INFORMATION SECURITY FOR STARTERS, MOVERS AND LEAVERS POLICY

FEBRUARY 2020

This Policy supersedes all previous policies for Data Protection


Policy title: Information Security for Starters, Movers and Leavers Policy

Policy reference: COR73

Policy category: Corporate Policies

Relevant to: All Staff

Date published: February 2020

Implementation date:

Date last reviewed:

Next review date: February 2023

Policy lead: Mahwish Noor, Information Governance Manager

Contact details: Email: [email protected]; Telephone: 020 3317 7100

Accountable Director: Jeffrey Boateng, Director of Clinical Information Management; Sally Quinn, Director of HR and OD

Approved by (Group): Information Governance Steering Group

Approved by (Committee): Audit and Risk Committee

Document history (Date / Version / Amendments): September 2019 / 1 / New

Membership of the Policy development/review team: Information Governance Manager

Consultation: Members of the Information Governance Steering Group

Summary:

1. The Trust’s Policy on onboarding and offboarding Employees, and how this also applies to Employees moving internally within the Trust.

2. How the Trust ensures that information management is not disrupted at any point during the Employee lifecycle.

3. To ensure that starters, movers and leavers understand their collective responsibilities towards safeguarding the Trust’s Information Assets.

DO NOT AMEND THIS DOCUMENT

Further copies of this document can be found on the Foundation Trust Intranet.


SUMMARY: INFORMATION SECURITY FOR STARTERS, MOVERS AND LEAVERS POLICY

Purpose of this policy

This policy underpins the Trust’s Information Governance Policy, Information Risk Management Policy and relevant HR policies, and aims to ensure that all individuals working at or on behalf of the Trust have appropriate access to the information needed to deliver patient care and the Trust’s objectives.

Who it applies to

Starters: All persons joining the Trust who require access to the Trust’s information, which may include a user account and access on the Trust’s Information Communication Technology (ICT) system(s).

Movers: Persons who are already part of the Trust who are transferring to a different role within the organisation.

Leavers: Someone who is leaving the Trust and no longer requires access to the Trust’s information and/or ICT system(s).

It also includes subcontractors and Third Parties who may be authorised to access Trust ICT systems and information in the course of their work.

What it includes in detail

All persons working at or on behalf of the Trust should understand their responsibilities in safeguarding the Trust’s physical and digital information assets; ensure the appropriate confidentiality, integrity and availability of those assets at all times; and understand this as a personal, as well as professional, commitment.

Important points for all staff

It is vital that Employees joining have appropriate access to the information needed to deliver patient care and the Trust’s objectives. HR services shall:

• ensure that the appropriate pre-employment checks and screening are undertaken. Where access to more sensitive information or information systems is required, further vetting against the relevant standards shall be required;

• ensure that Employee security risks are effectively managed through robust security processes, so that actions are in accordance with the Trust’s legal obligations;

• provide a legally binding contract of employment. The contract of employment shall explicitly state all applicable roles, benefits and responsibilities bestowed on the employee by the Trust.

Appendix includes

C&I Equality Impact Analysis guidance.


Contents

1. Purpose ......................................................................................................................... 5

2. Scope ............................................................................................................................ 5

3. Applicability .................................................................................................................... 5

4. Terminology ................................................................................................................... 5

5. Policy ............................................................................................................................. 6

Roles and Responsibilities ............................................................................................. 6

Core Responsibilities: Starters ..................................................................................... 6

Core Responsibilities: Movers ...................................................................................... 8

Core Responsibilities: Leavers ..................................................................................... 9

Training and Awareness .............................................................................................. 10

Non-Compliance .......................................................................................................... 11

6. Monitoring and Evaluation ............................................................................................ 11

7. Related Policies ........................................................................................................... 12


1. Purpose

1.1. This Starters, Movers and Leavers Policy aims to ensure that all individuals working at or on behalf of Camden and Islington NHS Foundation Trust (hereafter referred to as “the Trust”):

• have appropriate access to the information needed to deliver patient care and the Trust’s objectives;

• understand their responsibilities in safeguarding the Trust’s physical and digital information assets;

• ensure the appropriate confidentiality, integrity and availability of those assets at all times;

• understand this as a personal, as well as professional, commitment.

