The purpose of this Standard Operating Procedure is to ensure definition of the controls needed for the identification, confidentiality, integrity and availability of personal information according to applicable regulatory requirements in order to protect this information. This personal information includes personal data concerning health.
2 Definitions and abbreviations
The following definitions and abbreviations are used in this document:
Information asset
A piece of information that has value to organisations or person(s). Information assets take many forms and include data printed or written on paper, stored electronically, transmitted by post or by electronic means, stored on media (e.g. USB stick), or spoken in conversation.
Confidentiality
Ensuring that information is accessible only to authorized individuals and protecting it from unauthorized disclosure.
Integrity
Safeguarding the accuracy and completeness of information and processing methods.
Availability
Ensuring that authorized users have access to relevant information when required.
Risk analysis
Systematic use of available information to identify hazards and to estimate the risk.
Personal data
Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (source: Regulation 2016/679).
Personal data concerning health
All data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test (source: regulation 2016/679).
Information security incident
A suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of the responsible use policy.
Autoriteit Persoonsgegevens
Dutch authority assigned to monitor compliance with the EU Data Protection Regulation 2016/679.
The CEO is responsible for the security policy of personal information and is ultimately responsible for an adequate level of security. The CEO is responsible for assigning authorities.
The QA manager is responsible for managing information security and for archiving of records.
All staff are responsible for adhering to this policy and for reporting any security breaches or incidents to the QA manager.
Department managers are responsible for awareness training for all department staff involved.
4.1 Security of confidential personal information
The purpose and objective of this information security policy is to safeguard the privacy of persons (enforced in the Netherlands by: ‘Wet bescherming persoonsgegevens’, BWBR0011468).
Management recognizes that the increasing use of modern communication technology, and the complexity of and interrelationships between the automated systems in use, cause a higher dependency on and vulnerability of the automated information systems, and that computer criminality is becoming more professional and more threatening.
Furthermore, the processing of personal data, including data concerning health, introduces specific risks and demands additional responsibilities concerning information security.
In general, the main hazards to prevent are:
- the loss of confidentiality, integrity and availability of personal data for business reasons
- the loss of personal data for the persons involved
- infringement of applicable regulation
- financial business risks in case of information security breach
4.2.1 Identification of confidential personal information
The CEO and QA manager are responsible for identification of any confidential personal information and identification of the applicable regulatory requirements. At NeoRad, personal information is (potentially) involved during the following processes:
- Information obtained during the order handling process.
- Information obtained during customer feedback processes (e.g. PMS data, Customer complaint data)
- Information obtained during clinical investigations
- Information obtained during human resource processes
The identification of the type of personal information and applicable regulatory requirements will be addressed during Management review.
4.2.2 Risk analysis
The CEO and QA manager are responsible for identification and evaluation of the risks and vulnerabilities related to confidential personal information. This analysis and evaluation of information security risks will be done prior to or during management review (SOP561-01), or when significant changes are proposed.
Risk analysis is carried out considering the identification of risks concerning:
- significant trends and changes to information security risks
- known and foreseeable risks, under normal or abnormal circumstances
- people involved in processing personal information
- equipment used for processing or storage of personal information
- software used during processing or storage of personal information
- personal data to protect
- environment where personal data are stored or processed
- organizational roles and responsibilities
- suppliers and services needed for personal data protection
The identification of risks, or a reflection of the discussion during Management review, will be recorded.
4.2.3 Risk Control
The CEO and QA manager are responsible for identification of the risk control measures to be implemented to reduce the risks. These measures should be related to the confidential information involved and to the risks identified in 4.2.2.
The company identified the following risk control measures:
- Handling of personal information by limited, authorized staff only (CEO, QA/RA Manager).
- Strict separation of the database with personal information on the network.
- Anonymization of personal information before further processing whenever possible, implemented in the relevant procedures (e.g. Order handling, Complaint handling); no documents with personal information circulate through the whole company.
- No sharing of personal information with external parties without confidentiality being assured.
- Internal sharing of personal data only according to the "need to know" principle.
- No processing of documents containing personal data outside the company premises.
- All breaches of information security, actual or suspected, addressed via the CAPA system.
- Protection of personal information on the agenda of Management review and Internal audit.
4.2.4 Monitoring follow-up
Monitoring of the protection of confidential personal information will be done via the management review. Protection of personal information will be on the agenda of internal audits.
4.3 Information security incidents
All security incidents related to personal data need to be reported to the QA manager and addressed via the CAPA system in order to minimize the consequences of the incident.
The company will keep records of every incident that could lead to serious adverse effects for the protection of personal data.
The QA manager and CEO are responsible for judging the severity of the incident and, if required, notification of it to the authorities.
In case of a security incident, the company needs to inform the person involved whenever personal information has been unintentionally disclosed and whenever lack of availability of information systems may have adversely affected them. The notification of the data breach to the subject involved should take into consideration the nature of the incident and the actual consequences for the person involved. Notification of the subject is not required if the responsible party has implemented sufficient cryptographic or other techniques to make the data inaccessible to others.
In case of theft of business property containing confidential personal information, it should be reported to the QA manager in the same manner as other security incidents. In addition, the police will be informed.
It is required by law that serious data breaches are reported to the 'Autoriteit Persoonsgegevens' using the template on the website autoriteitpersoonsgegevens.nl. In general, this needs to be done when personal data are leaked and it cannot be excluded that these data can be used by unauthorized persons. The document 'De Meldplicht datalekken in de Wet bescherming persoonsgegevens (Wbp), Beleidsregels voor toepassing van artikel 34a van de Wbp (8 dec 2015)' provides guidance for the correct procedure.
The following information needs to be provided at least:
- The nature of the data breach and the authorities where more information can be retrieved, including recommendations and measures to minimize the negative effects of the breach.
- A description of the observed and suspected effects of the security breach and the measures the responsible party has taken or is proposing in order to repair the consequences.
For infringement of the duty to notify the ‘Autoriteit Persoonsgegevens’ of data leaks, the authority may impose an administrative fine.
The outcome of this process is that personal information will be identified and risk control measures taken in order to protect personal data.
SOP424-01 Record Control
SOP561-01 Management Review
SOP852-01 Corrective and Preventive action
BWBR0011468 Wet bescherming persoonsgegevens
2016/679 EU Data Protection Regulation
De Meldplicht datalekken in de Wet bescherming persoonsgegevens (Wbp), Beleidsregels voor toepassing van artikel 34a van de Wbp (8 dec 2015)