Data Security and Continuous Improvement (January, 2018)
To ensure the continued security and privacy of patient data processed in the UK-CRIS system, a risk assessment process (known as a Data Protection Impact Assessment) is carried out to review the technical and organisational controls in place. This has included an independent assessment of the system and its controls before the system was launched, assessments by each individual NHS organisation using CRIS, and periodic assessments to update these, reflecting any changes in legislation and advances in technology and cyber security. Each of these assessments has found UK-CRIS to have a robust data security and governance model in place that ensures data is secured throughout the lifecycle of processing, with checks and balances to ensure the system is actively monitored (by each Trust and the overarching national governance group) and held accountable. It is evident that patients and the public have been engaged in the implementation of the UK-CRIS system at each NHS site. They have given input on the design and development of public-facing material to ensure the language is consistent and understandable, and they participate actively in the governance of each local system, with patient and public representation on each Trust CRIS oversight committee.
In addition, the UK-CRIS system underwent a set of independent security tests (known as ‘penetration tests’) to check the system for any security vulnerabilities. This process found no high-level risks present in the system and recognised that the measures implemented to secure data were of industry standard and met national and international guidance in this space (e.g. ISO 27001 and the National Institute of Standards and Technology).
Further details on the Data Protection Impact Assessments and/or security tests can be requested from the UK-CRIS team or the NHS Trusts who are members of the CRIS Network. To find out more, please use the contact form on our contact page: https://crisnetwork.co/contact