INFORMATION MANAGEMENT &
TECHNOLOGY
SECURITY POLICY
POLICY NO IM&T 003
DATE RATIFIED October 2010
NEXT REVIEW DATE October 2013
POLICY STATEMENT/KEY OBJECTIVE:
To protect the information assets of Lancashire Care NHS Foundation Trust
Accountable Director:
Director of Finance, IM&T & Estates
Policy Author:
IM&T Project Manager
Contents
Summary of Document Changes
Executive Summary
1 Introduction
1.1 Rationale
1.2 Scope
1.3 Principles
2 Definitions
3 Legal Compliance
4 Policy
4.1 Management Responsibilities
4.2 Staff Responsibilities
4.3 Risk Management
4.4 Implementation
5 Audit & Monitoring
6 Reference Documents
'Summary of Document Changes / Adaptations'
POLICY IM&T Security
POLICY NO IM&T 004
DATE RATIFIED Dec 2009
PROPOSED REVIEW DATE Oct 2011
TO SMN
Document section: Nature of change
1.2 Scope (page 2): Expanded scope to define who it applies to (e.g. all Trust employees, people working on behalf of the Trust) and the applicability to business functions and what the networks are used for.
3.0 Legal Compliance (page 3): Added this legislation: Access to Health Records Act 1990; Human Rights Act 1998; Electronic Communications Act 2000; Regulation of Investigatory Powers Act 2000; Health & Social Care Act 2001.
4.1 Management Responsibility (page 4): Two more bullets added to the end of the list, referring to secure and resilient remote access to the network, and ensuring all users are provided with security guidance and training / awareness of security responsibilities.
4.2 Staff Responsibility (page 5): Added bullet point 4 (using home IT equipment for work purposes) and the last bullet (adherence to policy).
4.3 Risk Management (page 5): Paragraph on monitoring the policy has been moved to section 5.0, Audit and Monitoring.
4.4 Implementation (page 5): Added other means of communication and access, e.g. Network Governance groups, IG e-learning package and weekly e-bulletin.
5.0 Audit and Monitoring (page 6): See 4.3; paragraph moved here from section 4.3.
6.0 Reference Documents (page 6): Expanded reference documents; Lifecycle of Records Policy superseded by Corporate Records Management Policy and Records Management Strategy.
Appendix No. 1, Taking Confidential Data Off Site (page 10): Added bullet point 2 (reference to application of SafeBoot on laptops) and use of USB memory sticks.
This page can be destroyed after the release of any subsequent 'Summary of Changes / Adaptations' statements related to this policy, or after 3 months.
Executive Summary
Subject: Security of Information and Information Technology
Applicable to: All Trust staff and those authorised to use or access the networks or systems on behalf of the Trust
Key Policy Issues: To protect Trust information assets; management responsibilities; staff responsibilities; risk management
Date Issued: December 2009
Dates Policy reviewed: December 2009
Next review due date: October 2013
Policy written by: Michelle J Brammah
Consultation: IM&T Team
Policy reviewed by: IM&T Project Manager, IT Security, Information Governance and IM&T senior management
Lead responsible for policy: Associate Director of IM&T
Monitoring arrangements: Internal and external audit, compliance with annual IGT submission
Approved by:
Authorised by: EMT
Signature:
1 Introduction
The objective of the Information Management and Technology (IM&T) Security Policy is to protect the data assets processed by Lancashire Care NHS Foundation Trust. The organisation has a legal and moral responsibility to protect the personal data it holds. Compliance with this policy and the associated guidance is necessary to ensure business continuity and to minimise data loss.
1.1 Rationale
The NHS Information Governance Toolkit sets out responsibilities for all NHS organisations to ensure data is secure. This policy reflects the requirements of the information governance toolkit. Further information can be found at https://www.igt.connectingforhealth.nhs.uk/
1.2 Scope
This policy applies to information (data) that is stored or processed in manual filing systems or on any form of computer. It applies to all Trust employees, other persons working for or on behalf of the Trust, and anyone granted access to the Trust network. It is applicable to all business functions and information contained on the network, the physical environment, and the people who support the network. The networks within the Trust are used for:
Storage, sharing and transmission of clinical and non-clinical data and images
Printing or scanning of clinical or non-clinical data or images
The provision of internet systems for receiving, sending and storing clinical and non-clinical data and images
Remote access by mobile users, home workers and non-NHS staff
Storage and transportation of data and images on removable media
1.3 Principles
The key principles are: -
Information assets and information processing facilities shall be protected against unauthorised access and disclosure.
