Data security, governance and audit


Introduction
Data security is at the heart of all we do at L2S2. From accredited secure hosting to data encryption and sophisticated permissions, we ensure all data we handle is appropriately secured.

We are audited by BSI to ensure that we comply with ISO 27001, the data security standard. We are also accredited against the NHS information governance (IG) toolkit to level 3.

We have been rigorously audited by NHS Digital and are authorised to hold and process national data sets with highly confidential information.

Penetration testing has evidenced the success of the measures we take.

Encryption
All data we hold is encrypted using AES 256 or other similarly strong technologies.

Data in transfer or on websites is also encrypted with AES 256 to protect it against interception.

All data held on mobile devices using our platform technology, Xenplate, is secured using encryption and displayed directly from the encrypted dataset, without ever appearing on the device unencrypted.

Governance
Legislation and regulation provide clear guidance on what comprises personal data, who can access it and the circumstances in which they are allowed to see and obtain it.
Our Xenplate platform has a sophisticated access model to provide very granular access to different types of data in an application.

We are highly skilled at negotiating governance agreements to obtain access to data and have even consulted for NHS Digital, undertaking negotiations on their behalf.

Audit
We go to considerable trouble to ensure that data captured using Xenplate is auditable and is compliant with relevant standards.

All data captured using Xenplate and L2S2 systems are fully auditable and are time, date, user and (if appropriate) location stamped. Users have innovative multi-factor authentication that provides hard assurance of their identity without making the system over-cumbersome.

Xenplate forms and workflow are fully versioned and data are also stamped with the version of the forms with which they were captured, where appropriate.

Hosting and network architecture
We host data at two independent secure premises with fibre connections to both the internet and the NHS internal network (HSCN – formerly called N3).

We have innovative architecture that has been approved by NHS Digital for transferring data between the NHS HSCN network and the internet.