Introduction
This policy is part of the medDigital ISMS and must be fully complied with.
This policy ensures that our information assets are protected when processed by suppliers and that
an agreed level of information security and service delivery is maintained.
Personal Information
Paul Gardner is responsible for reviewing information flows outside of the EEA, and the table below
must be updated annually.
This table shows the data that flows outside of the EEA, who receives it, why, and how they comply with the
Data Protection Act.
| Data | Purpose | Recipient | Location | Compliance |
|---|---|---|---|---|
| Name, Telephone Number, Recording of Contact Centre calls | We use Twilio to send text messages to mobile devices and as a carrier for incoming and outbound calls to and from Contact Centres. The recordings of Contact Centre calls are stored on Twilio infrastructure whilst the call is in progress and then deleted. | Twilio Inc. | California, United States of America | Twilio Inc. participates in and has certified its compliance with the EU-US Privacy Shield Framework and also has a GDPR-compliant data processing contract addendum. |
Supplier selection
Suppliers must be based in the EEA or the United States of America. Suppliers outside of these regions
cannot be selected.
Suppliers in the USA with access to medCrowd data that may contain personal identifying information
must participate in the EU-US Privacy Shield Framework and/or
have sufficient GDPR-compliant agreements.
No supplier can be given access to medCrowd conversation data.
Service delivery
It is the responsibility of the project lead to monitor, review, and audit supplier service delivery where
their projects are concerned and to maintain a record of these activities.
Changes to the provision of services by suppliers, including maintaining and improving existing information
security policies, procedures and controls, shall be managed, taking account of the criticality of business
information, systems and processes involved and re-assessment of risks.