Safe Haven Procedure for the Secure Transmission of Personally Identifiable Information

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Safe Haven Procedure for the Secure Transmission of Personally Identifiable Information"

Transcription

1 Safe Haven Procedure for the Secure Transmission of Personally Identifiable Information Im&t directorate\policies\approved ig policiesprocedures.1

2 Index 1. Purpose Introduction Scope Authorisation to transfer data Information Flow Mapping Electronic transfers of data on removable media (Disks/CDs/memory stick) Using NHSMail Approved encryption Additional guidance Sending Large Files Office 2007 encryption Fax Machines Communications by staff/post/courier Internal mail External Mail Verbal Communication Telephone Answering Machines SMS Text Messages Electronic Messaging Software Change Control Date Version Author Change 1.0 GL First version 7/ GL Correct re digital certificates Page 2 of 15

3 1. Purpose This procedure provides information on how to securely send personal identifiable information (PII) via: o NHS Mail o Voltage Encryption o SecureSend NHS Secure File Transfer (for large files) Office 2007 encryption Fax Staff/Post/Courier Verbal communication Telephone answering machines SMS text Instant Messaging 2. Introduction Transfers of information between an organisation s departments and sites, other NHS organisations, Councils with Social Service Responsibilities (CSSR) or other third parties are commonplace and may be achieved using a variety of transfer means and formats (ie digital and hardcopy). It is a legal responsibility of an organisation to ensure that transfers of personal information for which they are responsible are secure at all stages. The loss of personal information will result in adverse incident reports which will not only affect the reputation of the organisation but can also result in the organisation being fined by the Information Commissioner. Adherence to this procedure will ensure compliance with statutory obligations and NHS Guidance on keeping information secure. For more information on the obligations and requirements placed on the organization, please see the Policy for the Protection of Personal Information 3. Scope This procedure applies to all organisation employees, trainees, contractors, temporary staff, students, researchers, trainers, and consultants who may be involved in the transmission of PID in the course of their time with the organisation. 4. Authorisation to transfer data Authorisation is required to transfer new flows of PII between organisations. Authorisation will be gained either through a service level agreement, contract, information exchange agreement or an adhoc authorisation for which a template can be found in Appendix A. Page 3 of 15

4 5. Information Flow Mapping All transfers of PID will be identified as part of the quarterly data flow mapping exercise which will include authorisation for safe processes and alerts to relevant directors of those processes and flows deemed at risk. (See Information Flow Mapping Procedure). 6. Electronic transfers of data on removable media (Disks/CDs/memory stick) In 2008, the DoH prohibited the movement of unencrypted PII on removal media in the NHS 1. Removable media includes tapes, floppy discs, removable or external hard disc drives, optical discs DVD and CD-rom, solid state memory devices including memory cards and pen drives etc Since the organisation does not have routinely provided software to encrypt data on removable media to DoH standards, if there is a requirement to transfer data it must be done on an encrypted memory stick sourced from IM&T systems are inherently insecure and patient identifiable information or sensitive business information must not be sent via unless The address is in the NHS Northamptonshire network. (This network is defined as the PCT, Provider Services and Northamptonshire Healthcare Trust. It does not include GP s.) Communications between NHSN and MHSMK are yet to be secured. The is sent via NHSMail, i.e. if from an NHS.net account to o NHS (*.nhs.net) o GSi (*.gsi.gov.uk) o CJX (*.police.uk or.pnn.police.uk) o GSE (*.gse.gov.uk) o GSX (*.gsx.gov.uk) o GCSX (*.gcsx.gov.uk) o SCN (*scn.gov.uk) o CJSM (*cjsm.net) o MoD (*.mod.uk). Or vice versa. Note NHS Northants to NHS.Net is not secure A form of approved encryption is used. 1 Page 4 of 15

5 7.1 Using NHSMail It is recommended to use of generic (or shared) mailboxes for the transfer of confidential information particularly patient related which supports a regular business process. This is to limit the possibility that the communication of information will be delayed by the failure of individuals to check their personal NHS mail inboxes, i.e. when absent from work. A generic mailbox is a mailbox which is set up to receive personally identifiable information or other confidential information for a particular team and can be accessed by several members of staff, rather than information being sent to a personal mailbox, to which only one person has access. 1. A roster for checking the generic account inboxes MUST be put in place by the local manager which guarantees that the generic mailbox is checked regularly, for example at handover time. 2. Generic accounts need to be set up by the IM&T Service Desk. 3. When is sent via NHS mail the originator must request a read receipt. The receiving party must in turn agree to the read receipt being sent to the originator on opening the The read receipts on NHS mail make it easy for the originator to see which e- mails have or have not been read, and to chase up in the event of any delay. 7.2 Approved encryption NHSMail and digital certificates It is not currently possible to securely send an from an NHSMail account to a non secure address, although this facility is being tested by CfH. There are detailed instructions in NHSMail user guidance for using digital certificates for securely sending data between non NHSMail accounts. Seek advice from the Service Desk before attempting this Voltage encryption This is a software solution purchased by NHS Northamptonshire which offers the highest levels of encryption protection. The software needs to be installed on the sender s machine Contact the IM&T Service Desk for this installation. The receiver does not need any special software or version of software but the first time they receive an encrypted they will need to go on-line and download a licence key. Page 5 of 15

