• No results found

Policies and Procedures. Policy on the Use of Portable Storage Devices

N/A
N/A
Protected

Academic year: 2021

Share "Policies and Procedures. Policy on the Use of Portable Storage Devices"

Copied!
9
0
0

Loading.... (view fulltext now)

Full text

(1)

Policies and Procedures

Policy on the Use of Portable Storage Devices

Date Approved by

Trust Board Version Issue Date Review Date

Lead Person

One May 2008 Dec 2012 Head of ICT

Two Dec 2012 Dec 2014 Head of ICT

Procedure /Policy number IMxx.V1

(2)

Contents Page No

1 Introduction 3

2 Background 3

3 Definitions 3

4 Risks 4

5 Authorised use of portable storage devices 5

6 Relevant Policies and Legislation 5

7 Scope 6

8 Responsibilities 6

9 Implementation and awareness 6

10 Reporting Procedures 6

11 Review and Monitoring 6

Appendices

A Signature Sheet

B Portable Storage Devices – Data Log C Transfer of Portable Storage Device

(3)

1.0 Introduction

1.1 There is a wide range of portable storage devices available, capable of holding huge amounts of data at relatively little cost. This policy has been developed to instruct staff in what the Trust policy is for use of these devices. Staff should observe these polices and be aware of the risks associated with the use of these devices, the limitations on their use and how they may be used in a controlled manner.

2.0 Background

2.1 There has been much publicity surrounding the loss of personal data in transit in both the public and private sector. Some incidents have involved the NHS, including the loss of numerous patient records. This has focussed attention on how organisations can best safeguard the data with which they are entrusted. This policy is part of the Trust’s provision of guidance on the various data transfer methods in use to ensure good practice is followed.

3.0 Definitions

3.1 The term “staff” is used generically and covers all persons with access to Trust data including contractors and employees of the Trust.

3.2 The term “confidential” includes personal data (see below). The term also includes financial and operational data that should not be disclosed. Example reasons for non-disclosure include, but are not restricted to, the following:

Financial data - disclosure of detailed building refurbishment costs could provide an outside body with a commercial advantage.

Operational data – disclosure of certain information regarding site security could compromise the Trust’s business.

3.3 The term “personal data” includes data from which an individual can be identified or data which can contribute to the identification of an individual. Examples of personal data include name, address, video image, health records etc.

3.4 The terms “data” and “information” are used interchangeably. Examples include, but are not limited to, the following:

MRI Images

Computer files created using MS Office products such as Word and Excel

PET/CT scans Case notes

(4)

3.5 The term “storage device” covers any medium that is capable of storing computerized data. The term “portable” means the medium may be connected to a different computer where data may be transferred, copied, read, amended or deleted. Examples of portable storage devices include, but are not limited to, the following:

USB memory sticks Digital cameras Mobile telephones PDAs

MP3 players, e.g. an iPod External hard drives

Floppy discs, CDs and DVDs

3.6 Internal hard drives in PCs must not be used to store data. These drives are thus not treated as portable storage devices for the purposes of this policy.

4.0 Risks

4.1 Risks associated with the use of portable storage devices include, but are not limited to, the following:

In the case of unauthorised use of a portable storage device, staff could be liable to prosecution under the Misuse of Computers Act 1990.

Loss of Trust data, in which case staff may be liable to prosecution under the Data Protection Act 1998, may be effected in a number of ways:

o The device may be lost or stolen.

o An authorised user may access data in an insecure physical environment, allowing data to be viewed by unauthorised persons.

o An authorised user may access data via an insecure computer, allowing data to be “stolen” by unauthorised persons.

Spread of computer viruses and other malicious programmes from one computer to another.

The data stored could be treated as if it were current even though it may have become out of date.

Data held on the device is not backed up.

Data held on the device is updated and the data held on the server is not, resulting in multiple, unsynchronised versions of the

(5)

5.0 Authorised use of portable storage devices

5.1 All Trust data must be stored on the appropriate server. Data may only be transferred from the server to a portable storage device as follows:

Trust staff must only used portable storage devices provided by the Trust to store and process sensitive or health care related data. The use of personal storage devices for sensitive or health related data is strictly prohibited. In such cases, the device must have been supplied by the Trust and be used for the sole use of Trust business. Personal data sticks may be used for personal education, training purposes but must not contain sensitive data. Personal, medical or otherwise sensitive data must not be stored in unencrypted form on any portable computer storage media. The storage of unencrypted sensitive data on such devices is strictly prohibited.

