Name of responsible committee: Information Governance Board Date issued: 15 th April 09 Review date: 14 th April 11 Referenced Documents:

Transcription

1 Storage and Transfer of Person Identifiable Information Policy Trust Wide Policy number: ULH-IM&T-AUP03 Version: 1.1 New or Replacement: New Approved by: Executive Board Date approved: 14 th April 09 Name of author: Andrew Stocks Name of Executive Sponsor: Michael Humber Name of responsible committee: Information Governance Board Date issued: 15 th April 09 Review date: 14 th April 11 Referenced Documents: Information Security Policy Computer Acceptable Use Policy Mobile Computing and Home Working Policy Relevant Legislation: Data protection Act (1988) Computer Misuse Act (1990) Relevant Standards: ISO NHS code of Practice for Information Security Management NHS N3 Statement of Compliance ULH-IM&T-AUP03 1 of 15

2 Storage and transfer of person identifiable information policy Contents Section Page 1 Introduction 3 2 Core Principles 4 3 ing and other electronic transfers of personidentifiable information 5 4 Mobile Computing Equipment 7 5 Passwords 9 6 Visitors/Third Parties 10 7 Incident Reporting 10 8 Implementation and Compliance 11 Appendix 1 Data Classifications 12 Appendix 2 Secure File Transfer 13 ULH-IM&T-AUP03 Page 2 of 15

3 1. Introduction 1.1. Rationale: Following recent concerns about public sector data protection and, in particular, the security of information being transferred between locations and organisations, the NHS Chief Executive, David Nicholson, has written to all NHS organisations with a list of requirements. One of these requirements is to ensure that all person-identifiable information being stored or transferred is properly protected against security and confidentiality breaches Purpose: To provide clear direction, support and commitment to the protection of electronic person-identifiable data (PID), through the issue and maintenance of a storage and transfer of person-identifiable information policy across the Trust. This document sets out minimum policy standards and common policy directions across the Trust for the protection of electronic person-identifiable information Scope: Personnel: The policy applies to all full-time and part-time employees of the Trust, non-executive directors, contracted third parties (including agency staff), students/trainees, secondees and other staff on placement with the Trust, and staff of partner organisations with approved access. It applies to all areas in support of the Trusts business objectives both clinical and corporate Visitors and third parties Data Classifications: Although this policy applies primarily to PID it is equally relevant to other categories of sensitive Trust data See appendix Objectives: The intention is to promote and build a level of consistency across the Trust: This policy covers all aspects of storing electronic person-identifiable information on devices, including (but not limited to): Desktop PCs. Laptops/notebook computers. Mobile/portable computers such as PDAs, mobile phones, Smartphone s, etc. Mobile computer media such as solid state memory cards, memory sticks, pen drives, USB drives, DVDs, CD-ROM, etc This policy covers all aspects of transferring electronic person-identifiable information, including (but not limited to): . FTP. Internet submissions. ULH-IM&T-AUP03 Page 3 of 15

4 1.5. All staff are required to adhere to this policy and it is the responsibility of the individual to ensure that they understand this policy. Managers at all levels are responsible for ensuring that the staff for whom they are responsible are aware of and adhere to this Policy. They are also responsible for ensuring staff are updated in regard to any changes in this Policy Failure to adhere to this policy may result in disciplinary action being taken and, in serious cases, could constitute gross misconduct. 2. Core Principles General 2.1. The Computer Acceptable Use Policy (Section 2.3) specifically prohibits the use of any privately owned equipment or media within the Trust s computer system. Therefore, ONLY Trust owned or managed equipment, or media may be connected to our computer system or used to store the Trust s data. It is unacceptable to process (including to store or transfer) person-identifiable information on non-trust equipment Confidentiality must always be maintained for all Person Identifiable Data (PID), which includes information about our patients and staff. Ethical duties of confidence must be observed and extreme caution should be exercised where (PID) is being transferred electronically ensuring that all the data is fully protected to the required standards outlined in this policy. Data (Information) Storage 2.3. All PID must be stored on Trust networked data servers (where data is both secure and backed up) unless there is an operationally essential reason for storing the data on another storage device Storage for backup purposes must only be undertaken where central storage on the Trust network is not available All PID not being held on the network is to be held in a secure (encrypted) environment Data must not be routinely stored on desktop PC hard drives unless there is an operationally essential requirement to do this (such as a stand alone PC or a software programme which will only save data to the local drive). In this case all data must be backed up and both the local hard drive and any backup media is to be encrypted using trust approved software All laptop computers must be fully encrypted using Trust approved software. Data (Information) Transfer 2.8. All files containing PID being transferred externally by any electronic means must be encrypted using a Trust approved encryption process. ULH-IM&T-AUP03 Page 4 of 15

