DOCUMENT CONTROL PAGE


Title: Title
Version: 0.2a
Reference Number:

Supersedes
Supersedes: IT Encryption and Security Policy and Guidelines
Description of Amendment(s): Clarification of document approval routes.
Originated by: Lois Critchley
Originator Designation: Head of Infrastructure and Continuity
Modified by:
Designation:

Approval
Approval by: Informatics Strategic Board
Date: March 2014

Application
All Staff

Circulation
Issue Date: March 2014
Circulated by: Informatics
Issued to: All Divisions and Corporate Services / Staffnet

Version: 0.2a Page 1 of 21

Central Manchester and Manchester Children's University Hospitals NHS Trust

Review
Review Date: October 2016
Responsibility of: Head of Infrastructure & Continuity

ISSUE DATE: March 2014
VERSION: 0.2a

CONTENTS

1. Introduction
   Purpose
   Audience
   Scope
   Definitions Used
Code of Practice
   Desktops
   Laptops
   Trust Mobile Devices including tablets and mobile devices such as iPads
   Usernames, Passwords and PIN codes
   Anti-virus / Malware Protection / Software Patching
   Software Licences
   Email Security
   Internet Security
   Working from Home / Remote Working
   Network Links with Other NHS Trusts and third party Suppliers
   Removable Media
   Bring Your Own Device (BYOD) and use of Personal Devices
   Mobile Phones
   Digital Cameras / IPods / Mp3 Players
   Cloud Storage
   Disposal of Redundant / Obsolete Trust IT Equipment
Dealing with Breaches of Security
User Responsibility
Manager Responsibility
Informatics Responsibility
FURTHER INFORMATION

1. Introduction

1.1 Purpose

The purpose of this document is to clearly define the code of practice for the use of IT to maximise security and governance, to prevent unauthorised disclosure, modification, removal or destruction of data and/or IT systems owned by Central Manchester University Hospitals NHS Foundation Trust (CMFT), and to ensure that disruption to Trust activities is minimised.

The code of practice applies to all authorised users of CMFT data and systems including staff who are not employed by CMFT but use CMFT data or systems.

The code of practice defines the responsibility of:

- Users
- Managers
- Informatics

Any employee who breaches standards within the IT code of practice may be subject to disciplinary action, in accordance with the Trust's disciplinary procedures. This may result in summary dismissal for gross misconduct. It may also result in criminal proceedings being taken.

Action will also be taken against any user not employed by the Trust and who breaches the standards of this document. This action will be in line with relevant Contract arrangements and may include criminal proceedings.

1.2 Audience

This document is aimed at users and the code of practice within the document should be self-explanatory. However, if there is anything within the document that any member of staff does not understand they should contact the Informatics Service Desk.

1.3 Scope

This document covers desktops, laptops, tablet devices, other mobile devices including smart phones, software, email, storage mediums such as, but not limited to, cloud-based storage, CDs, USB pens, memory sticks, portable hard drives and other devices such as digital cameras and so on.

The document is not intended to stand in isolation and a number of legislative acts and CMFT policies are relevant to the interpretation and application of this document. These include, but are not limited to:

- Data Protection Act 1998

- Computer Misuse Act 1990
- NHS Caldicott Principles
- CMFT Network Security Code of Practice
- CMFT Internet and Email Code of Practice
- CMFT Data Protection Policy
- CMFT Disciplinary Policy
- CMFT Record Keeping Policy
- CMFT Handling Sensitive Information Procedure

The above list is not exhaustive and all legislative acts are subject to updates.

1.4 Definitions Used

For the purpose of this document, the wording Sensitive Data refers to all information which relates to an identifiable living or deceased individual, all confidential data and commercially sensitive data.

Identifiable data includes, but is not limited to:

- Surname
- Forenames
- Date of Birth
- Post Codes / Address
- Telephone Numbers
- Casenote Numbers
- Diagnosis, Procedures, Treatment details

This list is not exhaustive.

The NHS Number may be used without encryption as long as it is sent on its own without any further identifiable information.

For the purpose of this document, the wording Trust PC refers to any Trust device used for data collection and processing, including (but not limited to) desktops, laptops, tablets and other mobile devices that are capable of local storage and installation of software.

2. Code of Practice

Sensitive data must not be saved on the local hard drive of a PC, mobile device or any other data storage medium (such as cloud-based storage or a USB pen) that is not owned or approved by the Trust or that does not meet the required standards outlined in this document.

