Information Security Policy (Incl Laptop Security) V1.00


  • 8/3/2019 Information Security Policy (Incl Laptop Security) V1.00


    Information Security Policy version 1.00

    University Hospital of South Manchester NHS Foundation Trust

    VERSION CONTROL SCHEDULE

    Version number Issue Date Revisions from previous issue Date of Ratification by Committee

    1.0 Complete Re-write:

    Replaces Previous IT security policy and Laptop Policy

    25th March 2011


    DOCUMENT CONTROL

    Summary of consultation process Intranet for all staff commencing 1/3/11

    Information Governance Group

    Control arrangements

    [Reviews shall generally be undertaken every 2-3 years or more frequently to take account of organisational learning]

    [Set out :

    Minimum requirement to be monitored

    Process for monitoring e.g. audit

    HIRS, Security Audits, IGG Action Plan

    Responsible individual/ group/ committee

    Information Governance Group

    Frequency of monitoring

    Via review date or as and when required by change in guidance

    Responsible individual/ group/ committee for review of results

    Information Governance Group


    CONTENTS

    EQUALITY IMPACT
    1. INTRODUCTION
    2. DEFINITIONS
    3. DUTIES AND RESPONSIBILITIES
    4. STAFF TRAINING
    5. POLICY EFFECTIVENESS MONITORING
    6. BREACH OF POLICY & SANCTIONS
    7 INFORMATION OWNERSHIP
    8 INFORMATION TYPES
    9. INFORMATION SECURITY: BASICS
    10. INFORMATION SECURITY PRINCIPLES
    11. SAFE HAVEN PROCEDURES FOR INFORMATION TRANSFERS
    13. INFORMATION SHARING
    14. INFORMATION SHARING
    SHARING WITH NON-NHS ORGANISATIONS
    15 PRINCIPLES OF CONFIDENTIALITY AND INFORMATION SHARING WITH


    Appendices

    Appendix A Disclosing Information to the Police: Form of Authority

    Appendix B Disclosing Information to the Police: Form

    Appendix C Disclosing Information to the Police Guidance

    Appendix D Disclosing Information to the Police: Flow Chart

    Appendix E Health Care Governance Committee Terms of Reference

    Appendix F Information Governance Group Terms of Reference

    Appendix G Plan for Dissemination

    Appendix H Equality Impact Assessment

    Appendix I Checklist for review and Ratification of UHSM Trust wide Policy


    1. INTRODUCTION

    This document defines the Information Security Policy for the University Hospital of South Manchester (UHSM).

    1.1. Scope

    The Information Security Policy for the Trust applies to all Information Assets:-

    Information: this includes databases, system documentation and procedures, archive media and data including data processing, collection, analysis and presentation. (In general this is health and social care data or data that supports health and social care service provision. This may also include partner organisations, agencies and individuals data as necessary. N.B. This policy applies to all confidential electronic and manual information and systems.)

    Information systems, networks, physical environment and relevant services that support them.

    Software: this includes application programs, systems, development tools and utilities.

    Physical: this includes infrastructure, equipment, furniture and accommodation used for data processing.

    Services: including computing and communications, heating, lighting, power, air conditioning used for data processing.

    People: including qualifications, skills and experience in the use of information systems.


    Confidentiality: To ensure that information is accessible to only those authorised to have access to it. This normally means staff that need to process (use) data in the scope of a care programme/pathway or processing derived from or supporting it.

    Where there is an organisational need or legal requirement for data to be kept secure then staff must do so.

    Integrity: To safeguard the accuracy and completeness of information and processing methods. Information needs to have integrity: to be accurate and complete and resistant to unauthorised modification or destruction. All systems, assets and networks must operate correctly, according to specification.

    Availability: To ensure that authorised users have access to information and associated assets when required.

    For the purposes of the risk management approach a fourth purpose is defined as:-

    Legality: To facilitate legal compliance.

    1.4. Outcomes

    Th i t d d t f thi li f ll


    2. DEFINITIONS

    Term: Definition

    Data: Items that make up information, e.g. DoB, NHS number etc.

    Information: A particular arrangement of data items into a meaningful form.

    Personal data or personal information: Personal data/information is information which can identify a person, in which the person is the focus of the information and which links that individual to details which would be regarded as private, e.g. name and private address, name and home telephone number etc.

    Sensitive personal information: Where the personal information contains details of that person's:

    Health or physical condition

    Sexual life

    Eth i i i


    Pseudonymised data: Pseudonymisation is a process which involves the removal of identifying information from data but does so in such a way as to allow the data to be restored to an identifiable format when required. It differs from anonymisation, which is characterised by the irreversible removal of identifying data.

    Pseudonymised data continues to be "personal data" for the purposes of the Data Protection Act because, in the words of section 1 DPA, it is data relating to an individual who can be identified from that data together with other data in the possession of the data controller.

    PID: Personal identifiable data

    PII: Personal identifiable information

    CfH: Connecting for Health (Department of Health)

    Information security: Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

    The common goals of Information Security are protecting the confidentiality, integrity and availability of information.


    simply as staff. UHSM. This is irrespective of their location.

    Any other persons working for UHSM, such as persons engaged on UHSM business or persons using UHSM equipment and/ or networks.

    All usage by anyone granted access to the UHSM information systems, such as maintenance and support services or contractors.

    Personnel on temporary or honorary contracts, non-executive directors, agency staff and students

    Entity: Any business unit, department, group, or third party, internal or external to UHSM, responsible for maintaining UHSM assets.

    Risk: Those factors that could affect confidentiality, availability, and integrity of UHSM's key information assets and systems. UHSM is responsible for ensuring the integrity, confidentiality, and availability of critical information and computing assets, while minimizing the impact of security procedures and policies upon its business productivity. The SIRO in conjunction with the Caldicott Guardian and

    t t ff thi


    3. DUTIES AND RESPONSIBILITIES

    3.1 Introduction

    In this section the duties of accountable and responsible staff and committees are set forth with respect to information security in the context of the wider Information Governance agenda (of which it is a fundamental part):-

    3.2 Executive sponsors of this policy

    Trust Board

    Chief Executive as Accountable Officer

    Senior Information Risk Owner (SIRO)

    Caldicott Guardian

    STAFF

    3.3 Chief Executive - Accountable Officer (AC)

    The Chief Executive, as Accountable Officer, has overall responsibility and accountability for

    I f ti G f hi h I f ti S it i k t ithi th i ti


    3.5 Information Asset Owners (IAO)/ Information Asset Administrators (IAA)

    Information Asset Owners and Administrators are responsible for the strategic management (IAOs) and day-to-day administration (IAAs) of information and information systems, their security and use.

    They are required to ensure compliance with UHSM's Information Security Policy and supporting documents and thereby maintain controls to help provide:

    Optimum security of information assets

    Optimum confidentiality of information

    Optimum system integrity

    Optimum availability of information

    Appropriate use of equipment by appropriately trained personnel

    Access control reviews

    System security reviews

    Developing and maintaining a database of Trust repositories of personal data and ensuring compliance with Data Protection and Confidentiality over their assets.

    IAOs must keep their part of UHSM's Information Assets Register up to date. It can be found on the Intranet in the Information Governance Section.


