SH IG 41
INFORMATION SECURITY SUITE OF POLICIES
Procedure for the Management of Personal Data
USB Data Stick Procedure
Version: 2
Summary: This procedure details the process for ordering an encrypted data stick for use by staff as part of the management of personal information procedures.
Keywords (minimum of 5): (To assist policy search engine) Data stick; USB stick; information security; mobile working; data transfers
Target Audience: All staff employed by Southern Health NHS Foundation Trust, Non-Executive Directors and Contractors.
Next Review Date: April 2019 (or earlier if required).
Approved & Ratified by: Information Governance Group
Date of meeting: 14/03/2016
Date issued: March 2016
Author: Sharon France, Information Governance Manager
Sponsor: Lesley Barrington
Version Control
Change Record
Date Author Version Page Reason for Change
02/04/2013 S France V1 All Update for SHFT
24/05/2013 S France V1 All IGG Approved
22/01/2016 S France V2 Formal review/general update, to include: The use of unencrypted data sticks for non PID. Pooled Assets. Information Asset Owner Audit and Accountability. Loss of Data sticks. Update to Appendix A. Appendix B and C added.
25/01/16 P Whittle V2 All Formatting and added reallocation step
Reviewers/contributors
Name Position Version Reviewed & Date
Lesley Barrington Head of Information Assurance V1 02/04/2013
Information Governance Group Membership for review V1 02/04/2013
Ed Purcell IT Security Specialist V2 10/02/2016
Donna Woolley Information Governance Facilitator V2 10/02/2016
Information Governance Group Membership for review V2 14/03/2016
Contents
1 Introduction
2 When to Use a Data Stick
3 Alternatives to Data Sticks
4 Applying for an Encrypted Data Stick
5 Information Asset Owner (IAO) - Audit and Accountability
6 Lost or Stolen Data Stick
Unencrypted
Encrypted
Appendices
A Encrypted USB Data Stick Request Form
B Unencrypted USB Data Stick Request Form
USB Data Stick Procedure
1 Introduction
1.1 Data sticks are small in size but can hold a significant amount of data. These characteristics make the devices convenient mechanisms to transfer electronic data, but these same characteristics also increase the potential for the loss or theft of a device and the subsequent loss of data held on the device. This risk is effectively mitigated through the use of an encrypted stick, as all the data on the device is unreadable without the password that enables access to the files on the device.
2 When to Use a Data Stick
2.1 A data stick is NOT recommended for long-term storage and should only be used as a means of safe transportation from one location to another. All Trust data should be downloaded as soon as practical and stored on secure network drives that are regularly backed up.
2.2 Personal Information - Trust preferred Data sticks
2.3 If personal information is to be transferred via a data stick it must be via a Trust approved encrypted device which will be purchased via the Information Assurance Team, on completion of an approved request form - Appendix A.
2.4 Non-personal Information – Unencrypted Data Sticks
2.5 These must NEVER be used for personal identifiable, or corporate sensitive information. The Information Asset Owner must be able to assure the Trust that unencrypted data sticks will only be used for the transfer of non-personal or non-sensitive information such as training resources (not considered commercially sensitive).
2.6 The use of these must also be noted by the Information Assurance Team and documented as an exception to using the Trust preferred SafeStick.
3 Alternatives to Data Sticks
3.1 The Information Asset Owner (IAO) has the responsibility of taking ownership of local asset control, risk assessment and management processes. Before approving a request for a data stick the IAO must:
3.2 Consider alternative methods of transferring data before proceeding with the request for an encrypted device.
3.3 NHSmail considered – NHSmail is the Trust preferred method and a secure way of transferring information but it has some limitations. The user needs an NHSmail account to send the message. The transfer will be secure if the data is sent to another NHSmail account or an account with one of the other public service organisations that are listed in SH IG 42 Procedure for the Management of Personal Information, available on the Trust web site. The maximum file size for an NHSmail transfer is 20MB. Data which is not Person Identifiable can be sent by ordinary Outlook email.
3.4 Staff to have an encrypted laptop with a ‘checkpoint’ account which allows for the data to be kept on a secure Trust server whilst the user gains access to the server/shared drives from a remote location (e.g. if working from home).
3.5 Staff to have a “smart working” laptop – that is fully encrypted, and allows access to secure drives via 3G.
3.6 Staff are able to access the NHS Secure File Transfer (SFT) process. Secure File Transfer (SFT) also requires the people at both ends to have NHSmail accounts but it can transfer files up to 1GB in size. SFT can be used from any Internet connection. More information about SFT is available at https://nww.sft.nhs.uk.
3.7 For use of file encryption to protect email attachments sent via Outlook, please contact the IT Service Desk - 0300 123 9977.
4 Applying for an Encrypted Data Stick
4.1 If the alternatives listed above are not suitable and the member of staff wishes to proceed to use an encrypted data stick, they should complete the request form, Appendix A.
4.2 On receipt of the request form, if the Team Manager wishes to support the request they should sign it and provide the relevant budget code, then pass it to the relevant IAO for final authorisation.
4.3 The request form should be sent to the IG team for processing.
4.4 [email protected]
5 Information Asset Owner (IAO) - Audit and Accountability
5.1 IAO must keep a register of approved data sticks and their keepers, on their local IT equipment asset registers, for accountability and identification purposes.
5.2 Safesticks are allocated with a unique asset label by Information Governance (IG) that cross references the internal software serial number.
5.3 Note: nothing must be attached to the data stick that identifies it belongs to the NHS or SHFT, or identifies contents or data held on the data stick.