6 Encrypted s using Voltage can be sent anywhere at any time and are not restricted to the NHS alone. Guidance on using Voltage is available on the intranet. /DepartmentsFunctions/Info_Governance/Voltage_instructions.pdf Securesend SecureSend provides a facility to securely send documents that are encrypted to nationally approved NHS security standards (using 256 bit AES encryption). It has been developed by Somerset Primary Care Trust and offered free of charge to other NHS and partner organisations Additional guidance Whichever method of encryption you use the following procedure should always be followed when sending confidential - You should make sure that any exchange of confidential information is part of an agreed process. This means that both those sending and receiving the information know what is to be sent; what it is for and have agreed how that information will be treated. Under no circumstances should the encryption password be sent alongside the encrypted . It is best practice to send the password either by separate or over the telephone. In the subject line of the , begin by typing CONFIDENTIAL (this informs the receiving team that personal or sensitive information is enclosed) and then enter the subject of the . Minimise the use of personally identifiable information use only the NHS Number as personal identifier is this is possible. Do not use any names or identifiers in the subject line. 8. Sending Large Files If user who is connected to the N3 needs to send a large file (between 20Mb and 1Gb) to another use on the N3 network, the NHS Secure File Transfer Program should be required. Page 6 of 15

7 Both the sender and recipient will need to have NHS Mail accounts A detailed user guide is available here. 2 Access to the secure file transfer web site is available here Office 2007 encryption Office 2007 normally encrypts files to a standard (AES 128 bit) below the DoH recommendations (AES 256 bit). Password protecting files (eg using Microsoft Office 2007) will assist in preventing casual compromise if the file is sent to the wrong recipient but is of limited use to prevent a person with a little knowledge or determination accessing the file. The more complex the password used to encrypt the file the more secure the data will be. Users are recommended to use a password of a minimum of 8 characters, containing upper and lower case characters, numbers and special characters (for #) Use of Office password protection should be subject to risk assessment considering the content and volume of data to be transmitted. Advice on the suitability of using Office encryption can be obtained from Information Governance. 10. Fax Machines All safe haven fax machines should be located in a secure environment and the faxes removed from the machine on receipt. The sender should be contacted to confirm receipt and the fax appropriately dealt with and safely stored. Improper use of fax machines have resulted in many confidentiality breaches throughout the Public Sector. Therefore, fax machines must only be used to transfer personal information where it is absolutely necessary to do so. The following rules must apply: The fax is sent to a Safe Haven location where only staff that have a legitimate right to view the information can access it. The sender must be certain that the correct person will receive it and that the fax number is correct i.e. phone the recipient to say that you are sending a confidential fax and to confirm the fax number and ask the recipient to confirm that the fax has arrived. 2 Secure File Transfer User Guide 3 Secure File Transfer web site Page 7 of 15

8 Care should be taken when dialling the number. Best practice involves always checking the safe-haven fax number before dialling; never dial from memory. Valid sources would include a locally compiled safe haven directory; alternatively a telephone call to the safe haven to check up to date details. It is good practice to identify frequently used numbers and program these into a fax machine "memory dial" facility; equally computer dialling facilities may be used where available. However, numbers must be tested in conjunction with a telephone call before using them for confidential information. Faxes containing personal information should not be left lying around for unauthorised staff to see. Only the minimum amount of personal information should be sent. Where possible the data should be anonymised or a unique identifier used. Faxes should include a front sheet, which contains a suitable confidentiality clause. For example, IMPORTANT NOTICE The information in this fax is confidential and privileged If you are not the intended recipient please accept our apologies. Please do not disclose copy or distribute information in this fax or take any action in reliance on its contents to do so is strictly prohibited and may be unlawful. Please inform us that this message has been received in error, by contacting the sender. The sender will advise you of suitable action to take regarding the material received, as we may require information to be reclaimed. Thank you for your co-operation Fax machines should have a code password and be turned off out of office hours where the fax is not in a secured office. 11. Communications by staff/post/courier All personal information/data should be addressed to a person, post holder, a consultant or a legitimate Safe Haven location - but not to a department, a unit or an organisation Internal mail Page 8 of 15

9 Mail containing PID should be sent in a securely sealed envelope and marked accordingly e.g. Confidential or Addressee only as appropriate External Mail Mail containing PID should be sent in a securely sealed envelope and marked accordingly e.g. Confidential or Addressee only as appropriate Additional special care should be taken with bulk and/or sensitive personal information such as health records, financial records, or collections of paper records. These should be either: Hand delivered by NHSN staff in a new sealed envelope; taped to seal it shut, and signed over the seal. Packages should be kept out of sight and locked away if left unattended for short periods. Sent by Royal Mail special delivery allowing tracking of delivery and signature by receiver or By an approved courier service providing proof of receipt and an audit trail. Procedures around using an approved courier service are given below. Health records, case notes and other bulky material should only be transported in approved boxes and never in dustbin sacks, carrier bags or other containers. These containers should not be left unattended unless stored, waiting for collection, in a secure area e.g. locked. The containers should only be taken and transported by the approved courier or authorised internal transport systems. Individual sets of health records and case notes should still be handled with extreme care and attention. When a record is transferred by courier it should be Placed in an new sealed envelope (not a transit envelope) Taped to seal it shut Signed over the seal When a record is transferred by a clinician it should be: Placed in a new sealed envelope (not a transit envelope) and Not left open Not left unattended Kept out of sight (locked in the boot of your car not left on the back seat) Staff should make a log of what health records/case notes have left the department (e.g. home visits etc), with who, when taken, when returned. This is formally referred to as systems for tracking records. Electronic media e.g. CD s DVD s tapes etc transported between departments, sites or organisations should be properly packaged in tamper proof envelopes and clearly and labelled confidential (See 5). Page 9 of 15