    3.8 Director of Health Informatics (DoHi)

    The DoHi is responsible for escalating information security risks to the SIRO and, further, for advising on proposed solutions and ensuring their effective rollout and implementation. Thus the role implements strategic risk management.

    3.9 Head of IT (HoIT)

    The Head of IT is responsible for ensuring that the Trust's information systems, computers, networks and devices have the necessary security to ensure that its information (that needs to be kept confidential) remains confidential. Further, that data has the necessary integrity and that data and systems are available as necessary.

    The necessary technical measures to provide the necessary level of control and operational service to support the provision of health care services is dependent on having adequate and effective measures in place.

    If any are proved to be operationally unacceptable, inadequate or non-existent then the HoIT must flag that to the Head of Informatics, thence to the IGG for remedial action and also entered onto the Corporate Risk Register.

    The Head of IT along with appointed IAAs provides advice and support to the Trust on all aspects of IT Security.

    Th H d f IT i t bl t th T t B d f th IT t f I f ti


    Providing guidance and advice to all staff in relation to compliance with the Data Protection Act and Confidentiality.

    Developing, gaining agreement and maintaining Trust policies in respect of Data Protection and Confidentiality.

    Advising the Information Governance Committee on breaches of the Act and recommended actions.

    Encouraging, monitoring and checking compliance with the Data Protection Act.

    Producing guidance in key functional areas for the protection and use of personal information, including the need to obtain consent and the level of consent required.

    3.11 Training Manager

    Delivering and maintaining an education, training and awareness strategy covering Data Protection, Confidentiality and Information Security.

    3.12 Line Managers (LM)

    Line Managers are responsible for ensuring that their staff and departments have access to the Information Security Policy and that all staff are made aware of their responsibilities and compliance.

    All f t ff ibl f l i f ti it ithi th i i It i


    Ensuring that their staff are aware of their security responsibilities.

    Ensuring that their staff have had suitable security training.

    3.13 All staff

    All Trust staff have a duty to safeguard hardware, software and information in their care by following this policy and supporting procedures.

    All staff are responsible for ensuring that no breaches of confidentiality or information security result from their actions.

    Each employee is responsible for reporting any breach, or suspected breach of security, and ensuring they are aware of, and support all relevant policies (see Related Policies, Procedures and Guidelines section).

    Reports must be made by using the HIRS which is UHSM's 'one-place reporting' system and which can be found on the Intranet. In case of emergency a more direct route can be used via reporting to line management, Information Governance or the Caldicott Guardian.

    Significant Untoward Reporting must be made by the Caldicott Guardian who will instigate reporting, actions, investigations as deemed necessary.

    Emergency reporting where time is of the essence must be made immediately to line management or if this is not feasible to Information Governance staff or the Caldicott

    G di ' ffi


    4. STAFF TRAINING

    4.1. Introduction

    A sound working knowledge of information security purposes and practice is required by all staff that work for UHSM. This is in order to ensure business continuity, legal compliance and that patients, service users and staff's rights under the law are facilitated and upheld.

    To achieve this UHSM implements a mandatory (compulsory) training programme for all staff that process or handle confidential or business critical information or service or maintain information systems.

    Staff that may come across such data or systems are included.

    All staff that have access to confidential, key or business critical information must undertake mandatory Information Governance training.

    4.2. Mandatory training

    An ongoing IG awareness training programme has been established and is maintained in order to ensure that staff awareness is refreshed and updated as necessary.

    A blended approach is taken to learning and training as follows:-

    All new starters must attend Corporate Induction which includes InformationG i i hi h I f i S i


    5. POLICY EFFECTIVENESS MONITORING

    5.1. Information Governance Toolkit

    Compliance with this policy will be monitored by virtue of the annual central returns produced for the Information Governance Toolkit and reported to the Board via the Information Governance Group.

    5.2. Internal Audit

    Our processes are subject to review via internal audit, and the recommendations are dealt with through the IG framework, and IG group.

    5.3. Dissemination, Implementation & Access

    5.3.1 Dissemination

    All staff are trained in key aspects of the policy and supporting procedures through mandatory training.

    5.3.2 Implementation

    5.3.2.1 Induction


    5.5 Compliance Checking

    5.5.1 Purpose

    To empower the SIRO, IAOs and supporting IAAs and staff to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.

    5.5.2 Scope

    Risk Assessments (RA) will be conducted on any service within UHSM or any external service provider (with Agreement with the Trust) when the IGG considers it necessary. RAs may be conducted on any information asset or group of assets or any process or procedure by which these assets are administered and/or maintained in order to manage associated risks.

    5.5.3 Risk Assessment and Remediation

    The execution, development and implementation of remediation programs is the joint responsibility of the IGG and the department responsible for the systems area being assessed.

    Employees must cooperate fully with any RA being conducted, usually with the Information Asset Owners and/or Information Asset Administrators, in the development of remediation plans found to be necessary.


    6. BREACH OF POLICY & SANCTIONS

    6.1 Introduction

    Unless a policy has sanctions it may not be taken seriously. Breaches of this policy may lead to breaches of patients'/ service users' human rights. They may also lead to information system failure or destruction.

    6.2 New Legal Sanctions

    The law has become increasingly strict on the use of confidential information. Under the Data Protection Act, it is an offence to sell or purposefully disclose personal data.

    The Information Commissioner's Office now has the power of entry to premises to undertake investigations and courts are able to impose fines of up to £500,000 and/or custodial sentences.

    6.3 UHSM Sanctions

    This section provides information on UHSM's stance on violation of this policy and the law.

    6.3.1 Enforcement

    Any individual found to have violated this policy may be subject to disciplinary action, up to


    means that they have the right and authority to access the system(s) in question and where there is any doubt the CG, SIRO or AC will act as ombudsman over this.)

    If it is suspected or proven that staff have deliberately or negligently caused a breach of this or related policy then their information system access may be suspended until investigations, determinations and decisions have been made.

    6.4 Fraud, theft and computer crime

    Where illegal acts such as fraud or theft are detected then investigations, disciplinary action and/or litigation will be considered.

    If the situation warrants that Counter Fraud or the police need to investigate then they will be called in.

    6.5 Human resources and sanctions

    Sanctions relating to breaches of this policy or the law will be made under guidance of UHSM Human Resources policy (available on the Intranet and from HR).

    7 INFORMATION OWNERSHIP

    All data processed (used), stored or transmitted by or on UHSM computers, electronic

    d i di h fil d d d b UHSM d


    8.3. Public data

    Public data can be shared with anyone.

    This is information that is already public knowledge or qualifies to be in the 'public domain' under the Freedom of Information Act. It can freely be shared or provided to anyone.

    Examples are such information that is put in the Annual Report, agendas and minutes of most meetings, advice leaflets and directions.

    Public data is never personal or confidential, private or secret.

    Public data is usually fact and not opinion.

    8.4. NHS Confidential data

    NHS Confidential data can only be shared with those who 'need to know' as determined by senior management and in compliance with the law.

    NHS confidential comprises much of the NHS's data. It is very wide ranging, from confidential data to super-sensitive data, and must be protected in a robust and secure manner.

    In the NHS this is mostly personal data pertaining to patients, service users and staff. (See Definitions for 'personal data')

    A subset of NHS Confidential information is UHSM Third Party Confidential information.

