Information Security Adults Services. Practice guidance. Revised Version: 1.2 Effective from: August 2014 Next review date: August 2015

Transcription

1 Information Security Adults Services Practice guidance Revised Version: 1.2 Effective from: August 2014 Next review date: August 2015 Sign off: Jenny Daniels Title: Head of Health and Social Care Practice Date: 11 th August 2011

2 Information security practice guidance 2 Status Revised document Version number 1.2 Issue date 11th August 2014 Author Greg Slay, lead for Quality Assurance Owner Sharon Gogan, Head of Adult Social Care Signed off by Jenny Daniels, Head of Health and Social Care Practice Date 11 th August 2011 Issue Date Author Principal Changes number 1 11 th August 2011 Greg Slay Published version on WSCC intranet nd April 2012 Greg Slay 1.2 Aug 2014 Greg Slay Updated to include cross-referencing to the county council s Acceptable Use Policy for IT facilities. Development of a Quick Reference guide. General revisions and reference to the relevant and applicable Management and Professional Instructions. Revised Quick Reference guide. Feedback: Our customers expect first class service and we aim to provide it. We therefore welcome feedback about our policies and procedures. If you have any comments about this document please socialcare@westsussex.gov.uk Copyright West Sussex County Council / Version 1.2 /August 2014 Page 2

3 Information security practice guidance 3 Contents Policy 1. Why information security is important 4 2. Information security the national picture 5 3. Data Protection Act: access to records 7 4. Passwords for computers and 7 Practice guidance 5. Information security is everybody s responsibility 7 6. Secure use of faxes 8 7. Clear desks at work 8 8. Document management away from the office 9 9. Case files (paper) retrieved from the File Store Sources of further information 9 Copyright West Sussex County Council / Version 1.2 /August 2014 Page 3

4 Information security practice guidance 4 Policy 1. Why information security is important 1.1 The county council, like many other public sector organizations, handles and manages a wide range of information, including personal data, as part of its business. Using that information appropriately can improve public services, as provided for both individual customers and carers and to local communities. But there is no place in our organisation for lax data protection practices: we need to ensure that we always have appropriate levels of security in place for the handling of sensitive information. Information is a critical business asset. 1.2 Across the county council, we are committed to working within the requirements of the Data Protection Act. In particular we want all our staff to comply with the eight principles of the Data Protection Act, to make sure that personal information is: Fairly and lawfully processed; Processed for limited purposes; Adequate, relevant and not excessive; Accurate and up to date; Not kept for longer than is necessary; Processed in line with citizen rights; Secure; and Not transferred to other organisations and/or countries without adequate protection measures being in place. 1.3 We need information to be handled in a way that protects the public. We would be vulnerable to a legal challenge under the Data Protection Act if, for example, secure arrangements were not in place for the distribution of sensitive customer-related information to our partner organisations and other audiences. 1.4 We understand and respect the need for our customers to have their privacy protected. We therefore have to ensure that only the right people get the information they need about our individual customers, whether on paper or by electronic means. Achieving this is particularly challenging against a background of changing services, expectations and technology developments. 1.5 The introduction of Frameworki, as a bespoke case recording and case management system for Adults Services, meant that we were much better placed than ever before to ensure the safety of personal data concerning our customers. Frameworki does not however, in itself, guarantee information security. Copyright West Sussex County Council / Version 1.2 /August 2014 Page 4