Users must only use security and encryption hardware / software which is recommended and approved by Informatics.

Users must not tamper with or alter the hardware specification of any Trust-owned PC without prior approval from Informatics. If a supplementary resource is required, such as additional memory, then a call must be logged with the Informatics Service Desk.

Users must not wilfully, intentionally or negligently damage or destroy any hardware, software or data belonging to the Trust.

Deletion of any information or disposal of PCs or storage devices must be in line with legislation and Trust policies such as the CMFT Record Keeping Policy.

All data handling must be in line with the Data Protection Policy (1998) and NHS Caldicott guidelines.

There are 8 key principles for Data Protection; these are:

- One: Personal data will be processed fairly and lawfully.
- Two: Personal data will be obtained for specified and lawful purposes and will not be used in a way which is unsuited to those purposes.
- Three: Personal data will be adequate, relevant and not excessive for the purposes for which it is used.
- Four: Personal data will be accurate and up to date.
- Five: Personal data will not be kept for longer than is necessary.
- Six: Personal data will be processed in line with individuals' rights.
- Seven: Appropriate technical and organisational measures will be taken to protect against unauthorised or unlawful processing, accidental loss, destruction or damage to personal data.
- Eight: Personal data will not be transferred to a country which does not have adequate levels of protection for the information.

There are seven NHS Caldicott Principles which are:

- Justify the purpose for using personal confidential information.
- Don't use personal confidential information unless it is absolutely necessary.
- Use the minimum necessary personal confidential data.
- Access to personal confidential data should be on a strict need-to-know basis.
- Everyone with access to personal confidential data should be aware of their responsibilities.

- Comply with the law.
- The duty to share information can be as important as the duty to protect patient confidentiality.

Further information on the Data Protection Policy and NHS Caldicott Principles can be found in the Trust Data Protection Policy held on the Staffnet.

2.1 Desktops

Desktop PCs that are installed within Trust premises in a secure location with restricted physical and system access are considered to be at low risk and require no mandatory security requirements.

Desktop PCs that are installed in insecure locations or in areas accessed by the public will require additional physical security whereby the desktop is physically locked down, for example to the desk or table.

Sensitive data should not be stored on desktop PCs that are installed in insecure locations or that are in general usage with unrestricted access (also referred to as insecure desktops). In these instances the Trust's network storage (network folder, SAN) should be used. To set this up, a call needs to be logged with the Informatics Service Desk.

It is recommended that data/files such as Microsoft Word and Excel documents are not stored on the desktop's local hard drive but on the Trust network drives. For further information on this or to arrange transfer of your data to a network drive, please contact the Informatics Service Desk.

Desktop PCs must be suitably protected by Trust recommended antivirus software. If a user is unsure of anti-virus protection then please contact the Informatics Service Desk for advice.

2.2 Laptops

Laptop PCs that are installed within Trust premises as the main PC require additional physical security whereby the laptop is physically locked down at the main location, for example to the desk or table.

All laptops must be fully encrypted at hard disk level and this is undertaken by Informatics as part of the installation. Where full encryption of the laptop is not possible then a risk assessment must be completed.
A copy of the completed risk assessment form must be sent to Informatics for approval. If you need any assistance in carrying out a risk assessment on a PC, please contact the Informatics Service Desk for advice.

The principal, named user of a laptop is the person requesting the order of the laptop. The principal user will then be fully responsible for the security of that laptop and the data stored on it.

If the laptop is transferred to another user, then it is the principal user's responsibility to inform Informatics of the transfer and the name of the new user. Responsibility for the laptop will remain with the principal user until Informatics has been notified of the laptop transfer.

To prevent unauthorised disclosure of information, the principal user is responsible for ensuring that all data that is no longer required to be held on the laptop is removed from the laptop prior to its transfer to another user. For assistance with this, a call should be logged with the Informatics Service Desk.

Laptops must never be left unattended unless stored out of sight in a safe and secure location with restricted authorised access only.

When travelling and not in use, avoid placing laptops in locations where they may be forgotten or left behind e.g. overhead racks. When in transit, laptops should be stored in car boots; however, laptops must never be left in car boots overnight.

Sensitive data stored on a laptop should be kept to the minimum required for its effective clinical or business use in order to minimise the risks and impacts should a breach occur.