10 Packaging should be checked to ensure it is sufficient to protect the contents from any physical damage likely to arise during transit such as exposure to heat, moisture or electromagnetic fields. These should be hand delivered, sent by Royal Mail special delivery allowing tracking of delivery and signature by receiver (not recorded or registered delivery), or by approved courier service as above. Staff should request that external organisations use secure post when forwarding PII to the organisation, with tamper-evident packaging that will clearly show if the information has been accessed without authorisation Use of couriers If a courier is used, the courier used should have a contract that includes agreed minimum standards relating to security and confidentiality. The organisation will draw up an authorised list of trusted and reliable courier services for routine and secure courier transfers. Note that the internal delivery van service should be regarded as a courier service and, where relevant, the same processes followed as for an external courier. When using a courier service for the transfer of personally identifiable information the following process must be followed: Routine Courier Services For transfer of non-personal or non-sensitive information only) Authority to use courier service is obtained from appropriate level of management. Courier is selected from contracted or authorised list. A telephone call is made from the despatching organisation to the intended recipient at the receiving organisation to notify despatch Information for despatch is placed in a sealed envelopes or wallet. A signature sheet is signed by despatching and receiving organisations Secure Courier Process For transfer of person identifiable or sensitive information A Secure Courier will provide a secure and tracked mode of collection and delivery rather than a by hand / personal delivery service. Some Secure Courier services allocate a container to an organisation s items while others may store them in the same container as other organisations courier items at lesser cost. A Secure Page 10 of 15

11 Courier will be an organisation providing courier services which provide adequate security assurances set out in a written contract. For public sector bodies these courier organisations may have already signed up to the OGC buying solutions framework agreement and therefore already been assessed on the basis of their technical ability and financial standing, eg (as at June 2009): CitySprint DX Group E-Courier UK Ltd Government Car and Despatch Agency TNT UK Royal Mail Group Procedure Authority to use courier service is obtained from appropriate level of management. Only authorised courier services used A signature sheet is used to capture details of handover/takeover of the data disks The data file creation is authorised (name/role/date/time). Packaging is checked to ensure it is sufficient to protect the contents from any physical damage likely to arise during transit such as exposure to heat, moisture or electromagnetic fields; The identification of courier is checked before handover of media The courier collects the information and the signature sheet is signed by both parties. A telephone call to notify despatch is made from the despatching organisation to a named individual in the receiving organisation. Nominated staff at the destination receive the information and sign the signature sheet. 12. Verbal Communication The security and confidentiality of telephone and personal conversations should be considered within the organisation s policy and procedures and included in staff training. Staff should be mindful of the need to maintain security and confidentiality when discussing personal or other sensitive information. Page 11 of 15

12 13. Telephone Answering Machines Recorded telephone messages may contain personal or sensitive information such as names and addresses of service users, details of health or social care professionals phoning with queries about service users or applicants for jobs advertised. Consideration should be given to which staff members have access to answering machines. Password protected voic boxes can be used to control access where this functionality is available on the phone. Otherwise, physical protection should be considered, eg locating the phone in a lockable office, lowering the speaker volume, etc. 14. SMS Text Messages There are various potential applications for text messages in the provision of services, eg service user appointments. The benefits of using text messages to convey personal information must be weighed against the risks. Key considerations when using text messages are: is the mobile phone number correct? is the mobile phone receiving the text message being used by the intended recipient of the message? has the message been received, and what provision is there to audit message receipt? text messages are normally stored on SIM cards and are typically only cleared when overwritten (not necessarily when erased) - as mobile phones are easy to misplace or may get stolen, there is a danger of a breach of confidentiality occurring that the patient / service user may find distressing or damaging. Text messages should not normally be used to convey sensitive information, eg test results and the use of text messages for the transfer of personal data should be kept to a minimum, eg an appointment reminder does not need to include the name of the specific clinic. When consent is sought for appointment reminder services, service users should be informed of what information will be included in standard SMS messages sent to them via the service and the option to opt out must be available on request. 15. Electronic Messaging Software Electronic instant messaging (IM) software, such as MSN Messenger and Yahoo! Messenger is not suitable for use for the transmission of personal data as it presents a number of risks: IM software is particularly vulnerable to malware, such as virus, Trojans and worms; in many IM services, data is unencrypted. Such services therefore do not provide sufficient security for transmission of service user data, as they are at risk of unauthorised access and electronic surveillance; Page 12 of 15

13 in many IM services, there are no audit trails of access and transmission. The Care Record Guarantee (NHS and Social Care) has a requirement for systems to maintain audit trails for the access and transmission of service user data; IM services can be used to bypass restrictions on what can be sent as e- mail attachments. Whilst it is possible that solutions will be developed in future which offer the necessary security and audit controls, there are no IM solutions currently recognised by the NHS nationally as suitable for transmission of personal information. Page 13 of 15