1.2. This Policy underpins the Trust’s Information Governance Policy, Information Risk Management Policy and relevant HR policies.

2. Scope

2.1. This Policy covers all Starters, Movers and Leavers with access to the Trust’s information assets. Information assets include all types of information – patient; employee; financial; corporate and other – which may be created, handled, shared, stored, and disposed of, in all types of media. This includes, but is not limited to, ICT systems, telephone, paper and voice conversations, photographs and CCTV footage.

2.2. The scope applies to the Trust’s assets wherever and whenever they are used, including out of working hours and remotely.

3. Applicability

3.1. This Policy applies to:

Starters: All persons joining the Trust who require access to the Trust’s information, which may include a user account and access on the Trust’s Information Communication Technology (ICT) system(s).

Movers: Persons who are already part of the Trust who are transferring to a different role within the organisation.

Leavers: Someone who is leaving the Trust and no longer requires access to the Trust’s information and/or ICT system(s).

3.2. It also includes subcontractors and Third Parties who may be authorised to access Trust ICT systems and information in the course of their work.

4. Terminology

Term: Meaning / Application

SHALL: This term is used to state a mandatory requirement of this Policy.

SHOULD: This term is used to state a recommended requirement of this Policy.

MAY: This term is used to state an operational requirement of this Policy.

5. Policy

Roles and Responsibilities

5.1. The Head of Department and the Deputy Director of HR and OD are responsible for implementing and overseeing compliance with this policy.

5.2. Managers and Information Asset Owners (IAO) are accountable, within their respective areas of business responsibility, for ensuring this Policy is implemented, managed, maintained and improved.

Core Responsibilities: Starters

5.3. It is vital that Employees joining have appropriate access to the information needed to deliver patient care and the Trust’s objectives.

5.4. HR services shall (in adherence with the Recruitment Policy):

5.4.1. Ensure that the appropriate pre-employment checks and screening are undertaken. Where access to more sensitive information or information systems is required, further vetting against the relevant standards shall be required;

5.4.2. Ensure that the appropriate paperwork and checks are completed and received before Employees commence employment;

5.4.3. Ensure that Employee security risks are effectively managed through robust security processes, so that actions are in accordance with the Trust’s legal obligations;

5.4.4. Provide a legally binding contract of employment. The contract of employment shall explicitly state all applicable roles, benefits and responsibilities bestowed on the employee by the Trust. From an information security perspective, it shall include the expected Employee Code of Conduct, confidentiality clauses, required compliance with legal requirements, policies and procedures, and the consequences of non-compliance and subsequent information breaches;

5.4.5. Ensure that prior to recruitment the security responsibilities are outlined to the candidates. This includes embedding these responsibilities appropriately into each job description.

The Recruiting Line Manager shall:

5.4.6. Follow the Trust’s recruitment and screening processes at all times;


5.4.7. Ensure they understand the needs of the Starter and what is expected of them, including all relevant policies;

5.4.8. Ensure the Starter does not have access to the Trust’s ICT systems until they have read and signed the Acceptable Use Policy;

5.4.9. Identify at the outset what ICT assets, systems, access and general training the post holder(s) shall require;

5.4.10. Prepare a comprehensive induction programme covering: the role, the responsibilities assigned to the individual, the Trust’s Information Governance Policy and associated policies, the assets associated with the role, and the access permissions granted;

5.4.11. Identify relevant training for the individual, including Information Security Training;

5.4.12. Ensure the employee is familiar with all relevant information security policies, including the Information Security Incident Reporting and Management Policy;

5.4.13. Provide the Starter with an overview of information handling within the department, including electronic and paper; and

5.4.14. In the event of non-compliance, report to the relevant IAO.

Employees shall:

5.4.15. Read and sign the Acceptable Use Policy before accessing Trust ICT assets and systems;

5.4.16. Read all policies relevant to their role, including Information Governance Policies;

5.4.17. Ensure they understand their continued responsibilities under the appropriate governing laws, including the Caldicott Principles and the Data Protection Act (DPA) 2018;

5.4.18. Complete the Information Governance and Information Security training in a timely manner after their start date;

5.4.19. Be aware of appropriate channels for reporting breaches in keeping with the Information Security Incident Management Policy;

5.4.20. Should there be any dispute concerning the contract of employment, contact their Line Manager and the HR function.