Laptops must be suitably protected by Trust recommended antivirus software. If a user is unsure of virus protection then please contact the Informatics Service Desk for advice.

Remote transmission of sensitive data from a laptop must be encrypted and in line with the standards outlined in this document.

Trust laptops must only be used by authorised CMFT users.

Department Heads, or appropriate line managers, must authorise the use of any laptop which is to be used outside premises owned by CMFT.
Additional authorisation must be obtained from the Trust Caldicott Guardian, or nominated officer, where the processing of sensitive data is proposed.

2.3 Trust Mobile Devices including tablets and mobile devices such as iPads

Mobile device management (MDM) is installed on all Trust-owned mobile devices, where possible. MDM is used to manage the device, including monitoring of app deployment, location tracking and remote wiping of the device, including data, if the device is reported as mislaid, lost or stolen.

Mobile apps that are installed on Trust-owned devices must be licensed and purchased through authorised app stores.

Where possible, Trust data should not be stored on Trust-owned mobile devices. Additionally, Trust data must not be stored solely on these devices.

If a Trust mobile device is mislaid, lost or stolen, it must be reported immediately to the Informatics Service Desk.

2.4 Usernames, Passwords and PIN codes

Passwords should be strong, that is, not easily guessed. Personal information such as name or date of birth, or dictionary words, should not be used. Where possible, passwords should be a minimum of six characters and should use a mix of upper and lower case letters, numbers and other characters such as $, %; for example, the word password could become P4$$w0rd. The longer the password, the harder it is for someone else to guess it.

PIN numbers should not be obvious e.g If you find it hard to remember PINs, consider creating bogus contacts on your mobile phone with your PIN as part of the number (you must ensure they appear to be real contacts).

Users are responsible for any work undertaken on any system using their personal logon credentials (username/password). Logon credentials must remain confidential at all times and must not be disclosed. Any breach of this may invoke the Trust Disciplinary Procedure.

For further information on passwords/PIN codes please see the Handling Person Identifiable Information Policy on Staffnet.

2.5 Anti-virus / Malware Protection / Software Patching

Desktops and laptops (including Windows tablet devices) that are installed on Trust premises must be suitably protected by Trust authorised anti-virus / malware software (AV software) and other associated security software / patches.
The PC configuration must allow for:

- Automatic updates of AV definitions
- Checking of PC memory and files on start-up
- Checking of each of these files upon use
- Checking of removable drives upon use
- Warning messages / quarantine of suspicious files/programs
- Scanning of all files, on request
- Warning message when virus definition is over two weeks old
- Automatic update of other security patches such as Windows Operating System patches.

Users must not disable or interfere with AV or other security software installed on any PC.

Where Trust authorised AV software is not able to be installed on a Trust desktop or laptop (for example, where the AV software causes a conflict with other software or hardware such as a clinical analyser) then a risk assessment must be completed by the User for that PC. A copy of the completed risk assessment form must be sent to Informatics for approval. If you need any assistance in carrying out a risk assessment on a PC, please contact the Informatics Service Desk for advice.

Trust-owned laptops must be regularly connected (as a minimum, once every two weeks) to the Trust network to ensure that the AV software is maintained and up-to-date.

All new desktops and laptops ordered through the Trust recommended stock process will have an AV licence purchased and allocated as part of the ordering process. If any desktop or laptop is ordered outside this process, then a licence for Trust approved anti-virus software must be purchased through Informatics. Please contact the Informatics Service Desk for advice.

Users must not disable or interfere with anti-virus software installed. If you are unsure of AV protection on your PC then please contact the Informatics Service Desk for advice.

Users must not open any attachment in an email that is known to be infected by a virus.

If an email from a known source is received with an unexpected or unusual message and / or attachment, the user should contact the sender for clarification prior to opening the email.

Caution must be used when an email with an attachment is received from an unknown source. If there is any doubt regarding attachments on an email, then do not open the attachment but contact the Informatics Service Desk for advice.

Users must not send or forward any messages containing warnings about viruses, even if the warning has been received from a known source. If a user is concerned regarding a warning received by email then please contact the Informatics Service Desk for advice.
If unexpected emails are received from sources such as Banks, Building Societies, Clubs etc. then do not respond unless the request has been verified and confirmed as genuine.

