NICU Guide App – Security Policy

Author: Tom Wise
Version: 1.0
Date: July 10, 2025
Scope: This document outlines the technical and organisational measures in place to protect the security of the NICU Guide App, used to provide staff with access to contact details, workflows, and onboarding information at Norfolk and Norwich University Hospital (NNUH).

1. Data Types and Classification

  • The app handles staff personal data only: names, roles, email addresses, and phone numbers.

  • No patient data, clinical records, or special category data are stored or processed.

  • Data is classified as confidential under NHS data protection standards.

2. Hosting and Infrastructure

  • Google Sheets is used as the data source for most staff reference data.

  • Google Firebase Firestore is optionally used for structured backend data storage.

  • All hosting is managed by Google Cloud Platform (GCP), which maintains the following certifications:

    • ISO/IEC 27001

    • ISO/IEC 27017 (Cloud Security)

    • ISO/IEC 27018 (Cloud Privacy)

    • SOC 1, 2, and 3

    • FedRAMP Moderate

    • CSA STAR Level 2

    See: https://cloud.google.com/security/compliance

3. Data Security Measures

  • Encryption in transit: All communications between app, APIs, and data sources are secured using HTTPS with TLS 1.2+.

  • Encryption at rest: Google Cloud encrypts all data stored in Sheets and Firestore using AES-256 as standard.

  • Authentication (planned): User access may be restricted using Firebase Authentication (OAuth2-based, optional email/password or federated login) in future releases.

4. Access Control

  • Only the app developer (Tom Wise) and any authorised NHS project leads have edit access to the data sources (Google Sheets or Firestore).

  • Access to backend databases is secured via Google Cloud IAM roles and service account permissions.

  • No public access is permitted to backend APIs or data stores.

5. Patching and Software Maintenance

  • No custom server infrastructure is deployed; all hosting is serverless and cloud-managed.

  • Google Cloud and Thunkable platforms automatically handle security updates and patching of all underlying infrastructure.

  • If a local API is used (e.g., Flask), dependencies are documented and kept up to date via pip and virtual environments.

6. Backup and Recovery

  • Google Sheets maintains version history automatically.

  • If Firestore is used in production, its data export and backup functionality is run via scheduled scripts.

  • No patient-critical services depend on this app, so the recovery time and recovery point objectives (RTO/RPO) are considered low risk.

7. Incident Management

  • Any suspected data breach or unauthorised access will be reported to the Information Governance team at NNUH within 24 hours.

  • Google Cloud includes built-in audit logs and access controls to support post-incident investigation.

  • The developer maintains access logs and activity reports where applicable.

8. Device and Development Security

  • Development is performed on a secure, password-protected workstation with full-disk encryption enabled.

  • Multi-Factor Authentication (MFA) is enabled for all Google and Firebase accounts.

  • Code repositories (if used) are private and stored in GitHub or Google Cloud Source Repositories with MFA and role-based access.

9. Supplier Risk

  • The system uses platform-as-a-service (PaaS) models and does not rely on unmanaged third-party suppliers.

  • All services used are well-established providers with independently audited security compliance.

10. Compliance

  • The system adheres to the principles of:

    • UK GDPR

    • NHS Data Security & Protection Toolkit (DSPT) requirements

    • National Data Guardian’s 10 Data Security Standards

    • Cyber Essentials (preparation in progress; not yet certified)

Policy Maintenance & Contact

  • This policy will be reviewed annually or upon significant changes.

  • For questions or incidents related to security, contact:
    Tom Wise – Developer & Data Steward
    Email: tom@datadive.systems
    Supporting documentation, certificates and change logs are available on request.