Security, data protection, and regulatory compliance for Digital Health Passport

Governance & Compliance

The Digital Health Passport meets the highest standards for security, data protection, and clinical safety required by the NHS and UK healthcare regulators.

Security & Compliance Standards

ISO 27001 Certification

Information Security Management

We maintain ISO 27001:2013 certification, demonstrating:

Systematic approach to managing sensitive information
Risk assessment and treatment processes
Continuous monitoring and improvement
Regular internal and external audits

Certificate: View ISO 27001 Certificate (PDF) Scope: All systems and processes for Digital Health Passport platform

Cyber Essentials Plus

Enhanced Cybersecurity Standards

Cyber Essentials Plus certification validates our technical controls:

Firewalls and internet gateways
Secure configuration
User access control
Malware protection
Patch management

Certificate: View Cyber Essentials Plus Certificate (PDF) Renewal: Annual re-certification

NHS Data Security and Protection Toolkit

NHS-Specific Standards

We achieve "Standards Met" status on the NHS DSPT, covering:

Data security standards
Staff awareness and training
Business continuity planning
Incident management
Asset management

Status: Standards Met (2024) Link: View DSPT Submission

Data Protection

Legal Basis: Consent and legitimate interests for healthcare provision

Patient Rights:

Right to access personal data
Right to rectification
Right to erasure ("right to be forgotten")
Right to data portability
Right to object to processing

How We Protect Data:

Encryption at rest (AES-256)
Encryption in transit (TLS 1.3)
Regular penetration testing
Anonymized analytics
Data minimization principles

Data Residency

UK-Hosted Infrastructure

All patient data stored in UK data centers
ISO 27001 certified hosting providers
No data transfer outside UK/EEA
Compliant with NHS data sovereignty requirements

Data Retention

Active patient data: Retained while account active
Medical records: Retained per NHS guidelines (typically 8 years post-last access for children)
Audit logs: 7 years minimum
Deletion: Secure deletion on user request (subject to legal obligations)

Data Processing Agreements

We provide NHS-compliant DPAs covering:

Roles and responsibilities
Data flows and purposes
Security measures
Breach notification procedures
Sub-processor management

Download DPA Template (PDF)

Clinical Safety

DCB0129 & DCB0160 Compliance

Clinical Risk Management

We comply with NHS Digital clinical safety standards:

DCB0129: Clinical Risk Management - Manufacturer requirements

Hazard log maintained
Clinical safety case reports
Post-market surveillance
Incident management

DCB0160: Clinical Risk Management - Deployment requirements

Clinical Safety Officer appointed
Deployment-specific risk assessments
Training and competency assurance
Ongoing monitoring

Clinical Safety Case Report: Request CSCR

Software as a Medical Device (SaMD)

MHRA Registration: Class I Medical Device

Device Classification:

Rule 11: Software for wellbeing purposes
Intended purpose: Manage and prevent disease deterioration
Risk class: I (lowest risk)

Quality Management: ISO 13485 aligned processes

Post-Market Surveillance:

Adverse event reporting
User feedback monitoring
Continuous safety review

DTAC Readiness

Digital Technology Assessment Criteria

We are prepared for DTAC assessment across all domains:

Clinical Safety: ✅ DCB0129/0160 compliant Data Protection: ✅ UK GDPR compliant, DSPT standards met Technical Security: ✅ ISO 27001, Cyber Essentials Plus Interoperability: ✅ FHIR standards, NHS Login integration Usability: ✅ Accessibility standards (WCAG 2.1 AA)

View DTAC Evidence Pack (PDF)