Third party and suppliers information security policy

1 Introduction

Rotherham, Doncaster and South Humber NHS Foundation Trust (hereby referred to as “the trust”) relies on the integrity and accuracy of its information to deliver its services. It is therefore paramount that the integrity, confidentiality, and availability of its information is ensured, throughout the lifecycle of that information.

2 Purpose

The purpose of this policy is to ensure that:

  • all of the trust’s information is appropriately managed and processed by those third parties with which that information is shared, or by which that information is handled
  • third parties understand, and adhere to, all relevant policies regarding information security and associated security constraints established by the trust
  • the trust maintains the confidence of all relevant stakeholders and remains in compliance with legal and regulatory requirements

3 Scope

All third parties working for or with the trust have a role to play in supporting the trust’s information security policies and meeting the associated obligations. All third parties are therefore required to take a proactive approach to cybersecurity, namely, the secure handling of information and data, and the provision of secure systems and processes.

This policy shall be reviewed every two years, or sooner in response to significant changes such as security incidents, changes in law, or changes to the organisational or technical infrastructure.

In the event of a national health emergency such as the COVID-19 pandemic, this policy still applies, unless it is superseded by specific clauses mandated by the trust’s business continuity policy.

4 Responsibilities, accountabilities and duties

The trust is required to ensure compliance with its policies by any third party or supplier that accesses its information technology (IT) or operational technology (OT) resources or shared environments, or that will process, manage or handle any of the trust’s information. This includes, but is not limited to:

  • all the trust’s entities governed by the overarching Information governance policy and management framework
  • all third parties involved in the design, development or operation of information systems for the trust and its subsidiaries, for example, writing and installing bespoke software, third party maintenance or operation of systems, and outsourcing of facilities
  • organisations and supply chain partners that access trust information from remote locations where the computer and network facilities are not under the control of the trust

All third parties and suppliers shall comply with the trust’s information security policies, legal obligations and associated documentation. Any exemptions shall be specifically written and agreed in accordance with the trust’s information governance policy and management framework.

A failure to follow the requirements of this policy may result in investigation and management action being taken, as considered appropriate. This may include formal action in line with the trust’s disciplinary or capability procedures for trust employees and other action in relation to other workers, which may result in the termination of an assignment, placement, secondment, honorary arrangement or contract for services. Additionally, failure to follow the requirements of the policy may result in a breach of the law or a criminal offence.

5 Procedure implementation

5.1 Terminology

  • Shall: states a mandatory requirement of this policy.
  • Should: states a recommended requirement of this policy.
  • May: states an operational requirement of this policy.

5.2 Security risks in the supply chain

When contracting third parties, the trust shall consider the following risks:

  • third party service providers such as maintenance or utility services, or hardware and software suppliers that could have physical or virtual access to systems and information without the ‘need to know’
  • poor information security practices by lower tier suppliers
  • compromised software or hardware purchased from suppliers
  • software security vulnerabilities in supply chain management or supplier systems
  • counterfeit hardware or hardware with embedded malware
  • third party data storage and retention of data without authority

The trust shall give due consideration to mitigating all of these risks through contractual means. Key performance indicators (KPIs) should be reported regularly to the board and reviewed by the trust on a regular basis.

The establishment of contractual terms and KPIs is the responsibility of the chief operating officer (COO). Matters relating to trust information are described in the relevant policies, and questions should be addressed through the data protection officer (DPO) or head of information governance to the trust’s senior information risk owner (SIRO).

5.3 Prior to engagement

Third parties whose engagement with the trust will entail use of the trust’s IT and or handling or processing of its information shall have established a management framework for information security and risk which is signed off at the appropriate level and which ensures the necessary resources to provide the required controls.

Documented procedures shall be in place to authorise significant changes to agreed information processing procedures for the trust, and to ensure relevant information security contracts and controls are maintained.

Third party personnel shall be subject to appropriate background and vetting checks, depending upon their roles and access levels.

Third party personnel requiring access to the trust’s IT systems and or data shall read and sign the information governance staff code of conduct. Access to the trust’s data assets shall be agreed in consultation with the relevant information asset owner (IAO).

The trust’s policies including information governance policy and management framework (includes data protection policy content), removable media policy, and information technology (IT) security policy, shall apply to all third party personnel working with the trust or its information.

5.4 During engagement

The trust’s information processed and handled by third parties shall, as a minimum, be classified and handled in accordance with the trust’s information handling and classification policy.

Third party facilities and equipment shall be secured to prevent loss, damage, theft or compromise of the trust’s information assets.

Access control shall be delivered through the trust’s IT department, in keeping with the IT security policy and in consultation with the relevant IAO.