    Thi i fid i l i f i b l i i i h i i hi d


    Commercially confidential material such as development programs, potential acquisition targets, and other information integral to the success of UHSM.

    UHSM personnel are encouraged to use common sense judgment and adherence to policy in securing UHSM Confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, they should contact their line manager.

    8.6. Business Critical data

    Business critical or sensitive information can only be shared when authorised by senior management and in doing so will not prejudice any operations of the Trust.

    Information which, if compromised through alteration, corruption, loss, misuse or unauthorised disclosure, is likely to adversely affect the Trust or other third party.

    9. INFORMATION SECURITY: BASICS

    Introduction

    Simple security goes a long way in preventing theft, fraud and confidentiality and security breaches e.g. shutting the door to a secure area and not leaving ID cards lying about.

    Without the 'simple' security being right it is highly unlikely that complicated security measures will be as effective as they could be.


    10.2. Physical security (see IT Security section)

    Staff issued with Smartcards must carry them and not leave them unattended unless they are (a) in a secure area with trusted staff and (b) it cannot be used by anyone that finds it.

    These cards or access PIN codes must not be shared except with authority or unless the situation could be justified to senior management e.g. an emergency situation.

    Premises and transport must be suitably secure so as not to put confidential information or e.g. laptops or paper records containing confidential data, at risk.

    Equipment must be located where such information cannot be read by anyone without a legitimate relationship with it and most certainly out of public view or access.

    10.3. Logical security (see IT Security section)

    Staff must not share computer passwords unless authorised by management.

    In case of absence management may need legitimate access to user system(s) and this must be authorised and justifiable. Applications must be recorded and made via the IT Service Desk.

    10.4. Data Access (see Data Sharing section)

    S


    10.7. Information Systems Security (see IT Security section)

    All staff must ensure that the computers or other equipment they use are secure, throughout use and in transit if they are carried.

    IT Services staff must ensure IT equipment is configured securely for computer users. This means that they must be given it to be configured in the first place. Where equipment is purchased unbeknown to IT Services then the purchasing service must ensure IT secure it if it will contain confidential data.

    11. SAFE HAVEN PROCEDURES FOR INFORMATION TRANSFERS

    11.1 Introduction

    In order to comply with legislation and Department of Health guidance, all NHS organisations are required to have safe haven procedures to safeguard the confidentiality of personal or sensitive information held and transferred.

    When such information needs to be transferred from one place (or information system) to another, then an approved secure method of transport or transfer must be used.

    This is intended to ensure compliance with:-

    Data Protection Act 1998


    11.3 New Safe Havens

    The NHS has used safe havens for over 20 years to ensure the secure transfer of PID. This policy provides the guidance regarding the security of transferring information via staff delivery, fax, post and telephone. It also incorporates the New Safe Haven principles.

    The New Safe Haven principles include the concept of restricting access to identifiable data which is required to support the pseudonymisation process of de-identifying records. The New Safe Haven applies to the security of patient information and databases.

    Patient information systems and databases must be within an electronic safe haven whereby access is limited and password controlled for each authorised user.

    Access to a safe haven will be given by the Trust's IT Department on the correct completion of the Systems Access Request Change Form.

    A list of the staff able to authorise access to a Safe Haven will be maintained and regularly reviewed by the IT Department and Information Governance Team.

    A list of the authorised users will be maintained for each safe haven database/system by the appropriate Information Asset Owner and a full access list maintained by the IT Department.

    11.4 Where Safe Haven procedures are needed

    Safe haven procedures must be in place in any location where large amounts of personal information are being received, held or communicated especially where the personal information is of a confidential and sensitive nature.


    accidentally.

    Ensure that each individual piece of paper is identifiable to the person (for example, name and date of birth / or NHS number / or hospital number / or department ref. no.)

    Do not walk away from your work area leaving personal/business sensitive information exposed for unauthorised persons to see.

    Do not leave information open in pigeonholes.

    If documents containing personal/business sensitive information come into your possession and you are not the intended recipient, you must either forward these to the intended recipient or, if this is not known, the Caldicott Guardian.

    Office diaries should be destroyed 1 year after the end of the calendar year to which they refer.

    Health Professional diaries, for example diaries used to record appointments with service users, should be destroyed 2 years after the end of the calendar year to which they refer. Diaries should be viewed as an administrative document and therefore should not contain clinical information. Any service user relevant information should be recorded in the service user's record.

    Any diaries containing personal information (both service user and non service user information) should be destroyed under confidential conditions.

    Please note that those staff who have an arrangement with the Finance Department regarding Travel Claims to record specific details of visits and journeys in their diary should retain the diary for a period of six years after the calendar year to which they


    Ensure you have authority to take the information. This will normally be granted by your line manager.

    Only health and social care records required for patients being seen in the community can be removed. Ideally, records should not be removed for general administration purposes, e.g. writing reports.

    If you are taking manual records please ensure there is a record that you have these records, where you are taking them and when they will be returned. Records must be removed for the minimum amount of time possible.

    Records must be stored and carried in a secure case. Piles of records must not be carried loosely as this increases the risk of dropping them and losing something.

    Records must only be taken home if the health or social care professional is not returning to their base after the working day or the records are required for the next working day. This must be with the prior agreement of the team manager. Make sure they are put in the locked boot of the car or carried on your person while being transported from your work place to your home. Such records must not be left overnight in a locked boot.

    Remember you are bound by the same rules of confidentiality whilst away from your place of work as you are when you are at your desk.

    While at home you have personal responsibility to ensure the records are kept secure and confidential. This means that other members of your family and/or your friends/colleagues must not be able to see this information or have access to it.


    Full address (inc. dept if applicable)

    Postcode

    Internal mail (mark if confidential)

    Name of the person you are sending to - the recipient

    Job Title

    Location in the hospital

    Site (Wythenshawe / Withington)

    All confidential mail sent via internal/external mail must be in a new envelope, sealed and marked CONFIDENTIAL. All mail must be addressed to a named person and department. Old envelopes must not be used for sending confidential information.

    Staff must nominate a colleague to open mail containing service user records when on annual leave.

    Prior to sending any information to a patient's home address, confirm the address against an up to date and verifiable source of information e.g. address recorded in casenotes or address recorded on an electronic patient record.

    Correspondence sent to a patient must not identify the Trust as the origin of the letter anywhere on the envelope.

    Loose personal/business sensitive information must not be handed to another person


    11.9 SAFE HAVEN: Fax

    11.9.1. FAX MACHINE TRANSFERS

    Sending service user information by fax increases the risk of the information being seen by unauthorised persons. The fax machine could be sited in an open office and may be shared by more than one department.

    Faxes containing service user information must only be sent when it is absolutely necessary.

    Faxes containing very sensitive service user information (e.g. psychiatric reports, drug abuse, incriminating evidence, child protection reports) must only be sent: -

    In an emergency, where delay would cause harm to the patient.

    The risk to the patient is greater than the risk of disclosure.

    Regular fax numbers should be programmed into the fax memory.

    Fax machines used to transmit personal/business sensitive information must not be situated in an area accessible to the public.

    11.9.2. Definition of a Safe Haven fax machine

    A safe haven fax is a fax machine that has safeguards in place to ensure unauthorised persons do not have access to the information. These safeguards include:-


    Leave the information unattended whilst the information is being transmitted.