5 2.9. In addition, all bulk PID (more than 50 individuals) MUST be encrypted when transferred electronically whether internally or external All mobile computer devices (including PDAs, mobile phones, Smartphones, etc.) used for processing PID must be fully encrypted using Trust approved software (with the exception of those devices where Trust acceptable built-in security is turned on) All USB memory sticks used for processing person-identifiable information must be fully encrypted. The Trust provides an encrypted memory stick which is the only external storage device which can be used with Trust equipment. The Trust network will be locked down so that only approved devices can be used All files transferred on any mobile computer media (such as DVDs, CD-ROM, etc.) must be encrypted using Trust approved software. Staff should use the Secure File Transfer Services for this purpose wherever possible Strong passwords must be used for all encryption software 8 characters or more in length and containing a combination of upper and lower case letters, numbers and special characters (like punctuation marks) Encryption standards: Data encryption must be to an appropriate CfH approved standard such as 256-bit Advanced Encryption Standard [AES-256] algorithm. 3. ing and other electronic transfers of person-identifiable information 3.1. The above principles apply to all forms of electronic transfer of PID including e- mail, FTP, internet submissions, etc All files containing PID being transferred externally by any electronic means must be encrypted using a Trust approved method: File encryption using trust approved software; by using NHS mail accounts. *Please note this data is only encrypted when sending from one NHS mail account to another, or to another approved government system such as; o NHS: NHSmail (*.nhs.net) o Central Government xgsi (*.x.gsi.gov.uk) GSI (*.gsi.gov.uk) GSE (*.gse.gov.uk) GSX (*.gsx.gov.uk) CJX (*.police.uk *.pnn.police.uk *.cjsm.net) SCN (*.scn.gov.uk) o Local Government GCSX (*.gcsx.gov.uk) or, by using the CfH approved Secure File Transfer Services (which can be used for up to 1 GB of data) See appendix 2 for details ULH-IM&T-AUP03 Page 5 of 15

6 3.3. All files containing PID being transferred Internal should wherever possible be stored in a secure network storage area and shared between departments using shared storage areas Internal should only be use for the transfer of PID in accordance with the Trust Acceptable Use Policy. Where internal is the only viable method of the data transfer, all bulk transfer of PID must still be encrypted and all non bulk should be anonymised where possible. As a minimum any files transferred should be password protected and if possible encrypted using the Trust approved encryption product The electronic transfer of unencrypted non-bulk person-identifiable information (including , FTP, internet submissions, etc.) within the Trust is acceptable because the risk to the information is minimised when it is being transferred within the Trust. However, in addition to Para 3.4 above, the following guidance must be adhered to: Extreme care must be taken that this information is not inadvertently sent or forwarded to recipients outside of the Trust PID should not be sent via except as part of an agreed and documented workflow or in a clinical emergency Unless a clinical emergency has arisen, or specific authority has been granted by the Caldicott Guardian, s are only to be sent to other internal addresses in the Global Address Book Only the minimum amount of data needed to identify the patient should be used. Anonymisation of data should be considered - Where possible, only use the NHS Number as the identifier Individuals are responsible for carrying out a risk assessment prior to transferring data for this purpose. Is there a safer way of passing this information that meets the users requirements; does the risk of inadvertent disclosure justify using this method of communication (ultra sensitive information should not be sent except in a medical emergency) Users are to make sure that any messages sent are part of a formal and documented workflow process. Clinical information should never be sent as an attachment between clinicians unless it is part of an agreed process Ensure that any clinical information sent conforms to the Caldicott principles. When setting up any clinical information flow using , work flows should be reviewed and if necessary approved, by the Caldicott Guardian via the Information Governance Department Never include PID within the name of a file or the Subject heading of an . This information could be overseen on a computer screen even if the file or has not been opened by the intended recipient. ULH-IM&T-AUP03 Page 6 of 15

