To ask the Secretary of State for Health what percentage of contractors and suppliers to (a) his Department and (b) its agencies have reported that they are compliant with the Government's security standards following publication of the report, Data Handling Procedures in Government, and the accompanying document, Cross-departmental Actions: Mandatory Minimum Action, on 25 June 2008.
The Department's Senior Information Risk Owner (SIRO) wrote to all Directors in November 2008 requiring them to seek assurance from contractors and suppliers within their area of responsibility that they are aware of, and comply with, the Government's security standards set out in the report, Data Handling Procedures in Government, and the accompanying document, Cross-departmental Actions: Mandatory Minimum Action. The response to this exercise will be recorded in end of year assurance statements in March 2009.
Security and information assurance conditions are available for use by NHS Purchasing and Supply Agency (PASA) and the wider NHS in relevant tendering exercises, i.e. where personal or other confidential information will be used, disseminated or handled by the relevant public body or any third party associated with the contract (including but not limited to ICT contracts). These conditions fully comply with the latest data handling procurement policy guidance published by OGC in November 2008. NHS PASA is in the process of contacting its own suppliers to ensure they are compliant with the Government security standards.
The Medicines and Healthcare products Regulatory Agency (MHRA) and all its suppliers are compliant with the Government's security standards and the Data Handling Procedures.