Information Security Policy
The Board of Directors and management of DXS International Plc, located at Wrecclesham House, Wrecclesham Road, Farnham, GU10 4PS, which provides marketing, sales, support, development and implementation of software solutions in the digital health sector, are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout the organisation in order to preserve its competitive edge, cash flow, profitability, legal, regulatory and contractual compliance and commercial image. Information and information security requirements will continue to be aligned with DXS International Plc’s goals, and the IMS is intended to be an enabling mechanism for information sharing, for electronic operations, and for reducing information-related risks to acceptable levels.
DXS International Plc’s current strategic business plan and risk management framework provide the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an IMS. The Risk Assessment, Statement of Applicability and Risk Treatment Plan identify how information-related risks are controlled. The Information Security Manager is responsible for the management and maintenance of the risk treatment plan. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks.
Business continuity and contingency plans, data backup procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this policy. Control objectives for each of these areas are contained in the IMS manual and are supported by specific documented policies and procedures.
DXS International plc aims to achieve specific, defined information security objectives, which are developed in accordance with the business objectives, the context of the organisation, the results of risk assessments and the risk treatment plan.
All interested parties of DXS International Plc are expected to comply with this policy and with the IMS that implements this policy. All Employees, and certain external parties, will receive appropriate training. The consequences of breaching the information security policy are set out in the Organisation’s disciplinary policy and in contracts and agreements with third parties.
The IMS is subject to continuous, systematic review and improvement.
DXS International Plc has established an Information Security Committee, chaired by the Chief Information Security Officer (CISO) and including the Information Security Manager, to support the IMS framework and to periodically review the security policy.
DXS International Plc is committed to achieving certification of its IMS to ISO27001:2013.
This policy will be reviewed to respond to any changes in the risk assessment or risk treatment plan and at least annually.
In this policy, ‘information security’ is defined as:
This means that management, all full time or part time Employees, sub-contractors, project consultants and any external parties have, and will be made aware of, their responsibilities (which are defined in their job descriptions or contracts) to preserve information security, to report security breaches (in line with the policy and procedures identified in Section 16 of the Manual) and to act in accordance with the requirements of the IMS. All Employees will receive information security awareness training and more specialised Employees will receive appropriately specialised information security training.
a) Process the personal data only in accordance with the Data Controller’s instructions and these terms;
b) Implement appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. DXS is an NHS IG Toolkit accredited and ICO registered company.
What websites and applications are covered by this policy?
DXS Point of Care
DXS Pharmacy Knowledge Base
What information is being collected?
We may collect and process the following information about you:
Information you give us. You may give us information by filling out forms on the Application or on our Website or by corresponding with us by phone, email or otherwise. This includes information you provide when you register to use DXS applications or websites. The information you give us may include your name, date of birth, NHS number, address, email address and phone number (“Registration Information”).
Information we collect about you. Each time you use DXS Point of Care, the MyVytalCare application or our website we may automatically collect the following information: technical information, including the internet protocol (“IP”) address used to connect your computer to the internet or local area network, your login information (excluding passwords), browser type and version, time zone settings, browser plug-in types and versions, operating system and platform; and information about your visit to or usage of one of our web platforms or applications, including the full Uniform Resource Locator (“URL”) clickstream to, through and from our applications or website (including date and time) and page response time (collectively referred to as “Usage Information”).
DXS applications may, from time to time, contain links to third-party applications or websites. If you follow a link to any of these applications or websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for those policies. Please check these policies before you submit any personal data to these websites.
Who is collecting it?
DXS International plc and its subsidiaries.
How is it collected?
Registration and usage information is collected during use of the products and submitted to our content update servers, which reside in the EU.
Who will your information be shared with?
We may disclose your personal information:
We share some of your personal data with other DXS group companies, which operate in various countries (including, for example, the U.S. and South Africa), to administer and manage group functions, including registrations.
Your personal data will also be shared with companies providing services under contract to the DXS group, such as LatticeWorx (in the U.S.), the developers of the DXS Point of Care application.
If we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets if you have provided your express consent to the disclosure of your information;
If DXS International plc or substantially all its assets are acquired by a third party, in which case personal data held by it about its end users may be one of the transferred assets, provided that you have given your express consent to the disclosure of your information;
If we are under a duty to disclose or share your personal data to comply with any legal obligation, or to protect your vital interests or the vital interests of other end users;
If we are required to disclose “usage” statistics to Clinical Commissioning Groups;
To your healthcare organisations, if you have given your express consent to the disclosure of your information to the healthcare organisation.
International Transfers of your personal information
DXS is a global organisation. For the purposes explained in this policy, your information will be transferred to other companies within the DXS group and to our suppliers in countries outside of the EEA, such as the U.S. and South Africa, which may not have the same level of data protection laws as the country in which you are located. Details of the recipients are provided in the ‘Who will your information be shared with?’ section.
How is this data safeguarded?
We take commercially reasonable steps to protect your personal information. This includes setting up processes and procedures to minimise unauthorised access to or disclosure of your information, and we use reasonable efforts to obtain the agreement of our Affiliates and third-party service providers to take steps to protect the confidentiality, security, and integrity of the personal information we share with them. However, no electronic data transmission or storage of information can be guaranteed to be 100% private and secure.
How will the information be used?
We use information held about you in the following ways:
Your personal information will be used to provide you with the DXS services relevant to you, as well as information about our services that we believe may benefit you.
Information you give us. We will use your Registration Information to manage your account, subscribe you to opt-in services, and for our own internal administration purposes;
Information we collect about you. We will use your Usage Information to monitor, gather and use “usage” statistics to gauge where future enhancements should be focused. We do not disclose information about identifiable individuals, and “usage” statistics will always be anonymised;
To improve the Online Portal to ensure that content is presented in the most effective manner for you and for your computer; and
As part of our efforts to keep the Online Portal safe and secure.
We will never sell your data to third parties, and it will only be used to provide you with the service you have agreed to and to keep you informed about our products and services.
How long will the data be stored?
DXS data retention is determined by our service level agreement (SLA) with our clients, “the data controller”.
What right does the data subject have?
If at any point you believe your information needs to be updated or removed, you can request to see this information and have it corrected or deleted.
How can the data subject raise a complaint?
If you wish to raise a complaint about how we have handled your personal data, you can contact us at firstname.lastname@example.org to have the matter investigated. If you are not satisfied with our response, or believe we are processing your personal data not in accordance with the law, you can direct your complaint to the Information Commissioner’s Office: https://ico.org.uk