Users must not disclose personal details by email unless the source has been verified and confirmed as genuine. In practice, this is highly unlikely as legitimate sources do not request this type of information by email. If there is any doubt regarding emails received from sources such as the above then please contact the Informatics Service Desk for advice.

Emails sent to and from the email system will pass through filtering software and any considered to contain inappropriate or malicious content will be quarantined. A message is sent to the recipient advising of the quarantine. In these instances, if the email is considered to be genuine then please contact the Informatics Service Desk.

As soon as a virus is found or suspected this must be logged immediately by telephone with the Informatics Service Desk. The PC must not then be used until authorisation has been given by the corporate IM&T department.

2.6 Software Licences

Only Trust-licensed and authorised software may be loaded on to a Trust desktop/laptop.

Adequate licences must be maintained for all installed software and installation of software must be in line with licence agreements.

Installation and removal of software must be undertaken by the Informatics department. This may be requested through the Informatics Service Desk.

Informatics will request proof of purchase of licences as part of regular auditing.

Where stored locally, master copies of software, backup tapes and manuals should be kept in a locked, secure location with restricted access and be protected from environmental damage such as fire, flood and extreme temperatures and humidity.

Backups of master disks should be taken (subject to licence agreement) and used to install applications. Master copies should not be in general use (unless copyright forbids making backups).

Users accessing any Trust application (such as PAS, Medisec, Symphony, or the Electronic Staff Record etc.) must ensure adherence to relevant legislation and Trust policies such as the Handling Sensitive Information Procedure, Data Protection Policy, and Code of Practice for Internet and Email Use.

Email Security

The Trust recommends two email systems, its own system (@CMFT.nhs.uk) and the NHS-wide system (@nhs.net).
If patient identifiable or other sensitive or confidential information is unencrypted then it can be sent as follows:

From: No

Any other address No
Any other No

However, whenever possible, anonymised data should be used rather than identifiable data, and sensitive data should only be sent in line with Data Protection and NHS Caldicott principles.

Secure encrypted emails can be sent from the CMFT email system to any external NHS or non-NHS email address and this can be used for patient or other sensitive/confidential data. To encrypt the email you need to put the word encrypt in square brackets in the subject box before the rest of the subject detail (e.g. Subject: [encrypt] important update on patient condition). The email (including any attachments) will be sent as an encrypted email to the recipients.

The first time the recipient receives an encrypted email they will need to register by following the on-screen instructions which come with the encrypted email; after that they will be able to access any further encrypted emails using their registered credentials.

The email is still encrypted if the recipient then replies to the original encrypted email. As long as [encrypt] is in the subject line before the rest of the subject detail then the email is encrypted. The wording [encrypt] may need to be re-inserted if the same email is being responded to more than once.

Further guidance on the email encryption facility can be found on Staffnet.

If unencrypted sensitive information is sent from a non-cmft to address or from a non-nhs.net to address then this has been sent at risk. These emails should not be replied to if the reply would mean that the sensitive information would be sent out again. A separate email should be sent to the sender advising that unencrypted sensitive information was sent using an unapproved method and an alternative method for communicating the unencrypted sensitive information must be established.

If emails are held on a PC using the Microsoft Outlook cached facility (where a copy of your mailbox is stored locally on your PC), then this must be in line with the PC requirements as stated elsewhere within this document.

Private email accounts such as Hotmail, Yahoo etc.
must not be used for any Trust business.

Email and Internet usage must be in line with the Trust's Internet and Email Usage Code of Practice and other policies.

2.8 Internet Security

Sensitive data must not be processed through the Internet unless it is encrypted, using a security certificate; generally the web address begins This type of processing is quite common during participation in research programmes where there is data capture or input using web-based third party software. Please log a call with the Informatics Service Desk for confirmation that data collection using the Internet meets Trust encryption requirements.

Files must only be downloaded onto a Trust-owned PC that has up-to-date anti-virus software installed.

File downloads must be done in accordance with English and European laws, for example, the Copyright, Designs and Patents Act.

Staff must not download, install and/or run files that can disable the network or compromise the integrity and security of any IT equipment. If in any doubt, contact the Informatics Service Desk for advice and assistance prior to undertaking the download.

Access to downloadable files, the downloading of files and transmission of files may be restricted by Web Monitoring Software, Content Filtering Software and / or NHS and Trust network settings. These restrictions may include files of a certain type (e.g. ZIP files) and / or files that exceed specific size thresholds and may change in line with security advice.

