/
HIC ISMS Glossary

HIC ISMS Glossary

Owned by Symone Sheane
Nov 07, 2024
10 min read

PURPOSE

The purpose of this glossary is to define technical words, specialised and unique terms to HICs business or technical domains, provide quick reference to key concepts as well as avoid duplicating definitions in multiple locations within the Information Security Management System.

Quick Access

[ 1 PURPOSE ] [ 2 Quick Access ] [ 3 ADP ] [ 4 Anonymised Data ] [ 5 Application ] [ 6 Appropriate ] [ 7 Approved Data User ] [ 8 Approved Project ] [ 9 Asset  ] [ 10 Automated Build Environment ] [ 11 Caldicott Guardian ] [ 12 Change Approvers ] [ 13 Change Advisory Group ] [ 14 Change Category ] [ 15 Change Description ] [ 16 Change Impact Category ] [ 17 Change Risk Assessment ] [ 18 Change Type  ] [ 18.1   ] [ 19 Change Urgency ] [ 20 CHI ] [ 21 Client ] [ 22 Cohort Manager ] [ 23 Communication Plan ] [ 24 Control ] [ 25 Consented Data ] [ 26 Data ] [ 27 Data Controller ] [ 28 Data Processor ] [ 29 Development Team ] [ 30 DLS ] [ 31 External Party ] [ 32 HIC ] [ 33 HIC Data Analyst ] [ 34 HIC Developer ] [ 35 HIC Executive Committee ] [ 36 Information ] [ 37 Information Security ] [ 38 Information Systems ] [ 39 ISMS ] [ 40 ISMS Documentation ] [ 41 Maintenance Window ] [ 42 Material Change ] [ 43 Non-Consented Project Dataset ] [ 44 Non-Standard Change ] [ 45 Personal Data ] [ 46 Process Manager ] [ 47 Pro-CHI ] [ 48 Production Database ] [ 49 Project ] [ 50 Project Dataset ] [ 51 Project Description ] [ 52 Policy ] [ 53 Project Management System ] [ 54 RFC  ] [ 55 Risk  ] [ 56 Risk Assessment ] [ 57 Service ] [ 58 Service Catalogue ] [ 59 Staging database ] [ 60 Standard Change ] [ 61 Strategic Change ] [ 62 Superficial Change ] [ 63 System Administrator ] [ 64 TASC ] [ 65 Team Manager ] [ 66 Testing Database ] [ 67 TCTU ] [ 68 Third party ] [ 69 TRE ] [ 70 User ] [ 71 Version Control System (VCS) ]

ADP

Application Development Projects. This is the HIC team that carries out software development to facilitate secure data collection, consisting entirely of HIC Developers and working mainly with consented data. This team has since been renamed: Software.

Anonymised Data

Any and all data that could allow individuals to be identified has been removed. These include CHI, name, date of birth, address, full postcode, GP code, General Medical Council registration number, GP Practice code. Any request for data containing any of this information will be treated as a request for identifiable data, which will require explicit Caldicott approval from the NHS Board(s) of residence of the patient(s). HIC Services recognises that while the data is anonymised it is potentially disclosive, so is treated by HIC Services as potentially personal data.

Application

The implementation of a service (web application, console application, etc.)

Appropriate

Suitable for the level of risk identified and justifiable by risk assessment.

Approved Data User

An Approved Data User is an approved DLS Project Principal Investigator (PI) as named on the PM System, or a person who is authorised by the PI to also have access to the DLS Project Dataset. The Approved Data User, to whom data has been made available, will be recorded on the PM system. 

  • The Approved Data User must complete approved Information Governance training and provide the certificate to HIC.

  • Employees of NHS Tayside, NHS Fife, the University of Dundee, or the University of St Andrews need to read, sign, and follow the terms of the HIC TRE User Agreement.

  • Where an Approved Data User is not such an employee the HIC TRE User Agreement must also be signed by a senior representative of the Approved Data User's organisation.

Approved Project

An approved project is a project that is logged into the Project Management System and has Ethics, Caldicott and NHS R&D governance approval, as required. 

Asset 

Anything that has a value to HIC Services 

Automated Build Environment

Software system used by HIC to manage consistent, tested, and automated building and release of applications.

 

Caldicott Guardian

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing.  

  • Each NHS organisations is required to have a Caldicott Guardian; this was mandated for the NHS by Health Service Circular: HSC 1999/012. The mandate covers all organisations that have access to patient records, so it includes acute trusts, ambulance trusts, mental health trusts, primary care trusts, strategic health authorities, and special health authorities such as NHS Direct. 

  • Caldicott Guardians were subsequently introduced into social care in 2002, mandated by Local Authority Circular: LAC 2002/2. 

  • The Guardian plays a key role in ensuring that NHS, Councils with Social Services Responsibilities and partner organisations satisfy the highest practical standards for handling patient identifiable information. 

  • Acting as the 'conscience' of an organisations, the Guardian actively supports work to enable information sharing where it is appropriate to share and advises on options for lawful and ethical processing of information. 

Change Approvers

Process manager. 