5 Information security practice guidance The way in which we manage information is critical to our ability in Adults Services to protect the organisation - and the sensitive information held about customers and carers from unintended or deliberate security breaches. We therefore expect our staff to understand and embrace the need for information security to be a core part of their daily work and, at the same time, to be focused on the learning for themselves from actual security breaches caused by others. 1.7 We are committed to the maintenance of high practice standards for information management and sharing. We support the development of a working culture that properly values, protects and uses data, both in the planning and delivery of public services. We recognise that the task of improving information security will always be a continuing process. 1.8 Work was undertaken in 2011 to provide secure accounts to all Adults Services Helpdesks as well as key individuals. This was in order that we had robust arrangements in place to be able to respond to the particular need around secure e-communication with Sussex Police on adult safeguarding issues. Work to enhance encryption arrangements, thorough the introduction and use of the Voltage encryption system on standard s, will be introduced in autumn The county council s ing controlled access information policy confirms that the county council s internal corporate service is considered a secure service but only as long as mail is sent from one such corporate account to another. Particularly sensitive information should also be encrypted wherever possible. 2. Information security the national picture 2.1 The public sector in the UK holds vast amounts of sensitive information, something which unscrupulous other organizations are only too eager to access and exploit. Just one single breach of personal data could affect the lives of millions of people and seriously undermine public confidence. The pressure for public transparency coupled with the need for online information-sharing efficiencies therefore exposes public sector organisations, both centrally and locally, to significant risk. 2.2 The Government has introduced a secure computer network to connect all local authorities, called the Government Connect Secure Extranet (GCSx). GCSx is part of the wider Government Secure Intranet (GSi) and provides connectivity to virtually all central government departments. It also allows local authorities to securely exchange data electronically. Copyright West Sussex County Council / Version 1.2 /August 2014 Page 5

6 Information security practice guidance We use the GCSx network to securely exchange sensitive information (up to HM Government s classification level of restricted ) with: central government departments, for example, the Department for Work and Pensions, the Department of Health (secure or the Home Office; the NHS (secure Sussex Police and other police authorities (secure pnn.police.uk); criminal justice agencies such as Sussex Probation Service and with prisons; other local authorities, at county, unitary and borough/ district levels. 2.4 The Government defines restricted information in a number of ways, including: information whose compromise would be likely to cause substantial distress to individuals; breaches of statutory restrictions on the disclosure of information; and breaches that would impede the effective development or operation of government policies. Breaches of restricted information: three examples Example 1: a member of staff working for a local social services authority ed a file containing sensitive personal information relating to 241 individuals physical and mental health. The file was sent to the wrong group address and the address that received the file included a large number of transportation companies, including taxi firms, coach and minibus hire services. Attempts to recall the were not entirely successful. As the information was neither encrypted nor password protected, it had the potential to be viewed by a significant number of unauthorised individuals. Example 2: confidential personal data relating to a number of individuals was mistakenly ed to over 100 unintended recipients who had, in fact, registered to receive a council newsletter. Example 3: a member of staff sent confidential sensitive information, including data relating to an individual s health, to the wrong internal group address. While the data in this breach did not leave the council s internal network, it did lead to sensitive data being circulated to individuals who should not have received it. These examples are from local authority cases investigated by the Information Commissioner and publicly reported. Copyright West Sussex County Council / Version 1.2 /August 2014 Page 6

7 Information security practice guidance Although most people know how to use appropriately, it is clear from the examples in the text box above that errors can easily be made in an era of instant communication : as a result s are often sent to the wrong people. The Information Commissioner (website: ico.gov.uk) has therefore levied significant fines on local authorities for data breaches that have arisen from poor practice. 3. Data Protection Act: access to records 6.1 Health and social care workers working for Adults Services cannot disclose personal or personal sensitive information about customers to third parties unless specific conditions are met. A person (such as a family member or friend) cannot make a subject access request on the part of a relative or friend unless he/she has the consent of that person, or he/she is already invested with a Power of Attorney authority. 4. Passwords for computers and 4.1 Passwords are the backbone of information security in the computer age, whether in the context of Chip and Pin technology for debit/credit or P-cards, access to both wired and wireless computer networks, or access to . Passwords are also often used to protect documents sent in transit electronically. 4.2 Staff in Adults Services already and frequently send documentation attachments with . These documents often relate to our customers (identifying customers by full name or initials and address for example) and/or relating to personnel matters. 4.3 Unless such documents are attached to a secure and sent to and from a person in an organisation with a secure system, the documents are themselves not secure and are vulnerable to interception, thus compromising data security. Practice guidance 5. Information security is everybody s responsibility 5.1 Information security is the responsibility of every single member of staff in Adults Services. This means all permanent, contract and temporary members of staff, such as students on placement. Copyright West Sussex County Council / Version 1.2 /August 2014 Page 7