14 Appendix A PID Transfer Authorisation Form (process) Process Authorisation Form Outbound Transmission of Personally Identifiable Data/Information (PID) - Before creating a new process to send bulk or sensitive PID, please complete this form, and submit it to the Caldicott Guardian for approval. Please note that this form should be used for all bulk and sensitive transmissions of PID across or out of NHSN. What is the data? What is the purpose of the transfer? Approximately how many records at a time? Is it sensitive data? Which location is it going to? Which organisation/person is it going to? Destination description (optional) By ? By fax? By post? By text message? Is data ed to and from NHSmail account? Do you confirm the address before sending? Do you request receipt of ? Do you encrypt ed data by recommended method? Do you phone/fax recipient in advance? Is a cover sheet used? Do you receive confirmation of fax? Is data faxed to a safe haven? Page 14 of 15

15 Is data sent on removable media? Is data encrypted by recommended method? Is data sent by courier or registered post? Is receipt of post confirmed? Is data sent in tamperproof wallet? Is data sent to a safe haven? Authorised by Director or Associate Director, signature and date Authorised by Caldicott Guardian, signature and date Contact details for Caldicott Guardian: Medical Director/Caldicott Guardian Dr Sarah Whiteman Francis Crick House Tel: Page 15 of 15

Information Governance Toolkit. Information Security Assurance. Detailed Guidance on Secure Transfers

Information Governance Toolkit. Information Security Assurance. Detailed Guidance on Secure Transfers Information Governance Toolkit Information Security Assurance Detailed Guidance on Secure Transfers Information Transfers/Flows - Security Measures 1. The outcomes of information mapping and identified

More information

IG Toolkit Version 8. Information Security Assurance. Requirement 322. Detailed Guidance on Secure Transfers

IG Toolkit Version 8. Information Security Assurance. Requirement 322. Detailed Guidance on Secure Transfers IG Toolkit Version 8 Information Security Assurance Requirement 322 Detailed Guidance on Secure Transfers IG Toolkit Version 8 Requirement 322: Detailed guidance on secure transfers Page 1 of 7 All transfers

More information

Safe Haven Policy. Equality & Diversity Statement:

Safe Haven Policy. Equality & Diversity Statement: Title: Safe Haven Policy Reference No: 010/IT Owner: Deputy Chief Officer Author Information Governance Lead First Issued On: November 2012 Latest Issue Date: March 2015 Operational Date: March 2015 Review

More information

Email Policy. Version: 1.1. Date ratified: February 2014 Name of originator /author (s): Responsible Committee / individual:

Email Policy. Version: 1.1. Date ratified: February 2014 Name of originator /author (s): Responsible Committee / individual: Version: 1.1 Ratified by: NHS Bury CCG IM&T Steering Group Date ratified: February 2014 Name of originator /author (s): Responsible Committee / individual: Greater Manchester CSU - IT Department NHS Bury

More information

Information Governance

Information Governance Information Governance Safe Haven Procedures; Guidance for all BHR CCG Staff Fax Machines Email Postage Telephone Conversations Fax Machines Confidential information faxed in emergency situations only

More information

Safe Haven Procedure. Final. Date Issued March 2009 Review Date March 2010 NHS East Midland Employees. Safe Haven Procedure: v1.

Safe Haven Procedure. Final. Date Issued March 2009 Review Date March 2010 NHS East Midland Employees. Safe Haven Procedure: v1. Safe Haven Procedure Final Version 1.0 (Final) Ratified By Executive Team Originator/Author Fabian Henderson Date Issued March 2009 Review Date March 2010 Target NHS East Midland Employees Safe Haven Procedure:

More information

Data Transfer Policy. Data Transfer Policy London Borough of Barnet

Data Transfer Policy. Data Transfer Policy London Borough of Barnet Data Transfer Policy Data Transfer Policy London Borough of Barnet Document Control POLICY NAME Data Transfer Policy Document Description Policy surrounding data transfers (electronic and paper based).

More information

Information Governance

Information Governance Information Governance Information for Patients Information Governance (IG) Contents: Identifying the IG Lead for the Practice. This identifies the main people responsible for Information Governance Policy.

More information

Secure Storage, Communication & Transportation of Personal Information Policy Disclaimer:

Secure Storage, Communication & Transportation of Personal Information Policy Disclaimer: Secure Storage, Communication & Transportation of Personal Information Policy Version No: 3.0 Prepared By: Information Governance, IT Security & Health Records Effective From: 20/12/2010 Review Date: 20/12/2011

More information

Name of responsible committee: Information Governance Board Date issued: 15 th April 09 Review date: 14 th April 11 Referenced Documents:

Name of responsible committee: Information Governance Board Date issued: 15 th April 09 Review date: 14 th April 11 Referenced Documents: Storage and Transfer of Person Identifiable Information Policy Trust Wide Policy number: ULH-IM&T-AUP03 Version: 1.1 New or Replacement: New Approved by: Executive Board Date approved: 14 th April 09 Name

