The Department’s Senior Information Risk Owner (SIRO) wrote to all Directors in November 2008 requiring them to seek assurance from contractors and suppliers within their area of responsibility that they are aware of, and comply with, the Government’s security standards set out in the report, Data Handling Procedures in Government, and the accompanying document, Cross-departmental Actions: Mandatory Minimum Action. The response to this exercise will be recorded in end of year assurance statements in March 2009.
Security and information assurance conditions are available for use by NHS Purchasing and Supply Agency (PASA) and the wider NHS in relevant tendering exercises, i.e. where personal or other confidential information will be used, disseminated or handled by the relevant public body or any third party associated with the contract (including but not limited to ICT contracts). These conditions fully comply with the latest data handling procurement policy guidance published by OGC in November 2008. NHS PASA is in the process of contacting its own suppliers to ensure they are compliant with the Government security standards.
The Medicines and Healthcare products Regulatory Agency (MHRA) and all its suppliers are compliant with the Government’s security standards and the Data Handling Procedures.
The Department appointed a senior information risk owner (SIRO) on 15 March 2004 in response to a letter from the Cabinet Office in February 2004, and therefore before such an appointment was required by the report, “Data Handling Procedures in Government”, and the accompanying document, “Cross-departmental Actions: Mandatory Minimum Action”.
The SIRO is a director general.
All the Department's information technology (IT) systems meet the requirements set out in the Security Policy Framework (SPF), the “Data Handling Report” (DHR) and related “Cross Government Actions: Minimum Mandatory Measures”. They also comply with ISO27001, the standard for Information Security Management.
Of its agencies, the NHS Purchasing and Supply Agency's IT systems are fully certified to ISO27001 and they are required to comply with the requirements of the SPF and the DHR.
The Medicines and Healthcare products Regulatory Agency and all its suppliers are compliant with the Government's security standards and the data handling procedures.