7 Delete the file or as soon as possible once it is no longer required If storing the file or outside of Microsoft Outlook it must be properly protected as stated above when stored on the sender s and receiver s computer devices. 4. Mobile Computing Equipment 4.1. All mobile computing is to be carried out in accordance with the Trust Mobile Computing and Home-Working Security Policy. Which sates that: Sensitive or confidential data must only be removed from the Trust premises in exceptional circumstances with the consent of the data owners who are, where appropriate, required to seek advice from the Data Protection Officer and/or the Caldicott Guardian. In addition, employees must ensure that written authorisation is obtained from their Line Manager prior to taking the data away from trust premises General - When using mobile/portable computer storage media: Ensure that authority to use these devices has been granted from an appropriate senior manger and that there is a justifiable business case for transferring or storing data in this way Ensure all such media is stored in a secure environment when not in use Ensure that no one else uses them (e.g. members of your family) Keep them with you at all times when travelling USB Memory Sticks USB Memory Sticks should only be used on an exceptional basis where it is essential to store or temporarily transfer data Any PID transferred to a USB Memory Stick must remain encrypted throughout its journey and must not be transferred to any non approved other system in an unencrypted form All USB Memory Sticks and the data they contain remain the property of the Trust. When a member of staff leaves their department or Trust they are responsible for relocating any stored data appropriately and returning their empty USB Memory Stick to ICT Ops (Security and Access Services) for redistribution Data should always be removed from the USB Memory Stick when no longer required When using mobile/portable computers such as laptops, notebook computers, PDAs, etc. ULH-IM&T-AUP03 Page 7 of 15

8 Ensure any data stored is for operational reasons only and that the data is routinely backed up to a network storage area Do not use them for the storage or bulk transfers (more than 50 individuals) of PID without the express permission of the Caldicott Guardian Do not load them with any unauthorised software Ensure any security features are switched on at all times Ensure other people cannot see any information on the screen, particularly when travelling on public transport Store them in a secure environment when not in use Ensure that no one else uses them (e.g. members of your family) Do not write down any user names or passwords Keep them with you at all times when travelling. Do not leave them unattended in your vehicle, or whilst you are fetching refreshments or visiting the cloakroom - particularly if you are attending conferences in hotels, conference venues, etc Keep them out of sight when driving (for example, in the boot), to minimise the risk of anyone taking them whilst you are stationary Remove any detachable media such, as an external memory card (which must be encrypted), and carry them separately (e.g. inside a coat pocket or briefcase) Cameras and Mobile Phones/Camera Phones Taking photographs or making video records of patients or other members of the public must only be done with informed consent. This consent must be documented Users must exercise care to ensure that all cameras and/or the associated film, memory cards or memory sticks are protected from theft or loss Photographs and/or video must not be stored on these devices for any longer than is necessary. The images must be transferred to a secure location (e.g. a user s network storage facility) at the earliest opportunity, and then deleted from the portable device The Trust does not permit the use of personally owned devices for taking photographs or video of patients. ULH-IM&T-AUP03 Page 8 of 15

