FREEDOM OF INFORMATION (SCOTLAND) ACT 2002 COMPLIANCE GROUP
Appendix 5 12. Information Security
21.11 Logical Security
Access Control
Appropriate access to each system will be granted to staff based on the access required to perform their job functions and on condition that relevant training has been successfully undertaken.
Access to systems is not permitted except where this has been formally authorised and documented.
Third party access will be governed by the NHS Code of Connection policies and approved/arranged by the ICT department.
Protection of Data
The access control procedures, which apply to operational systems, also apply to test programs.
Live sensitive data will not be used for testing, training or demonstration purposes.
Live and test data should be physically separated.
NHS Tayside Information Governance Policy – February 2013 34
Password Protection
The following points need to be fully understood by all staff:
Individual members of staff will be given access to live systems when properly trained and made aware of their security responsibilities.
User IDs shall ensure that activities can be traced to individuals. This helps to ensure that audit and legal requirements are adhered to.
Passwords shall be distributed to users and updated by them in such a manner that the confidentiality of the password is maintained.
Passwords shall comply with the standards set in the NHS Scotland IT Security Manual Volume 3 Secure Use of Passwords.
Systems will store passwords only in a form from which no one can read the password chosen by the user.
Systems will require passwords to be changed regularly to assist in ensuring that the confidentiality of the password continues to be maintained.
Logon Procedures
Access to systems and services will be controlled via secure logon processes which will meet the following requirements:
No operational part of a system will be visible until logon has been completed.
Preferably, display a general notice warning that the computer should only be accessed by authorised users.
Limit the number of unsuccessful logon attempts to 3.
Not allow the logon dialogue to assist an unauthorised user by indicating which part of the credentials (user ID or password) was incorrect.
Not allow group logons to be used.
Time-out Procedures
It is important from both a security and performance perspective that a ‘time-out’ process is in place. This process will meet the following requirements:
Inactive terminals will be set to time out after a pre-set period of inactivity. It should clear the screen. In high-risk areas the time-out facility will also close both application and network sessions.
The time-out delay will reflect the security risks of the area.
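As an added illustration of the logon and time-out requirements above (example code, not part of the NHS Tayside policy), the following Python sketch shows one way a system could meet them: passwords are stored only as salted PBKDF2 hashes so nobody can read the password a user chose; unknown user IDs and wrong passwords produce the same generic failure message; the account locks after three unsuccessful attempts; every attempt is recorded against an individual user ID so activity remains traceable; and an idle session is closed once the time-out elapses. The user IDs, passwords, five-minute time-out and PBKDF2 work factor are assumed values for illustration, not figures from the policy.

```python
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 3           # policy: limit unsuccessful logon attempts to 3
IDLE_TIMEOUT_SECONDS = 300        # assumed value; the policy says it reflects the area's risk
PBKDF2_ITERATIONS = 200_000       # assumed work factor for the password hash
GENERIC_FAILURE = "Logon failed"  # same text whether the user ID or the password was wrong


def hash_password(password, salt=None):
    """Return (salt, digest). Only the digest is stored; the password itself never is."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LogonService:
    def __init__(self, clock=time.monotonic):
        self._users = {}      # user_id -> {"salt", "hash", "failures", "locked"}
        self._sessions = {}   # session token -> {"user", "last_activity"}
        self.audit = []       # (user_id, outcome): activity is traceable to an individual
        self._clock = clock   # injectable so the time-out can be exercised in tests

    def add_user(self, user_id, password):
        salt, digest = hash_password(password)
        self._users[user_id] = {"salt": salt, "hash": digest, "failures": 0, "locked": False}

    def is_locked(self, user_id):
        rec = self._users.get(user_id)
        return bool(rec and rec["locked"])

    def logon(self, user_id, password):
        """Return (session_token, message); the token is None on any failure."""
        rec = self._users.get(user_id)
        if rec is None:
            # Unknown user: do the same hashing work and return the same message,
            # so neither the response text nor its timing says "no such user".
            hash_password(password, b"\x00" * 16)
            self.audit.append((user_id, "failure"))
            return None, GENERIC_FAILURE
        if rec["locked"]:
            self.audit.append((user_id, "locked"))
            return None, GENERIC_FAILURE
        _, digest = hash_password(password, rec["salt"])
        if not hmac.compare_digest(digest, rec["hash"]):
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILED_ATTEMPTS:
                rec["locked"] = True          # third failure locks the account
            self.audit.append((user_id, "failure"))
            return None, GENERIC_FAILURE
        rec["failures"] = 0                   # a good logon resets the counter
        token = os.urandom(16).hex()
        self._sessions[token] = {"user": user_id, "last_activity": self._clock()}
        self.audit.append((user_id, "success"))
        return token, "OK"

    def check_session(self, token):
        """Return the user of an active session, or None. Idle sessions are closed."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_activity"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]         # time-out closes the session
            return None
        session["last_activity"] = now
        return session["user"]
```

The lockout counter and the audit list are keyed on an individual user ID, which is what rules out group logons in practice: a shared account would make the trail useless. A real deployment would also persist the lockout state and audit records rather than keep them in memory.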
Virus and Malicious Software Controls
NHST ICT Department will ensure that effective anti-virus and malicious software (‘malware’) controls are implemented to ensure that the risk of disruption from virus and malware attacks is maintained at an absolute minimum.
All users have a responsibility to ensure that any suspected attack is reported to the Information Governance Manager.
Procedures to minimise the risk include:
All users are made aware of the dangers via this and related policies.
All networked PCs and related IT assets will incorporate virus and malware checking facilities. Users need only be aware of these facilities, as they operate in a fully automated way.
Virus and malware facilities will be automatically updated in real time with no user requirement for intervention.
Data Backup
Data should be protected by clearly defined and controlled backup procedures, which will generate data for archiving and contingency recovery purposes.
Procedures must be fully documented.
Archived data is information which is no longer in current use, but may be required in the future, for example, for legal reasons or audit purposes.
Recovery data should be sufficient to provide an adequate level of service and recovery time in the event of an emergency and should be regularly tested.
Restoration procedures should be regularly checked and tested to ensure that they are effective.
Media Disposal
Reference should be made to the NHST Portable Computer and Removable Media Policy.
Glossary
The following acronyms are used within the document:
CGRM Clinical Governance and Risk Management Standards
DPA’98 Data Protection Act 1998
FOISA Freedom of Information (Scotland) Act 2002
DP Data Protection
IM&T Information Management and Technology
IG Information Governance
F&RC Finance and Resource Committee
I&Q Improvement and Quality Committee
NHS TAYSIDE - POLICY/STRATEGY APPROVAL CHECKLIST
POLICY/STRATEGY AREA: Governance
POLICY/STRATEGY TITLE: Information Governance Policy
LEAD OFFICER: eHealth Programme Manager
Why has this policy/strategy been developed? To establish organisational arrangements to support compliance with relevant legislation and achievement of national IG standards.
Has the policy/strategy been developed in accordance with or related to legislation? Please give details of applicable legislation.
Data Protection Act 1998
Freedom of Information (Scotland) Act 2002
Has a risk control plan been developed? Who is the owner of the risk? None
Who has been involved / consulted in the development of the policy/strategy?
NHST Information Governance Committee
Has the policy/strategy been assessed for Equality and Diversity so as not to disadvantage the following groups?
Sexual Orientation
Religious & Faith Groups
Disabled People
Children and Young People
Lesbian, Gay, Bisexual & Transgender Community
Does the policy/strategy contain evidence of the Equality & Diversity Impact Assessment Process? No
Is there an implementation plan? No
Which officers are responsible for implementation? Responsibilities for each area of Information Governance are described in the Policy.
Technical Services, ICT Maryfield and ISC Team, Ashludie
When will the policy/strategy take effect? March 2008
Who must comply with the policy/strategy? All NHS Tayside employees.
How will they be informed of their responsibilities?
This policy will be posted on the intranet/internet.
Notification of the approval of this guidance will be publicised through internal communication channels.
Included in Information Governance training material.
Is any training required? Training responsibilities for each area of Information Governance are described in the Policy.
If yes, has any been arranged? As above.
Are there any cost implications? Costs may be incurred depending upon the action taken as identified in the NHS Tayside IG Improvement Plan.
If yes, please detail costs and note source of funding
As above.
Who is responsible for auditing the implementation of the policy/strategy?
Responsibilities for each area of Information Governance are described in the Policy.
What is the audit interval? Annual.
Who will receive the audit reports? NHS Tayside Improvement and Quality Committee.
When will the policy/strategy be reviewed and by whom? (please give designation) One year after approval or following significant changes in legislation, guidance and/or service provision.
Information Governance Manager
Name: Peter McKenzie, Information Governance Manager, February 2013
Which groups of the population do you think will be affected by this proposal?
• minority ethnic people (incl. gypsy/travellers, refugees & asylum seekers)
• women and men
• people in religious/faith groups
• disabled people
• older people, children and young people
• lesbian, gay, bisexual and transgender people
• people of low income
Other Groups:
• people with mental health problems
• homeless people
• people involved in criminal justice system
• staff
None
N.B. The word proposal is used below as shorthand for any policy, procedure, strategy or proposal that might be assessed.
What positive and negative impacts do you think there may be?
Which groups will be affected by these impacts?
What impact will the proposal have on lifestyles? For example, will the changes affect:
• Diet and nutrition?
• Exercise and physical activity?
• Substance use: tobacco, alcohol or drugs?
• Risk taking behaviour?
• Education and learning, or skills?
There will be no lifestyle impact
Will the proposal have any impact on the social environment? Things that might be affected include
• Social status
• Employment (paid or unpaid)
• Social/family support
• Stress
• Income
There will be no social environment impact
Will the proposal have any impact on
• Discrimination?
• Equality of opportunity?
• Relations between groups?
The proposal applies equally to all employees of NHS Tayside.
Will the proposal have an impact on the physical environment? For example, will there be impacts on:
• Living conditions?
• Working conditions?
• Accidental injuries or public safety?
• Transmission of infectious disease?
There will be no physical environment impact
Will the proposal affect access to and experience of services? For example,
• Health care
• Transport
• Social services
• Housing services
• Education
There will be no service access impact
Manager’s Signature: Peter McKenzie, Information Governance Manager
Date: 2
1. POSITIVE IMPACTS (NOTE THE