Departmental Data Protection

Volume 486: debated on Monday 12 January 2009

To ask the Secretary of State for Health what percentage of contractors and suppliers to (a) his Department and (b) its agencies have reported that they are compliant with the Government’s security standards following publication of the report, Data Handling Procedures in Government, and the accompanying document, Cross-departmental Actions: Mandatory Minimum Action, on 25 June 2008. (245324)

The Department’s Senior Information Risk Owner (SIRO) wrote to all Directors in November 2008 requiring them to seek assurance from contractors and suppliers within their area of responsibility that they are aware of, and comply with, the Government’s security standards set out in the report, Data Handling Procedures in Government, and the accompanying document, Cross-departmental Actions: Mandatory Minimum Action. The response to this exercise will be recorded in end of year assurance statements in March 2009.

Security and information assurance conditions are available for use by NHS Purchasing and Supply Agency (PASA) and the wider NHS in relevant tendering exercises, i.e. where personal or other confidential information will be used, disseminated or handled by the relevant public body or any third party associated with the contract (including but not limited to ICT contracts). These conditions fully comply with the latest data handling procurement policy guidance published by OGC in November 2008. NHS PASA is in the process of contacting its own suppliers to ensure they are compliant with the Government security standards.

The Medicines and Healthcare products Regulatory Agency (MHRA) and all its suppliers are compliant with the Government’s security standards and the Data Handling Procedures.

To ask the Secretary of State for Health how many contracts (a) his Department and (b) its agencies have which allow contractors to store personal data of UK citizens overseas; for which contracts this applies; in which countries the data for each contract are held; and how many people have their data stored overseas in the case of each such contract. (245345)

Neither the Department nor its agencies, the NHS Purchasing and Supply Agency or the Medicines and Healthcare products Regulatory Agency, have any contracts allowing contractors to store personal data of United Kingdom citizens overseas.

To ask the Secretary of State for Health when his Department appointed a senior information risk owner in accordance with the report, Data Handling Procedures in Government and the accompanying document Cross-departmental Actions: Mandatory Minimum Action; when the appointment was made; and what grade the person holds within the Department. (245363)

The Department appointed a senior information risk owner (SIRO) on 15 March 2004 in response to a letter from Cabinet Office in February 2004, and consequently before the requirements for such an appointment in the report, “Data Handling Procedures in Government” and the accompanying document “Cross-departmental Actions: Mandatory Minimum Action”.

The SIRO is a director general.

To ask the Secretary of State for Health what percentage of the IT systems in (a) his Department and (b) its agencies are fully accredited to the Government's security standards. (245387)

All the Department's information technology (IT) systems meet the requirements set out in the Security Policy Framework (SPF), the “Data Handling Report” (DHR) and related “Cross Government Actions: Minimum Mandatory Measures”. They also comply with ISO27001, the standard for Information Security Management.

Of its agencies, the NHS Purchasing and Supply Agency's IT systems are fully certified to ISO27001 and they are required to comply with the requirements of the SPF and the DHR.

The Medicines and Healthcare products Regulatory Agency and all its suppliers are compliant with the Government's security standards and the data handling procedures.