INFORMATION GOVERNANCE POLICY: DATA BACKUP, RESTORE & FILE STORAGE HANDLING

Transcription

1 INFORMATION GOVERNANCE POLICY: DATA BACKUP, RESTORE & FILE STORAGE HANDLING Original Approved by: Policy and Procedure Ratification Sub-group on 23 October 2007 Version 2.2 Approved by : Information Governance Group Approval Date: 16 December 2009 Review Date: 16 December 2011 Responsible Person: Steve Ingleson, Director of Performance Management Circumstances may arise or there may be a change in guidance (e.g. NICE or Employment Law) where changes may be required to the Policy before the planned review date. Staff are responsible to identify this to the Policy Group via their Line Manager who will then put in place a policy review process. NOTE: All policies remain extant until notification of an amended policy is placed on the intranet. Policy Name: Data Backup, Restore & File Storage Handling Author: Carol Mitchell, Information Governance Manager Version: 2.2 Date: December 2009

2 Version Control Sheet: Version Date Author Status Comment 2.1 Sept 07 C Mitchell Approved 2.2 Dec 09 C Mitchell Approved Reviewed no changes required 2 of 6

3 NHS BRADFORD AND AIREDALE 4.5 DATA BACKUP, RESTORE & FILE STORAGE HANDLING Introduction The purpose of this policy is to maintain the integrity and availability of information, processing and communication services. This Policy is to ensure that necessary controls are in place to protect data in the event of a hardware failure, accidental deletion or unauthorised changes. Supporting Procedures None Risk Management The risks identified under this policy include unauthorised changes to information, loss of information, inaccurate information. 1.0 Backup Cycle / Generation 1.1 IT Services are responsible for taking and securing backups for all data and software stored on servers. Users are responsible for backups of data and software held on laptops. 1.2 Data and software backups will be taken on an appropriate timely basis. 1.3 The number of copies must be adequate i.e. daily, weekly. At least three generations/cycles must be kept for important business applications. 1.4 Backup copies of data will be taken prior to any new software or changes being installed e.g. software fixes, upgrades, new releases. 1.5 The backup database will be included in the backup process. 1.6 Alternative backup arrangements should be available. 2.0 Tape / Disk Identification 2.1 Backup tapes /disks will be suitably labelled to ensure that an unauthorised person cannot identify the contents. 3.0 Checking and Recording of Backups 3.1 IT Services will maintain a record to reflect: 3 of 6

4 when the backup was taken the serial number of the tape / disk used the volume of data backed up elapsed time initials of person checking backup comments as necessary e.g. errors 3.2 The backup copy will be verified against the original as part of the backup job. 4.0 Secure Storage of Backups 4.1 On site backup copies will be stored in a suitable location e.g. a fireproof cabinet. 4.2 Fireproof cabinets used to store backups will be serviced / checked annually. 4.3 Current backup copies will be stored off site at a secure location, at a sufficient distance to escape any damage from a disaster at the main site. 4.4 Copies of key master software will be stored off site. 4.5 Procedures will be established for emergency access to off site storage. 4.6 Backup copies will be transported to off site storage securely. 4.7 Periodic audits of backup copies and storage locations will be undertaken. 4.8 Long term storage will be reviewed annually where appropriate. 4.9 Long term storage media will be rotated and checked for reliability and errors. 5.0 Restores 5.1 Backup copies will be regularly tested where practicable to ensure that it can be relied upon for emergency use when necessary. 5.2 Restore procedures will be regularly checked and tested to ensure that they are effective and that they can be completed within the time allocated in the recovery procedures. 5.3 Restores will be authorised and documented. 6.0 Review 4 of 6

5 6.1 The frequency and content of backups will be reviewed to ensure that they are adequate. 6.2 Long term backup copies will be reviewed to: confirm the need ensure reliability of copies 7.0 Documentation 7.1 Backup procedures will be documented and should include: responsibility for backups including a nominated deputy what is backed up frequency and time of backup 7.2 Restore procedures will be documented and should include: clearly identified responsibilities control checks and recording plans for testing of the restore process to reflect how, frequency, sign off process etc. 7.3 A copy of the backup and restore procedures will be stored off site. 8.0 Staff awareness 8.1 Users will be advised that: data should not be held on local drives a copy of data stored on portable equipment e.g. laptops must be taken regularly backup copies must be stored securely and where appropriate stored off site 9.0 Legal Requirements 9.1 The retention and use of backup copies of data must be in compliance with legal requirements File Storage Handling and Security 10.1 Where necessary and practical, authorisation will be required for all copies of data removed from the tpct and a record must be maintained Where no longer required, the previous content of any re-usable file storage media that are to be removed from the tpct will be erased. 5 of 6

6 10.3 All file storage media will be stored in a safe, secure environment, in accordance with manufacturer s specifications Procedures will be established to ensure that file storage media containing sensitive information is disposed of securely and safely. (see Information Governance Website) 10.5 System documentation will be stored securely and access to it must be kept to a minimum and controlled by the application owner. 6 of 6