Training prepared by Geoff Webb Information Security & Governance Consultant. Data Protection isn t a choice, it s the law. What all CPH staff must do

Size: px

Start display at page:

Download "Training prepared by Geoff Webb Information Security & Governance Consultant. Data Protection isn t a choice, it s the law. What all CPH staff must do"

Mavis Charles
7 years ago
Views:

1 Training prepared by Geoff Webb Information Security & Governance Consultant Data Protection isn t a choice, it s the law What all CPH staff must do 1

2 Main Points Person Identifiable Data (PID) - the information that would enable a person s identity to be established 2

3 Person Identifiable Data (PID) The term applies to a combination of some of the following data items wherever it/they may appear and irrespective of the name of any data field in which it/they may appear, allowing that patient to be identified: Name - including last name and any forename or aliases Address including any current or past address of residence Postcode - including any current or past postcode of residence Telephone number Date of birth NHS number Ethnic category Local Patient identifier Hospital Encounter number Patient pathway identifier SUS spell ID Unique booking reference number Date of death 3

4 Main Points Person Identifiable Data (PID) - the information that would enable a person s identity to be established Security and confidentiality of PID 4

5 Security and confidentiality of PID Keep it safe Don t let someone else have it Don t give someone s secrets away 5

6 Security and confidentiality of PID Why not? The Data Protection Act is the law that protects us against illegal and inappropriate use of our personal information without our consent, and the same applies to us using the information of others 6

7 Data Protection Act Principles Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is: 1. Fairly and lawfully processed 2. Processed for limited purposes 3. Adequate, relevant and not excessive 4. Accurate and up to date 5. Not kept for longer than is necessary 6. Processed in line with your rights 7. Secure 8. Not transferred to other countries without adequate protection 7

8 Main Points Person Identifiable Data (PID) - the information that would enable a person s identity to be established Security and confidentiality of PID The need to identify individual data subjects 8

9 The need to identify individuals Do you really need to know who they are? If so, they must give informed consent Anonymisation and Pseudonymisation 9

10 Reasons to be careful part 1 Data Protection Act Civil Rights Freedom of Information 10

11 Reasons to be careful part 2 Information Commissioner s Office (ICO) Wrath of the ICO Legal and Financial penalties 11

12 Data Protection Act and the ICO If we breach any of the DPA Principles, the ICO can impose heavy financial penalties, up to 500,000 a time. If a person thinks that we are not doing all we should with their personal data they can ask the ICO to investigate. The ICO will arrive unannounced and will carry out a stringent audit on all our processes for handling Personal Data. 12

13 What can you do? Information Security Maintain Confidentiality Always keep on the right side of the law 13

14 Information Security Electronic data security Physical security What to watch out for 14

15 Maintain Confidentiality Don t gossip 15

16 Stay safe online What s at risk? Personal information Corporate information 16

17 Stay safe online Source of risk? Virus writers attachments Software 17

18 Stay safe online Types of risk? Worms Trojan Horses Botnet Phishing 18

19 Stay safe online Types of risk? Worms Trojan Horses Botnet Phishing 19

20 Stay safe online Types of risk? If you click on My Account Activity you will go to somewhere quite unexpected Worms Trojan Horses Botnet Phishing 20

21 Stay safe online Can you avoid the risk? 21

22 Stay safe online Can you avoid the risk? Not really 22

23 Stay safe online Can you avoid the risk? Not really Damage limitation 23

24 Stay safe online Can you avoid the risk? Not really Damage limitation Use Encryption 24

25 Stay safe online Avoid being the risk protocol Using social media Follow the rules 25

26 Stay safe online What if you are targeted? SPAM Suspected Malware You said something you shouldn t have 26

27 Stay safe online What you need to do 1. Think before you Send 2. Don t fall for hoaxes 3. Take care with social media 27

28 Always keep on the right side of the law Finally If a process isn t intuitive, use a Checklist Know where the Policies, Procedures and Guidelines are stored When in doubt, ask! 28

Information Security Incident Management Policy

Information Security Incident Management Policy Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT Policy & Regulation