHS Digital SLSP and transmitted across a security approved network is encrypted to Advanced Encryption Standard 256 as a minimum
- when referring to policies and procedures, please reference by document name, page number and section and include a PDF formatted physical copy
- access to data will be from within the network using NHS Digital security approved devices
- access to the above network data via remote methods will only be approved on an individual basis - if approved, this method must meet NHS Digital virtual private network (VPN) security guidance
- firewalls protecting the NHS Digital data must be ITSEC E3, Common Criteria EAL4+ or Protected Profile (EAL4+ equivalent)
Where Office for National Statistics (ONS) data is involved, we also look to confirm that:
- ONS data can only be accessed by users working in a secure environment with access only permitted to those users who are physically accessing the data through the organisation's on-site NHS Digital security assured network - no remote access (such as through a VPN/RDP connection) is permitted
- mobile devices must be running local software firewalls that deny all untrusted inbound network connections
The data must be situated on a subnet that uses a non-routable RFC1918 compliant Internet Protocol address scheme for IPv4 and/or RFC 4193 for IPv6.
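One way to check an address plan against this requirement before it goes into an SLSP, as an added example that is not part of the NHS Digital guidance; the function names and the sample subnets are constructed for illustration. It tests containment in the RFC 1918 and RFC 4193 blocks explicitly, because Python's `ipaddress.is_private` also accepts loopback and link-local ranges.

```python
import ipaddress

# Ranges named by the guidance: RFC 1918 (IPv4) and RFC 4193 (IPv6 unique local).
ALLOWED = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def check_subnet(cidr):
    """Return (compliant, reason) for one subnet written in CIDR notation."""
    try:
        # strict=True rejects entries with host bits set, e.g. 10.1.2.3/24,
        # which usually means the address plan was recorded incorrectly.
        net = ipaddress.ip_network(cidr.strip(), strict=True)
    except ValueError as exc:
        return False, f"not a valid subnet: {exc}"
    for allowed in ALLOWED:
        # subnet_of() requires the whole subnet to sit inside the block, so a
        # supernet that only overlaps a private range fails.
        if net.version == allowed.version and net.subnet_of(allowed):
            return True, f"inside {allowed}"
    return False, "outside RFC 1918 / RFC 4193 space"


def audit(subnets):
    """Map each listed subnet to its (compliant, reason) result."""
    return {cidr: check_subnet(cidr) for cidr in subnets}


# Constructed sample address plan (not taken from the guidance).
SAMPLE_PLAN = [
    "10.20.30.0/24",        # RFC 1918
    "172.31.255.0/24",      # last /24 of 172.16.0.0/12
    "172.32.0.0/24",        # just outside 172.16.0.0/12
    "192.168.0.0/15",       # supernet that spills into 192.169.0.0/16
    "169.254.10.0/24",      # link-local: non-routable, but not RFC 1918
    "100.64.0.0/10",        # RFC 6598 shared address space, not RFC 1918
    "fd12:3456:789a::/48",  # RFC 4193 unique local
    "2001:db8::/32",        # documentation prefix, not RFC 4193
    "10.1.2.3/24",          # host bits set
]

if __name__ == "__main__":
    for cidr, (ok, reason) in audit(SAMPLE_PLAN).items():
        print(f"{'PASS' if ok else 'FAIL'}  {cidr:<22} {reason}")
```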
We advocate the use of remote wiping software on all mobile devices.
We will be looking at your data policies and procedures for evidence of the following:
- Physical security
- Anti-virus and anti-malware
- Intrusion defence
- Access controls
- Employee awareness and training
- Asset registration policy
- Information governance policies
- Data disposals policy - multi pass wiping, degaussing, physical destruction
- Password policy - complex construction with duration less than or equal to 90 days
- Mobile computing policy - full encryption to Advanced Encryption Standard 256 (AES-256)
- Acceptable use policy
- Compliance policy - appropriate legislation compliance
- Software management policy
- System management policy
- User management policy
- Network management policy
- Information handling policy
- Physical security policy
- Data protection policy - appropriate ICO registration
- Remote access policy
- Backup and recovery policy - encryption of data at rest and in backup
- Incident response policy
- Virtual private network (VPN) - type and level of encryption
- Guest access policy
- Wireless policy
- Third party connection policy
- Network security policy
- Encryption policy - type and levels of encryptions employed
- Confidential data policy
- Data classification policy
- Retention policy / records management policy
- Cloud services policy
- Outsourcing policy
- Network topology
Data on your systems should be protected against break-ins that could mean equipment containing confidential, sensitive or personally identifiable data is stolen. Servers should be in a separate room with secure lockable doors using access codes or entry combination/cards. All back-up devices must be encrypted to NHS Digital minimum encryption standards, never left unattended and must be locked away when not in use. Desktop and mobile devices should be fully encrypted and locked down to prevent unauthorised access and, where appropriate, we would advocate implementing remote wiping technology.
Anti-virus and anti-malware
Your network should be regularly scanned by up-to-date anti-virus and/or anti-malware products to detect and prevent threats.
You should be using a well-configured ITSEC E3, Common Criteria EAL4+ or Protected Profile (EAL4+ equivalent) compliant firewall to help prevent any breaches and stop them penetrating your network. Your servers and workstations should have up-to-date operating systems, be patched to manufacturers' recommendations and not be de-supported in the lifetime of the agreement. A schematic of your network, workstation and peripherals should be provided in your application.
Access to your systems should be restricted to users and sources you trust. All users must have their own username and password and these must never be shared.
Hackers, cyber criminals and casual users should be prevented from accessing your local area network (LAN), wide area network, wi-fi network and workstations by strong passwords, limited login attempts and enforced regular password changes.
Passwords and other access should be cancelled as soon as a user leaves the organisation or if they are absent for a long period.
Employee and user awareness and training
Users need to be trained to recognise system threats, such as phishing emails, malware and unauthorised use. Users at all levels need to be aware of what their roles and responsibilities are.
Your network components should be separate, and access between them limited, in order to prevent or limit data breaches. For example, web servers should be separate from main file servers so that any attacks on your website cannot access your central data store.
Well-written data policies should be integrated into your business processes. Policies should enable you to investigate, mitigate and address risks in a consistent manner.
All unused software and services must be removed from your devices. Any default passwords used by applications software or hardware must be changed as this is a well-known route for cyber-attacks and hackers.
Where data is backed up from legacy systems into which it has been loaded and installed, it would be very difficult, if not completely impractical, to separate out our data from those systems. NHS Digital are content with 3 months, so long as the backups are encrypted to at least AES-256, are held at one of the storage locations stated in the Data Sharing Agreement, and none of the NHS Digital data is restored without our prior permission (should it previously have been subject to a data destruction certificate).
If the data is being held and processed at the same location, then the risk of unencrypted network traffic is minimised and NHS Digital are content. If the traffic runs across the organisation's own site (such as from one building to another), NHS Digital are less comfortable and would seek further assurances. NHS Digital would not be content if it runs across multiple sites.
This is assuming that files and workstations are encrypted to AES-256, and that the organisation is committed to moving to encryption over the LAN (for example as elements are replaced). NHS Digital would not accept an unencrypted LAN if a client installed a completely new network which doesn't have encryption built in.
In January 2018 NHS Digital published guidance that enables health and social care organisations to use cloud services and/or store patient data offshore.
Organisations that include the use of cloud services and/or store patient data offshore in their DARS applications will need to provide evidence that they have undertaken the steps described in the guidance for their application to progress.
The NHS and social care data: off-shoring and the use of public cloud services document provides an overview of the requirements. The Health and social care cloud security – good practice guide provides greater detail and a four step method to understand the risk of the data that needs to be stored and processed and the safeguards that must be put in place to do so, securely.
Step 1 – Understand the data you are dealing with
Step 2 – Assess the risks associated with the data
Step 3 – Implement appropriate controls
Step 4 – Monitor the implementation and ongoing risks
The Health and social care cloud security one page overview is, as described, a single page version of the 4 steps above, provided to support data controllers.
The Health and social care cloud risk framework should be used to assess and manage the risks associated with the use of public cloud services.
The Health and social care data risk model should be used to assess and record the details of any proposed use of cloud services, by producing a risk class indication which is used to define the required controls.
Specific DARS requirements
Whilst the controls below should be identified in your risk assessment to meet your contractual obligations and data protection legislation (DPA/GDPR), they are listed here as requirements:
Data destruction – an NHS Digital approved method to prevent the recovery of any data that is no longer required (Principle 5) at the end of the DARS Agreement, at the retention period or on the issue of a Data Destruction Notice (DDN).
Encryption at rest – encryption of data in cloud storage.
Encryption in transit – encryption of data in transit between the cloud provider and the end user.
Geography/jurisdiction – a risk assessment that can support the storage location or storage locations.
Evidence to support a DARS application
For applications that include the use of cloud services, the following documentation should be provided to support the application:
- The type of cloud service(s) that you are using to confirm that you have considered the risks associated with each service. Examples of cloud services include cloud storage, Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
- A completed Health and social care data risk model, to confirm that the data class has been assessed.
- A cloud risk assessment to confirm that an appropriate risk assessment has been undertaken and that the applicant has considered all risks associated with the use of cloud.
Data on the move
Many data security breaches arise from the theft or loss of laptops, mobile phones or USBs. The same level of security should therefore be applied to devices being used away from the office as to those used in the office. Personally identifiable, sensitive and confidential data must not be stored on mobile devices except in exceptional circumstances, and only where this has been authorised by your organisation with a business case to do so. In any event, any data held on a mobile device must be secured by using data encryption (minimum AES-256) so that it cannot be accessed by unauthorised persons and must only be held temporarily on the device. We would advocate the implementation of remote wiping technologies. You should also consider the security of data if being sent by email or post.
You should use encryption (minimum AES-256) to make sure data can only be accessed by authorised users. Typically, this means a password is required to 'unlock' the data.
Your encryption should include:
- full disk encryption so that all data is encrypted
- file encryption so that individual files can be encrypted
- an encryption password that is a mix of upper and lower case, numbers and special characters (e.g. #, &, !) and is kept secret
- (where possible) password protection to stop people making changes to data
Where an approved business case applies you should only transfer personal data to mobile devices as a temporary measure if you actually need it and securely remove it when you have finished - in line with your data deletion and disposal policy. Some mobile devices can be disabled or wiped remotely. If they're stolen this means you can send a signal to locate and, if necessary, securely delete all data. You will need to pre-register for this service.
Always make sure you know exactly what protection you are applying to your data.
Computer equipment and software needs to be regularly maintained in order to keep it running smoothly and to fix any security vulnerabilities. Security software, such as anti-virus and anti-malware, needs to be regularly updated so that it continues to provide adequate protection. Attacks can go unnoticed and many people only find out they have been attacked when it is too late.
To maintain data security effectively you need to ensure that:
- security software is kept switched on and monitoring the files it should be
- software is updated regularly (most can be set to do this automatically)
- security software messages, control logs and other reporting systems are checked regularly
- you check what software or services are running on your network and identify if there is something there which should not be
- you run regular vulnerability scans and penetration tests to scan your systems for known vulnerabilities - and address them
Review, update, mitigate
Make sure you're correctly using your security systems and that people can spot when there is a problem. Make sure users and/or employees are aware of their roles and responsibilities and clear when action needs to be taken. You should also put in place plans for a data breach.
To help make sure you're using your security correctly, you should:
- review what personally identifiable data or patient identifiable data you currently have and what protection you have in place
- make sure you are compliant with any industry guidance and legal requirements
- document the controls you have in place and identify where you need to make improvements
- (once any improvements are in place) continue to monitor the controls and update them where necessary
- consider the risks for each type of personal data you hold and how you would manage a data breach, so you can reduce the impact
- have an acceptable-use policy and training materials in place for staff so they know their data protection and data handling responsibilities - this should also cover non-personal data handling where the Data Protection Act doesn't apply
- get a security expert to review your systems and highlight where your security vulnerabilities are and how best to address them
- make regular encrypted back-ups, keep them secure and delete them properly when no longer required, in line with your disposals policy
If you outsource IT systems to a third party you should make sure they treat your data with the same level of security as you do.
To check the security of third party suppliers you should:
- make sure data is not stored outside the United Kingdom unless by specific agreement
- ask for a security audit of the systems containing your data to identify and address any vulnerability
- review copies of their security assessments
- if appropriate, visit their premises to make sure they're as you would expect
- check that contracts are in writing and require your supplier to act only on your instructions and comply with certain obligations of the Data Protection Act
- make sure you have a contract for any data to be erased and equipment disposed of or recycled - also that you receive a notice of certification for destruction that complies with your policy and that this is done adequately (you may be held responsible)
- ensure that you are aware and can provide evidence of the location of the processing servers, the location of any backups and provide evidence of any cross border data transfers that may take place
- confirm that the supplier does not outsource any admin tasks or services outside of the United Kingdom (such as database maintenance and configurations)
- confirm and request evidence of their certifications if available