Information Security Policy

Transcription

1 Information Security Policy JUNE 2014 Author Responsibility Lynda Harris, Head of Information Governance, Central Eastern CSU, Bedfordshire and Luton All staff Effective Date June 2014 Review Date June 2015 Reviewing/Endorsing Committees Risk Management Group Approved by Risk Group 7 July 2014 Date ratified by CCG Executive Team Version number 2 Information Security Policy Page 1

2 Policy Development Process Names of those involved in policy development Name Designation Lynda Harris Head of Information Governance Elaine Baugh Information Governance Names of those consulted regarding the policy approval Date Name Designation Equality Impact Statement prepared and held by Date Name Designation Lynda Harris Head of Information Governance Committee where policy was discussed/approved/ratified Committee/Group Date Status Risk Management Group Approved Equality Impact Statement Bedfordshire Clinical Commissioning Group is committed to promoting equality in all its responsibilities as commissioner of services, as a provider of services, as a partner in the local economy and as an employer. This policy will contribute to ensuring that all users and potential users of services and employees are treated fairly and respectfully with regard to the protected characteristics of age, disability, gender, reassignment, marriage or civil partnership, pregnancy and maternity, race, religion, sex and sexual orientation. Information Security Policy Page 2

3 Contents Page Introduction 4 Purpose 4 Definitions 4 Scope and limitations 5 Context 5 Responsibilities 6 Development Process 7 Information Security 7 Information Quality Assurance 7 Records Management 7 Information Security Management 8 BCCG Information Security 8 Human Resources Security 8 Physical and Environmental Security 8 Communications and Operations Management 8 Incident Management 9 Reporting an information governance incident 9 Training requirements 9 Monitoring 9 Related documents 10 Appendix 1 11 Information Security Policy Page 3

4 Introduction This policy ensures that all information and information systems within Bedfordshire Clinical Commissioning Group (BCCG) are secured in such a way it would be highly unlikely that unauthorised persons would have access to the data contained therein. This policy is written as an overarching Information Security Policy. Individual detailed policies for each aspect of information security are referenced from this policy. New referenced policies will be added or amended as and when appropriate. Purpose To ensure that BCCG complies with legislation and NHS standards in respect of Information Security and in particular the requirements of the NHS in respect of securing electronic data through encryption. However this overarching policy is not specific to electronic data and also applies to manually held records. It is necessary to ensure that any information, but personally identifiable data is particular, is secure and unable to be seen by any unauthorised person. Definitions Audit Breach a systematic check or assessment, especially of the efficiency or effectiveness of an organization or a process. a failure to obey, keep, or preserve something such as a law, trust, or promise. Caldicott Guardian a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. Confidentiality - carried out or revealed in the expectation that anything done or revealed will be kept private. Encryption to convert computer data and messages into something incomprehensible using a key, so that only a holder of the matching key can reconvert them. IG Toolkit an online system which allows NHS organisations and partners to assess themselves against Department of Health Information Governance policies and standards. Information Governance a framework to bring together all the legal rules, guidance and best practice that apply to the handling of information. Information Security Policy Page 4

5 Information security technical and organisational measures taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data Personal Identifiable Data (PID) information that can be used on its own or with other information to identify an individual. Records management the practice of maintaining the records of an organisation from the time they are created up to their eventual disposal. Senior Information Risk Owner (SIRO) responsible for managing information risks, incidents and management of all information assets. Scope and limitations This policy applies to all employees (permanent, seconded, contractors, management and clinical trainees, apprentices, temporary staff and volunteers) of BCCG. Third parties with whom BCCG may agree information sharing protocols will be governed by the associated information sharing agreements and will be made aware of this policy. This policy covers all information systems purchased, developed and managed by or on behalf of BCCG and its partners. It also applies to any person directly employed, contracted or volunteering to BCCG. This policy covers all aspects of information within BCCG, including but not limited to: Patient/client/service user information Personnel information Organisation information This policy covers all aspects of handling information, including (but not limited to): Structured record systems paper and electronic Transmission of information fax, , post and telephone Storage systems such as cabinets, servers, etc for both paper and electronic Electronic information includes computer disc, USB memory stick, CD, DVD, internet files Context BCCG recognises the need for appropriate sharing of information whilst maintaining confidentiality of personal information. BCCG supports the principles of corporate Information Security Policy Page 5