More information

Secure Transfer of Information Guidance for staff

Secure Transfer of Information Guidance for staff Secure Transfer of Information Guidance for staff Document number CCG.GOV.013.1.1 Version: 1.1 Ratified by: NHS Bury CCG Quality and Risk Committee Date ratified: 8 th January 2014 Name of originator /author

More information

Mobility and Young London Annex 4: Sharing Information Securely

Mobility and Young London Annex 4: Sharing Information Securely Young London Matters April 2009 Government Office For London Riverwalk House 157-161 Millbank London SW1P 4RR For further information about Young London Matters contact: younglondonmatters@gol.gsi.gov.uk

More information

Data Encryption Policy

Data Encryption Policy Data Encryption Policy Number: THCCGCG36 Version: 01 Executive Summary This Policy defines the Security requirements for data encryption upon laptops, physical media and Secure File Transfer within the

More information

Personal Identifiable Data Security Policy

Personal Identifiable Data Security Policy Personal Identifiable Data Security Policy Number: THCCGCG43 Version: 01 Executive Summary This Policy defines the Security requirements for all Staff involved in handling Person Identifiable Data (PID)

More information

Personal Data Handling and Sharing Policy

Personal Data Handling and Sharing Policy Personal Data Handling and Sharing Policy Originator Richard Gibson Date 20 June 2012 Verifier Lynda Oliver Date 20 June 2012 Reviewed Richard Gibson, Lynda Oliver Date July 2013 Contents Page 1. Introduction

More information

Bulk Data Transfer Guidelines

Bulk Data Transfer Guidelines Bulk Data Transfer Guidelines This procedural document supersedes: CORP/ICT 20 v.1 Bulk Data Transfer. Did you print this document yourself? The Trust discourages the retention of hard copies of policies

More information

your hospitals, your health, our priority STANDARD OPERATING PROCEDURE: Safe Haven Procedure TW10-110 SOP 3 SOP NO: VERSION NO:

your hospitals, your health, our priority STANDARD OPERATING PROCEDURE: Safe Haven Procedure TW10-110 SOP 3 SOP NO: VERSION NO: STANDARD OPERATING PROCEDURE: Safe Haven Procedure SOP NO: VERSION NO: APPROVING COMMITTEE: DATE THIS VERSION APPROVED: TW10-110 SOP 3 3 Information Governance Committee July 2013 RATIFYING COMMITTEE:

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Policy for the electronic transfer of Person Identifiable Data - harmonised Version: 5 Reference Number: CO51 Supersedes Supersedes: 4 Description of Amendment(s):

More information

Non ASPH Trust Staff - DATA ACCESS REQUEST Page 1/3

Non ASPH Trust Staff - DATA ACCESS REQUEST Page 1/3 Paper 9 Non ASPH Trust Staff - DATA ACCESS REQUEST Page 1/3 Please ensure that all THREE pages of this contract are returned to: Information Governance Manager, Health Informatics, Chertsey House, St Peter

More information

A Framework for the Safe and Secure Use & Management of Community Pharmacy NHSmail email including Generic Mailboxes

A Framework for the Safe and Secure Use & Management of Community Pharmacy NHSmail email including Generic Mailboxes A Framework for the Safe and Secure Use & Management of Community Pharmacy NHSmail email including Generic Mailboxes Contents 1 Introduction 3 2 NHSmail Acceptable Use Policy 3 3 Objectives 4 4 General

More information

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has

More information

Information Security Policy. Appendix B. Secure Transfer of Information

Information Security Policy. Appendix B. Secure Transfer of Information Information Security Policy Appendix B Secure Transfer of Information Author: Data Protection and Information Security Officer. Version: 0.7 Date: March 2008 Document Control Information Document ID Document

More information

Email Services Policy

Email Services Policy Email Services Policy CONTENTS Page 1 Introduction 3 2 Scope 3 3 Review and Evaluation 3 4 General Principles 4 5 Responsibilities 4 6 Business Use and Continuity 4 7 Personal Use 6 8 Managing Email Messages

More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Policy approved by: Audit and Governance Committee Date: 4 th December 2014 Next Review Date: December 2016 Version: 1 Information Security Policy Page 1 of 17 Review and Amendment

More information

Data Transfer Policy London Borough of Barnet

Data Transfer Policy London Borough of Barnet London Borough of Barnet DATA PROTECTION 11 Document Control Document Description Data Transfer Policy Version v.2 Date Created December 2010 Status Authorisation Name Signature Date Prepared By: IS Checked

More information

Why do we need to protect our information? What happens if we don t?

Why do we need to protect our information? What happens if we don t? Warwickshire County Council Why do we need to protect our information? What happens if we don t? Who should read this? What does it cover? Linked articles All WCC employees especially mobile and home workers

More information

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING Introduction and Policy Aim The Royal Borough of Windsor and Maidenhead (the Council) recognises the need to protect Council

More information

INFORMATION MANAGEMENT & TECHNOLOGY SECURITY POLICY

INFORMATION MANAGEMENT & TECHNOLOGY SECURITY POLICY Information Management & Technology Security Policy INFORMATION MANAGEMENT & TECHNOLOGY SECURITY POLICY POLICY NO IM&T 003 DATE RATIFIED October 2010 NEXT REVIEW DATE October 2013 POLICY STATEMENT/KEY

More information

Information Security Policy London Borough of Barnet

Information Security Policy London Borough of Barnet Information Security Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Document Description Information Security Policy Policy which sets out the council s approach to information

