Password, account, and personal information security

The request was partially successful.

Dear Health and Care Professions Council,

I am writing to request all details about how the security of HCPC registrants' personal information is maintained. This would include (but not be limited to) details on encryption methods and practices (including account recovery and any salting/hashing), how personal data is stored and handled and measures to prevent and detect security breaches.

I would also like to know the method by which authentication codes are generated and stored (for example, is this based on any inputs such as personal details of registrants, or is it randomly generated).

Yours faithfully,

Mr T Jones

FOI, Health and Care Professions Council

Dear Mr Jones

Thank you for your email of 5 September 2019, in which you ask for information about the security of our registrants' personal data.

We are treating this as a request under the Freedom of Information Act 2000 (FOIA).

We will deal with your request as promptly as possible and at the latest, within 20 working days of receiving it, as required by the FOIA. If you have any queries about your request please do contact us using this email address, or the address below.

The reference number for your request is FR06365.

 

Yours sincerely

Freedom of Information

Health and Care Professions Council
Park House, 184 - 186 Kennington Park Road
London SE11 4BU
www.hcpc-uk.org

To sign up to our e-newsletter, please email [email address]

Please consider the environment before printing this email

Correspondence is welcome in English or Welsh / Gallwch ohebu yn Gymraeg neu Saesneg.

 

 

 


FOI, Health and Care Professions Council

Our Ref. FR06365

Dear Mr Jones

Thank you for your email of 5 September 2019, in which you ask for information about the security of our registrants' personal data.

 

Your request has been handled under the Freedom of Information Act 2000 (FOIA).

Registrant information is one example of an information asset which is managed in a number of key business applications within HCPC. HCPC is certified against the international ISO 27001 Information Security Management standard and applies comprehensive policies, processes, procedures and technology to achieve the standard. HCPC applies a defence-in-depth approach to protecting the confidentiality, integrity and availability of information assets.

Amongst the technical controls applied, HCPC limits access to information assets to those that have a need for the execution of their job role duties; this includes both electronic and physical access controls. Authentication to key systems utilises strong password controls, including the application of multi-factor authentication for higher risk environments. Encryption is applied in several forms as appropriate across the IT infrastructure, protecting information assets ‘in flight’ and ‘at rest’ according to usage and risk. Anti-malware protection is applied at several levels across devices, and email and web services, including the application of advanced threat protection services.

A variety of perimeter security devices and services are employed to monitor and protect connections between HCPC infrastructure and internet services. Publicly accessible infrastructure is regularly security tested using specialist penetration testing organisations as well as being regularly scanned for vulnerabilities. Each year we are audited on the ISO 27001 standard and all employees and contractors are required to undergo information security training each year as part of the ISO 27001 accreditation. Comprehensive backup and disaster recovery services are employed to allow the recovery of part or full services in a variety of scenarios.

We are unable to detail specific information about how we protect registrant information, as this could be used to gain unauthorised access to the HCPC information systems. We consider that the exemption within section 36(2)(c) of the FOIA applies. To enable you to better understand our decision, I have provided below more information on this exemption.

 

Section 36

The exemption in section 36(2)(c) applies to information which would otherwise prejudice, or would be likely otherwise to prejudice, the effective conduct of public affairs.

The public interest test must be applied in relation to certain exemptions under the FOIA. The test requires that the public interest in maintaining the exemption (refusing to disclose the information) should be weighed against the public interest in disclosing the information. The public interest test must be considered in relation to section 36.

In this case, the public interest factors in favour of disclosing the specific details about how we protect registrant information are that the disclosure would increase transparency about the HCPC’s information security practice and management.

The factors in withholding the information are that disclosure would be likely to prejudice the effectiveness of the HCPC information security controls and will compromise our information security. Not allowing technical information leakage is a key control to protecting information assets.

Having considered all of these factors, we have decided that the public interest in withholding the information outweighs the public interest in disclosing it.

 

Internal review

If you are unhappy with the way your request for information has been handled, you can request a review by writing to:

Governance Department
Health and Care Professions Council
Park House
184 - 186 Kennington Park Road
London
SE11 4BU

Email: [email address]

If you remain dissatisfied with the handling of your request or complaint, you have the right to appeal to the Information Commissioner at:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Email: [email address]

There is no charge for making an appeal.

 

Kind regards

Freedom of Information

Health and Care Professions Council


 

 

 