Core Responsibilities: Movers

5.5. The process starts following the agreement of a change in role for a current Employee. This could be due to service redesign, change in business requirement, end of project, secondment, acting-up, promotion or a complete change in role.

The Existing and New Line Managers shall:

5.5.1. Ensure they understand the needs of the Mover and what is expected of them, and ensure compliance with the Trust’s Information Security Policy;

5.5.2. Action all elements of the Movers’ process in a timely manner;

5.5.3. Document what assets and access rights the individual currently has and what the requirements of the new role are;

5.5.4. Work together to develop and implement a joint action plan to ensure that the Employee does not have access rights to any assets that are not needed for the new role;

5.5.5. Inform the IAO to revoke any information access that is no longer required for the former role, and ensure all ICT assets no longer required are returned;

5.5.6. Make arrangements with the relevant IAO for the Mover to receive the appropriate ICT assets and access levels associated with the new role;

5.5.7. The new Line Manager should ensure the Mover understands their continued responsibilities under the appropriate governing laws, including the Caldicott Principles, the General Data Protection Regulation (GDPR) 2018 and the Data Protection Act (DPA) 2018; and

5.5.8. Ensure that the Mover receives information security training relevant to their new role, including reading all relevant policies.

Employees shall:

5.5.9. Ensure they understand the process and what is expected of them;

5.5.10. Ensure they understand their continued responsibilities under the appropriate governing laws, including the Caldicott Principles, GDPR 2018 and DPA 2018; and

5.5.11. Comply with all elements of the Mover process and return all the organisational assets that are no longer required in the new role to their existing Line Manager.


Core Responsibilities: Leavers

5.6. To ensure that Employees exit the Trust in an orderly manner in line with the Trust’s relevant policies, leavers exiting from the Trust shall be managed, all assets assigned to the individual shall be returned, and all access rights removed in a timely manner.

HR Services shall:

5.6.1. Facilitate the Leaver process with the Line Manager in a timely manner. This shall include notification of other relevant functions such as payroll, and the conducting of an exit interview.

Line Managers shall:

5.6.2. Explain the Leaver process to the Employee and clarify any questions they may have;

5.6.3. Initiate the Leaver process and action all elements of the Leaver process in a timely manner;

5.6.4. Remind the Leaver of their Terms and Conditions of employment, including Information Governance obligations – namely, that they must not leave with the Trust’s information in any format. In addition, they shall respect confidentiality agreements and personal information requirements;

5.6.5. Ensure that the Employee understands their post-termination responsibilities under the appropriate governing laws, including the GDPR 2018, the DPA 2018 etc.;

5.6.6. Identify the Trust’s assets to which the Leaver has, or has had, access, and ensure these are all returned and access removed prior to, or on, the leave date;

5.6.7. Ensure that a robust handover is completed, and that contact lists are updated, recorded and communicated to appropriate areas;

5.6.8. Return the completed termination checklist to HR Support confirming that all stages of the process have been actioned, and ensure that an exit interview is carried out;

5.6.9. Ensure, with the IAO, that the Systems Administrator has been informed that the Employee is no longer entitled to access ICT equipment or Trust data and information; and

5.6.10. Report any non-compliance with the Policy to the relevant IAO.

Employees shall:

5.6.11. Ensure that they understand the process and what is expected of them;


5.6.12. Ensure they understand their responsibilities under the appropriate governing laws, including the GDPR 2018 and DPA 2018;

5.6.13. Comply with all elements of the Leavers process and return all the organisational assets before leaving the Trust.

Training and Awareness

5.7. The Board is committed to leading and fostering a strong culture of information security awareness throughout the Trust and shall support the Senior Information Risk Owner (SIRO) in managing associated risks.

5.8. Information Governance, and associated requirements and responsibilities, shall be included throughout the employee lifecycle from Starters, to Movers, to Leavers, and during post.