6 governance and recognises its public accountability in the use of commercially sensitive information and of personal information about patients and staff. BCCG recognises the need to share patient information with other health organisations and other agencies in a controlled manner, consistent with the interests of the patient and with the public interest. Accurate, timely and relevant information support the delivery of high quality health care. Responsibilities The Accountable Officer is responsible for information Security and the systems of Internal Controls. The Caldicott Guardian is responsible for ensuring the confidentiality of Patient based information. This was defined in the Caldicott Report of December The Caldicott Guardian will ensure that there are robust policies in place to ensure that patient information will remain confidential and be seen only by those clinicians authorised to see that data. The Caldicott Guardian will ensure breaches of this policy in respect of patient information are investigated and will also ensure that Information Governance is duly regards at Board level when appropriate. The Senior Information Risk Owner (SIRO) takes ownership of information risk and is a key factor in successfully raising the profile of information risks and to embedding information risk management into BCCG s culture. Their responsibilities are:- To oversee the development of an Information Risk Policy To take ownership of risk assessment process for information risk, including review of the annual information risk assessment to support and inform the Statement of Internal Control To review and agree action in respect of identified information risks To ensure that the BCCG s approach to information risk is effective in terms of resource, commitment and execution and that this is communicated to all staff To provide a focal point for the resolution and/or discussion of information risk issues To ensure the Board is adequately briefed on information risk issues The Head of Information Governance (NHS Central Eastern CSU) will, through the Information Governance Toolkit, ensure that BCCG has robust policies, procedures, strategies, training and awareness programmes and monitoring schedules in place Information Security Policy Page 6

7 to ensure the confidentiality, integrity and availability of data and ensure that BCCG complied with relevant current legislation. The Head of ICT will ensure that technical solutions are in place to protect all personal and otherwise sensitive electronic information, wherever this information is accessed. The Information Asset Administrator (IAA) who will typically be the member of staff who manages the local systems on a day to day basis will be responsible for ensuring System Level Security Policies are in place, and through these policies will ensure most risks are mitigated. Any remaining risk will be advised to the Information Asset Owners and SIRO. Development process The policy has been developed and reviewed in line with developments within the Information Governance agenda: Information Security BCCG has policies for management of its information assets and resources and will undertake risk assessments and audits of its ICT and network security arrangements, to ensure compliance with legal requirements. BCCG supports the establishment of an organisation-wide information asset register which lists the organisation s information assets, including risk assessments and action plans for each information asset. All information assets will have an owner and administrator. BCCG maintains incident reporting procedures and investigates all reported breaches of information security or confidentiality. BCCG will promote information security and confidentiality practices to all employees, through the organisation s policies and procedures. BCCG will provide training to raise staff awareness of information confidentiality and security. Information quality assurance BCCG will promote information quality and records management via policies, procedures, guidelines, user manuals and training. Data standards will set through clear and consistent definitions of data, adhering to national standards. BCCG will establish and maintain policies and procedures for information quality and the effective management of records, including an annual corporate records audit. BCCG will undertake or commission annual assessments and audits of its information quality and records management arrangements. Information Security Policy Page 7

