SECTION FIVE

In document INFORMATION GOVERNANCE HANDBOOK (Page 32-36)

INFORMATION SECURITY POLICY

1. INTRODUCTION

Information is an asset which, like other important business assets, has value to an organisation and consequently needs to be suitably protected.

This information security policy sets out how the CCGs' information should be protected in order to ensure its:

• Confidentiality

That information is only available to those with a legitimate reason to see it.

• Integrity

That information is accurate and complete, is protected from unauthorised alteration, and can therefore be trusted.

• Availability

That information is available to those that need it, when they need it.

If any of these are compromised, this can have a direct impact on the ability of the CCGs to fulfil their objectives and may lead to consequences for patient care, the local health economy and the reputation of the CCGs.

The CCGs have legal obligations to maintain security and confidentiality, notably under the:

• Data Protection Act (1998)

• Human Rights Act (1998)

• Copyright, Designs and Patents Act (1988)

• Computer Misuse Act (1990)

In addition, the Caldicott Committee's Report on the Review of Patient-Identifiable Information, published in 1997, led to the establishment of a set of clear principles reflecting best practice in the handling of confidential patient information. The report called for regular and routine testing of information flows against these principles, to be developed and overseen by a network of Caldicott Guardians who would act, within each organisation, in a strategic, advisory and facilitative capacity.

Caldicott 2 (the Information Governance Review) was published in April 2013 and made 26 recommendations, which should be adhered to.

The policy aims to ensure that:

• Information systems, whether electronic or manual, are properly assessed for security

• Confidentiality, integrity and availability are maintained

• Staff and managers are aware of their responsibilities

• The risk to the information resources of the CCGs is effectively managed

2. SCOPE

This policy covers all information processed, and all information systems used, by the CCGs, and applies to all staff employed by or acting on behalf of the CCGs.

3. RESPONSIBILITIES

It is the role of the CCGs' Governing Bodies to define the policy in respect of information security and to ensure that sufficient resources are provided to support the requirements of the policy.

This policy applies to all staff who handle information obtained and processed on behalf of the CCGs. These responsibilities, including those of staff in key roles, are outlined in more detail in Appendix B.

4. PRINCIPLES

The CCGs will maintain an Information Security Policy supported by appropriate linked policies, codes of practice, protocols and guidance documents that reflect best practice. They will ensure that all staff have access to that policy and its subordinate documents by cascading information to managers and posting copies on the intranet.

The CCGs will comply with whatever legislative requirements apply. They will further seek to maintain compliance with national guidance.

The CCGs will expect compliance with the Information Security Policy together with the associated linked policies, codes of practice, protocols and guidance.

The CCGs will have procedures in place to evaluate security measures systematically with the greatest emphasis being given to areas where the potential impact of a security breach would be most serious.

The CCGs will assign responsibility to key personnel to ensure a sound and robust security and information management infrastructure.

The CCGs acknowledge that, where the resources required are identified, they will need to consider carefully the balance of risk between action and inaction.

The CCGs will measure their compliance against this policy with an annual Information Governance Toolkit return.

5. PROCESS CHANGES

The CCGs will ensure that when changes take place that may impact on information assets:

• A risk assessment will be undertaken, with respect to information security best practice.

• The Senior Information Risk Owner (SIRO) will be informed of any risks to such assets.

• Guidance will be sought from the CSCSU Information Governance team.

6. THIRD PARTIES

The CCGs will ensure that all contracts with third parties will:

• Identify inbound and outbound flows of personal data.

• Confirm that the third party has robust processes in place to comply fully with the Data Protection Act.

• Adhere to the guidance provided by the CSCSU Information Governance Team on safe information sharing.

7. TRANSFER OF PERSONAL INFORMATION

The CCGs will ensure that:

• All staff adhere to the Transfer of Personal Information Procedure and the Data Protection Act policy.

• Every transfer is lawful.

8. INCIDENT AND RISK REPORTING

The CCGs will ensure that all incidents and risks are:

• Reported promptly to the SIRO and Caldicott Guardian.

• Recorded within a formal process to ensure they can be learnt from or mitigated.

• Reported in line with the CCGs' incident and risk reporting processes.

9. INFORMATION ASSET REGISTER

The CCGs will ensure that all information assets are:

• Formally recorded on the Information Asset Register.

• Allocated an Information Asset Owner.

• Formally risk assessed, with the SIRO informed of all risks.

• Reviewed regularly.

• Risk assessed again should any changes to processes or assets occur.

10. BUSINESS CONTINUITY PLAN

The CCGs will ensure that:

• Tested Business Continuity Plans are adopted.

• Business Continuity Plans cover all assets identified on the Information Asset Register.

• Business Continuity Plans prioritise assets identified in the risk assessment plan.

• Business Continuity Plans are reviewed regularly.
