Information Asset Name | Supplier Name (IT Only) | Contract Location (IT Only) | Contract Start Date (IT Only) | Contract End Date (If applicable, IT Only) | What information is kept here, why? | Location | Special Category Data? | Owner | Shared Externally? If so, is the Process Included on the ROPA? | Do you receive it from someone outside your organisation or share it externally? | Risks if there is a breach | What security measures have been put into place | Date IA issued (if applicable) | Date IA returned | Date of last audit | Has there been a breach since last audit? | If breach since last audit, have all action items been completed? |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Healthtech 1 gathers this information from the patient. | Cloud | November 1, 2021 | Patient demographic and medical information is collected, stored and used in order to be able to register a patient for our customers, GP practices. | Azure Cloud in UK South Servers | Yes, Ethnicity and Sexual Orientation, for practice's population understanding. | Pete 🧪 twenty--twenty | No | No, we receive this directly from the patient. | Demographic and medical details can be associated with a patient that could be used to access other sources of information. Service users' highly personal records would be seen. This could cause upset to service users, reputational damage to the company, and breach data protection legislation. The company could be fined or other penalties could be imposed. | This is in our own secure systems. We store this data in a secure cloud built in a safe software architecture. We restrict access and controls to only those who need access to this information. We adhere to national security guidance and Cyber Security Essentials. We have annual 3rd party assessments of our software. | November 1, 2021 | October 18, 2021 | |||||
Healthtech 1 gathers this information from the practice. | Cloud | November 1, 2021 | Information needed to associate a registration with a practice in the clinical system. | Azure Cloud in UK South Servers | No | Pete 🧪 twenty--twenty | No | No, we receive this directly from the practice. | Contact information we get from practices is public already. We also create documentation of each practices | This information is stored within enterprise grade software, Google Workspace. We've ensured that our subscription is the most secure version - Google Enterprise Plus. This gives us the ability to keep our data within the EU, store backups, have advanced security controls as well. This is above the security level of most organisations. | November 1, 2021 | October 18, 2021 | |||||
Ourselves | Cloud, Physical | November 1, 2021 | General plans, operations, documents that help us reach our company objectives! To take the admin burden away from GP practices! | Azure Cloud in UK South Servers, Stratford Village Surgery | No | Pete 🧪 twenty--twenty | No | No, we generate this. | Sensitive company information on our activities, people and assets could be accessed. With malicious intent, the actor could create disruption to our client and their end user needs. | Similar to our practice information. Plus internal security processes to ensure that internal data remains within. | November 1, 2021 | October 18, 2021 |