More information

Trust Informatics Policy. Information Governance. Secure Transfer of Information Policy

Trust Informatics Policy. Information Governance. Secure Transfer of Information Policy Trust Informatics Policy Information Governance Policy Reference: 3628 Document Title Author/Contact Document Reference 3628 Document Control Pauline Nordoff-Tate, Information Assurance Manager Document

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Rev Date Purpose of Issue/ Description of Change Equality Impact Assessment Completed 1. June 2011 Initial Issue 2. 29 th March 2012 Second Version 3. 15 th April 2013 Third

More information

Introduction to the NHS Information Governance Requirements

Introduction to the NHS Information Governance Requirements Introduction to the NHS Information Governance Requirements 2 Version April 2014 Information Governance ensures necessary safeguards for, and appropriate use of, patient and personal information. The widely

More information

USB Data Stick Procedure

USB Data Stick Procedure SH IG 41 INFORMATION SECURITY SUITE OF POLICIES Procedure for the Management of Personal Data Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: Next Review : This procedure

More information

E-Mail Use Policy. All Staff Policy Reference No: Version Number: 1.0. Target Audience:

E-Mail Use Policy. All Staff Policy Reference No: Version Number: 1.0. Target Audience: E-Mail Use Policy Authorship: Barry Jackson Information Governance, Security and Compliance Manager Committee Approved: Integrated Audit and Governance Committee Approved date: 11th March 2014 Review Date:

More information

E-Mail, Calendar and Messaging Services Good Practice Guideline

E-Mail, Calendar and Messaging Services Good Practice Guideline E-Mail, Calendar and Messaging Services Good Practice Guideline Programme NPFIT Document Record ID Key Sub-Prog / Project Information Governance NPFIT-FNT-TO-IG-GPG-0017.01 Prog. Director Mark Ferrar Status

More information

Version: 2.0. Effective From: 28/11/2014

Version: 2.0. Effective From: 28/11/2014 Policy No: OP58 Version: 2.0 Name of Policy: Anti Virus Policy Effective From: 28/11/2014 Date Ratified 17/09/2014 Ratified Health Informatics Assurance Committee Review Date 01/09/2016 Sponsor Director

More information

Ixion Group Policy & Procedure. Remote Working

Ixion Group Policy & Procedure. Remote Working Ixion Group Policy & Procedure Remote Working Policy Statement The Ixion Group (Ixion) provide laptops and other mobile technology to employees who have a business requirement to work away from Ixion premises

More information

Emailing and Texting with Patients

Emailing and Texting with Patients Emailing and Texting with Patients Trust Board Meeting - Part 1 Item: 8.4 25 September 2013 Enclosure: I Purpose of the Report: This paper explores the use of email and texting in certain forms of communication

More information

Hulme Hall Medical Group

Hulme Hall Medical Group Beacon Practice for Patient Online Hulme Hall Medical Group Fax and Emailing Handling Policy Written By: Joanne Revell Signed: Authorised by: Anna Webster Signed: Job Title: Practice Manager CQC Lead Effective

More information

PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY

PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY CORPORATE POLICY Document Control Title Paper Records Secure Handling and Transit Policy Author Information Governance Manager ** Owner SIRO/CIARG Subject

More information

Policy Document. IT Computer Usage Policy

Policy Document. IT Computer Usage Policy Policy Document IT Computer Usage Policy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Author IT Services Manager Version 4.1 Issue Issue Date

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Electronic Mail Policy Version: 5 Reference Number: CO6 Keywords: (please enter tags/words that are associated to this policy) Email Supersedes Supersedes: Version

More information

Best practice guidance for information security within Choose and Book May 2009

Best practice guidance for information security within Choose and Book May 2009 Best practice guidance for information security within Choose and Book May 2009 Best practice guidance for information security within Choose and Book This guidance has been prepared to help organisations

More information

Remote Access and Home Working Policy London Borough of Barnet

Remote Access and Home Working Policy London Borough of Barnet Remote Access and Home Working Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Remote Access and Home Working Policy Document Description This policy applies to home and

More information

Policies and Procedures. Policy on the Use of Portable Storage Devices

Policies and Procedures. Policy on the Use of Portable Storage Devices Policies and Procedures Policy on the Use of Date Approved by Trust Board Version Issue Date Review Date Lead Person One May 2008 Dec 2012 Head of ICT Two Dec 2012 Dec 2014 Head of ICT Procedure /Policy

More information

Information Protective Marking and Handling Policy

Information Protective Marking and Handling Policy Information Protective Marking and Handling Policy Change History Version Date Description Author 0.1 11/01/2013 First Draft Anna Moore 0.2 28/02/2013 Amended taking into account SSTP protective marking

More information

Somerset County Council - Data Protection Policy - Final

Somerset County Council - Data Protection Policy - Final Organisation Title Author Owner Protective Marking Somerset County Council Data Protection Policy - Final Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council

More information

Information governance

Information governance Information governance Staff handbook RDaSH 88 02 Information governance Introduction to information governance Overview 88 03 Information governance or IG - includes information security and confidentiality,