The Informatics Department reserves the right to exclude access to certain websites. Web Monitoring Software is used to manage such restrictions in a real-time environment.

Email and Internet usage must be in line with the Trust's Internet and Email Usage Code of Practice and other policies.

2.9 Working from Home / Remote Working

Remote access can be provided for staff that:

- Work from home
- Work at remote sites that are not connected to the Trust's data network, including other NHS and non-NHS premises

You can connect to your email, network files and folders through:

- OWA - Outlook Web Access (Webmail)
- VPN - Virtual Private Network
- VDI - Virtual Desktop

OWA provides access to your mailbox through a secure, encrypted web link using Internet Explorer. OWA can be used from any PC with an internet connection.
You must ensure that you fully sign out of OWA when you have finished and close down the Internet browser window. Please contact the Informatics Service Desk for further information on using this facility.

Both VPN and VDI provide secure, encrypted access to Trust systems and applications. Access through VPN and VDI is controlled by an RSA token and username/password two-factor authentication process. RSA tokens are charged for and need to be requested, authorised and supplied via Informatics.

VPN connections require clean access control software and a VPN client to be installed on the PC. Clean access ensures that a device connecting to VPN has up-to-date antivirus and Windows patches applied. Instructions for installing VPN can be provided by the Trust's Informatics department.

VDI is accessible from any internet-connected device that has VMware View Client installed. This is the preferred method for providing remote access to Trust systems and applications as all the processing is done on Trust servers. Instructions for installing VDI can be provided by the Informatics department.

When accessing Trust systems and applications remotely or from home you must ensure that no Trust data is saved on the local hard drive of a PC (desktop or laptop), mobile device or any other data storage medium (such as cloud-based storage or a USB pen) that is not owned or approved by the Trust or that does not meet the required standards outlined in this document.

When working remotely in public places, meeting rooms and other unprotected areas, care should be taken to avoid unauthorised access to or disclosure of the information stored and processed during the remote session. Care should be taken by staff to minimise the risk of unauthorised persons overlooking the screen.

Confidentiality Policies apply equally to information whether in the office or at home.
Failure to maintain confidentiality may result in disciplinary action.

Network Links with Other NHS Trusts and third party Suppliers

In line with the Trust Network Security code of practice, transmission of data using N3 to other NHS Trusts and third party suppliers must be encrypted using VPN technology, Remote Desktop with TLS encryption or other approved encryption software or technologies. For further information regarding this, please log a call with the Informatics Service Desk.

Further information on network security can be found in the Network Code of Practice.

Removable Media

Removable media refers to any kind of portable data storage device that can be connected to and removed from the PC. This incorporates:

- Data DVDs or CDs
- Zip Drives and portable hard drives
- USB Pens

This list is not exhaustive.

Sensitive data must not be stored on any removable media unless the device meets the Trust's encryption standards.

Removable media must not in normal circumstances be used to store Trust data unless you have a legitimate and justifiable requirement and it is absolutely necessary to do so. Trust data must not be stored solely on these devices. For advice on backing up your files and folders, please log a call with the Informatics Service Desk.

Trust approved USB pens can be obtained through the Informatics Service Desk.

Bring Your Own Device (BYOD) and use of Personal Devices

Trust email can be accessed on your personal smartphone/tablet device using the BYOD facility or through the normal network connectivity your device uses (3G/4G/Wi-Fi). The following applies irrespective of the network connection used by your personal device.

The Trust provides BYOD (Bring Your Own Device) access at its central-island site location. This facility allows staff to use their own personal mobile device at work to access Trust email and also the Internet. BYOD access can be applied for by completing the BYOD form found under forms on Staffnet.

The BYOD facility is currently offered for the following devices / operating systems:

- Apple iPad / iPhone: iOS 5 and above
- Android devices: Android 2.3 (Gingerbread) and above
- Windows devices: Windows 8

Information on connecting your personal device through 3G/4G/Wi-Fi can be provided by the Informatics Servicedesk.

If you wish to use your personal smartphone/tablet device to access your Trust email, a security code will be required on your device; this is mandatory and is installed as part of the connection process. If you do not wish to have a security code then you will not be allowed to connect your device to your Trust email account.

With the exception of emails, you must not store any Trust data or information relating to patients, staff or any other confidential or sensitive data on your personal mobile device.
You must not store any Trust data or information on cloud storage accessed through your personal device.

