INFORMATION MANAGEMENT & TECHNOLOGY SECURITY POLICY

Transcription

1 Information Management & Technology Security Policy INFORMATION MANAGEMENT & TECHNOLOGY SECURITY POLICY POLICY NO IM&T 003 DATE RATIFIED October 2010 NEXT REVIEW DATE October 2013 POLICY STATEMENT/KEY OBJECTIVE: To protect the information assets of Lancashire Care NHS Foundation Trust Accountable Director: Policy Author: Director of Finance, IM&T & Estates IM&T Project Manager

2 Contents Page Summary of Document Changes 2 Executive Summary 3 1 Introduction Rationale Scope Principles 4 2 Definitions 4 3 Legal Compliance 5 4 Policy Management Responsibilities Staff Responsibilities Risk Management Implementation 6 5 Audit & Monitoring 7 6 Reference Documents 7 7 Appendix no.1 - Data Protection guidance for staff 8 1

3 Summary of Document Changes / Adaptations. POLICY POLICY NO IM&T 004 IM&T Security DATE RATIFIED DEC 2009 PROPOSED REVIEW DATE Oct 2011 TO SMN Document section 1.2 Scope Page 2 Nature of change. Expanded scope to define who it applies to e.g. all Trust employees, people working on behalf of the Trust etc Applicability of business functions and what the networks are used for 3.0 Legal Compliance Page 3 Added this legislation: Access to Health Records 1990 The Human Rights Act 1998 Electronic Communications Act 2000 Regulation of investigatory powers Act 2000 Health & Social Care Act Management Responsibility Page Staff Responsibility Page Risk Management Page Implementation Page Audit and Monitoring Page Reference Documents Page 6 Appendix No.1 Taking Confidential data off site Page 10 Two more bullets added to the end of the list referring to: Secure and resilient remote access to network Ensure all users are provided with security guidance and training / awareness of security responsibilities Added bullet point 4 using home IT equipment for work purpose Added last bullet adherence to policy Paragraph on monitoring the policy has been moved to section 5.0 Audit and Monitoring Added in other means of communication and access e.g. Network Governance groups, IG e-learning package and weekly e-bulletin Refer to 4.3 paragraph moved from section 4.3 Expanded ref doc s Lifecycle of records policy superseded by Corporate Records Management Policy and Records Management strategy Added in Bullet point 2 reference re application of Safeboot on laptops Use of USB Memory sticks This page can be destroyed after the release of any subsequent Summary of Changes / Adaptations statements related to this policy or after 3 months. 2

4 Executive Summary Subject Security of Information and Information Technology Applicable to All Trust staff and those authorised to use or access the networks or systems on behalf of the Trust Key Policy Issues To protect Trust information assets Management responsibilities Staff responsibilities Risk management Date Issued December 2009 Dates Policy reviewed December 2009 Next review due date October 2013 Policy written by Michelle J Brammah Consultation IM&T Team Policy reviewed by: Lead responsible for policy Monitoring arrangements Approved by Authorised by IM&T Project Manager, IT Security, Information Governance and IM&T senior management Associate Director of IM&T Internal and external audit, compliance with annual IGT submission EMT Signature Related procedural documents Data Protection Guidance 3

5 1 Introduction The objective of the Information Management and Technology (IM &T) Security Policy is to protect the data assets processed by Lancashire Care NHS Foundation Trust. The organisation has a legal and moral responsibility to protect the personal data it holds. Compliance with this policy and the associated guidance is necessary to ensure business continuity, and minimise data loss. 1.1 Rationale The NHS Information Governance Toolkit sets out responsibilities for all NHS organisations to ensure data is secure. This policy reflects the requirements of the information governance toolkit. Further information can be found at Scope This policy applies to information (data), which is stored or processed in manual filing systems, on any form of computer. This Policy applies to all Trust employees, other persons working for or on behalf of the Trust and usage by anyone granted access to the Trust network. It is applicable to all business functions and information contained on the network, the physical environment and relevant people who support the network. The networks within the Trust are used for: Storage, sharing and transmission of clinical and non clinical data and images Printing or scanning of clinical or non clinical data or images The provision of internet systems for receiving, sending and storing of clinical and non clinical data and images Remote access by mobile users a, home workers and non NHS staff Storage and transportation of data and images on removable media 1.3 Principles The key principles are: - Information assets and information processing facilities shall be protected against unauthorised access and disclosure. Statutory and legal obligations must be met. Unauthorised use of information assets and information processing facilities shall be prohibited; the use of obscene, racist or otherwise offensive statements shall be dealt with in accordance with other relevant policies published by Lancashire Care NHS Foundation Trust All breaches of information security, actual or suspected, shall be reported and investigated in line with Lancashire Care NHS Foundation Trust s published policies 2 Definitions This policy uses the terms 'data' and 'processing' as defined by the Information Commissioner. ( 4