    Send very sensitive information by a fax.

    Leave faxes unattended at the fax machine or in the print tray.


    It should be noted that this method of transfer is only secure when the information is being received to another NHS.net account. E-mail is not a secure way of sending personal data/business sensitive information unless encryption is in place. Personal data/business sensitive information must only be sent using an approved method and following the security measures detailed below.

    Any breach of confidentiality resulting from using email for personal identifiable data will be investigated and you are responsible for showing why any of the following guidelines may have not been applied.

    Messages containing personal data sent to the wrong recipient will be classed as a breach of confidentiality even if it is another NHS employee.

    11.10.1 Email addresses

    Staff must ensure that they know what various email addresses mean. The common ones that staff use are described next:-

    The format of email in the NHS is:- firstname.surname@name.nhs.uk

    Trusts put their name where 'name' is so they are recognizable as NHS.

    @uhsm.nhs.uk

    These are from UHSM email addresses within the address book (except those marked with a


    11.11 SAFE HAVEN: Secure File Transfer

    Staff wishing to send personal and sensitive information to a user who cannot obtain an nhs.net account should first consider if that user is a legitimate 3rd party for receiving NHS information. If so, the information can be transferred through UHSM's secure file transfer site, https://uhsm.sendfilesafely.net

    In all instances the following guidelines must be observed.

    Mark the message appropriately in the subject line, e.g. confidential or business sensitive, and select confidential in the Sensitivity section in the Message Options.

    Limit the number of recipients of the message to as few as possible.

    Limit the amount of data to only that which is needed for the purpose it is being sent e.g. use a unique identifier or initials instead of the person's name.

    Password protect any attachments containing personal data/business sensitive information. Ask the recipient to telephone for the password.

    Double check that you have the correct recipient(s) before pressing the send button. This can be done by checking the properties of the recipient you have selected.

    Change the address book view from Global address book to the Trust address book. This will avoid the chance of sending an e-mail to another employee in another local NHS organisation.

    Send to email addresses that are person specific unless the e-mail can be dealt with by any member of the team reading the e-mail (e.g. request for a medical record send to


    Always check whether they are entitled to the information they request. Information on service users must only be released on a need-to-know basis and with consent where necessary. If in doubt, check with your line manager.

    If you receive suspicious queries regarding other members of staff asking about whereabouts, base or personal information, then please treat with caution, take contact details of the caller and either verify that it is an authorised person or pass the details to the individual concerned.

    Report any suspected bogus enquiries to your line manager and via the HIRS.

    Ensure that recorded conversations on answerphones cannot be overheard or otherwise inappropriately accessed.

    Messages about named service users must not be left on answerphones. Simply leave your name and telephone number and no other information.

    Ensure unauthorised people cannot overhear you when making sensitive telephone calls, during meetings, and when you are having informal discussions with colleagues about personal/business sensitive information. In these situations, if you do not need to identify a service user by name, then don't.

    Message books to note messages for absent staff members must be stored securely.

    11.13 SAFE HAVEN: Verbal / Face-to-Face


    Floppy discs/CDs/videos and any other removable media containing confidential information must be physically destroyed. All this must be logged with the IT Service Desk for advice on secure disposal or arranging it.

    N.B. For disposal or re-cycling of computers and erasure of computer data please refer to the IT Security section of this document.

    12 INFORMATION ACCESS

    12.1. Information Systems Access

    12.1.1. Authorisation

    The Information Asset Owner (IAO) responsible for the information system determines authorisation of physical access to it. This will normally be a Head of Department or Service who may consult the SIRO, CG or IGM.

    Access to information systems must be restricted to authorised personnel and to other persons only under the supervision of an authorised person. It must be granted on the basis of a sound, ethical, legal and justifiable need.

    Access to the information held on information systems must be authorised by the management responsible for the information.

    Authorisation for software issues such as upgrades that could affect users work must


    12.2. USER ACCESS CONTROL

    12.2.1. Introduction

    The purpose of this section is to govern access to UHSM's information systems and prevent unauthorized access. The policy describes the registration and de-registration process for UHSM information systems and services where these are not in place.

    This applies especially to new staff, leavers and those changing job role or responsibility. It should also be read in the light of HR procedures.

    12.2.2. Application for Access to Information System(s)

    All users must complete an application form which their line managers must countersign before email, intranet and internet or other system access is made available to them. The forms are available on the UHSM Intranet for:-

    1. Corporate information systems

    2. Clinical information systems (non-Smartcard)

    3. Clinical information systems (where a Smartcard is necessary e.g. Lorenzo). Please ensure that you and your Sponsor complete RA01 and RA02 forms which are available from IT ???


    Staff user access to the National Care Record System (Lorenzo/ the Spine etc) is protected via a smart card according to their role (i.e. Role Based Access). Staff must not share Smartcards unless authorised.

    Remote access to the UHSM network is protected by strong authentication and passwords. Staff must not share their authentication or passwords unless authorised.

    Employees will normally be granted access only to such information that is required to perform their work duties. If they are erroneously granted any other access, then this fact must be reported to their line manager immediately as it may become construed as unauthorised access.

    When information is copied between systems within the network, then staff should ensure that any confidential information remains secure and that the recipient system has the same or greater standard of security protection as the sender.

    12.2.4. Visitors

    Definition: A visitor is anyone who is not UHSM staff such as a service user, engineer or contractor.

    Visitors must check in and out with an allocated supervisor. This supervisor must know the reason for the visit and any agreements that have been made.

    Visitors must be supervised and only approved systems engineers may be allowed access to hardware or software.


    13. INFORMATION SHARING

    13.1. INFORMATION SHARING WITHIN THE NHS

    Introduction

    All sharing of confidential information is governed by law, notably the Data Protection Act 1998 (DPA 98). The DPA 98 states that generally consent must be obtained from the individual whose data it is before sharing takes place with other organisations or individuals. Indeed it is quite a normal and sensible idea to get consent prior to sharing someone's confidential information.

    However in the NHS it is not always possible, practical or necessary as there are different forms of consent and justifiable exemptions that can be claimed that permit legal data sharing. (Refer to Information Sharing other NHS and/or to Information Sharing - non-NHS sections for further details.)

    UHSM and its staff must be able to balance openness with confidentiality in a legally compliant way. Therefore staff must understand relevant law or consult their line manager, senior manager, Caldicott Guardian or supporting Information Governance staff when doubt arises. (Refer to Contacts section of this document)

    Information sharing is vital for the seamless provision of healthcare. NHS organisations are


    14. INFORMATION SHARING

    SHARING WITH NON-NHS ORGANISATIONS

    14.1. Introduction

    UHSM works with many partners, agencies, commercial third parties and experts. Data needs to be shared to varying degrees with them to achieve health care provision, local services, emergency services and participate in valuable research.

    14.2. Sharing under applicable law

    Data sharing with various organisations, services and individuals that is governed by applicable and specific law may facilitate information sharing e.g. the Data Protection Act permits data to be shared for the prevention or detection of crime. Such sharing is not mandatory for the NHS and needs to be justifiable such as when a 'serious crime' has been committed. Therefore the Caldicott Guardian, HR staff, other experts such as legal advisors may need to decide on a course of action being taken.