8 Information security practice guidance Management and Professional Instructions 04 and 05 refer to arrangements in place within Adults Services for information security and for Frameworki and information security respectively. These Management and Professional Instructions can be accessed in the Professional Zone on West Sussex Connect to Support (visit: westsussexconnecttosupport.org). Compliance with these Management and Professional Instructions is overseen by the Adults Services Quality Assurance Management Board. 5.3 In the event that any member of the our staff becomes aware of any loss or theft of material protectively marked as Restricted, the arrangement we have put in place in West Sussex is that this must be immediately reported this to the IT Service Desk and following the normal county council information security reporting procedure. The corporate Security Incident Checklist template can be accessed in the Professional Zone on the West Sussex Connect to Support website. 5.4 Guidance on the use of the Voltage encryption system, used in Microsoft Outlook , will be advised to staff from autumn 2014 onwards. 6. Secure use of faxes 6.1 The introduction of Frameworki has led to a reduction in alternative routes of communication with Adults Services - as most communications are now handled electronically. 6.2 Faxes are not a secure means of transferring information from one person or organisation to another. In order to protect information being transmitted by fax, it is essential that staff check first to see if there is a more secure way to send the information in the first place such as secure , encrypted mail, or the use of a courier. Having exhausted other possibilities, it is important to: Check that the number is accurate (it is all too easy to get one of the digits wrong); Only send the information that actually needs to be sent; Confirm with the recipient that he/she is physically available to receive the , so that the fax is not sitting around uncollected; Use a cover sheet, identify for whom the fax is intended, and explain whether it is confidential or sensitive; and Ask for confirmation by telephone or that all the fax has in fact arrived at its destination. 7. Clear desks at work 7.1 Clear desk spot checks are periodically undertaken in county council offices. They take place early in the day, outside of office hours and the Copyright West Sussex County Council / Version 1.2 /August 2014 Page 8

9 Information security practice guidance 9 corporate spot check team is instructed to remove items which are left out. 7.2 The majority of teams now ensure their areas are left clear at the end of the day. But there is always room for improvement and staff must ensure all personal data is secured overnight. 7.3 Staff should not leave customer files in trays, make sure all cupboards and roller racks are locked and the keys put away. The tops of cupboards are not to be used for storage. 8. Document management away from the office 8.1 Adults Services staff visit customers and/or carers in their own homes and notes are often taken of discussions that have taken place. The need to be vigilant in relation to the management of person-sensitive information remains. Information collected should be transferred into Frameworki as soon as possible. If information needs to be kept for professional reasons over and above what can be inputted to Frameworki or kept otherwise on county council-supplied electronic equipment, it must be stored securely. 9. Case files (paper) retrieved from the File Store 9.1 Adults Services staff who request a customer and/or carer case file from the File Store are expected to return the file within the allotted timeframe. Where a file is subsequently reported as missing or lost, the guidance note on what arrangements need to be instituted in terms of reporting should be read and acted upon. Visit the Professional Zone on West Sussex Connect to Support (westsussexconnecttosupport.org) to access this guidance note. 10. Sources of further information 10.1 The county council s latest guidance on all matters relating to information management and security can be accessed on the county council s intranet, The Point (type information security in the search engine). Other resources available on The Point include information on setting up secure accounts (type secure in the search engine). A short e-learning course that must be completed by the relevant member of staff before any such account can be activated Guidance about information sharing in relation to people who lack mental capacity is provided in chapter 16 of the Mental Capacity Act Code of Practice. Visit: gov.uk for further information. Copyright West Sussex County Council / Version 1.2 /August 2014 Page 9