6 3 Legal Compliance The Trust has a legal obligation to protect the data it processes. The legislation directly relating to this policy is: Data Protection Act, 1998 Access to Health Records Act 1990 Freedom of Information Act, 2000 The Human Rights Act 1998 Computer Misuse Act, 1990 Electronic Communications Act 2000 Regulation of Investigatory Powers Act 2000 Copyright, Designs and Patents Act, 1993 Health & Social Care Act Policy Every person in the organisation has a responsibility for data protection. The Trust processes very sensitive personal data and everyone has an obligation to protect this data. All employees must make themselves familiar with Data Protection Guidance. 4.1 Management Responsibilities Management must ensure that all employees are updated and informed of their security responsibilities and that an adequate confidentiality clause is contained in contracts of employment. In addition they must also: Ensure all breaches in the operation of this policy and the procedures laid down herein are dealt with promptly and in an appropriate manner. Ensure all employees have adequate opportunities to familiarise themselves with data processing systems. Ensure only authorised employees are allowed to use data processing systems with appropriate levels of access where applicable. Ensure appropriate business continuity plans are in place in the event of systems failure. Ensure adequate controls are in place for monitoring usage of data processing systems and that staff are aware of them. Ensure IT equipment is maintained and secure. Ensure that all removable media (USB pens, floppy disks etc), and confidential hard copy material, including microfiche are stored in a secure environment and are securely disposed of and that all redundant or faulty hardware is returned to the IM&T department. Patient relevant information must be dealt with in accordance with the Health Records Policy. Ensure suppliers and third party contractors comply with this policy and that a Data Processing Agreement covers any external data processing. Ensure appropriate data sharing agreements are in place with external agencies and that staff are aware of these. Provide secure and resilient remote access to Trust Information systems. 5

7 Ensure that all users of the network are provided with the necessary security guidance, awareness and appropriate training to discharge their security responsibilities 4.2 Staff Responsibilities All employees are responsible for ensuring that breaches of information security do not result from their actions and that they have made themselves familiar with their security responsibilities before handling data or using data processing systems. In addition they must also: Seek further assistance from management or the IM & T department if unclear of their responsibilities. Never share system passwords with anyone else and always log off from the computer / system when not in use. Always store Trust data on central systems; never store data where it is not backed-up or retrievable by Trust staff. Refrain from using personal home IT equipment for work purposes unless arrangements have been made with the IT Service for access to VPN (Virtual Private Network) using a secure fob. Any transfer of electronic information onto home IT equipment is strictly prohibited regardless of method used i.e. portable media or Make sure they are aware of any emergency procedures in the event of a system failure. Keep IT hardware safe and secure. Always take IT equipment back to the IM & T Department if leaving the Trust or if it is no longer needed. Always ensure that personal data copied to removable media (USB Pens, floppy disks, etc) is encrypted. If unsure how to do this check with the IM & T department. Report suspected breaches of data security using the Trust's incident reporting procedures. Failure by an employee of the Trust to adhere to the policy and any associated guidance may result in disciplinary action. 4.3 Risk Management Requirements for information security risk analysis and management can be found within ISO27001, to which the IM & T department is working toward accreditation. To ensure compliance with the IM&T Security Policy regular assessments of security will be conducted to identify security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability. 4.4 Implementation This policy will be communicated to all employees via Network Directors and Service Leads Corporate Inductions Network Governance Groups Information Governance e-learning package (available on the Trust s intranet) Intranet Weekly e-bulletin 6