5.4 Do not reveal the Password.
5.5 Some teams have a local process which requires a ‘pool’ of data sticks. The IAO must ensure these data sticks are locally recorded and tracked on the Register for Data Sticks being used as a ‘pooled’ Asset. Refer to Appendix D
5.6 IAO must notify the IG Team immediately if they plan to reallocate a Data Stick to another user and also complete Appendix A (for the new user).
5.7 IAO must retrieve any Datasticks from leavers and return them to IG for reallocation; please contact the IG Team on 01962 763937.
5.8 Any unencrypted datastick must be passed from hand to hand: it may not be posted or sent by courier.
5.9 IAO must review the purpose and need for each data stick at least annually and report back to the IG Team if there are any anomalies.
6 Lost or Stolen Data Stick
6.1 Unencrypted
6.1.1 In the event that an Unencrypted USB Data Stick is lost or stolen, the member of staff, upon discovery, must immediately:
6.1.1.1 Report the loss to their Team Manager to enable:
a) The amendment of the local IT Asset Register
b) The escalation of the loss to the relevant IAO
6.1.1.2 Complete an incident form on Ulysses. The incident type - general category will be ‘Information Governance and Confidentiality Breach’ and the subcategory will be ‘Lost or Stolen Electronic/Equipment’.
6.1.1.3 In the event that the Data Stick has Personal Information stored on it, a full assessment of the potential data breach MUST be undertaken to enable appropriate recording of severity and impact of the incident.
6.1.1.4 Inform the Information Assurance team.
6.1.2 NOTE: Transporting/storing personal identifiable information on an unencrypted USB Data Stick could result in disciplinary actions, or in the case where there is a potential breach of the Data Protection Act, the incident may be reportable to the Information Commissioner's Office.
6.2 Encrypted
6.2.1 In the event that an encrypted USB Data Stick is lost or stolen, the member of staff, upon discovery, must immediately:
6.2.1.1 Report the loss to their Team Manager to enable:
a) The amendment of the local IT Asset Register
b) The escalation of the loss to the relevant IAO
6.2.1.2 Complete an incident form on Ulysses. The incident type - general category will be ‘Security Concern’ and the subcategory will be ‘Loss or Missing Property’.
6.2.1.3 Inform the Information Assurance team to enable them to update the Trust’s Data Stick Asset Register.
Appendix A - Encrypted USB Data Stick Request Form
Name Team Division
Full base Location / Postal Address Contact Number Team Budget Cost Code (Sxxxxx)
(Cost = £25.87 per 4GB USB data stick)
For what purpose is the USB data stick to be used?
Please confirm the following in next column:
It is not practical to retain the data on a secure Trust server and use Check Point for remote access.
It is not practical to email the data (using encrypted email i.e. NHSmail, for personal data).
It is not practical to transport the data on an encrypted Trust laptop.
It is not practical to transfer the data via NHS Secure File Transfer (SFT) or approved dropbox, or WINZIP encryption.
The USB data stick will be used for appropriate information in accordance with the Data Protection Act.
The USB data stick will be kept in a secure place, using the same level of care as is applied to laptops.
The USB data stick will be returned to Information Asset Owner if it is no longer required or its use no longer authorised.
Does the Information Asset Owner accept the proposed use of the data stick? (please circle Y or N) Y / N
The Information Asset Owner (IAO) has the responsibility of taking ownership of local asset control, risk assessment and management processes before approving this request for a data stick. The requester is accountable to the IAO for ensuring appropriate use of the USB data stick.
Is this request for a new Datastick or reallocation of previous purchase
(Please circle New or Reallocation) NEW REALLOCATION
Signature of Requester Date
PRINT Requester’s name Job title
Signature of Line Manager Date
PRINT Line Manager’s name Job title
Signature of Information Asset Owner (IAO) Date
PRINT IAO’s name Job title
Appendix B – Unencrypted USB Data Stick Request Form
For the transfer of Non-Personal and Non-Corporate Sensitive Information
Name Team Division
Contact Number Full base Location / Postal Address
For what purpose is the USB data stick to be used?
Please confirm the following in next column:
The Unencrypted USB data stick will only be used for the transfer of Non-Personal Information
The Unencrypted USB data stick will not be used for the transfer of Corporate Sensitive Information
It is not practical to transport the data on an encrypted Trust laptop.
The USB data stick will be returned to Information Asset Owner if it is no longer required or its use no longer authorised.
Does the Information Asset Owner accept the proposed use of the data stick? (please circle Y or N) Y / N
The Information Asset Owner (IAO) has the responsibility of taking ownership of local asset control, risk assessment and management processes before approving this request for a data stick. The requester is accountable to the IAO for ensuring appropriate use of the USB data stick.
Signature of Requester Date
PRINT Requester’s name Job title
Signature of Information Asset Owner (IAO) Date
PRINT IAO’s name Job title
Appendix C - Register for Data Sticks being used as a ‘Pooled’ Asset
Division / Team Base Location Information Asset Owner (IAO)
Your datastick will have an asset sticker similar to the example on the left. This is a unique number and is cross referenced with the serial number in our asset data base.
It is the responsibility of the IAO to ensure datasticks are accounted for and to be able to demonstrate this during any audit spot checks.
Datastick asset No.
Where is the Datastick being assigned to e.g. clinic, training session etc.
Date taken DD/MM/YY
Print Name
Signature
Date returned DD/MM/YY
Contents erased Y/N