It must be absolutely necessary to transfer the data to a portable device for subsequent access on a different computer in order to conduct the Trust’s business.

The device must be available on request for inspection by the Trust IT manager.

The IT department will keep a log of all portable storage devices issued and will allocate a named nominal owner to each.

Data must be deleted from the device when no longer required. A description of all sensitive bulk data (file or files contain sensitive information about more than 10 patients) held on portable devices must be logged. (Appendix B)

Where possible the device should bear a label displaying the number of its log entry and indicating the data present on the device.

All devices held on Trust premises, whether containing data or not, must be securely stored.

Staff must take personal responsibility for the safekeeping and, where appropriate, the safe return of storage devices removed from Trust premises.

Where a portable storage device is passed to a non-Trust body the IT department must be notified immediately via a signed form as set out in Appendix C.

(6)

6.0 Relevant Policies and Legislation

6.1 Relevant Trust policies include: IM&T Security Policy

Data Protection Act and Access to Patient Records Trust Confidentiality Code of Conduct

Staff and Public Disclosure Policy 6.2 Relevant legislation includes:

Data Protection Act 1998

Access to Health Records Act 1990

7.0 Scope

7.1 This policy relates to the transfer of Trust data onto any removable storage device. This includes information relating to patients, ex-patients, staff, ex-staff, Trust financial matters and Trust operational issues. All staff are required to adhere to this policy.

8.0 Responsibilities

8.1 Managers are responsible for ensuring all staff adhere to this policy.

9.0 Implementation and Awareness

9.1 This policy should be implemented from the Issue Date. Managers should employ the Signature Sheet at Appendix A to ensure all their staff are aware of policy contents.

10.0 Reporting Procedures

10.1 All cases of deviation from this policy must be reported in accordance with incident management policies set out in the Trust IM&T Security Policy.

11.0 Review and Monitoring

11.1 This policy will be reviewed at two-yearly intervals or whenever a material change occurs. The content of relevant incident reports will be used to inform reviews.

(7)

Appendix A Signature Sheet

Policy on the Use of Portable Storage Devices

This sheet should be used to record the names of staff members who have read and understood the above policy document.

(8)

Appendix B – Example 1 Portable Storage Devices – Data Log – [Department Name]

Device No: 1

Device Type: USB stick

Category of data held: medical

Current Owner Dr Who

List of data held:

Item No.

Description Date copied to device

Date deleted Notes

1 Medical notes for 52 ortho. patients

01/02/yyyy 17/03/yyyy

3 Radiology images for patients x,y,z etc.

(9)

Appendix C

South Tyneside NHS Foundation Trust Transfer of Portable Storage Device

From:

Department Name: Device Owner: Device Number: Device Type:

I have transferred this device to the receiving person identified below. Signed:

Date:

To - Receiving Person:

Organisation Name: Department:

I acknowledge receipt of the device identified above.

I undertake to ensure the data contained on the device will be treated strictly in accordance with the Data Protection Act 1998 and all other legislation relevant to its safekeeping.

When the data is no longer required I further undertake to either:

(a) Permanently delete data from the device, and will inform Tyneside NHS Foundation Trust accordingly

or

(b) Return the device intact to South Tyneside NHS Foundation Trust. Signed:

Date:

References

Related documents

Medical image management and exchange software like DICOM Grid’s cloud solution pro- vide a platform to access, view, share, and store images online.. DICOM Grid’s medical im-

Furthermore and in accordance with DPP2(3) and DPP4(2), if service providers are engaged by the organisations to process (including to erase) personal data held on PSDs, the

Double Sided Esso Blue Enamel Flange Sign Make: Contact Auctioneer Model: Contact Auctioneer Year: 0 Mileage: 0 VIN: Contact Auctioneer Configuration: Right Hand Drive

Our objectives were to evaluate the effects fungal or urea treatment on upgrading the nutritive value of peanut hulls of chemical composition, in vitro digestibility, in sacco

• Difference #1: These are NOT tied to the share-price impact as they are in stock pitches; a bank won’t say, “Successfully launching Drug X might make the pharma

Lay clerks are expected to discuss with the Organist any commitments which would make them unavailable for tours, concerts and recordings, and to give him suitable advance notice

The most well-known targeted therapy is trastuzumab (Herceptin) but the benefits of others for the treatment of secondary breast cancer in the brain are being looked at in

Point of care surveys Incident Reporting Administ rative Data Point of Care Surveys Case Note Review Advantages Composite Harm ‘free’ Data & charts immediate