Third-Party Risk Management Policy
Effective Date: 23/05/2025
Issued by: Clinicians Check Limited
1. Purpose
This policy outlines CliniciansCheck’s approach to managing risks associated with third-party vendors, partners, and service providers. It ensures that any external party involved in delivering services, storing data, or accessing platform infrastructure meets our security, legal, ethical, and performance standards.
2. Scope
This policy applies to all third parties that:
- Provide cloud hosting, SaaS tools, or data processing services
- Handle sensitive data, including PHI or PII
- Deliver clinical, marketing, development, or support services
- Operate on-site or off-site in relation to CliniciansCheck operations
- Appear on the platform as service providers or vendors
3. Risk Classification
All third parties are assessed and classified into one of the following tiers:
Tier 1 – Critical: Direct access to sensitive data, infrastructure, or core operations (e.g., cloud host, payment processor)
Tier 2 – Operational: Support functions with some data or system access (e.g., consultants, marketing tools)
Tier 3 – Low Risk: No access to sensitive systems or data (e.g., printing services, office suppliers)
4. Due Diligence Requirements
Before onboarding a third party, we conduct due diligence proportionate to its risk tier, which may include:
- Background checks and reference verifications
- Review of privacy, security, and compliance policies
- Assessment of financial health and operational viability
- Contractual agreement review, including DPAs and SLAs
- Proof of relevant certifications or attestations (e.g., ISO 27001 certification, HIPAA compliance)
5. Ongoing Monitoring
Once onboarded, we monitor third parties via:
- Annual reviews of certifications, practices, and SLAs
- Security incident and breach notifications
- Reassessment following major service changes
- Audit rights to inspect compliance, where contractually agreed
6. Contractual Safeguards
All third-party contracts must include:
- Confidentiality and data protection clauses
- Clear service level agreements (SLAs)
- Breach notification timelines
- Right to audit or terminate in case of non-compliance
- Subprocessor transparency (if applicable)
7. Incident Reporting
Third parties must immediately notify CliniciansCheck of:
- Any data breach or unauthorised access
- Major service outage or disruption
- Legal, reputational, or financial events affecting service delivery
Reports should be made to: operationsteam@clinicianscheck.com
8. Termination and Offboarding
Upon termination, third parties must:
- Return or securely delete all data
- Cease all system access
- Provide a final compliance certification (if required)
9. Regulatory Alignment
This policy aligns with:
- UK GDPR (Articles 28–32)
- HIPAA (for U.S. data processors)
- ISO/IEC 27001 vendor controls
- NHS DSP Toolkit supplier management requirements
- NIST Cybersecurity Framework
10. Policy Review
This policy will be reviewed at least annually or upon major regulatory or operational changes.
11. Contact
For inquiries or third-party risk documentation:
operationsteam@clinicianscheck.com
Clinicians Check Limited, 2 Harley Street, London, UK
12. Cross-Border Data Transfers
Where third parties process or store data outside the UK, EU, or relevant local jurisdiction, CliniciansCheck ensures appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs)
- UK Addendum to the EU SCCs (for restricted transfers out of the UK)
- Adequacy decisions or third-party certifications (e.g., APEC CBPR)
13. Subprocessor Register
Upon request, CliniciansCheck may provide a list of key subprocessors used by third-party vendors, subject to commercial and security considerations. Vendors are expected to maintain their own subprocessor register and notify CliniciansCheck of any significant changes.
14. Whistleblower Clause for Suppliers
Third-party staff are encouraged to report misconduct or unethical behaviour related to CliniciansCheck services. Reports can be submitted confidentially to: operationsteam@clinicianscheck.com
All disclosures are protected from retaliation.