8 Records management BCCG will comply with Records Management: NHS Code of Practice so that: Records (both live and archived) are available when needed; Records can be located and displayed, and the current version can be identified, where multiple versions exist; Records can be interpreted in context, i.e. who created / amended the record, and when; Records can be trusted their authenticity can be demonstrated; Access to records is secure; disclosure is controlled, and audit trails track use and changes; Records are retained, as specified in the retention schedule; records are disposed of appropriately; Staff are trained, and aware of their responsibilities for record management. Information Security Management The following sections represent the section identified in the ISO standard for Information Security Management systems. BCCG Information Security BCCG needs a culture to be instilled whereby the security and confidentiality of information, whether personal or corporate, is paramount. This is done through having enforceable policies and procedures in place, as well as having training available to staff. This enables staff to understand the issues and be monitored in their understanding. Human Resources Security It is necessary that BCCG has robust policies and procedures in place such that when a breach occurs, there are sufficient grounds for disciplinary action to be brought. It is also necessary that staff have adequate contractual conditions set. Physical & Environmental Security Any location where information is stored, whether that be in computer systems or in paper based records, will be physically secure. This level of security will be determined through risk assessments in consultation with the Estates Department. However the physical security is only as good as the diligence of staff to enable it to operate. Wedging open doors, leaving windows open and allowing unknown people to tailgate through security doors unchallenged all contribute to a breakdown in those security measures. Communications & Operations Management Information Security Policy Page 8

9 For BCCG to operate it has to communicate information internally, between departments, and externally with other organisations. This has to be done in a secure and confidential manner. Again the need to communicate information can apply to both electronically held data and paper based information. in particular provides great organisational potential, but used inappropriately can also greatly increase the potential risk to BCCG. Only authorised user will be given access to operate IT systems and they will need to have a genuine need before access will be granted. A Network Access Request form will need to be completed. System Managers will organise access to other systems as appropriate. Incident Management The incident management systems used for reporting incidents concerning information are the same systems used for reporting any other type of incident within BCCG. Reporting an information governance incident All incidents must be reported to the CSU IG team by ringing or via to LyndaHarris2@nhs.net. The IG team will record and investigate the incident. The incident and outcome of the investigation will be reported to the Risk Management Group. See Appendix 1 for copy of the IG incident form. Training Requirements All Staff will ensure that they have read this policy and have undertaken the relevant mandatory Information Governance training. Information Governance Training is mandatory for staff and can be completed via on-line training modules ( or within a face to face training session provided by the Information Governance Team (CSU) where particular needs have been identified. Training is required annually for all staff which ensures they are kept up to date with any changes. In addition all staff will abide by the policies and the procedures, regarding information governance which has been ratified by BCCG as well as all legislation and law. Monitoring Staff are expected to comply with the requirements set out within the Information Security Policy and related policies. Compliance will be monitored via Manager and Information Security Policy Page 9

10 Information Governance Team report of spot checks, completion of staff questionnaires, incidents reported, electronic audit trails and submission of the Information Governance Toolkit. Non adherence to the Information security policy and related policies will result in local Disciplinary Policies being implemented. Related Documents This policy complies with the national requirements listed below: Data Protection Act 1998 Freedom of Information Act 2000 Public Records Act 1958 Access to Health Records Act 1998 Information Governance Toolkit ( and subsequent versions ISO/IEC Information Security Management Standard NHS Code of Practice Confidentiality Caldicott2 Review The following BCCG policies are referred to in this policy: Confidentiality and Data Protection Policy Freedom of Information Policy and Procedures Information Governance Strategy Information Governance Policy Information Risk Management Policy Safe Haven Policy Information Security Policy Page 10

11 Appendix 1 NHS Information Governance: Incident Log Report General Information Reported By: Department: Title: Phone: Address: Postal Address: Type of Incident: Date/Time Detected: Date/Time Reported: Mobile: Fax: Additional Information: Incident Details Confidentiality / Integrity / Availability Impacts on the Department (total failure, business as usual etc): Type of affected System: Patient information, finance, administration etc Incident Details: Site Details: Site Point of Contact: Actions Taken: Information Security Policy Page 11

12 Information Security Policy Page 12