More information

Policy Document Control Page. Updated to include new NHS mail encryption feature

Policy Document Control Page. Updated to include new NHS mail encryption feature Policy Document Control Page Title Title: Electronic Mail Policy Version: 6 Reference Number: CO6 Keywords: (please enter tags/words that are associated to this policy) Email Supersedes Supersedes: Version

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Corporate Affairs Overview and Scrutiny Committee

Corporate Affairs Overview and Scrutiny Committee Agenda item: 4 Committee: Corporate Affairs Overview and Scrutiny Committee Date of meeting: 29 January 2009 Subject: Lead Officer: Portfolio Holder: Link to Council Priorities: Exempt information: Delegated

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy Recommending Committee: Approving Committee: Information Governance Steering Group Patient Safety & Experience Council Signature: Designation: Chief Executive Date: Version Number:

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Information Security Adults Services. Practice guidance. Revised Version: 1.2 Effective from: August 2014 Next review date: August 2015

Information Security Adults Services. Practice guidance. Revised Version: 1.2 Effective from: August 2014 Next review date: August 2015 Information Security Adults Services Practice guidance Revised Version: 1.2 Effective from: August 2014 Next review date: August 2015 Sign off: Jenny Daniels Title: Head of Health and Social Care Practice

More information

DATA ENCRYPTION POLICY

DATA ENCRYPTION POLICY DATA ENCRYPTION POLICY Contents 1. Introduction...4 2. Purpose...4 3. Audience...4 4. Responsibilities/Duties...4 4.1 Individual Staff Responsibilities...4 4.2 Accountable Officer...5 4.3 Director of Strategy

More information

Data Protection and Information Security. Data Security - Guidelines for the use of Personal Data

Data Protection and Information Security. Data Security - Guidelines for the use of Personal Data Data Protection and Information Data - Guidelines for the use of Personal Data Page 1 of 10 Created on: 21/06/2013 Contents 1. Introduction... 3 2. Definitions... 3 4. Physical... 4 5 Electronic... 6 6

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

LSE PCI-DSS Cardholder Data Environments Information Security Policy

LSE PCI-DSS Cardholder Data Environments Information Security Policy LSE PCI-DSS Cardholder Data Environments Information Security Policy Written By: Jethro Perkins, Information Security Manager Reviewed By: Ali Lindsley, PCI-DSS Project Manager Endorsed By: PCI DSS project

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Dene Community School of Technology Staff Acceptable Use Policy

Dene Community School of Technology Staff Acceptable Use Policy Policy Overview Dene Community School of Technology The school provides computers for use by staff as an important tool for teaching, learning, and administration of the school. Use of school computers,

More information

Bexley Safeguarding Children Board. Information Sharing and Secure Document Transfer Guidance

Bexley Safeguarding Children Board. Information Sharing and Secure Document Transfer Guidance Bexley Safeguarding Children Board Information Sharing and Secure Document Transfer Guidance All professionals who work with children and young people, or with adults who are parents or carers, should

More information

Information Sharing Policy

Information Sharing Policy Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed

More information

Data Encryption Policy

Data Encryption Policy Data Encryption Policy Please be aware that this printed version of the Policy may NOT be the latest version. Staff are reminded that they should always refer to the Intranet for the latest version. Purpose

More information

Privacy & Security Standards to Protect Patient Information

Privacy & Security Standards to Protect Patient Information Privacy & Security Standards to Protect Patient Information Health Insurance Portability & Accountability Act (HIPAA) 12/16/10 Topics An An Introduction to to HIPAA HIPAA Patient Rights Rights Routine

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction NHSnet : PORTABLE COMPUTER SECURITY POLICY 9.2 Introduction This document comprises the IT Security policy for Portable Computer systems as described below. For the sake of this document Portable Computers

More information

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Three

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Three Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Three Data Handling in University Information Classification and Handling Agenda Background People-Process-Technology

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

CCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

CCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY CCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review

More information

Acceptable Use of Information Systems Standard. Guidance for all staff

Acceptable Use of Information Systems Standard. Guidance for all staff Acceptable Use of Information Systems Standard Guidance for all staff 2 Equipment security and passwords You are responsible for the security of the equipment allocated to, or used by you, and must not

More information

INFORMATION GOVERNANCE STAFF HANDBOOK AND CODE OF CONDUCT

INFORMATION GOVERNANCE STAFF HANDBOOK AND CODE OF CONDUCT e-health Cumbria INFORMATION GOVERNANCE STAFF HANDBOOK AND CODE OF CONDUCT TABLE OF CONTENTS 1. INTRODUCTION... 4 2. INFORMATION GOVERNANCE... 4 3. WHAT DO YOU NEED TO KNOW ABOUT INFORMATION GOVERNANCE?..

More information

Angard Acceptable Use Policy

Angard Acceptable Use Policy Angard Acceptable Use Policy Angard Staffing employees who are placed on assignments with Royal Mail will have access to a range of IT systems and mobile devices such as laptops and personal digital assistants

More information

Remote Data Extraction Policy and Procedure

Remote Data Extraction Policy and Procedure Remote Data Extraction Policy and Procedure Prepared by PRIMIS June 2015 The University of Nottingham. All rights reserved. Contents 1. Introduction... 3 2. Purpose and scope... 3 3. Policy Statement...

