Information governance and data security

Excellence in information governance

Excellence in information governance is at the heart of what we do. We have a legal and ethical responsibility to handle confidential and sensitive information carefully and securely, and we are fully committed to doing that in a way that maximises its utility while preventing unauthorised or inappropriate use or disclosure.

Independent assurance

Our Information Security Management System (ISMS) is certified to ISO 27001:2013 by Certification Europe. Regular audits and independent assessment help us to maintain compliance with the standard and provide assurance that information security is always built in to our work.

Experience

Since 1999 Dr Foster has been handling confidential patient-level data and operating under a range of UK, European and international laws, associated codes of practice and international standards. Our experience contributes to the maturity of our ISMS and provides customers with confidence that their information is protected.

International compliance

Wherever we work we comply. We make sure that we meet the data protection and other legal requirements of the countries we operate in. This includes the General Data Protection Regulation (GDPR) in Europe, the UK’s Data Protection Act and the Health Insurance Portability and Accountability Act (HIPAA) in the US. We meet all of the requirements set out by the NHS Information Governance Toolkit and adhere to the Caldicott Principles. And our team remains up to date with compliance developments as they emerge.

Data protection by design and default

We are respectful of the nature of the data we work with, where it comes from and what it means for individuals and organisations.

We use a range of privacy-enhancing technologies, physical security measures, data agreements, contracts of employment, impact assessments and audit measures. Taken together, these provide us with a robust governance framework for information management.

Privacy is core to our designs and processes. We process anonymised and pseudonymised data about patients to preserve privacy and minimise risk. For more information please see the patient privacy notice here.