8 5 Audit & Monitoring Use of the Trust's data processing systems is subject to monitoring by the IM & T department. All employees should be aware that and Internet usage is monitored to ensure compliance with legislation and policy. Implementation of the policy and all systems will be subject to periodic review by both internal and external auditors. All recommendations will be implemented unless senior Trust management gives specific dispensation. This policy will be implemented in line with NHSLA requirements to ensure the effectiveness of its implementation and staff knowledge and understanding of the content. Standard Timeframe How audited Lead Annual IGT submission IG Leads 6 Reference Documents This policy should be considered in relation to the following policies and guidance: Corporate Records Management Policy Records Management Strategy Policy For the Control And Use Of Mobile Phone Devices Health Records Service Security and Confidentiality Policy Policy for the Communication of Clinical Information via Policy for Electronic Communications Access to Health Records Policy Data Quality Policy ISO Information Security principles NHSIA Information Governance Toolkit - Information Security Workbook Requirements ITIL Standards Please refer to the Recording Service Users Details on the NHS Care Record Service and ecpa, which is available on the intranet if you are required to record clinical activity. 7

9 Appendix 1 Data Protection guidance for employees Introduction The Data Protection Act 1998 provides a legal framework for ensuring that personal information is handled properly. Firstly it requires that anyone who processes personal information must comply with the following eight principles to ensure that information is: Fairly and lawfully processed Processed for limited purposes Adequate, relevant and not excessive Accurate and up to date Not kept for longer than necessary Processed in line with the rights of the individual concerned Secure Not transferred to other countries without adequate protection. The second area covered by the Act provides individuals with important rights, including the right (with certain exemptions) to find out what personal information is held about them on computer and most paper records. In addition, the NHS also has its own Code of Practice on Confidentiality. This paper provides a general checklist of requirements/good practice in relation to the handling of personal data held by the Lancashire Care NHS Foundation Trust. It is not exhaustive and should be read in the context of the legislation itself. Obviously more detailed advice may need to be sought where specific issues arise. 8

10 Checklist of requirements/good practice Paper records Do not store any records, which contain personal data unnecessarily or for longer than necessary (check the NHS guidelines on retention of records). Files containing such information should be clearly marked Private and confidential and kept in secure locked filing cabinets or locked desk drawers with access strictly on a need to know basis. Do not leave files of this nature lying about on your desk for others to see. Where departments/individuals need to keep large volumes of such records then managers should consider installing a key entry pad on the office door or some other form of lock. Everybody should take care when opening confidential mail to ensure it is not simply left in full view on a desk or elsewhere in the office. When distributing sensitive mail internally this should be sent in sealed envelopes clearly marked Private & confidential for the personal attention of X. Where possible person-to-person delivery of such items is best. Destroying confidential records All files should be checked before discarding to ensure that they do not contain personal/sensitive data. Under no circumstances should confidential files be disposed of via general waste collection systems. Confidential files should be either shredded or sent for incineration. White sacks for confidential waste are available throughout the Trust and must not be left unsecured. Check when you are photocopying / printing that you have not accidentally discarded any confidential material or sent it to the wrong printer. Never leave personal data on the printer for any period of time. 9

11 Faxing Avoid using personally identifiable information where possible in s. Do not use people s names and other personal information in the subject strap-line (instead use, e.g., initials or ref no s). In particular do not include several pieces of personal info about the same individual (e.g. name/date of birth/address) which could allow for identity theft. Under Freedom of Information and Data Protection legislation, beware of what you write in s. Also, when forwarding an containing a string of previous messages, take care that these do not contain anything sensitive. If you have to send personal data using to an external recipient it must be encrypted. Attachments are also unsafe unless they have been encrypted; a password on a file is not sufficient. Always seek advice from the IM & T Department if you are planning to send large amounts of personal data Post is the absolute last option for sending sensitive personal data but, where the need does occur, always use recorded delivery. Always have a process in place to confirm that the delivery has reached its destination as required. Please report to your line manager/information governance lead whenever confidential data has come into your possession inappropriately and ensure that the sender is notified and rectifies their processes for the future. Double-check the fax no. Use a cover sheet stating clearly who the fax is for (an identifiable individual); who it is from (your name/phone/fax no); and marked Private & confidential. If appropriate ask for a report sheet to confirm transmission. For sensitive faxes ring ahead and make sure the intended recipient is available to receive it. Better still check whether there is a safe-haven fax facility available. Ask the recipient to ring and confirm receipt this is important. For incoming faxes, someone should be assigned responsibility for checking the fax machine. They should check the fax machine several times a day (particularly first thing in the morning and last thing at night) and ensure incoming faxes are distributed appropriately. Taking confidential data off-site This should be avoided as much as possible and line managers need to be aware of the extent of this practice to assess risk. Confidential information on laptops or other portable electronic equipment must be encrypted and kept to an absolute minimum. The IT Dept are ensuring that all laptops have full disk encryption (SafeBoot) available to store confidential and sensitive data. A password locking system is not sufficient. Where there is a need for staff to hold sensitive data on mobile devices and media other than their laptops, a Trust encrypted memory (USB) stick must be used. The IT 10