9 5. Passwords 5.1. Strong passwords All password used are to be in accordance with the Trust Computer Acceptable Use Policy. Encryption software is only effective if strong passwords are used. Staff are therefore required to: Change their passwords at least every 60 days if not prompted Treat all passwords as confidential and never share them with anyone Change passwords whenever the users believes it may have been compromised Employ passwords with a minimum length of 8 characters, which are to be made up of a combination of letters, numbers and special characters such ^ = $ *! When choosing passwords avoid personal names and common words which might easily be guessed or associated with them Do not use a password containing a single word that can be found in a dictionary or a combination or 2 or more such words Do not use a password containing any names or dates of birth as it could be easy to guess Combinations of words and numbers are more effective and enhance security for example goldfish25' is a more secure password than 'goldfish'. A password you can remember that is not a word is even better. One technique is to use the first letters from a sentence or rhyme, for example The Cat Sat On The Mat to give a password tcsotm and then include numbers tcsotm46 and possibly mix upper and lower case characters and add a special charcter TcsOtM23! Communicating passwords If sending an encrypted file containing PID it is unacceptable to transfer the password with the file Whenever possible send the password via a different medium. For example if sending an encrypted CD-ROM or DVD via post, telephone through the password or send it by . Never send the password in the same packaging as the disk. If sending an encrypted file by telephone through the password or send it by post. Never send the password in the body (or as an attachment) of the with the encrypted file attached If the encrypted file and password MUST be sent via the same medium send them separately and never together sending encrypted files and passwords by the same medium is strongly discouraged and should only be used as a last resort. For example, if you must send an encrypted CD- ULH-IM&T-AUP03 Page 9 of 15

10 6. Visitors/Third Parties ROM or DVD and the password by post send them in different packages. If you must send an encrypted file and the password by send them as separate s and remove all references to each other to make it harder for anyone other than the intended recipient to recognise that the two are linked Visitors will include, for example, lecturers, contractors, company representatives, etc Staff must ensure that visitors are aware of this aspect of the policy before they arrive on site: Visitors must not connect any device, including USB sticks and Laptops, or insert any media to any equipment belonging to the Trust without prior authorisation, which must be from a Head of Department or member of the Security and Access Team. Any approved connection must also be undertaken under appropriate supervision (Head of department, member of the ICT Department or Security and Access team) and may need the ICT Technical Services team to active the connection. Visitors must not, under any circumstances, copy Trust information of any description to any device or media without explicit consent. This may be regarded as theft of Trust property and result in legal action. Where possible, visitors must use stand-alone PCs or laptops for such devices or media instead of networked equipment. 7. Incident Reporting 7.1. Any loss of portable media potentially constitutes a serious breach of Trust security and should immediately be reported to line management and recorded as an incident Staff should report all information security breaches or near misses via the Trust Incident Reporting process (IR1 s). This can be done via the Trust intranet site, and, in serious cases direct to the Information Security Manager so that immediate mitigation action can be taken This is the ONLY way the Trust can put countermeasures in place to ensure that security breaches cannot happen. ULH-IM&T-AUP03 Page 10 of 15

11 8. Implementation and Compliance 8.1. Corporate oversight The Director of Operations, on behalf of the Chief Executive, will take steps to ensure that all staff adhere to this Policy Training The Associate Director of ICT will ensure that training on the use of the encryption software is available to staff who require it Monitoring The Trust will actively monitor the removal of data from the Trust network onto external storage devices such as USB data sticks. This is for the following reasons: Identify system and user problems. Monitor and investigate acceptable usage. Investigate clinical and disciplinary incidents. ULH-IM&T-AUP03 Page 11 of 15