HR Services, including the Learning and Development team, shall:

5.8.1. Ensure that all Employees receive relevant training regarding this Policy and the associated processes;

5.8.2. Make such training available not only at key points such as starting and moving but also throughout the entire employee lifecycle;

5.8.3. Provide appropriate support to managers through the process, if required;

5.8.4. Monitor compliance with the Policy and facilitate general and role-specific training to support this;

5.8.5. Ensure that best practice and lessons learnt are promulgated to foster a mature information security culture, in liaison with the SIRO;

5.8.6. Ensure that organisational training records are kept, secured and updated.

Line Managers / IAOs shall:

5.8.7. Allow Employees appropriate time to attend any required information security training / awareness sessions throughout their tenure in post;

5.8.8. Review and check completion of training requirements to support effective information handling and governance, and include this in the performance appraisal process;

5.8.9. Have in place an appropriate level of ongoing Employee security management;

5.8.10. Ensure regular formal reviews of access rights for their direct reports;

5.8.11. Ensure that all staff are familiar with the Information Security Incident Reporting and Management Policy;


5.8.12. Ensure that Employees only have authorised access to the information assets required to undertake their jobs, and that they follow the Trust’s policies and procedures;

5.8.13. Ensure that monitoring of ICT access and activity takes place in line with Trust Policy and good practice as set out by the Regulator and in applicable laws;

5.8.14. Remind employees on an annual basis of the circumstances in which the Trust may access user information or monitor usage.

Employees shall:

5.8.15. Comply with all elements of the Starter, Mover and Leaver process, including ongoing training while in post;

5.8.16. Take responsibility to comply with all elements of this Policy and attend any required training, throughout the duration of their employment with the Trust;

5.8.17. Comply with Trust policies and procedures, including relevant legal requirements.

Non-Compliance

5.9. Any circumstances requiring exemptions to this Policy shall be referred to the relevant IAO. Where the risk sits outside their delegated authority, the IAO shall complete a Risk Balance Case and forward it to the SIRO for approval.

5.10. If there are reasonable grounds for suspecting misuse of IT assets, access may be suspended by the system manager in consultation with the Line Manager / HR, pending further investigation. Please refer to the Acceptable Use Policy for further information.

6. Monitoring and Evaluation

6.1. This Policy shall be reviewed every two years or in response to significant changes due to security incidents, variations of law and/or changes to organisational or technical infrastructure.

6.2. This Policy is written and maintained by the HR Director, in consultation with the SIRO, on behalf of the Board. Questions relating to its content or application should be addressed through the Information Governance Structure (see the Information Governance Policy for more details) to the SIRO, who is responsible for facilitating communication of this Policy throughout the organisation.

6.3. Breach of this Policy may be dealt with according to the disciplinary procedures set out in the Employees’ contracts.


7. Related Policies

7.1. Related policies referenced in this document are available on the intranet or by request to the Employee’s Line Manager, and should be read in conjunction with this Policy.


8. Appendix 1 - C&I Equality Impact Analysis Guidance Document

1. Please indicate the expected impact of your proposal on people with protected characteristics

Characteristics Significant +ve Some +ve Neutral Some -ve Significant -ve

Age X

Disability X

Ethnicity X

Gender re-assignment: X

Religion/Belief: X

Sex (male or female) X

Sexual Orientation X

Marriage and civil partnership X

Pregnancy and maternity X

The Trust is also concerned about key disadvantaged groups even though they are not protected by law

Substance mis-users X

Homeless people X

Unemployed people X

Part-time staff X

Please remember just because a policy or initiative applies to all, does not mean it will have an equal impact on all.