Statutory and legal obligations must be met.
Unauthorised use of information assets and information processing facilities shall be prohibited; the use of obscene, racist or otherwise offensive statements shall be dealt with in accordance with other relevant policies published by Lancashire Care NHS Foundation Trust
All breaches of information security, actual or suspected, shall be reported and investigated in line with Lancashire Care NHS Foundation Trust's published policies.
2 Definitions
This policy uses the terms 'data' and 'processing' as defined by the Information Commissioner. (www.ico.gov.uk)
3 Legal Compliance
The Trust has a legal obligation to protect the data it processes. The legislation directly relating to this policy is:
Data Protection Act 1998
Access to Health Records Act 1990
Freedom of Information Act 2000
Human Rights Act 1998
Computer Misuse Act 1990
Electronic Communications Act 2000
Regulation of Investigatory Powers Act 2000
Copyright, Designs and Patents Act 1988
Health and Social Care Act 2001
4 Policy
Every person in the organisation has a responsibility for data protection. The Trust processes very sensitive personal data and everyone has an obligation to protect this data. All employees must make themselves familiar with Data Protection Guidance.
4.1 Management Responsibilities
Management must ensure that all employees are updated and informed of their security responsibilities and that an adequate confidentiality clause is contained in contracts of employment. In addition they must also:
Ensure all breaches in the operation of this policy and the procedures laid down herein are dealt with promptly and in an appropriate manner.
Ensure all employees have adequate opportunities to familiarise themselves with data processing systems.
Ensure only authorised employees are allowed to use data processing systems with appropriate levels of access where applicable.
Ensure appropriate business continuity plans are in place in the event of systems failure.
Ensure adequate controls are in place for monitoring usage of data processing systems and that staff are aware of them.
Ensure IT equipment is maintained and secure.
Ensure that all removable media (USB pens, floppy disks etc), and confidential hard copy material, including microfiche are stored in a secure environment and are securely disposed of and that all redundant or faulty hardware is returned to the IM&T department. Patient relevant information must be dealt with in accordance with the Health Records Policy.
Ensure suppliers and third party contractors comply with this policy and that a Data Processing Agreement covers any external data processing.
Ensure appropriate data sharing agreements are in place with external agencies and that staff are aware of these.
Ensure that all users of the network are provided with the necessary security guidance, awareness and appropriate training to discharge their security responsibilities
4.2 Staff Responsibilities
All employees are responsible for ensuring that breaches of information security do not result from their actions and that they have made themselves familiar with their security responsibilities before handling data or using data processing systems. In addition they must also:
Seek further assistance from management or the IM&T department if unclear of their responsibilities.
Never share system passwords with anyone else, and always log off from the computer / system when it is not in use.
Always store Trust data on central systems; never store data where it is not backed up or retrievable by Trust staff.
Refrain from using personal home IT equipment for work purposes unless arrangements have been made with the IT Service for VPN (Virtual Private Network) access using a secure fob. Any transfer of electronic information onto home IT equipment is strictly prohibited, regardless of the method used (e.g. portable media or email).
Make sure they are aware of any emergency procedures in the event of a system failure.
Keep IT hardware safe and secure. Always return IT equipment to the IM&T Department if leaving the Trust or if it is no longer needed.
Always ensure that personal data copied to removable media (USB pens, floppy disks, etc.) is encrypted. If unsure how to do this, check with the IM&T department.
Report suspected breaches of data security using the Trust's incident reporting procedures.
Failure by an employee of the Trust to adhere to the policy and any associated guidance may result in disciplinary action.
4.3 Risk Management
Requirements for information security risk analysis and management are set out in ISO 27001, against which the IM&T department is working towards certification. To ensure compliance with the IM&T Security Policy, regular security assessments will be conducted to identify the countermeasures necessary to protect against possible breaches of confidentiality, integrity and availability.
4.4 Implementation
This policy will be communicated to all employees via:
Network Directors and Service Leads
Corporate Inductions
Network Governance Groups
Information Governance e-learning package (available on the Trust's intranet)
Intranet
5 Audit & Monitoring
Use of the Trust's data processing systems is subject to monitoring by the IM&T department. All employees should be aware that email and Internet usage is monitored to ensure compliance with legislation and policy.