12 Appendix 1 Personal Identifiable Information What is personal information? - Personal information is information we hold about an individual, patient, client or member of staff. It can be their name, address, or telephone number. It can also be the type of job you do, the attendances you have had at clinics and the place you went to school and or live. Personal data - Personal data means information about an individual who can be identified from that information and other information which is in, or likely to come into, the Data Controller's (The Trusts) possession. Person-Identifiable information - Can be any information that may identify an individual. It may be related to clients, staff, contractor s, student placements, and or their family and friends. It may consist but is not limited to one or more of the examples listed below: Name Date of Birth Sex Address (Including Key Codes/Door Access Codes) Telephone number Visual images Sensitive Information Some personal information is classed as Sensitive Information. This type of information is subject to further regulations under the Data Protection Act. Personal data becomes sensitive if it includes any of the following types of information about an identifiable, living individual: Racial or ethnic origin; political opinions; religious beliefs; trade union membership; physical or mental health; sexual life; commission of offences or alleged. Business Sensitive Information Business Sensitive Information, is other confidential information which may not include person identifiable data items, but its content, if disclosed, may risk the continued provision of care or compromise the Trust s operational standing or reputation. Examples of documents covered by Business Sensitive Data are: Financial Information Tenders Legal Information Complaints data Business cases ULH-IM&T-AUP03 Page 12 of 15

13 Appendix 2 Secure File Transfer (SFT) What is SFT? The SFT is a web service provided by Connecting for Health designed to allow the secure transfer of data between NHS users The SFT is designed to replace physical media transfers CD or DVD Memory sticks, USB pen drives Printouts Comparing SFT & NHSmail SFT NHSmail Data sizes suitable for transfer Up to 1GB Up to 20MB Can already encrypted or password protected zip files be sent? Yes Usually not Number of recipients per transfer Up to 10 Essentially unlimited Potential recipients for secure transfers Files retained in system Anyone on NHSmail with N3 access Deleted after 3 days (sender can specify less) Anyone on NHSmail or other trusted domains Indefinitely Please see the user guide below, or contact ICT Operations for more Information: ULH-IM&T-AUP03 Page 13 of 15

14 Secure File Transfer Users Guide Getting Started Before using the Secure File Transfer system (SFT) to send files, check the following: Make sure that you have a NHSmail account. Visit the SFT website at and register with the SFT service. (Remember to add the website to your web browser favourites). The people you are sending data to also need to have NHSmail accounts and to register with the SFT. Once you have done this, you can immediately start to use the SFT. Why do we have to have NHSmail accounts? One of the security checks that the SFT makes is making sure that the senders and recipients of data are valid NHS users. The SFT does this by checking with the NHSmail system. The SFT also sends its notification messages using NHSmail. I cannot connect to the web site If you are manually typing the SFT address into your web browser, double check that you have typed https: and not http: at the start of the web address. Also senders and recipients need to have access to the N3 network. ULH-IM&T-AUP03 Page 14 of 15

15 Sending files with the SFT 1. Using your web browser, connect to the SFT web site ( 2. Enter your address and the PIN that you received during registration If you forget your PIN, contact the Exeter helpdesk Enter the addresses of the people you are sending the files to. You can send to up to ten people at a time. 4. Enter a password to protect the file. If you provided mobile phone numbers, the SFT will text the password to those numbers. 5. You can add a comment that the SFT will send to the recipients. Also you can ask to be notified when the file is downloaded. You can also ask the SFT to delete the file sooner. 6. Tick the box that says you understand the terms and conditions, and click on the Check Steps 1-3 box. 7. Upload the file that you wish to send. You can send compressed or encrypted files or archives (and password protected ZIP files). You cannot currently send a file larger than 1GB (~1000MB). 8. Send the file. 9. You may need to send the password you used to the recipients if you did not ask the SFT to do this for you. You need to do this in a secure way. If you are unsure how to do this, contact your Information Governance Manager. Do I need to delete the file after it has been downloaded? Files uploaded to the SFT will automatically be deleted after three days. If the recipients do not download the files before this, you will need to resend them. If you wish, you can ask the SFT to delete the files sooner. Downloading files from the SFT 1. The SFT will send an to the recipients you provided with a link to click on and instructions. 2. The recipients enter their PIN (from their registration) and the file password you specified (The SFT might have sent this as a text message). 3. They can then download and save the file. ULH-IM&T-AUP03 Page 15 of 15