12 department are enforcing the use of USB sticks with appropriate software (Sanctuary). Should any item go missing while containing sensitive data, the user must immediately inform their line manager and complete an IR1 form. Paper records must be kept secure during transit, for example in a locked briefcase/folder etc. When driving, laptops/files etc should be kept out of sight (e.g. in a boot or under a seat). Under no circumstances should files (whether electronic or paper) containing personal data be left unattended in your car. If you are keeping information overnight then laptops/folders etc should be moved from your car to your home Keep laptops, bags etc away from main doors and front halls where they are at greater risk from opportunist burglars. Keep confidential information out of sight of family and friends (e.g. in a cupboard) Never allow friends or family to use your NHS IT equipment. Avoid doing NHS work on your home computer unless it is using the authorised secure home access system. This not only avoids the exposure of NHS systems to viruses but also avoids copies of confidential documents being left on hard drives of home computers. Miscellaneous Unless you can be sure of, or verify, the caller s identity, you should never disclose personal information over the phone. Ensure that when you are viewing person-identifiable data on a screen, that the data is not viewable by others, especially if being viewed in a public accessed area (for instance a reception). You are responsible for the safety of your IT equipment. The IM & T Department is responsible for the disposal of all IT equipment. Remember - Data Protection Is Everyone s Responsibility 11

13 Lancashire Care NHS Foundation Trust Initial Equality Impact Assessment Department/Function Person responsible Contact details IM&T Michelle J Brammah Michelle.brammah@lancashirecare.nhs.uk Name of policy/procedure/service IM&T Security Policy to be assessed Date of assessment 28 July 2009 Is this a new or existing policy/procedure/service? 1. Briefly describe the aims, objectives and purpose of the policy/procedure/service? Existing The aim of the policy is to set out requirements to protect all Trust data assets. The Trust has a legal and moral responsibility to protect personal data it holds. Compliance with the Policy is to ensure business continuity and to minimise data loss. It applies to all Trust employees, those working on behalf of the Trust and those granted access to the systems. 2. Who is intended to benefit? All Trust Users 3. What outcomes are wanted? Trust Users take responsibility for the use and security of all IM&T systems 4. Who are the main stakeholders? All Trust Users including contractors and third parties undertaking work on behalf of the Trust 5. Who is responsible for implementation? Management and employees 12

14 6. Are there concerns that there could be differential impact on the following groups and what existing evidence do you have for this? People from a Black or minority ethnic background Women or men Including trans people People with disabilities or long term health conditions Y N This policy is applicable to all employees who are authorised to access and use the Trust systems and networks. Ethnicity and background has no bearing on individual responsibility. Y There are no gender issues associated with the understanding N and implementation of this policy. The policy applies equally to men and women. Y N This Policy can be made available in audio or large print for users who have visual impairment. People with or without a religion or beliefs Y N This policy neither infers or refers to religion or a specific belief. Religion or specific beliefs have no impact on adhering to the requirements of the Policy. Lesbian, gay,bisexual or heterosexual people Y N The sexuality of an individual has no implications for complying with responsibilities outlined in the policy Older or younger people Y N There is no anticipated impact or concerns for these groups. However assistance to aid understanding can be provided by line management or IM&T advisors. 7. Could any differential impact identified above be potentially adverse? 8. Can any adverse impact be justified on the grounds of promoting equality of opportunity? 9. Have you consulted with those who are likely to be affected? 10. Should the policy/procedure/service proceed to full impact assessment? Y N No Y N No Y N No Y N No I understand the impact assessment of this policy/procedure/service is a statutory obligation and take responsibility for the completion of this process. Names of assessors: Michelle J Brammah Date of assessment: July 2009 Date of next review: October

15 14