Change Advisory Group

The CAG is a HIC internal group comprised of senior members of staff and is responsible for approval of changes. 

Change Category

Defines a common scale against which to judge the magnitude of the change in terms of effort and risks.

Change Description

Description of the change – what is being changed and how. 

Change Impact Category

Defines a common scale against which to judge the magnitude of the change in terms of effort and risks: 

  • Extensive - There is a significant business service impact because multiple customers are affected by the change. Considerable human and technical resources are needed. Management is involved in the decision process. The RFC must be discussed in the CAG meeting and approved by the change manager. The change manager seeks advice on change authorization and planning. 

  • Significant - There is a clear service impact because at least one customer is affected by the change. The RFC must be discussed in the CAG meeting and approved by the change manager. The change manager seeks advice on authorization and planning. 

  • Moderate - There is little impact on current services because no customers are affected because of the change. The change manager can authorize this RFC. 

  • Minor - The change can be executed without prior approval from the change manager because no customers are affected by the change.
     

Change Risk Assessment

Provides a review of the likelihood of risk and the related consequence: 

  • Likelihood:

    • 1 – Rare 

    • 2 – Unlikely 

    • 3 – Possible 

    • 4 – Likely 

    • 5 – Almost Certain 

  • Consequences: 

    • 1 – Insignificant 

    • 2 – Minor 

    • 3 – Moderate 

    • 4 – Major 

    • 5 – Catastrophic 

Change Type 

Defines the type of change being submitted for review: 

  • Standard Change – a low risk change that’s preapproved and follows documented, repeatable tasks. 

  • Non-Standard Change – a thorough review process is conducted before approving this change. 

     

 

Change Urgency

Provides a comparator scale to measure how urgent the change is: 

  • Critical - The change is immediately necessary to prevent severe business impact. Change approval is needed by the CAG or Emergency Committee. 

  • High - The change is needed as soon as possible because of potentially damaging service impact. 

  • Medium - The change will solve irritating problems or repair missing functionality. This change can be scheduled. 

  • Low - The change will lead to improvements, changes in workflow, or configuration. This change can be scheduled. 
     

CHI

Community Health Index number. Unique 10-digit NHS (Scotland) patient identifier consisting of patient's date of birth (as DDMMYY), followed by four digits: two digits randomly generated, the third digit identifying gender at birth (odd for men, even for women) and a check digit. HIC uses CHI to link cohort records across datasets when creating Project datasets. 

Client

The requestor of a software project. This could be internal or external to HIC.

Cohort Manager

DLS software used to manage versions and Pro-CHI allocation of Approved Project cohorts. 

Communication Plan

Detailed description of the communications to be provided during the change.

Control

A means of managing risk by providing safeguards. This includes policies, procedures, guidelines, other administrative controls, technical controls, or management controls. 

Consented Data

The individuals to whom the data relates (data subjects) have given explicit approval for its processing for the purposes being undertaken. 

Data

Information held in electronic or paper form.

Data Controller

A group or individual responsible for determining the purposes for which and the manner in which any personal data are, or are to be, processed. For example, NHS Tayside and Fife are Data Controllers for regional NHS data processed on their behalf by HIC Services. 

Data Processor

An individual outside the Data Controller’s organisation processing data on behalf of the Data Controller. 

Development Team

Comprised of the Developer Manager, Senior Developers and Junior Developers.

DLS

Data Linkage Service. This is the HIC team of mainly Data Analysts that carries out data receiving, managing, linkage, anonymisation and release, mainly with unconsented NHS data. 

External Party

(or Third Party) in relation to personal data, means any person other than the data subject, the data controller, or any data processor or other person authorised to process data for the data controller or processor. 

HIC

Health Informatics Centre 

HIC Data Analyst

An employee of the University of Dundee authorised by the HIC Executive Committee to develop software and process data on behalf of HIC. HIC Data Analysts will be located within the HIC secure offices and will work on NHS networks.

HIC Developer

An employee of the University of Dundee authorised by the HIC Executive Committee to develop software and process data on behalf of HIC. HIC Developers will be located within the HIC secure offices and will potentially work on either University or NHS networks. A HIC Developer is not permitted to receive or release data, which must be handled by a HIC Data Analyst within the Data Team.

HIC Executive Committee

The management committee with overall decision-making responsibility for HIC operational activity. The HIC Exec meets bi-monthly and has the responsibility to ensure compliance with HIC SOPs on behalf of the HIC Information Security and Governance Committee.

Information

Any communication or representation of knowledge such as facts, data, or opinions in any medium or form including textual, numerical, graphic, cartographic, narrative, and audio-visual. 

Information Security

Preservation of confidentiality, integrity, and availability.

Information Systems

Any system, service or infrastructure used to process information or the physical locations housing them. This includes critical business environments, business processes, business applications (including those under development), computer systems and networks. 

ISMS

Information Security Management System which covers the full range of HIC ISO 27001 documentation covering HIC's governance and data security processes.

ISMS Documentation

Standard Operating Procedures (SOPs) and other documentation relating to HIC's ISO 27001 Information Security Management System

Maintenance Window

An agreed period in time where changes to an application can be made and where users are aware of potential unavailability.