    Staff must be clear about why they share the information they do and that it is legal to do so.

    Staff must be able to justify confidential data sharing. This is usually down to clear


    PRINCIPLES OF CONFIDENTIALITY AND INFORMATION SHARING WITH CARERS AND SIGNIFICANT OTHERS: OPERATIONAL PROCEDURE

    Introduction

    Within the process of providing high quality health care to people who use services provided by UHSM Foundation Trust there is a recognition that in many cases, carers are providing valued and vitally important care and support, sometimes on a full-time basis.

    There is also an understanding that carers often feel cut-off from, and ill-informed about, the care of people close to them, even though they may be providing a significant level of care.

    Carers may also have different needs, views and expectations to service users and should therefore be considered separately, in their own right, rather than being an addition to the service user's assessment and care plan.

    Care co-ordinators/named nurses (within inpatient care) will be expected to listen to and take into account the views of carers in relation to the cared for person, including such issues as the current position of the caring relationship and whether this can be maintained. It is also important to offer carers appropriate means of assessing their own needs within what is often a demanding caring role.

    A carer should be able to expect the following principles in their relationship with the care


    Actively listen to the carer/significant other's requests and respond accordingly.

    15.1. General Information

    Carers should be given/offered by the named nurse/care co-ordinator:

    General information concerning:

    health problems

    Medication (dosages, side effects, what to be aware of)

    Information re: care processes, routines

    Signposting to and/or offered help to access organisations that can provide further information and support

    Contact details of the named nurse/care co-ordinator on the unit/community team to enable consistent support and reassurance, not only during periods of crises.

    Time and opportunity to share information re their unique knowledge of the service user and that this is recognised as an important and valued part of the assessment process.

    This information should be discussed with the carer/significant other and also offered as printed information where appropriate.


    Where urgency does not allow for the process of an MDT to occur the decision to override a service user's unwillingness to share information will be based on an individual's Professional Code of Conduct Performance and Ethics re confidentiality.

    Where carers' requests for confidential information cannot be met, staff must inform the carer of the process, be clear that their requests will be discussed with the MDT and the reasons for withholding information that is deemed to be confidential will be explained in full. Continued support to the carer from the staff involved with the service user's care will be ongoing.

    Information shared by carers should also be entered into the service user's case notes. This information will be classed as third party information and carers can, in fact, ask for this information to remain confidential at the point of entry.

    Carers should be informed that if a service user requests to see their notes under the Data Protection Act 1998, this information will only be revealed if the carer consents or if it is possible to disclose the information without revealing the identity of the third party.

    Staff can also restrict access to information if it may cause serious harm to the physical and/or mental wellbeing of the service user or any other person. A clear statement of consent/dissent from the carer should be recorded in the case notes on each occasion the carer provides information.


    16. DISCLOSING INFORMATION TO THE POLICE: OPERATIONAL PROCEDURE

    16.1 Objective:

    This procedure details how requests for personal data from the police should be dealt with.

    16.2 Consent

    The informed explicit consent of the individual must be gained prior to the release of information to the police. Where the individual has given consent, proof of the consent, e.g. a signed consent form should be retained in the service user's record. Only the minimum information to satisfy the request should be given. An example consent form is included in Appendix A. The service user must understand what information is to be disclosed and that it may be disclosed to third parties, including the defence and may also be referred to in open Court.

    If consent cannot be gained or gaining it might jeopardise the investigation consider whether there is a legal duty or power to share the information.

    16.3 Legal Duty to Disclose Court Order


    Producing or attempting to produce a controlled drug

    Supplying or attempting to supply a controlled drug to another or offering to supply a controlled drug to another

    Preparing opium for smoking

    Smoking cannabis, cannabis resin or prepared opium.

    The Police will be informed where patients are suspected of supplying illicit drugs to other patients.

    16.7 Coroner's Court

    The Coroner's Office may request a medical record in order to investigate the cause of death of a person in suspicious or unnatural deaths.

    Information may be requested by a police officer on behalf of the coroner. Staff can confirm this with the Coroner's Office. Identification should be requested from the police officer and the officer's name, rank and number logged. A receipt for the record should be obtained from the police officer's property book.

    The removal of the record must be recorded.

    In the case of UHSM, such requests will be dealt with by the Complaints Manager. Original Mental Health Records will not be sent.


    The police may request information without the consent of the individual when making enquiries concerned with the prevention and detection of crime or the apprehension and prosecution of offenders and consent would prejudice the purpose.

    The Police must produce the Personal Data Request Form detailed in Appendix B to request the information. The form must be signed by the Senior Officer in charge of the Investigation. This will ensure that satisfactory undertakings are in place with the police in respect of any information released.

    Information should only be supplied to the police if it is in the public interest to do so. The decision should be made by the health professional who is responsible for the relevant aspect of the patient's health care at the time. Further advice may be sought if necessary e.g. Legal Services Manager, Caldicott and Data Protection Officer or Caldicott Guardian. The Caldicott Guardian will make the final decision in complex cases.

    Information may also be proactively disclosed to the police if it is in the public interest to do so.

    The following must be considered when making the decision: -

    Is the request in relation to a serious crime or to prevent serious harm or abuse to an individual (See further advice in Appendix C of this procedure).

    How do the benefits of making the disclosure balance against the harms associated with breaching a patient's confidentiality?

    Without disclosure, would the task of preventing, detecting or prosecuting the crime be seriously prejudiced or delayed?


    If the information requested relates to a deceased person, the Data Protection Act no longer applies, however, confidentiality obligations remain and the guidance above must be followed.

    16.10 Process for disclosure

    The flowchart detailed in Appendix D should be followed when dealing with a request for information. In particular: -

    Ensure a lawful basis for the disclosure

    Only disclose information that is relevant to the enquiry.

    Disclose information securely, following the Trust's Safe Haven Procedure.

    Seek advice from colleagues and line managers when making a decision about a disclosure

    Record the reasoning used, circumstances prevailing and decisions made in the service user's record.

    Even talking to the police about a service user will constitute a disclosure and must follow this procedure.

    Staff may face disciplinary proceedings if information is disclosed outside the remit of this procedure.

    The Caldicott Guardian will make the final decision in complex cases.


    17. IT SECURITY

    17.1. Introduction

    IT Security supports Information Security. Information systems must be robustly protected so as to enable business as usual and continuity at the various levels agreed and thus support the provision of health and social services to the necessary standard.

    17.2. Risk

    All information systems and the data they contain have some level of risk attached to them. Data and equipment can be stolen or lost.

    Staff must help protect the information assets, equipment and information that they use by being vigilant and following best practice in information security as outlined in this policy and supporting documents.

    This will help to prevent inappropriate access, data loss, system compromise, equipment loss or failure, disasters and loss of business operations. It will also help to prevent a variety of crimes being carried out such as theft and fraud.

    17.3. Aims & Objectives


    Carry out security risk assessment(s) in relation to all the business processes covered by this policy. These risk assessments will cover all information systems, applications and networks that are used to support those business processes. The risk assessment will identify the appropriate security controls required to protect the information systems.

    Produce system security policies and procedures for all information systems, applications and networks. These policies or procedures should be developed on the basis of an analysis of risks and approved by the Information Governance Manager (IGM).

