How we protect our information

Marie Curie is committed to keeping information safe and secure, enabling us to deliver excellent patient care and maintain confidence in our brand so we retain the financial support of our fundraisers.
In order to achieve this, we have developed an information security strategy. The strategy aims to protect data from unauthorised access, unlawful processing, loss, modification and destruction. It does this through activities which:
  • govern and manage information
  • train, educate and raise awareness among our staff and volunteers
  • find and deal with information risks and issues
  • handle incidents and data breaches
  • conduct information ‘assurance’ to check that the protections are working as they should.
We manage information risk by implementing controls based on regulations, established standards and good industry practice, such as the UK Data Protection Act 2018/EU GDPR, ISO 27001 and the Payment Card Industry Data Security Standard.
We protect information throughout its lifecycle (i.e. from ‘cradle to grave’). This covers everything from the creation, collection and storage of data to its use, sharing, archiving and destruction when no longer needed.
There are four main types of security control we use: administrative, personnel, physical and technical.
Administrative controls include policies and procedures. Personnel controls include vetting and raising staff awareness of privacy and security risks. Physical controls include restricted site access, CCTV, visitor procedures and the secure destruction of data.
We have a layered ‘defence in depth’ approach to technical controls, including:
  • secure setup of IT systems
  • checking for malicious internet traffic
  • access requirements such as passphrases and multi-factor authentication
  • anti-malware to protect from viruses and other cyber-attacks, including ‘phishing’
  • encryption to prevent unauthorised people from reading data in transit or while stored on a server
  • applying updates to our IT systems and applications (aka ‘patching’).
We monitor the effectiveness of these controls and update them as threats change. We do this through:
  • internal audits
  • independent vulnerability scanning and penetration testing to keep IT systems safe and secure
  • intrusion detection and protection monitoring to detect suspicious activity
  • back-up and recovery testing to prepare for potential data loss or a disaster event
  • regular reporting to senior management, committees and the Board of Trustees.
If you have any queries or concerns, please contact DPO@mariecurie.org.uk.
©2025 Marie Curie. Registered Charity, England and Wales (207994), Scotland (SC038731). Registered company limited by guarantee, England & Wales (507597). Registered Office: One Embassy Gardens, 8 Viaduct Gardens, London SW11 7BW
