Solved

UK Data Protection Compliance and Best Practice for SAAS solution handling medical data.

Posted on 2015-01-17
3
199 Views
Last Modified: 2015-01-26
I am looking for a checklist for the key points for a secure design for a system based in the UK dealing with UK data that does the following:

1. Allows 3rd party companies (CO) to store very sensitive (medical) information about their customers.

2. Provides a web interface for supervisors from CO to access, read and modify that data which is owned by CO. This web interface is to be accessed by the public internet. Data is held in a relational database.

3. The system is provided under a SAAS model and hosted in its entirety by a hosting service.

4. Retains (for compliance, auditing and disaster contingency) an audit trail of the stored data as text documents.


I have tried to be deliberately simple in the description.

Separately, does this position vary significantly for the USA?
0
Comment
Question by:monoceros
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40555015
If you are talking health care when you say medical information then the rules here in the UK are very much tighter than in the US.  There are a lot of regulations that go a long way over and above the the data protection act.

You would need to define what is meant by medical data.
who would have access to it?
0
 
LVL 1

Author Comment

by:monoceros
ID: 40555050
This information is related to careworkers and their customers. So the information on customers may include medical history and details of the medications to be administered when the careworker visits.
0
 
LVL 82

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40555781
it should be encrypted with the Case Worker only having access to the decryption key.  The data must be stored only within the UK.  The caseworker must have access (read only) to session logs/audit logs.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Email attacks are the most common methods for initiating ransomware and phishing scams. Attackers want you to open an infected attachment or click a malicious link, and unwittingly download malware to your machine. Here are 7 ways you can stay safe.
The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compli…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Need to grow your business through quality cloud solutions? With everything required to build a cloud platform and solution, you may feel like the distance between you and the cloud is quite long. Help is here. Spend some time learning about the Con…
Suggested Courses

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question