    Ensure that all users of the system are made aware of the contents and implications of relevant system security policies and security operating procedures.

    Ensure that all users of information systems, applications and the networks are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities. All staff to be made aware that irresponsible or improper action may result in disciplinary action(s).

    Ensure that all newly developed information systems, applications and networks are approved by the IGM and the Caldicott Guardian and SIRO before they commence operation.

    Ensure that measures are in place to detect and protect information systems, applications and networks from viruses and other malicious software.

    Ensure that changes to the security of an information system, application or network are reviewed by the relevant project/system manager. All such changes must be


    17.4. Physical Security

    17.4.1. Objective: To maintain the security of UHSM information processing facilities and prevent unauthorised access, damage and interference to business premises, equipment and information.

    Staff must:

    Report problems with IT and information systems to the appropriate staff. (see Contacts section at end of this document). The more serious the fault or incident (or potential for one to occur) the sooner it must be reported.

    Comply with UHSM policies, procedures and guidelines

    Comply with the law

    Report accidental information access and security breaches immediately to management

    Report unsafe or unsatisfactory equipment promptly to the IT Service Desk and Facilities

    Report any deficiencies in security without actively trying to find any more to Information Governance. For example: Equipment must be sited in order to avoid computer screens being able to be read by unauthorised staff or the public. If this is not the case it should be reported.

    Staff must wear ID cards in areas where they will not be recognised, i.e. out of their office or department as other staff may challenge anyone without an ID card that they


    Move computers, printers or other desktop equipment without notifying IT Service Desk unless authorised.

    Allow computers, electronic media (e.g. floppy disks, CD disks, USB pen drives) to be exposed to extreme temperatures, fluids or corrosive substances.

    Connect unapproved, unconfigured computers to the UHSM network.

    Eat, and especially drink, in the vicinity of computers and related equipment. Eating and drinking is forbidden in areas where there are important computers such as fileservers. The penalty could be loss of fileservers, harm or even death (not by UHSM but by the electrified equipment!). Any foodstuffs that present a risk to facilities e.g. liquids, soup or cans of drink must not be taken near equipment that it could present a risk to.

    17.4.2. Access to premises: Secure areas

    Most staff need access to premises and many staff access secure areas within them.

    Staff must not share secure areas access passwords, PIN codes, ID cards or keys with anyone unless authorised or they have the necessary management level of authority to permit it.

    17.4.3. Computer hardware and software protection

    Staff must not load onto any UHSM computer or device, use (or cause to be used), any software application, batch file, script or executable file that has not been approved by


    17.4.5. Equipment & Information Disposal

    Equipment that contains or may have contained confidential data must be securely disposed of when disposal is agreed by management.

    17.4.5.1. Computers and computer files

    17.4.5.1.1. Device to be reused

    Data existing prior to formatting must be erased/purged so that it can never be recovered.

    Only qualified staff in the IT Services Department or an approved contractor using specified secure methods must carry out complete low level formatting of the entire hard disk drive to the CfH approved standard or higher.

    For removable media (e.g. USB pendrive/memory sticks) floppy disks/CDs/DVDs and backup tapes (please refer to Portable Media Policy).

    17.4.5.1.2. Device to be destroyed

    Storage devices or media must be disposed of by being put beyond any means of data recovery such as by being physically destroyed. This includes floppy disks, backup tapes and any other conceivable media used for storing data on. This can be done on site by qualified IT staff, or via an approved contractor. A destruction log (certificates of destruction) must be provided by a contractor.


    be granted access to information systems after they have signed the Confidentiality Agreement [see HR intranet for ???].

    17.7. Data Backup

    Objective: To preserve the integrity and availability of information and enable recovery in the event of disaster.

    Files must be stored on a user's network drive. This will mean they are then saved onto a secure and resilient file server. This is not the same as saving data onto a computer hard drive. For instance a laptop would have to be plugged into the network to do this. Any computer that stands alone does not backup onto a file server. [Information stored on network servers with secure, authorised access helps to maintain confidentiality, availability and integrity of the information and reduce the impact of breaches in physical security.]

    Important backup tapes and media must be stored safely and securely.

    Confidential or business critical information must not be stored on individual computer hard drives. The line manager in charge of the staff that process such information must ensure that adequate physical security and backup arrangements are put in place by seeking advice from senior IT staff or the IG Team.

    Data located upon critical network servers must be backed up in accordance with IT back-up procedures to provide at least ??? period of information retention. Such information will also be stored at another site to facilitate a maximum loss of ??? of information destroyed as a result of local building or system damage.


    17.8.1. Introduction

    Registration for computer use, computer network use and hence office applications such as email and MS Office, intranet, and internet usage is made via line management to IT Services. Applications will be made available to you according to your role and Smartcard profile.

    To register to use an information system (e.g. Sunrise) staff must have this arranged through their sponsor who will usually be their line manager.

    To de-register from using an information system the sponsor (line manager) should be notified unless there are circumstances where they cannot be.

    Information system administrators are not permitted to register or de-register staff to or from systems without authorisation from the user's sponsor unless there is a justifiable reason.

    17.8.2. New Users

    17.8.2.1. User Registration

    Access to any UHSM system can only be provided after proper procedures are completed. There is a formal user registration process beginning with a formal notification from a line manager to the System Administrator. A request for access to services (systems and applications) must be made in writing (email or hard copy) by the member of staff's line management.

    Each System Administrator will maintain a record of all applications.


    Confirm the identity of the user by question about existing services/access or by reference toa work colleague

    17.8.2.6. Staff Changes Notifications Starting and Leaving

    Line managers are responsible for notification of new staff to the relevant System Administrator so as to allow access rights to be established from required dates. System Administrator must be notified of leavers and staff changes that affect computer access by line managers (for example job function changes / leaving department or organisation) so that computer network access rights may be amended or deleted.

    When an individual leaves the UHSM's employment, all his/her system logons must be revoked unless there is a justifiable reason not to such as business continuity. Even so the password must be changed.

    Leavers reports should be distributed to relevant administrators in a timely manner. All leavers must hand over current files, however IT Services can move a leaver's files to specific areas if requested. Normally a leaver's data will be left in its existing directory until authorised to be deleted and then archived off system (so it can be recovered if required).

    17.8.2.7. Revoking User Accounts

    Senior management with the necessary authority have the right to revoke user(s) access to information systems. This action, the circumstances and the reason(s) must be notified to

    The System Administrator may conduct a review of all user access rights when necessary, which is designed to positively confirm all users.

    The relevant manager may request an access rights review.

    The Information Governance Manager may request or conduct an access rights review.

    Any lapsed or unwanted logon, which is identified, will be disabled and may be deleted after confirmation with the relevant line manager.

    Systems Administrators may conduct reviews of access to applications. This will be done in co-operation with the application owner.

    Directors may order reviews

    17.8.2.10. Review of user access

    The line managers may request a user access review.

    The System Administrator may conduct a review of user access when requested by senior management

    The Information Governance Manager may request user access reviews.

    Directors may order reviews

    17.8.2.11. Review approach

    Passwords should be changed at intervals in line with Trust policy, when prompted or if the account may have been compromised. Where unique passwords are available within a system they must be used. Confidential personnel or commercially sensitive data should be password protected. Further advice for creating a secure password can be found in Appendix b.

