Introduction
This policy is part of the medDigital ISMS and must be fully complied with.
The purpose of this policy is to avoid breaches of legal, statutory, regulatory or contractual obligations
related to information security, and breaches of any security requirements.
Identification
We have identified and documented the statutory, regulatory and contractual requirements and our approach
to meet these requirements. We openly publish this information.
This information must be updated as information systems and requirements evolve.
Intellectual property rights
The use of any third party intellectual property in medDigital products must be escalated to IT so that
licensing can be evaluated and procured as necessary.
Protection of records
Records must be protected from loss, destruction, falsification, unauthorised access and unauthorised
release, in accordance with legislation, regulatory, contractual and business requirements.
Privacy and protection of personally identifiable information
Privacy and protection of personally identifiable information shall be ensured as required in relevant
legislation and regulation where applicable. More information can be found at DPA compliance.
Regulation of cryptographic controls
Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
For more information, see our Cryptography policy.
Compliance with security policies and standards
Managers shall regularly review whether information processing and procedures within their area
of responsibility comply with the appropriate security policies, and document this review, along with any findings
and remediation work, in M:\mD Managers\Compliance on a quarterly basis.
Technical compliance review
All information systems shall be reviewed by IT on a bi-annual basis for compliance with the information security
policies and standards. This review should be documented, along with any findings and remediation work,
in M:\IT\Compliance.