Classification | Public |
Location | https://www.medcrowd.com/compliance/iso27001/policies/InformationClassification |
Author | Paul Gardner |
Approver | Felix Jackson |
Approved | 14th December 2016 |
Date | Author | Changes |
19th June 2023 | Paul Gardner | Periodic review |
6th June 2022 | Paul Gardner | Periodic review |
16th February 2021 | Paul Gardner | Periodic review |
27th February 2020 | Paul Gardner | Skype For Business deprecated in favour of Microsoft Teams |
12th February 2020 | Paul Gardner | Periodic review |
30th July 2019 | Paul Gardner | Added Skype For Business |
5th July 2019 | Paul Gardner | Added External email to Approved Partners. |
20th March 2019 | Paul Gardner | Renamed 'Transfer Tool' to 'medDigital Secure File Transfer' to prevent any ambiguity. |
6th December 2018 | Paul Gardner | Documents by default are CONTROLLED. The Transfer tool can be used to send information up to and including RESTRICTED. |
15th May 2018 | Paul Gardner | Periodic review |
13th December 2016 | Paul Gardner | Added the PERSCONF classification to cope with patient identifying information in medCrowd |
2nd December 2016 | Paul Gardner | Tasks & medCrowd can be used to transmit all classifications |
14th November 2016 | Paul Gardner | Moved to the web |
17th May 2016 | Paul Gardner | Initial revision |
This policy is part of the medDigital ISMS and must be fully complied with.
medDigital is committed to the secure management of its information and the identification of assets that require protection.
The purpose of this policy is to establish the key principles of classifying information and the controls applied to each classification.
This policy applies to all information assets produced by medDigital that are stored or shared by any means.
All information will be classified into one of four categories.
Note that medCrowd conversations are created by third parties and cannot be labelled. Therefore, all medCrowd conversations should be considered CONTROLLED. If the conversation identifies a patient, it is PERSCONF. All information within the SETA application is also PERSCONF. Any material not classified is considered CONTROLLED.
Where information is grouped together, the highest classification shall be applied to all information in the group.
Classification | Description | Restrictions | Examples |
PERSCONF | Information containing confidential personal identifying information | It is unusual for employees/contractors to be exposed to PERSCONF information. If you are exposed to this information, you may not use or disclose the information in any way. | |
RESTRICTED | Information whose unauthorised disclosure would cause serious damage, legal action or loss of reputation | Access is restricted to senior management | |
CONTROLLED | Information which contains business value or which requires protection due to (non-confidential) personal identifying information | Access is restricted to: | |
PUBLIC | Information that can be made available to the public domain and which would not cause damage | None | |
All information must be classified PUBLIC, CONTROLLED, RESTRICTED or PERSCONF. Note that the classification of information does not override our duties under the Data Protection Act.
PERSCONF information must only be processed within the medCrowd application and must never be processed in any other way - this includes taking screenshots or printing the information.
It would be unusual for any employee/contractor to come into contact with PERSCONF information. If an employee/contractor is exposed to PERSCONF information, it must not be used or shared in any way. To do so would be unlawful.
CONTROLLED, RESTRICTED & PERSCONF information, when being handled by employees, must only be processed on medDigital-owned equipment.
A confidentiality or non-disclosure agreement must be in place when exchanging CONTROLLED or RESTRICTED information between medDigital and a third party.
Method | PUBLIC | CONTROLLED | RESTRICTED | PERSCONF |
Post | YES | NO | NO | NO |
External email | YES | YES2 | NO | NO |
External email to approved partners (see M:\Operations\Approved Partners) | YES | YES | NO | NO |
Microsoft Teams3 | YES | YES | YES | NO |
Internal email | YES | YES | YES | NO |
Portable media | YES | YES1 | YES1 | NO |
M: Drive | YES | YES | YES | NO |
medDigital Secure File Transfer | YES | YES | YES | NO |
medCrowd | YES | YES | YES | YES |