Information Security Policy
PKB Statement of Intent
Patients Know Best (PKB) prides itself on being a leader in the provision of an online Personal Health Record where patients can manage their healthcare needs. As part of this, we recognise that we have a responsibility to protect all of the information that we process, whether it belongs to our employees, patients, customers, partners, or suppliers. By protecting this information we can ensure that we maintain our reputation as a trusted organisation, employer and partner, enabling us to grow as an organisation and deliver exceptional service to our customers.
To demonstrate our commitment to information security, PKB has implemented industry best practice security controls and assured the effectiveness of those controls through an Information Security Management System (ISMS) that complies with ISO 27001:2013, the global standard for managing information security. It is the responsibility of all PKB staff to become familiar with our information security and data privacy management processes and to comply with all information security and data privacy policies, together with the procedures and standards that underpin them. In turn, we commit to ensuring that our information security and data privacy management systems and processes are efficient, effective and continuously improving, so that they protect our information assets while avoiding the reputational, legal and financial harm that would result from a data breach.
The Executive Board fully supports the information security management system and requires all our staff, whether permanent or temporary, together with partner organisations, suppliers and contractors, to do the same.
Approval and review
This statement was approved by the Executive Board on the 1st of October 2022.
PKB Information Security Policy - Public
Summary
Patients Know Best is committed to safeguarding its information assets by ensuring the confidentiality, integrity, and availability of all data it processes. This policy outlines measures to protect systems and data from threats, unauthorised access, and disruption, ensuring compliance with legal, regulatory, and contractual obligations. All employees, contractors, and third parties must follow this policy to maintain a secure environment. Key principles include secure access control, data classification, encryption, and incident response. Regular training, audits, and monitoring ensure continuous improvement and adherence to security standards, supporting PKB's mission to deliver reliable, secure healthcare solutions.
1. Purpose and Scope
Patients Know Best (PKB) is committed to protecting information assets by ensuring the confidentiality, integrity, and availability of all processed data. This policy provides a framework for secure operations, minimises risks, and ensures compliance with legal and regulatory obligations.
Applicability: The policy applies to all employees, contractors, temporary staff, and third-party providers.
Coverage: It encompasses all systems, networks, infrastructure, and data lifecycle activities, regardless of the user's location.
2. Principles and Objectives
The company's security approach is guided by three core principles:
Confidentiality: Data is accessible only to authorised individuals.
Integrity: Accuracy and completeness of data are maintained against unauthorised modification.
Availability: Systems and services remain accessible to authorised users when needed.
Key Objectives include protecting assets from internal and external threats, enabling secure information sharing, promoting accountability, and supporting business continuity.
3. Roles and Responsibilities
Accountability is distributed across the organisation:
Executive Team: Holds ultimate accountability, sets strategic direction, and allocates resources.
Chief Information Security Officer (CISO): Oversees the security framework, develops standards, and leads incident investigations.
Security Team: Implements technical controls, manages encryption, and conducts audits.
Individuals: Every user must protect assets from unauthorised access and report security incidents immediately.
Third Parties: Vendors must enter into confidentiality agreements and notify PKB of any breaches.
4. Key Security Controls
PKB utilises a comprehensive framework of controls:
Access Control: Access is restricted based on defined roles and responsibilities.
Data Protection: Information is classified by sensitivity and protected accordingly.
Incident Management: A robust process is in place to identify and resolve security incidents promptly.
Encryption: Data is encrypted both during storage and in transmission.
Retention: Information is held only as long as necessary and disposed of securely.
5. Training and Monitoring
Awareness: All personnel must complete Security Awareness training during onboarding and annually thereafter.
Monitoring: PKB reviews system logs, performs vulnerability assessments, and conducts penetration tests.
Review: This policy is reviewed annually or following significant operational changes to ensure it remains aligned with evolving risks.
Revision History
Version | Date | Description
1.1 | Apr 20, 2026 | Public version created.
Appendix: Reference Materials and Associated Documents
Further Information Governance and PKB Policies can be found on the Trust Centre.
Data Security & Protection Toolkit