If your personal device has been set up to access your Trust email account then you must inform Informatics Servicedesk on immediately if your device is mislaid, lost or stolen. In this instance, Informatics will remotely wipe your device. This will remove ALL data from your device, including personal data. In line with recommended good practice you should ensure that all your own data and information stored on your personal device is regularly backed up.

Your device will also be wiped if your security code is incorrectly entered more than 5 times.

The Trust is not responsible for any loss of data / information on your personal device through using its BYOD facility or as a result of a remote wipe.

Mobile Phones

Mobile phones should not be used to record images of patients.

Personal mobile phones should not be used to hold work information and Trust-owned mobile phones should not be used to store sensitive data in messages or photographs.

For further guidance on mobile phones please refer to the Mobile phone policy on Staffnet.

Digital Cameras / IPods / Mp3 Players

Digital cameras and other devices used to take images must be used in line with the Trust Patient Images Policy.

No sensitive data must be held on a digital camera, iPod or MP3 player but should be transferred to an approved storage device.

Cloud Storage

Cloud storage must not be used for storing sensitive (identifiable living or deceased individual, confidential data, commercially sensitive) data.

Cloud storage may occasionally be used where data has been approved as non-sensitive and available in the public domain (e.g. an informative presentation). However, care must be taken in the use of cloud storage and you must ensure that the data is not put at risk through breach of copyright, data ownership or breach of other Trust policies, codes of practice or legislation.

Where a member of staff chooses to store their own personal details regarding work on cloud storage (e.g. a shift rota pattern) then this is at their own risk and the Trust is not responsible for any misuse or inappropriate access to that data.
If other staff details are included (whether implicitly or explicitly) then explicit permission must be given by those staff members.

In order to protect its network, systems, data and information from risk of breaches of security, viruses and other malware, some cloud storage and particularly hosting services such as Dropbox will not be available through the Trust's network. For further details on Internet access please see the Trust's Internet and Email Usage Code of Practice.

Disposal of Redundant / Obsolete Trust IT Equipment

IM&T equipment may be classed as redundant / condemned (obsolete) when:

- It has failed and is beyond economic repair
- It is below recommended minimum specification and is not fit for its purpose of use

The Informatics department will confirm when a piece of IM&T equipment falls within the above.

Redundant / condemned IM&T equipment will be removed by the Informatics department or their nominated representative. No other person must remove redundant or condemned IM&T equipment without prior permission from the Informatics department.

Informatics will ensure that hard drives and other storage mediums are destroyed in line with governance standards to ensure that there is no risk of breach of confidentiality/security of the data/information stored on them.

In line with legislation such as Health and Safety, Electrical Regulations etc., redundant / condemned IM&T equipment is not sold to staff.

Trust IM&T equipment which is no longer required for its original purpose but still meets or exceeds minimum specification will be re-allocated within the Trust.

For further information regarding the above please contact the Informatics Service Desk.

For information on the safe disposal of Trust mobile phones please contact the Facilities department.

3 Dealing with Breaches of Security

Any breach or potential breach in security must be reported through the Trust Incident Reporting procedure.

A full investigation, following any reported breach, must be undertaken by appropriate Managers. Where required, external bodies must be notified of reported breaches.

Action required from the outcome of the investigation will be in line with appropriate Trust policies.

4 User Responsibility

This Code of Practice applies to all authorised users of Central Manchester University Hospitals NHS Foundation Trust (CMFT) data and systems including staff who are not employed by CMFT but use CMFT data or systems.

It is the responsibility of all users within CMFT to ensure that the computer systems and data are safe and secure. This includes physical access, such as ensuring unattended offices are locked, and system or data access, such as ensuring passwords are changed regularly and not disclosed to anyone else.

Each user is responsible for ensuring that no breaches of information security result from their actions.

Each user is responsible for reporting any breach, or suspected breach, of security.

Each user is responsible for ensuring that deletion or disposal of data or physical devices is in line with Trust policies and procedures. These include, but are not limited to, the Trust Record Keeping Policy and Trust Data Protection Policy.

Each user is responsible for ensuring that appropriate backups of data have been made, where data is stored locally and not held on centrally provided storage (e.g. network drive / SAN). For further information regarding backups, please log a call with the Trust Informatics Service Desk.