Material Change

is defined as a significant alteration or modification that could have a substantial impact on various aspects of systems, processes, procedures, products, services, or organizational structure, organization, and or environment. It also refers to any alteration or update that could affect an organization's compliance status or obligations.

Non-Consented Project Dataset

A project dataset that uses routinely collected administrative data without direct consent from individuals described within the data.

Non-Standard Change

New changes that require full Change Advisory Group approval.

Personal Data

Information relating to an identified or identifiable living person. The 8 Data Protection Principles in relation to protecting personal data are listed in the Policy document.  

Process Manager

Senior staff or delegated process manager.

Pro-CHI

Project-specific identifier used by HIC to uniquely anonymise a typical NHS dataset CHI number across all datasets within the overall Project Dataset.

Production Database

A database with live data.

Project

​​​​​​​One or more services that covers a client's needs.

Project Dataset

A Project Dataset that has been anonymised uniquely and specifically for use within an Approved Project. The dataset must relate to the cohort and purpose defined in the Project Description.

Project Description

A Project Description will specify the study cohort, aims, and methods. It will also carry a date and a version number. This document is used to help decide what data is required to fulfil the study objectives.

Policy

Overall intention and direction as formally expressed by management. 

Project Management System

The database and software system used by HIC to store project details and documents relating to, in particular, approvals and data releases.

RFC 

Request for change. The RFC is the main reference for all documentation related to a change and supports the approval decision process. It should highlight the following: 

 

  • Change Description - Description of the change – what is being changed and how. 

  • Business Justification - Clearly record reasons for making a change and if the change is not made, what are the consequences and risks? 

  • Change Approvers – Process manager. 

  • Internal and External Stakeholders - Stakeholders who are likely to be affected by the change.

  • Communication Plan - Detailed description of the communications to be provided during the change. 

  • Planned Start and End Date of Change - Will be defined by the change implementer. 

  • Affected Assets - List of assets affected by the change. 

  • Change Impact and Urgency - A change can be Extensive, Significant, Moderate or Minor. The urgency can be Critical, High, Medium or Low. 

  • Risk Assessment of Change - Once the change has been made are there any risks that might arise? 

  • Implementation Plan - Detailed description of the steps required to implement the change. 

  • Test Plan - What is the plan for testing the change before implementation? 

  • Rollback Plan - If the change has been unsuccessful (or has created actual or suspected problems) a documented roll-back plan should be in place in advance of roll out. 

Risk 

The potential for an unwanted event to have a negative impact as a result of exploiting a weakness. It can be seen as a function of the value of the asset, threats, and vulnerabilities.

Risk Assessment

Overall process of identifying and evaluating risk.

Service

Combination of people, processes, and technology to support customer's business.

Service Catalogue

A dashboard which contains up-to-date project information. (for example: project status, lifecycle stage, error reporting, docs, etc.)

Staging database

A database with the identical structure as the production database but containing only test data.

Standard Change

Pre-authorised, repetitive, tested and documented changes that are low risk.

Strategic Change

is defined as adjustment of strategies and processes to comply with changing regulatory requirements, manage emerging risks, or address legal and ethical considerations.

Superficial Change

refers to an alteration or modification that is primarily surface-level in nature and does not significantly impact anything material or strategic.

System Administrator

An employee of the University of Dundee authorised by the HIC Executive Committee to provide and support the technical infrastructure, including maintaining secure IT environments, backup and off-site mirroring of data.

TASC

Tayside medical Science Centre, Ninewells Hospital

Team Manager

The Senior member of staff conducting the Audit Procedure.

Testing Database

The database used during development containing only test data.

TCTU

Tayside Clinical Trials Unit

Third party

Person or body that is recognised as being independent of HIC Services.

TRE

Trusted Research Environment (TRE) is a secure computing environment. It is specifically designed for handling sensitive data in a way that protects privacy and ensures security, enabling your world-leading projects.

User

The individual using the software system once completed. Can be internal and can also support testing of the software before completion.

Version Control System (VCS)

The software system used by HIC to store, manage versions, and track changes to applications and documentation.

DOCUMENT CONTROLS

Process Manager

Point of Contact

Process Manager

Point of Contact

Symone Sheane

hicbusiness-support@dundee.ac.uk

Revision Number

Revision Date

Revision Made

Revision By

Revision Category

Approved By

Effective Date

Revision Number

Revision Date

Revision Made

Revision By

Revision Category

Approved By

Effective Date

1.0

01/05/24

Created from Sharepoint ISMS Glossary

Bruce Miller

Superficial

Symone Sheane

01/05/24

1.1

02/05/24

Added in purpose of glossary.

Added in definitions from SOPs and Policies.

Symone Sheane

Bruce Miller

Superficial

Symone Sheane

02/05/24

1.2

17/10/24

Added in the definition of TRE.

Symone Sheane

Superficial

Symone Sheane

17/10/24

1.3

07/11/24

Corrected spelling on lifecycle

Symone Sheane

Superficial

Symone Sheane

07/11/24

Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within current versioning system prior to use and destroyed promptly thereafter. All hard copies are considered Uncontrolled documents.

Related content