More information

NHS Information Governance:

NHS Information Governance: NHS Information Governance: Information Risk Management Guidance: Short Message Service (SMS) & Texting Department of Health Informatics Directorate April 2010 1 Amendment History Version Date Amendment

More information

Security Incident Management Policy

Security Incident Management Policy Security Incident Management Policy January 2015 Document Version 2.4 Document Status Owner Name Owner Job Title Published Martyn Ward Head of ICT Business Delivery Document ref. Approval Date 27/01/2015

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

Policy: Remote Working and Mobile Devices Policy

Policy: Remote Working and Mobile Devices Policy Policy: Remote Working and Mobile Devices Policy Exec Director lead Author/ lead Feedback on implementation to Clive Clarke SHSC Information Manager SHSC Information Manager Date of draft 16 February 2014

More information

Information Security Code of Conduct

Information Security Code of Conduct Information Security Code of Conduct IT s up to us >Passwords > Anti-Virus > Security Locks >Email & Internet >Software >Aon Information >Data Protection >ID Badges > Contents Aon Information Security

More information

Information Governance

Information Governance Information Governance What you will learn in this session? 1. Principles of Information Governance and their application to health and social care organisations 2. Accessing Information Governance resources

More information

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013 Information Security Incident Management Policy Policy and Guidance June 2013 Project Name Information Security Incident Management Policy Product Title Policy and Guidance Version Number 1.2 Final Page

More information

Findings from ICO audits and reviews of community healthcare providers. June 2013 to December 2014

Findings from ICO audits and reviews of community healthcare providers. June 2013 to December 2014 Findings from ICO audits and reviews of community healthcare providers June 2013 to December 2014 Introduction The Information Commissioner s Office (ICO) is the regulator responsible for ensuring that

More information

Information Governance Training Booklet for Pharmacy Staff January 2010

Information Governance Training Booklet for Pharmacy Staff January 2010 Information Governance Training Booklet for Pharmacy Staff January 2010 dra_schwartz/istock 2 Introduction To ensure compliance with the law and NHS requirements, all staff working in pharmacies that have

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Information Governance Manual Training Booklet

Information Governance Manual Training Booklet Information Governance Manual Training Booklet Introduction This booklet is aimed at staff who do not access a computer whilst working for the Trust. If you have access to a computer, you must complete

More information

Information Governance Performance Manager. Important Note: The Intranet version of this document is the only version that is maintained.

Information Governance Performance Manager. Important Note: The Intranet version of this document is the only version that is maintained. Document Summary DOCUMENT NUMBER DATE RATIFIED POL/002/004 14 October DATE IMPLEMENTED October 2013 NEXT REVIEW DATE October 2015 ACCOUNTABLE DIRECTOR POLICY AUTHOR Director of Business Development Information

More information

Acceptable Use of ICT Policy For Staff

Acceptable Use of ICT Policy For Staff Policy Document Acceptable Use of ICT Policy For Staff Acceptable Use of ICT Policy For Staff Policy Implementation Date Review Date and Frequency January 2012 Every two Years Rev 1: 26 January 2014 Policy

More information

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy DOCUMENT INFORMATION Author: Vince Weldon Associate Director of IM&T Approval: Executive This document replaces: IM&T Policy No. 1 Anti Virus Version

More information

Information Governance

Information Governance CONTROLLED Information Governance Caldicot Version-Workbok Non Caldicott Version - Workbook Version 12 January 2015 40 1 Don t Get Bitten by the Data Demon Notes Using this Workbook The objective of this

More information

Information Governance Staff Handbook. Information Governance Staff Handbook

Information Governance Staff Handbook. Information Governance Staff Handbook Information Governance Staff Handbook Information Governance Staff Handbook August 2014 Version 2 Page 1 of 35 Document History Document Reference: IG42 The document compliments all other Information Governance

More information

LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

ABERDARE COMMUNITY SCHOOL

ABERDARE COMMUNITY SCHOOL ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been

More information

MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY

MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY Moorland is committed to ensuring that, as far as it is reasonably practicable, the way we provide services to the public and the way we treat

More information

Originator: Chris Parkin Date: 4 March 2015 Approved by: Senior Management Team Type: Policy. Computer Security Policy

Originator: Chris Parkin Date: 4 March 2015 Approved by: Senior Management Team Type: Policy. Computer Security Policy Originator: Chris Parkin Date: 4 March 2015 Approved by: Senior Management Team Type: Policy Computer Security Policy Contents 1 Scope... 3 2 Governance... 3 3 Physical Security... 3 3.1 Servers... 3 3.2

More information

CONTACTING SERVICE USERS BY TEXT MESSAGES (SMS) POLICY

CONTACTING SERVICE USERS BY TEXT MESSAGES (SMS) POLICY CONTACTING SERVICE USERS BY TEXT MESSAGES (SMS) POLICY POLICY NUMBER 098/Corporate POLICY VERSION 1 RATIFYING COMMITTEE Information Governance Group DATE RATIFIED May 2012 DATE OF EQUALITY & HUMAN RIGHTS

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

Informatics Policy. Information Governance. Network Account and Password Management Policy

Informatics Policy. Information Governance. Network Account and Password Management Policy Informatics Policy Information Governance Policy Ref: 3589 Document Title Author/Contact Document Reference 3589 Document Control Network Account Management and Password Policy Pauline Nordoff-Tate, Information

More information