Data Protection
FirstCare is registered with the Information Commissioner's Office for the Data Protection Act 1998 and is the only absence management company to hold the ISO 27001 Information Security Standards Accreditation.
The Data Protection Act 1998
The Data Protection Act 1998 gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
FirstCare is fully compliant with the eight principles which underpin the Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
ISO 27001 Information Security Management
ISO 27001 is an internationally recognised information security management system (ISMS) standard, published in October 2005 by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). It is awarded to organisations for the successful establishment and maintenance of systems that ensure the confidentiality, security and integrity of all sensitive information held on record.
Why did FirstCare apply for this Accreditation?
The absence management service provided by FirstCare involves the collection, storage and retrieval of confidential data. Aware that it has both a statutory and a social obligation to protect this data, FirstCare decided to apply for the ISO 27001 Accreditation in order to:
- Complement the existing data security features and processes already employed by FirstCare
- Put in place a continual cycle of review and revision to ensure that FirstCare remains compliant and up-to-date with the latest developments and issues surrounding data security
- Provide both existing and potential clients with absolute confidence in the integrity of the data protection systems employed by FirstCare
How was the Accreditation gained?
The ISO 27001 Standard defines 134 Information Security Controls that an organisation must be able to implement, maintain, audit and continue to improve. These Security Controls fall into the following sections:
- Information Security Policies
- Asset Management
- Human Resource Security
- Business Continuity Management
- Physical and Environmental Security
- Access Control Security
- Information Technology Development
- Information Security Incident Management
To determine that FirstCare had in place the necessary policies and procedures to meet these 134 controls, a series of external audits was completed by BSI Management Systems between May and December of 2008. Further audits, to monitor continued compliance with the security controls, take place on an annual basis; the last of these took place in December 2010.