5 Manager Responsibility

Each manager must ensure that their staff, including those staff not employed by CMFT but under their management remit, are instructed in their security responsibilities and are aware of confidentiality clauses in their contract of employment.

Each manager must ensure that each member of staff only has access to systems or data which is appropriate to their job function.

Each manager must ensure that risk assessments in accordance with organisational policy and NHS Information Governance guidance are undertaken with regard to using laptops and transfer of sensitive data outside of the Trust.
Department Heads, or appropriate managers, must authorise the use of any laptop which is to be used outside premises owned by CMFT and ensure that additional authorisation has been obtained from the Trust Caldicott Guardian, or nominated officer, where the processing of sensitive data is proposed. Version: 0.2a Page 19 of 21

Each manager must ensure that any breach or potential breach of security in their area is investigated appropriately and recommended actions following the investigation are implemented. Each manager is also responsible for ensuring that any reported breach in security is disclosed to the appropriate authorities including external bodies such as the Information Commissioner's Office and the Police.

Each manager must ensure that the correct procedures are followed when staff transfer from their department or leave the employment of the Trust. This includes the return of all Trust devices such as laptops and removal of system / data access.

6 Informatics Responsibility

Informatics is responsible for:

- ensuring that all security and encryption devices or software meet the necessary standards as required by NHS Information Governance and other local policies and legislative acts.
- ensuring that appropriate guidance is available to all CMFT users in relation to data security and that this guidance is updated as technologies develop.
- ensuring that all PC installations undertaken by the Informatics department include the required level of security and encryption hardware / software and that security updates are applied in a timely manner.
- ensuring that appropriate hardware / software is deployed to protect the Trust from virus / malware.
- ensuring that in the event of a virus outbreak / attack, virus definitions and other appropriate patches are deployed in an emergency manner and that immediate action is taken to minimise the impact on the Trust of a virus attack.
- ensuring that redundant hard drives and other storage mediums passed to them are destroyed in line with governance standards to ensure that there is no risk of breach of confidentiality/security of the data/information stored on them.
- monitoring and analysing breaches of data security and ensuring corrective action is taken, including pro-active steps to reduce the risk of breach.
- undertaking audits, on a planned and spot-check basis, to ensure security and compliance with Trust guidelines.

Informatics reserves the right to take preventative action if a breach or potential breach of security is identified. This includes withdrawing the use of IT facilities until corrective actions have been undertaken and approved.

7 FURTHER INFORMATION

If further information is required regarding this Code of Practice or any security issue, please log a call with the Informatics Service Desk.


More information

Information Incident Management Policy

Information Incident Management Policy Information Incident Management Policy Change History Version Date Description 0.1 04/01/2013 Draft 0.2 26/02/2013 Replaced procedure details with broad principles 0.3 27/03/2013 Revised following audit

More information

This policy outlines different requirements for the use of PSDs based on the classification of information.

This policy outlines different requirements for the use of PSDs based on the classification of information. POLICY OFFICE OF THE INFORMATION COMMISSIONER Use of portable storage devices 1. Purpose A Portable Storage Device (PSD) is a mobile device capable of storing and transferring digital information. Examples

More information

Remote Access and Home Working Policy London Borough of Barnet

Remote Access and Home Working Policy London Borough of Barnet Remote Access and Home Working Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Remote Access and Home Working Policy Document Description This policy applies to home and

More information

Data Protection and Information Security Policy and Procedure

Data Protection and Information Security Policy and Procedure Data Protection and Information Security Policy and Procedure Document Detail Category: Data Protection Authorised By: Full Governing Body Author: School Business Manager Version: 1 Status: Approved May

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

CITY OF BOULDER *** POLICIES AND PROCEDURES

CITY OF BOULDER *** POLICIES AND PROCEDURES CITY OF BOULDER *** POLICIES AND PROCEDURES CONNECTED PARTNER EFFECTIVE DATE: SECURITY POLICY LAST REVISED: 12/2006 CHRISS PUCCIO, CITY IT DIRECTOR CONNECTED PARTNER SECURITY POLICY PAGE 1 OF 9 Table of

More information

Information Technology Security Policies

Information Technology Security Policies Information Technology Security Policies Randolph College 2500 Rivermont Ave. Lynchburg, VA 24503 434-947- 8700 Revised 01/10 Page 1 Introduction Computer information systems and networks are an integral

More information