Implementation of the policy and all systems will be subject to periodic review by both internal and external auditors. All recommendations will be implemented unless senior Trust management gives specific dispensation.
This policy will be implemented in line with NHSLA requirements to ensure the effectiveness of its implementation and staff knowledge and understanding of the content.
Standard | Timeframe | How audited | Lead
4.1 – 4.4 | Annual | IGT submission | IG Leads
6 Reference Documents
This policy should be considered in relation to the following policies and guidance:
Corporate Records Management Policy
Records Management Strategy
Policy for the Control and Use of Mobile Phone Devices
Health Records Service Security and Confidentiality Policy
Policy for the Communication of Clinical Information via E-mail
Policy for Electronic Communications
Access to Health Records Policy
Data Quality Policy
ISO 27001 Information Security principles
NHSIA Information Governance Toolkit - Information Security Workbook Requirements
ITIL Standards
Please refer to 'Recording Service Users' Details on the NHS Care Record Service and eCPA', which is available on the intranet, if you are required to record clinical activity.
Appendix 1
Data Protection guidance for employees
Introduction
The Data Protection Act 1998 provides a legal framework for ensuring that personal information is handled properly. Firstly, it requires that anyone who processes personal information must comply with the following eight principles, to ensure that information is:
Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than necessary
Processed in line with the rights of the individual concerned
Secure
Not transferred to other countries without adequate protection.
The second area covered by the Act provides individuals with important rights, including the right (with certain exemptions) to find out what personal information is held about them on computer and most paper records. In addition, the NHS also has its own Code of Practice on Confidentiality. This paper provides a general checklist of requirements/good practice in relation to the handling of personal data held by the Lancashire Care NHS Foundation Trust. It is not exhaustive and should be read in the context of the legislation itself. Obviously more detailed advice may need to be sought where specific issues arise.
Checklist of requirements/good practice
Paper records
Do not store records containing personal data unnecessarily or for longer than necessary (check the NHS guidelines on retention of records).
Files containing such information should be clearly marked “Private and confidential” and kept in secure locked filing cabinets or locked desk drawers with access strictly on a “need to know” basis.
Do not leave files of this nature lying about on your desk for others to see.
Where departments/individuals need to keep large volumes of such records then managers should consider installing a key entry pad on the office door or some other form of lock.
Everybody should take care when opening confidential mail to ensure it is not simply left in full view on a desk or elsewhere in the office.
When distributing sensitive mail internally this should be sent in sealed envelopes clearly marked “Private & confidential – for the personal attention of X”. Where possible person-to-person delivery of such items is best.
Destroying confidential records
All files should be checked before discarding to ensure that they do not contain personal/sensitive data.
Under no circumstances should confidential files be disposed of via general waste collection systems.
Confidential files should be either shredded or sent for incineration.
White sacks for confidential waste are available throughout the Trust and must not be left unsecured.
Check when you are photocopying / printing that you have not accidentally discarded any confidential material or sent it to the wrong printer. Never leave personal data on the printer for any period of time.
E-mail
Avoid using personally identifiable information where possible in e-mails.
Do not use people's names and other personal information in the subject line (instead use, e.g., initials or reference numbers).
In particular, do not include several pieces of personal information about the same individual (e.g. name, date of birth, address) in one message, as together they could enable identity theft.
Under Freedom of Information and Data Protection legislation, beware of what you write in e-mails.
Also, when forwarding an e-mail containing a 'string' of previous messages, take care that these do not contain anything sensitive.
If you have to send personal data by e-mail to an external recipient it must be encrypted. Attachments are also unsafe unless they have been encrypted; simply setting a password on a file is not sufficient.
Always seek advice from the IM&T Department if you are planning to send large amounts of personal data.
Post is the absolute last option for sending sensitive personal data but, where the need does occur, always use recorded delivery. Always have a process in place to confirm that the delivery has reached its destination as required.
Please report to your line manager/information governance lead whenever confidential data has come into your possession inappropriately and ensure that the sender is notified and rectifies their processes for the future.
Faxing
Double-check the fax no.
Use a cover sheet stating clearly who the fax is for (an identifiable individual); who it is from (your name/phone/fax no); and marked “Private & confidential”.
If appropriate ask for a report sheet to confirm transmission.
For sensitive faxes ring ahead and make sure the intended recipient is available to receive it.