The third party shall ensure that appropriate information security awareness, training and education is in place for their personnel to meet contractual requirements.

Where a member of the third party’s personnel who has been given access to the trust’s systems or data changes role, or leaves the third party’s employment, during the course of the contract, the third party shall:

  • inform the trust of that change in personnel
  • ensure that any passes are returned
  • ensure that any IT equipment issued by the trust is logged and returned to the trust
  • provide details of personnel replacement for vetting as appropriate

Third parties shall comply with contractual obligations to assist any information security audits undertaken by the trust or nominated parties.

In the event of breach or data loss regarding the trust’s information, third parties shall observe the trust’s incident management policy and bring matters directly to the attention of the trust’s SIRO and, where relevant, the trust’s data protection officer (DPO).

5.5 Termination or change of engagement

The third party shall ensure that the integrity, availability and security of information belonging to, processed by, or held on behalf of the trust is maintained throughout any change of roles, any ongoing contract management, and the execution of the contract exit plan.

The third party shall ensure that details are provided to the trust such that:

  • any access or permissions to access the trust’s systems, information or data is revoked
  • all passes and or equipment issued by the trust are returned
  • contractual arrangements ensure the continued protection of personal data after the contract ends, pending its deletion or destruction
  • any trust information or data held on the systems of the third party shall be deleted or destroyed, in accordance with the records management policy

5.6 Sharing information requested by third parties

There are occasions when third parties (for example, police, voluntary agencies and councils) request information about data subjects; on occasion, this could simply be a request to confirm whether a data subject has been in contact with any of the trust’s services. Disclosing this information without a proper basis could be a breach of the Data Protection Act (2018), as it impacts on the rights and freedoms of the data subject.

Before any information is disclosed to the third party, colleagues must:

  • confirm the identity of the requester and of the organisation they represent, for example by taking a contact phone number and calling back to verify it
  • establish whether the data subject has given their consent to the disclosure
  • and or establish whether the third party has provided a valid legal basis for the disclosure
  • and or establish whether the third party has provided a valid legal exemption to allow the trust to disclose the information
  • document the contact in detail and the decision-making process in the clinical record, or as per local recording practices

Further guidance is available from the information governance department.

If in any doubt, colleagues must decline to provide the information and seek advice from the information governance department.

6 Training implications

6.1 All employees: Data Security Awareness (DSA) training

  • How often should this be undertaken: Upon commencement of employment and annually thereafter.
  • Length of training: 1 and a half hours.
  • Delivery method: E-learning or face to face.
  • Training delivered by whom: Information governance or NHS Digital e-learning package.
  • Where are the records of attendance held: ESR (electronic staff record).

7 Monitoring arrangements

7.1 Policy

  • How: Review of best practice against the policy will be undertaken annually through auditing.
  • Who by: Head of information governance.
  • Reported to: Information governance group and health informatics group.
  • Frequency: Annually.

8 Equality impact assessment screening

To access the equality impact assessment for this policy, please see the overarching equality impact assessment.

8.1 Privacy, dignity and respect

The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi’s review of the NHS, identifies the need to organise care around the individual, ‘not just clinically but in terms of dignity and respect’.

As a consequence the trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect, (when appropriate this should also include how same sex accommodation is provided).

8.1.1 How this will be met

No issues have been identified in relation to this policy.

8.2 Mental Capacity Act (2005)

Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individuals’ capacity to participate in the decision-making process. Consequently, no intervention should be carried out without either the individual’s informed consent, or the powers included in a legal framework, or by order of the court.

Therefore, the trust is required to make sure that all colleagues working with individuals who use our service are familiar with the provisions within the Mental Capacity Act (2005). For this reason all procedural documents will be considered, if relevant to reflect the provisions of the Mental Capacity Act (2005) to ensure that the rights of individual are protected and they are supported to make their own decisions where possible and that any decisions made on their behalf when they lack capacity are made in their best interests and least restrictive of their rights and freedoms.

8.2.1 How this will be met

All individuals involved in the implementation of this policy should do so in accordance with the principles of the Mental Capacity Act (2005).

Related policies referenced in this document are available on the intranet or by request to the employees’ line manager and should be read in conjunction with this policy.


Document control

  • Version: 2.1.
  • Unique reference number: 611.
  • Date approved: 15 January 2024.
  • Approved by: Corporate policy approval group.
  • Name of originator or author: DPO or head of Information Governance.
  • Name of responsible individual: Director of health informatics or SIRO.
  • Date issued: 16 January 2024.
  • Review date: 31 August 2026.
  • Target audience: All employees.

Page last reviewed: December 05, 2024
Next review due: December 05, 2025
