Data Protection

The data you (“You”) provide to Nurses Notes (“We”, “Us”, “Our”) are processed by a third-party service provider, WP Vibes (“Form Vibes”) by WTS Business Solutions, to enable interaction with you on our website and/or our product. As a data processor acting on our behalf, Form Vibes automatically receives and records certain information about you, such as device model, IP address, the type of browser being used and usage patterns, through cookies and browser settings. Form Vibes performs analytics on such data on our behalf, which helps us improve our service to you. You can read about the cookies Form Vibes sets in their cookie policy here.

The website also uses a third-party plugin by Digital Factory (“Cookie Notice”). This is used to ensure that our website complies with the EU GDPR cookie law and CCPA regulations. The Cookie Notice agreement appears as a popup message and should appear when you visit the website for the first time. When you accept the notice, the cookie is stored for one (1) month. When you do not accept the notice, the cookie is stored for only one hour, after which the data is discarded. More details about how the plugin operates can be accessed here: https://dfactory.eu/privacy-policy/

For more detailed information on how we protect your data and the procedures we have in place, please see below.

This Procedure provides general principles and an approach model to respond to and mitigate breaches of any type of personal data (a “personal data breach”) in one or both of the following circumstances:

  • The personal data identifies data subjects who are residents of the Member States of the European Union (EU) and countries in the European Economic Area (EEA), regardless of where that data is subject to processing globally; and
  • The personal data is subject to processing in the EU and/or EEA, regardless of the country of residency of the data subject.

This Procedure is also applicable to any other type of security incident.

The Procedure lays out the general principles and actions for successfully managing the response to a data breach as well as fulfilling the obligations surrounding the notification to Supervisory Authorities and individuals as required by the EU GDPR.

All employees, contractors, temporary employees, and third parties working for or acting on behalf of Nurses Notes (“Company”) must be aware of and follow this Procedure in the event of a personal data breach, or any other security weakness or incident.

  • EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
  • ISO/IEC 27001 standard, clauses A.7.2.3, A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A.16.1.6, A.16.1.7
  • Information Security Policy
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The following definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation (GDPR):

  • “Personal Data” means:
    • Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    • Protected Health Information (PHI). Protected health information means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.
    • Unsecured Protected Health Information (Unsecured PHI). Unsecured PHI means any PHI which is not unusable, unreadable, or indecipherable to unauthorized persons due to technology or methodology, such as encryption or destruction, as specified by the HHS Secretary.
  • “Controller” is the natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.
  • “Processor” is a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of a Data Controller.
  • “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unintentional acquisition, unauthorized disclosure of, or access to, any personal data transmitted, stored or otherwise processed.
  • “Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51.
  • For more detailed information about HIPAA rules and definitions please refer to:
    https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
  • For more detailed information about GDPR rules and definitions please refer to:
    https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679


Once a data breach is reported to the Data Breach Response team leader, the team must implement the following:

  • Validate/triage the data breach.
  • Ensure proper and impartial investigation (including digital forensics if necessary) is initiated, conducted, documented, and concluded.
  • Identify remediation requirements and track resolution.
  • Report findings to the top management.
  • Coordinate with appropriate authorities as needed.
  • Coordinate internal and external communications.
  • Ensure that impacted data subjects are properly notified, if necessary.
  • Analyze each incident recorded in the Data Breach Register and, if necessary, suggest preventive or corrective action.

The Data Breach Response Team will convene for each reported (and alleged) data breach, and will be headed by the Data Breach Response Team Leader.

Special HIPAA compliance notification considerations

If it is determined that breach notification must be sent to affected parties, the Company’s standard breach notification letter (as modified for the specific breach) will be sent out to all affected individuals. Notice to affected parties shall be written in plain language and must contain the following information, all of which is included in the Company’s standard breach notification letter:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
  • A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved).
  • Any steps the individuals should take to protect themselves from potential harm resulting from the breach.
  • A brief description of what the Company is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches.
  • Contact procedures for individuals to ask questions or learn additional information, which includes a toll-free telephone number, email address, website, or postal address.

Notice to affected parties shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach.

If the Company determines that notification requires urgency because of possible imminent misuse of unsecured PHI, notification may be provided by telephone or other means, as appropriate, in addition to the methods noted above. It is the responsibility of the Company to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of any delay.

If a law enforcement official states to the Company or a business associate that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, the Company shall:

  • If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or
  • If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.

The Data Breach Response Process is initiated when anyone notices a suspected, alleged or actual data breach and notifies any member of the Data Breach Response Team. The team is responsible for determining whether the breach should be considered a breach affecting personal data.

The Data Breach Team leader is responsible for documenting all decisions of the core team. Since these documents might be reviewed by the supervisory authorities, they need to be written very precisely and thoroughly to ensure traceability and accountability.

When the personal data breach or suspected data breach affects personal data that is being processed on behalf of a third party, the Data Protection Officer of the Company acting as a data processor must report any personal data breach to the respective data controller/controllers without undue delay.

The Data Protection Officer will send a notification to the controller that will include the following:

  • A description of the nature of the breach.
  • Categories of personal data affected.
  • Approximate number of data subjects affected.
  • Name and contact details of the Data Breach Response Team Leader/ Data Protection Officer.
  • Consequences of the personal data breach.
  • Measures taken to address the personal data breach.
  • Any other information relating to the data breach.

The Information Security Analyst will record the data breach in the Data Breach Register.


When the personal data breach or suspected data breach affects personal data that is being processed by the Company as a data controller, the following actions are performed by the Data Protection Officer:

  1. The Company must establish whether the personal data breach should be reported to the Supervisory Authority.
    In order to establish the risk to the rights and freedoms of the affected data subjects, the Data Protection Officer must perform a Data Protection Impact Assessment on the processing activity affected by the data breach.
  2. If the personal data breach is not likely to result in a risk to the rights and freedoms of the affected data subjects, no notification is required. However, the data breach must still be recorded in the Data Breach Register.
  3. If the personal data breach is likely to result in a risk to the rights and freedoms of the affected data subjects, the Supervisory Authority must be notified without undue delay and no later than 72 hours after the breach is discovered. Any reasons for delay beyond 72 hours must be communicated to the Supervisory Authority.

The CISO will send notifications to the Supervisory Authority that will include the following:

  • A description of the nature of the breach.
  • Categories of personal data affected.
  • Approximate number of data subjects affected.
  • Name and contact details of the Data Breach Response Team Leader/ Data Protection Officer.
  • Consequences of the personal data breach.
  • Measures taken to address the personal data breach.
  • Any other information relating to the data breach.

The CISO must assess whether the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects. If so, the Data Protection Officer of the Company must notify the affected data subjects without undue delay.

The Notification to the data subjects must be written in clear and plain language and must contain the same information listed in Section 7.

If, due to the number of affected data subjects, it is disproportionately difficult to notify each affected data subject, the CISO must take the necessary measures to ensure that the affected data subjects are notified by using appropriate, publicly available channels.

Any individual who breaches this Procedure may be subject to internal disciplinary action (up to and including termination of their employment); and may also face civil or criminal liability if their action violates the law.

This document is valid as of March 2019.

The owner of this document is the Information Security Analyst, who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • Number and significance of incidents arising from suppliers’ and partners’ activities
  • Number of contracts where the contract owner is not defined