    The security of manager or supervisor passwords should be treated with the highest regard for security. Only authorised personnel should be aware of current manager/supervisor related passwords.

    These passwords should be kept in a secure area, in a locked and in a sealed envelope. In the absence of the manager/supervisor, authorised users will then have access to the appropriate passwords as necessary. As well as the systems manager there should be at least one recognised deputy. There should also be additional personnel aware of back up procedures in the event of the absence of managers and deputies.

    17.8.2.13. Remote Access

    Certain staff may need to use Trust IT equipment in geographically dispersed locations. This might include:-

    Travelling Users - staff working across site or temporarily based at other locations

    Home Workers (IT Support, Corporate Managers, IT Development Staff, Clinicians)

    Non-NHS Staff (Social Services, Contractors and other Third Party organisations)

    A detailed policy, the Remote Access Policy, exists to provide guidance to users in these

    17.9.3. C: drive (or any Hard Disk Drives)

    Under no circumstances should staff save any of their work data to the C: drive. This is the hard drive of the individual computer they are working on, and the information is unprotected and open to loss or misuse. All staff should be aware of the relevant drive on the network in which they can save their work securely.

    17.9.4. Desktop

    Staff must not save work to the desktop area of their computer as this is unprotected and puts information at risk from loss or misuse. It has limited capacity, and the Trust is operating a policy to clear all computer desktops of documents and file folders. Please note this is not the same as a shortcut link to a file on the network, which is allowed on the desktop.

    17.9.5. Portable Media Devices Security

    This includes, but is not limited to:

    17.9.5.1. USB Memory Sticks

    The use by anyone, of unprotected, unencrypted USB memory sticks (or other such devices, CDs, DVDs), for containing person identifiable, sensitive or confidential data, is strictly prohibited by UHSM.

    Staff who need a USB stick for containing confidential data must apply to their Sponsor who will normally be their line manager. If approved by the Sponsor then subsequently IT

    Laptops which are operated by departments, using 3rd party software, for clinical related activities will do so with prior knowledge of the IT department, to ensure that sufficient safeguards for the storage and use of such a laptop have been put in place.

    All encrypted laptops will be logged on to the network once every 60 days. This allows anti-virus updates to be loaded to the laptop, ensuring continued compliance with security standards. A failure to log on to the network within the allotted 60 days will result in the computer becoming inoperable, and the laptop will have to be returned to the IT department to be unlocked.

    Responsibilities

    The IT manager is responsible for ensuring encryption applied to IT systems and laptops is up to NHS standards, and delegates the collection of laptop registration.

    Individual staff members who use laptops as part of their job roles, are ultimately responsible for maintaining the security of that laptop, and the information processed through the laptop.

    Laptop Registration

    All Trust owned laptops will be registered with the IT department, this should be done at time of purchasing. Staff will need to ensure a relevant registration form has been completed and this is attached.

    Appendix E: Laptop Registration Form

    Laptop Registration Form

    Registration No:

    Type:

    Owner (UHSM Department)

    Contact Name:

    Title:

    Department:

    Mobile Computing Device Registration Form

    Registration No:

    Type:

    Owner (UHSM Department)

    Contact Name:

    Title:

    Department:

    Contact No:

    17.9.5.3. CDs/ DVDs

    It is absolutely forbidden for staff to copy or store confidential or sensitive data onto CDs, DVDs or any other such media. Biometric and encrypted memory sticks have replaced such media.

    It is contrary to CfH guidelines to do this as it may be the cause of massive data loss.

    Only if there is a mission critical need to do so then senior management in consultation with the Caldicott Guardian and SIRO must consider whether to authorise the data to be encrypted to the CfH approved standard or higher prior to it being copied or transmitted.

    The encrypting and copying process must be undertaken by IT Services as staff would not have the tools or expertise to do this safely. This authorisation, encryption and copying process must be recorded and signed off by the SIRO.

    17.9.5.4. Blackberrys

    All Blackberrys supplied to Trust staff will be protected up to NHS standards, and accessible only by using a secure pass phrase. Staff will protect the integrity of that pass phrase by not sharing it with other members of staff and ensuring it is not recorded anywhere accessible by others.

    17.9.5.5. PDAs

    The use of PDAs is restricted to non Personal Identifiable Data (PID), and they will not be able to log in to the UHSM network.

    18. DATA QUALITY

    Data Quality and Information Security

    High quality, reliable information underpins health service delivery within the NHS. Information that retains its integrity, while being accessible and accurate and remaining confidential, is vital to the NHS and this Trust as a whole.

    Inaccurate, outdated or inaccessible information that is the result of one or more information security weaknesses can quickly devalue information and result in a detrimental effect on business and mission critical processes.

    Good security measures will function as quality internal controls, helping to eliminate mistakes. The Data Quality Policy should be read in conjunction with this policy to ensure staff are fully informed about the importance of maintaining the integrity of the Trust's data. Accuracy is vital in the creation and subsequent use of clinical records.

    Data Quality Policy can be found on the Intranet.

    19. PASSWORD PROCEDURE

    19.1. Creating a Secure Password

    Passwords are your legal responsibility so it's worth making them extra secure.

    Mnemonics is a proven way of creating a secure and memorable password.

    Why?

    The human brain remembers a sentence far better than a single word.

    Let us take an example we all might know:

    Richard Of York Gave Battle In Vain

    So your password would be:

    R O Y G B I V

    Not clear? OK, let's take another example.

    As we have to change our passwords every 2 months, you may want to pick something applicable to those months like a partner's birthday, for example:

    Richard's birthday is the 17th of February

    So the password would be:

    R b d i 1 7 F

    See how this now allows a combination of numbers and letters that you require for most passwords. Other ways of adding in numbers and symbols could be as follows:

    3 for E (as these sound similar)

    20. IT NETWORKING

    Introduction

    This section of the document sets out UHSM's computer network services provision's security.

    Aim

    The aim of this section is to ensure the information security of UHSM's computer networks and devices that connect to them.

    20.1. Network definition

    The network is comprised of connected computer and communication equipment. The network is created to support business operations by sharing data, applications, software, and peripherals such as printers, routers, fax machines, and other data storage equipment.

    20.2. Scope

    This section applies to:-

    all computers and computer networks that support UHSM in delivery of health and social care and supporting services

    assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability.

    Risk assessment will be conducted to determine the CfH and ISO 27001 and 27002 assurance levels required for security controls and countermeasures that protect the network. This will include penetration testing when necessary.

    20.5. Physical & Environmental Security

    Network computer equipment will be housed in a controlled and secure environment. Critical or sensitive network equipment will be housed in an environment that is monitored for temperature, humidity and power supply quality. Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls.

    The Support Manager is responsible for ensuring that door lock codes are changed periodically, following a compromise of the code, if s/he suspects the code has been compromised, or when required to do so by the senior IT management.

    Critical or sensitive network equipment will be protected from power supply failures.

    Critical or sensitive network equipment will be protected by intruder alarms and fire suppression systems.

    Smoking, eating and drinking is forbidden in areas housing critical or sensitive network equipment.

    All visitors to secure network areas must be authorised by the Network Manager.

