Last updated: 5 December 2025
BMA recognises the additional security that needs to be in place when processing sensitive, confidential, or personal information, and has developed further policies and guidance covering data protection and information handling in support of that. The controls identified in those policies will ensure that the security of our information assets provides overall assurance for BMA, our members and our customers.
BMA is committed to managing the confidentiality, integrity and availability of all physical and electronic information assets throughout the organisation through the deployment of robust information security management, quality assurance, and governance.
This policy supports the BMA’s information security objectives:
- Confidentiality – this is ensured by having in place a suite of policies and procedures that limits access to both sensitive corporate and personal information.
- Integrity – this is the assurance that the information is trustworthy, accurate and covers data quality.
- Availability – this is a guarantee of ready access to the information by authorised people.
Aims and purpose
BMA is committed to the adoption and continuous development of appropriate and relevant information security controls to meet the highest possible standards of information security. This policy is one of several that when fully implemented achieves this aim.
In addition to this, the BMA must adhere to UK and EU legislation surrounding the security of information. See examples of legislation (this is not an exhaustive list):
- The Data Protection Act 2018
- The Data Usage and Access Act 2025
- General Data Privacy Regulation 2016 (EU GDPR)
- Privacy and Electronic Communication Regulations (PECR)
- The Computer Misuse Act 1990
- The Human Rights Act 1998
To achieve this, controls will be applied in line with what is required to comply with the relevant legislation, drawing on the following industry standards and bodies that promote best practice, including but not restricted to:
- Information Commissioner’s Office (ICO)
- British Standards Institute (BSI): Standards ISO 27001
- IASME Cyber Essentials Plus Scheme
Scope
The policy applies to any data or information that is held, obtained, recorded, used, shared and archived or destroyed by BMA irrespective of whether it is held in electronic or paper format.
This policy and associated standards, requirements, and procedures are intended to provide the framework for ensuring adequate protection of all information assets and processing operations. It is designed to ensure the confidentiality, integrity and availability of the data or information we process and share, minimising the risk of information security incidents and reducing their potential impact.
Implementation
BMA has committed to:
- Continuous improvement initiatives, including appropriate and timely audits, risk assessment and risk treatment strategies.
- Maintaining compliance with its policies, applicable global legislation and regulation.
- Communicating its information security and governance policies, standards and objectives throughout the business and to other relevant parties by using appropriate training and awareness methods:
  - training is conducted as part of the BMA’s corporate induction
  - training material and policies are made available on the BMA’s intranet, and self-certification is required annually.
- Procedures that ensure effective information access and security control. The objective of these technical procedures is to ensure that:
  - information systems users are appropriately identified and have access to information for which they have a legitimate need
  - computer systems are appropriately managed and controlled in line with the requirements of this policy
  - information assets are identified and protected
  - there is clear assignment of responsibilities.
- Ensuring that all information security incidents are investigated and followed up.
- Liaising with, and sharing good practice with, members, business partners and other relevant parties to further promote information security and governance standards.
- Producing suitable and effective business continuity plans with a robust testing structure.
- Ensuring that information security and wider information governance issues are assessed for compliance and risk at the business development stage.
Roles and responsibilities
Everyone working for BMA (permanent or temporary staff, business partners, third party suppliers, contractors, vendors, temps, consultants, interns, etc.) who has access to BMA information must adhere to this policy and is responsible for implementing and maintaining BMA information security and governance standards. This applies irrespective of time or location, whether working in a normal office or another remote environment.
In addition
- The further development of this policy plus associated procedures will be the responsibility of the Information governance steering group and Chief information officer under guidance from the Data protection officer.
- Reporting to the Chief information officer (CIO), Chief technology operations officer will provide overall direction and senior management responsibility for Information security and governance. Chief technology operations officer will chair the Information governance steering group.
- The Chief technology operations officer and the Information governance lead will provide support and be responsible for ensuring that the required Information security and governance standards are implemented effectively. The BMA operates a process of continual training and ongoing review of all security guidelines, with an emphasis on creating a culture which recognises the importance of information governance.
- Senior managers will be responsible for their own specific area and in some circumstances be policy owners, responsible for reviewing, updating and cascading their policies, procedures and standards to all staff covered, and are expected to implement the policy.
- Information asset owners will be accountable for information assets and equipment in accordance with the requirements of relevant policies. They will also be responsible for identifying any information risk associated with that information asset.
Disposal of data, physical records and equipment
The BMA undertakes extensive steps to ensure that the retention of unnecessary data is avoided and that personal or confidential data, in any form, are destroyed securely.
Any equipment that holds, or has held, data should be securely wiped or destroyed once it is no longer needed. This must be carried out by authorised staff within BMA technology services.
Additional considerations
Any deviation from this policy must be documented, risk assessed, and agreed by the Information governance steering group, or by a nominated representative.
Definitions
Information
Information takes many forms. For the purposes of this policy, it includes data stored on computers, transmitted across computer networks, printed, written, sent by post or fax, or stored on removable devices.
Access
Access refers to any mechanisms by which individuals gain access to information.
Security
Security refers to mechanisms and procedures designed to ensure that appropriate controls on information access are in place and are effective.
Confidentiality
Confidentiality requires protection of information from unauthorised disclosure or intelligible interception (see below).
Integrity
Integrity involves safeguarding the accuracy, completeness and consistency of both information and computer software.
Availability
Availability involves ensuring information and the associated services needed to process that information are available to staff, students and the public when required.
Information assets
Information assets include information (see above definition), computer software and hardware.
Communication
A current version of this content is available to all BMA staff on the intranet and will be made available to all parties contracting with the BMA.
Continual improvement
This policy is subject to annual review by the Information governance steering group (IGSG) as part of its governance processes. It will be updated accordingly to address emerging security threats and changes in regulatory requirements as part of the continual improvement process.
Non-compliance
Non-compliance with this policy may lead to disciplinary action against the individual(s) involved.
Exceptions
Any exception to this policy must be approved and recorded by the CISO and/or the DPO.
Document and version control
Status
This is a controlled document. Whilst this document may be printed, the electronic version posted on the BMA website is the controlled version. Any printed copies of this document are not controlled.
Owner and approval
The Information governance steering group maintain ownership of this policy and are responsible for ensuring that it is reviewed in line with the review requirements of the BMA’s ISMS.
Revision history
Version Control Note: All documents in development are indicated by minor versions i.e. 0.1, 0.2 etc. The first version of a document to be approved for release is given major version 1.0. Upon review the first version of a revised document is assigned the designation 1.1, the second 1.2 etc. until the revised version is approved, whereupon it becomes version 2.0. The process continues in numerical order each time a document is reviewed and approved.