2. Consideration of available data, research and information

Please list any monitoring, demographic or service data or other information you have used to help you analyse whether you are delivering a fair and equitable service. Social factors are significant determinants of health or employment outcomes. Monitoring data and other information should be used to help you analyse whether you are delivering a fair and equitable service. Social factors are significant determinants of health outcomes. Please consult these types of potential sources as appropriate. There are links on the Trust website:

• Joint strategic needs analysis (JSNA) for each borough

• Demographic data and other statistics, including census findings

• Recent research findings (local and national)

• Results from consultation or engagement you have undertaken

• Service user monitoring data (including age, disability, ethnicity, gender, religion/belief, sexual orientation and)

• Information from relevant groups or agencies, for example trade unions and voluntary/community organisations

• Analysis of records of enquiries about your service, or complaints or compliments about them

• Recommendations of external inspections or audit reports

Key questions (supports EDS Goals) / Your Response

This meets objective EDS2 4.1 Inclusive leadership: Board and senior leaders routinely demonstrate their commitment to promoting equality within and beyond the organisation.

2.1 What evidence, data or information have you considered to determine how this policy/development contributes to delivering better health outcomes for all?

Response: Equality Act 2010, GDPR and Data Protection Act 2018. Cyber security consists of technologies, processes and controls designed to protect the Trust’s information assets, such as systems, networks, programs, devices and data, from cyber-attacks. Effective cyber security reduces the risk of cyber-attacks, effectively manages information risks and protects against the unauthorised exploitation of the Trust’s information assets, resulting in better patient care.

2.2 What evidence, data or information have you considered to determine how this policy/development contributes to improving patient access and experience?

Response: As above.

2.3 What evidence, data or information have you considered to determine how this development/policy contributes to delivering a representative and well supported workforce?

Response: This policy encourages staff to protect the Trust’s assets as part of cyber security and to handle information securely.

2.4 What evidence, data or information have you considered to determine how this policy/development contributes to inclusive leadership and governance?

Response: The Senior Information Risk Owner is responsible for cyber security, with delegated responsibility to the Information Asset Owners across the Trust. This has been explained in the roles and responsibilities section.

3. It is Trust policy that you explain your proposed development or change to people who might be affected by it, or their representatives. Please outline how you plan to do this.

Group / Methods of engagement

Staff: The policy will be published on the intranet and updates provided at divisional leadership meetings, as well as cascaded by the Information Asset Owners across the Trust.

IG Steering Group: The policy has been reviewed by HR, Comms, the Caldicott Guardian, the SIRO and ICT.

4. Equality Impact Analysis Improvement Plan

If your analysis indicates some negative impacts, please list actions that you plan to take as a result of this analysis to reduce those impacts, or rebalance opportunities. These actions should be based upon the analysis of data and engagement, any gaps in the data you have identified, and any steps you will be taking to address any negative impacts or remove barriers. The actions need to be built into your service planning framework. Actions/targets should be measurable, achievable, realistic and time framed.

Negative impacts identified / Actions planned / By who

Negative impact: Staff do not read or complete relevant training in cyber security.
Action planned: These policies will be available on the intranet and a comms plan will be in place to ensure staff are aware where to access the cyber security policies.
By who: IG Steering Group

Negative impact: Race.
Action planned: The application of this policy is both fair and consistent regardless of race, ethnicity or nationality. However, it is recognised there is a risk to any member of staff whose first language is not English, and support will be offered to ensure the policy is translated to the required language.
By who: EDI Lead

Negative impact: Disability.
Action planned: The application of this policy is both fair and consistent regardless of disability and therefore does not impact on this protected characteristic. This policy can be made available in another format, on request.
By who: EDI Lead

5. Sign off and publishing

Once you have completed this form, it needs to be ‘approved’ by a Service Director, Clinical Director or an Executive Director, or their nominated deputy. If this Equality Impact Analysis relates to a policy, procedure or protocol, please attach it to the policy and process it through the normal approval process. Following this sign off by the Sub Policy Group, your policy and the associated EqIA will be published by the Trust’s Policy Lead on the website.

If your EqIA relates to a service development or business/financial plan or strategy, once your Director or the relevant committee has approved it please send a copy to the Equality and Diversity Lead ([email protected]), who will publish it on the Trust’s website. Keep a copy for your own records.

I have conducted this Equality Impact Analysis in line with Trust guidance

Your name: Mahwish Noor  Position: Information Governance Manager

Signed: Mahwish Noor  Date: December 2020

Approved by: Equality and Diversity Lead

Your name: Debra Hall  Position: Equality and Diversity Lead

Signed:

Date: 13/01/2020