    All visitors to secure network areas must be made aware of network security

    Security privileges (i.e. 'superuser' or network administrator rights) to the network will be allocated on the requirements of the user's job, rather than on a status basis.

    Access will not be granted (copy paste in User access from above) registers a user. All users to the network will have their own individual user identification and password.

    Users are responsible for ensuring their password is kept secret (see User Responsibilities).

    User access rights will be revoked when known removed or reviewed for those users who have left the Trust or changed jobs.

    20.8. Third Party Access Control to the Network

    Third party access to the network must be based on a formal contract that satisfies all necessary NHS security conditions and requirements of both the law and IG.

    All new systems must have a Privacy Impact Assessment conducted by the IG team and where deemed necessary by the IGG, legacy/inherited systems must also have them.

    All third party access to the network must be logged by Service desk.

    20.9. External Network Connections

    Ensure that all connections to external networks and systems have documented

    20.13. Security Operating Procedures (SyOps)

    Produce SyOps and security contingency plans that reflect changes to operating procedures authorised by the Head of IT.

    20.14. Network Operating Procedures

    Documented operating procedures should be prepared for the operation of the network, to ensure its correct, secure operation.

    Changes to operating procedures must be authorised by the Head of IT

    20.15. Data Backup and Restoration

    The Network Manager is responsible for ensuring that backup copies of network configuration data are taken regularly.

    Documented procedures for the backup process and storage of backup tapes will be produced and communicated to all relevant staff.

    All backup tapes will be stored securely and a copy will be stored in a different location from the servers they are backed up from.

    Backup media must be securely destroyed when authorized by the Head of IT.

    20.16. User Responsibilities, Awareness & Training

    The Trust will ensure that all users of the network are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities.

    Staff with administration rights must be careful not to delete or modify other users' rights and account settings.

    20.19. Malicious Software

    UHSM will ensure that measures are in place to detect and protect the network from viruses and other malicious software.

    20.20. Secure Disposal or Re-use of Equipment

    This work is mostly undertaken by contractors. Where it is not the following applies:-

    Staff must contact IT to arrange disposal under contract or advise on appropriate methods. A log must be kept by IT which is accessible to SIRO/CG appointed risk assessors.

    20.21. System Change Control

    Ensure that the Change Advisory Board reviews changes to the security of the network. All such changes must be reviewed and approved by the Change Managers are responsible for updating all relevant Network Security Policies, design documentation, security operating procedures and network operating procedures.

    Change Advisory Board may require checks on, or an assessment of, the actual implementation based on the proposed changes.

    Change Advisory Board is responsible for ensuring that selected hardware or software meets agreed security standards.

    Testing facilities will be used for all new network systems. Development and operational facilities will be separated.

    short time. Workstations must be locked or a screensaver password activated if a workstation is left unattended for a short time. This is especially required in areas that are accessed by the public.

    Users failing to comply in full knowledge will be subject to disciplinary action.

    20.26. Security Responsibilities

    The Chief Executive has delegated the overall security responsibility for security, policy and implementation to the SIRO.

    Responsibility for implementing this policy within the context of IT systems development and use in the organisation is delegated further to the Head of Health Informatics.

    21.0 RISK ASSESSMENT PROCESS

    21.1. Purpose

    To empower SIRO, IAOs, IAAs and risk assessors to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.

    21.2. Scope

    Risk assessments can be conducted on any entity within UHSM or any outside entity that has agreed this and/or signed an agreement including this with UHSM. RAs can be conducted on any information system, to include applications, servers, and networks,

    21. LEGAL GUIDANCE

    Introduction

    Staff must comply with the law. In order to do this staff must be aware of the law.

    Staff must read and comply with this policy, related policy, procedures and guidance that is applicable to their work and which can be found on UHSM's Intranet.

    As required and necessary staff must comply with the following legislation:

    Data Protection Act 1998

    Human Rights Act 1998

    Freedom of Information Act 2000

    Regulation of Investigatory Powers Act 2000

    Computer Misuse Act 1990

    Health and Safety at Work Act 1974 (Computers)

    Copyright Designs and Patents Act 1988

    There is also an obligation for the Trust and its IT Services to conform to the Common Law Duty of Confidence and Caldicott principles.

    SCHEDULE 2

    Conditions relevant for purposes of the first principle: processing of any personal data

    1 The data subject has given his consent to the processing.

    2 The processing is necessary

    (a) for the performance of a contract to which the data subject is a party, or

    (b) for the taking of steps at the request of the data subject with a view to entering into a contract.

    3 The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

    4 The processing is necessary in order to protect the vital interests of the data subject.

    5 The processing is necessary

    (a) for the administration of justice,

    (aa) for the exercise of any functions of either House of Parliament,

    (b) for the exercise of any functions conferred on any person by or under any enactment,

    (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or

    (d) for the exercise of any other functions of a public nature exercised in the public interest by any person.

    and in the case of sensitive personal data, at least one of the conditions set out in

    Fourth principle

    Personal data shall be accurate and, where necessary, kept up to date.

    Fifth principle

    Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

    Sixth principle

    Personal data shall be processed in accordance with the rights of data subjects under this Act.

    Seventh principle

    Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

    Eighth principle

    Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

    UHSM staff must strive at all times to comply with the requirements of the Data Protection Act 1998.

    22.2 COPYRIGHT, DESIGNS & PATENT ACT 1988

    This Act states that it is illegal to copy or use software without the copyright owner's consent or the appropriate licence to prove the software was legally required. Staff are individually responsible for ensuring no unauthorised software is used within the organisation, and each manager is responsible for ensuring that all items of software in their department are purchased through or sanctioned by the Information Technology department.

    Staff must not load onto any UHSM computer or device, use (or cause to be used), any copyrighted material without the author's permission.

    As a basis of the Act the copyright owners reserve the right to prosecute any individual or organisation found to breach their copyright, and this may be the basis for disciplinary action.

    22.3 Computer Misuse Act 1990

    This act states that it is a criminal offence to attempt to gain access to computer information for which you have no authorisation. If it is suspected that any unauthorised access is made to a computer system then disciplinary action may be taken under the hospital Disciplinary Policy.

    All staff that use Smartcards must be familiar with the Registration Authority (RA) policy, offering instruction for the correct registration and use of RA cards throughout the Trust.

    Where required managers are responsible for ensuring that all new members of staff obtain an authorised RA card on the day employment commences and the RA department is notified on termination. The RA policy will be available on the Intranet.

    being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

    22. GUIDANCE & STANDARDS

    23.1 Information Governance (NHS standard)

    The Information Governance Toolkit is a requirement for all NHS organisations. An annual IG Toolkit assessment submission is made to CfH.

    An annual IG Toolkit assessment will be submitted in accordance with Department of Health (Connecting for Health) requirements.

    23.2 Caldicott (NHS standard)

    23.2.1 Caldicott Report 1997

    The Department of Health issued the Caldicott report which dictates levels and standards for securing information and computer systems. The increased emphasis on the Electronic Patient Record and Clinical Governance has combined to heighten security awareness. The main objective of the report was to outline measures to maintain the security of patient identifiable information.

    It is the responsibility of all staff to ensure that they adhere to Caldicott Guidance, further information surrounding confidentiality of patient identifiable data and best p