Return2Play, part of Meliora Medical Group, shall as Data Processor:
1. ensure that the Personal Data can be accessed only by authorized personnel for the purposes of the service provided and agreed by both data controller and processor;
2. take all reasonable measures to prevent unauthorized access to the Personal Data through the use of appropriate physical and logical (passwords) entry controls, securing areas for data processing, and implementing procedures for monitoring the use of data processing facilities;
3. build in system and audit trails;
4. use secure passwords, network intrusion detection technology, encryption and authentication technology, secure logon procedures and virus protection;
5. account for all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access or disclosure of Personal Data;
6. ensure pseudonymisation and/or encryption of Personal Data, where appropriate;
7. maintain the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
8. maintain the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
9. implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Personal Data;
10. monitor compliance on an ongoing basis;
11. implement measures to identify vulnerabilities with regard to the processing of Personal Data in systems used to provide services to the Data Controller;
12. provide employee and contractor training to ensure ongoing capabilities to carry out the security measures established in policy.
Security Measure | Control |
---|---|
We ensure that systems containing Personal Data can only be accessed by authorized personnel for the purposes set forth in Annex 2 of the Data Processing Agreement. | Access controls in place, regularly reviewed and updated by Head of Operations. |
We ensure our staff use strong passwords and two-factor authentication for our key systems which store personal data, particularly our Return2Play platform, email and document storage systems. | Our platform is hosted on Amazon Web Services where two-factor authentication is built in. We use Google Workspace for email and document storage and utilise their secure logon security features. Security is reviewed quarterly by the Head of Operations and annually by our Data Protection Officer. |
We ensure our Return2Play platform has in-built system and audit trails. | Our Return2Play platform logs all changes in the database. Our Head of Operations can access these at any time. Remote access is via VPN using encrypted devices and all access is logged using a monitoring system as well as access policies. |
We use secure passwords, network intrusion detection technology, and where appropriate encryption at rest and in transit. We also have virus protection via our hosting provider, AWS. | We enforce secure passwords on Return2Play and Google Workspace. There is network intrusion detection monitoring and alerting software used via AWS for the Return2Play platform. Alerts are handled in real time and the security measures are reviewed quarterly by the Head of Operations. |
We assess and take mitigation steps for the risks that are presented by processing, as described above, for accidental or unlawful access which may result in unlawful processing, destruction, loss, or alteration, or disclosure of Personal Data. | Access and security controls are reviewed regularly, minimally quarterly by the Head of Operations and annually by the Data Protection Officer. |
We ensure data aggregation / analytics are only run on pseudonymised or de-identified Personal Data. These processes are only run on our Return2Play platform with authorisation from our clients (schools) in order to produce reports and statistics to prevent injuries in sports. | The Head of Operations controls access to the report module where analytics and reports are produced. |
We maintain the ongoing confidentiality, integrity, availability and resilience of processing systems and services through a robust data backup procedure together with the security measures mentioned above. | Backups are checked quarterly. Platform resilience and failover is managed by AWS with Service Level Agreements in place for uptime, availability and Time to Restore. All staff must sign confidentiality agreements and receive data protection training. |
We ensure we have in place organisational standards for regularly reviewing, assessing, and evaluating the effectiveness of security measures and operational procedures covering the security of the processing of Personal Data. | We undertake an Annual Data Protection Audit by our Data Protection Officer. There are quarterly reviews of security measures, access controls, backups and real-time reviews of intrusion alerts. We have a Security Incident and Data Breach procedure in place. |
We use Sub-processors to manage and maintain our Return2Play platform. They are Amazon Web Services and software developers. Both suppliers have entered into Data Processing Agreements and have appointed Certified Information Security Officers and a Data Protection Officer. In addition, both suppliers are ISO 27001 certified. | We have strict remote access controls in place for our developers. All data is stored in the EEA. If data has to be accessed outside of the EEA (an urgent fix, for example) we operate a one-time, time-limited access policy to diagnose and apply the fix in a Staging Environment before pushing the fix to the Live environment. |
We provide employee and contractor training to ensure ongoing capabilities to carry out the data protection and security measures established in our Information Security policy. | All staff must sign confidentiality agreements, adhere to our internal policies and procedures and receive data protection training. |
Whether you are a School, Club or University, we’d love to help you enhance medical care and well-being for your pupils/players, so please feel free to contact us.
Return2Play is the trading name for the Sports Medicine service provided by Meliora Medical Group.
Other services include general medical services for schools and lifestyle medicine services. For more information, please visit the Meliora Medical Group website.
Visit melioramedicalgroup.co.uk