Better still, check whether there is a 'safe-haven' fax facility available. Ask the recipient to ring and confirm receipt; this is important.
For incoming faxes, someone should be assigned responsibility for checking the fax machine. They should check the fax machine several times a day (particularly first thing in the morning and last thing at night) and ensure incoming faxes are distributed appropriately.
Taking confidential data off-site
This should be avoided as much as possible and line managers need to be aware of the extent of this practice to assess risk.
Confidential information on laptops or other portable electronic equipment must be encrypted and kept to an absolute minimum. The IT Department is ensuring that all laptops have full disk encryption (SafeBoot) available for storing confidential and sensitive data. A password lock alone is not sufficient.
Where there is a need for staff to hold sensitive data on mobile devices and media other than their laptops, a Trust encrypted memory (USB) stick must be used. The IT department is enforcing the use of these USB sticks with appropriate software (Sanctuary). Should any item go missing while containing sensitive data, the user must immediately inform their line manager and complete an IR1 form.
Paper records must be kept secure during transit, for example in a locked brief-case/folder etc.
When driving, laptops/files etc should be kept out of sight (e.g. in a boot or under a seat).
Under no circumstances should files (whether electronic or paper) containing personal data be left unattended in your car.
If you are keeping information overnight then laptops/folders etc should be moved from your car to your home
Keep laptops, bags etc away from main doors and front halls where they are at greater risk from opportunist burglars.
Keep confidential information out of sight of family and friends (e.g. in a cupboard).
Never allow friends or family to use your NHS IT equipment.
Avoid doing NHS work on your home computer unless it is using the authorised secure home access system. This not only avoids the exposure of NHS systems to viruses but also avoids copies of confidential documents being left on hard drives of home computers.
Miscellaneous
Unless you can be sure of, or verify, the caller's identity, you should never disclose personal information over the phone.
Ensure that when you are viewing person-identifiable data on a screen, the data is not viewable by others, especially in a publicly accessible area (for instance a reception).
You are responsible for the safety of your IT equipment. The IM&T Department is responsible for the disposal of all IT equipment.
Lancashire Care NHS Foundation Trust
Initial Equality Impact Assessment
Department/Function: IM&T
Person responsible: Michelle J Brammah
Contact details: [email protected] 01772 695387 07507 847592
Name of policy/procedure/service to be assessed: IM&T Security Policy
Date of assessment: 28 July 2009
Is this a new or existing policy/procedure/service? Existing
1. Briefly describe the aims, objectives and purpose of the policy/procedure/service.
The aim of the policy is to set out requirements to protect all Trust data assets. The Trust has a legal and moral responsibility to protect the personal data it holds. Compliance with the policy is to ensure business continuity and to minimise data loss. It applies to all Trust employees, those working on behalf of the Trust and those granted access to the systems.
2. Who is intended to benefit? All Trust Users
3. What outcomes are wanted? Trust Users take responsibility for the use and security of all IM&T systems
4. Who are the main stakeholders? All Trust Users including contractors and third parties undertaking work on behalf of the Trust
5. Who is responsible for implementation?
6. Are there concerns that there could be differential impact on the following groups, and what existing evidence do you have for this?
People from a Black or minority ethnic background: This policy is applicable to all employees who are authorised to access and use the Trust systems and networks. Ethnicity and background have no bearing on individual responsibility.
Women or men, including trans people: There are no gender issues associated with the understanding and implementation of this policy. The policy applies equally to men and women.
People with disabilities or long term health conditions: This policy can be made available in audio or large print for users who have visual impairment.
People with or without a religion or beliefs: This policy neither infers nor refers to religion or a specific belief. Religion or specific beliefs have no impact on adhering to the requirements of the policy.
Lesbian, gay, bisexual or heterosexual people: The sexuality of an individual has no implications for complying with responsibilities outlined in the policy.
Older or younger people: There is no anticipated impact or concerns for these groups. However, assistance to aid understanding can be provided by line management or IM&T advisors.
7. Could any differential impact identified above be potentially adverse? No
8. Can any adverse impact be justified on the grounds of promoting equality of opportunity? No
9. Have you consulted with those who are likely to be affected? No
10. Should the policy/procedure/service proceed to full impact assessment? No
I understand the impact assessment of this policy/procedure/service is a statutory obligation and take responsibility for the completion of this process.
Names of assessors: Michelle J Brammah
Date of assessment: July 2009