Policies and Procedures. Policy on the Use of Portable Storage Devices

Transcription

1 Policies and Procedures Policy on the Use of Date Approved by Trust Board Version Issue Date Review Date Lead Person One May 2008 Dec 2012 Head of ICT Two Dec 2012 Dec 2014 Head of ICT Procedure /Policy number IMxx.V1 Procedure /Policy type Information Governance Policy 1 of 9

2 Contents Page No 1 Introduction 3 2 Background 3 3 Definitions 3 4 Risks 4 5 Authorised use of portable storage devices 5 6 Relevant Policies and Legislation 5 7 Scope 6 8 Responsibilities 6 9 Implementation and awareness 6 10 Reporting Procedures 6 11 Review and Monitoring 6 Appendices A B C Signature Sheet Data Log Transfer of Portable Storage Device 2 of 9

3 1.0 Introduction 1.1 There is a wide range of portable storage devices available, capable of holding huge amounts of data at relatively little cost. This policy has been developed to instruct staff in what the Trust policy is for use of these devices. Staff should observe these polices and be aware of the risks associated with the use of these devices, the limitations on their use and how they may be used in a controlled manner. 2.0 Background 2.1 There has been much publicity surrounding the loss of personal data in transit in both the public and private sector. Some incidents have involved the NHS, including the loss of numerous patient records. This has focussed attention on how organisations can best safeguard the data with which they are entrusted. This policy is part of the Trust s provision of guidance on the various data transfer methods in use to ensure good practice is followed. 3.0 Definitions 3.1 The term staff is used generically and covers all persons with access to Trust data including contractors and employees of the Trust. 3.2 The term confidential includes personal data (see below). The term also includes financial and operational data that should not be disclosed. Example reasons for non-disclosure include, but are not restricted to, the following: Financial data - disclosure of detailed building refurbishment costs could provide an outside body with a commercial advantage. Operational data disclosure of certain information regarding site security could compromise the Trust s business. 3.3 The term personal data includes data from which an individual can be identified or data which can contribute to the identification of an individual. Examples of personal data include name, address, video image, health records etc. 3.4 The terms data and information are used interchangeably. Examples include, but are not limited to, the following: MRI Images Computer files created using MS Office products such as Word and Excel PET/CT scans Case notes 3 of 9

4 3.5 The term storage device covers any medium that is capable of storing computerized data. The term portable means the medium may be connected to a different computer where data may be transferred, copied, read, amended or deleted. Examples of portable storage devices include, but are not limited to, the following: USB memory sticks Digital cameras Mobile telephones PDAs MP3 players, e.g. an ipod External hard drives Floppy discs, CDs and DVDs 3.6 Internal hard drives in PCs must not be used to store data. These drives are thus not treated as portable storage devices for the purposes of this policy. 4.0 Risks 4.1 Risks associated with the use of portable storage devices include, but are not limited to, the following: In the case of unauthorised use of a portable storage device, staff could be liable to prosecution under the Misuse of Computers Act Loss of Trust data, in which case staff may be liable to prosecution under the Data Protection Act 1998, may be effected in a number of ways: o o o The device may be lost or stolen. An authorised user may access data in an insecure physical environment, allowing data to be viewed by unauthorised persons. An authorised user may access data via an insecure computer, allowing data to be stolen by unauthorised persons. Spread of computer viruses and other malicious programmes from one computer to another. The data stored could be treated as if it were current even though it may have become out of date. Data held on the device is not backed up. Data held on the device is updated and the data held on the server is not, resulting in multiple, unsynchronised versions of the data. 4 of 9

5 5.0 Authorised use of portable storage devices 5.1 All Trust data must be stored on the appropriate server. Data may only be transferred from the server to a portable storage device as follows: Trust staff must only used portable storage devices provided by the Trust to store and process sensitive or health care related data. The use of personal storage devices for sensitive or health related data is strictly prohibited. In such cases, the device must have been supplied by the Trust and be used for the sole use of Trust business. Personal data sticks may be used for personal education, training purposes but must not contain sensitive data. Personal, medical or otherwise sensitive data must not be stored in unencrypted form on any portable computer storage media. The storage of unencrypted sensitive data on such devices is strictly prohibited. It must be absolutely necessary to transfer the data to a portable device for subsequent access on a different computer in order to conduct the Trust s business. The device must be available on request for inspection by the Trust IT manager. The IT department will keep a log of all portable storage devices issued and will allocate a named nominal owner to each. Data must be deleted from the device when no longer required. A description of all sensitive bulk data (file or files contain sensitive information about more than 10 patients) held on portable devices must be logged. (Appendix B) Where possible the device should bear a label displaying the number of its log entry and indicating the data present on the device. All devices held on Trust premises, whether containing data or not, must be securely stored. Staff must take personal responsibility for the safekeeping and, where appropriate, the safe return of storage devices removed from Trust premises. Where a portable storage device is passed to a non-trust body the IT department must be notified immediately via a signed form as set out in Appendix C. 5 of 9

6 6.0 Relevant Policies and Legislation 6.1 Relevant Trust policies include: IM&T Security Policy Data Protection Act and Access to Patient Records Trust Confidentiality Code of Conduct Staff and Public Disclosure Policy 6.2 Relevant legislation includes: Data Protection Act 1998 Access to Health Records Act Scope 7.1 This policy relates to the transfer of Trust data onto any removable storage device. This includes information relating to patients, expatients, staff, ex-staff, Trust financial matters and Trust operational issues. All staff are required to adhere to this policy. 8.0 Responsibilities 8.1 Managers are responsible for ensuring all staff adhere to this policy. 9.0 Implementation and Awareness 9.1 This policy should be implemented from the Issue Date. Managers should employ the Signature Sheet at Appendix A to ensure all their staff are aware of policy contents Reporting Procedures 10.1 All cases of deviation from this policy must be reported in accordance with incident management policies set out in the Trust IM&T Security Policy Review and Monitoring 11.1 This policy will be reviewed at two-yearly intervals or whenever a material change occurs. The content of relevant incident reports will be used to inform reviews. 6 of 9

7 Signature Sheet Policy on the Use of Appendix A This sheet should be used to record the names of staff members who have read and understood the above policy document. Name (please print) Job Title Date Signature 7 of 9

8 Data Log [Department Name] Appendix B Example 1 Device No: 1 Device Type: USB stick Category of data held: medical Current Owner Dr Who List of data held: Item Description No. 1 Medical notes for 52 ortho. patients Date copied to device 01/02/yyyy Date deleted 17/03/yyyy Notes 3 Radiology images for patients x,y,z etc. 13/02/yyyy 8 of 9

9 Appendix C South Tyneside NHS Foundation Trust Transfer of Portable Storage Device From: Department Name: Device Owner: Device Number: Device Type: I have transferred this device to the receiving person identified below. Signed: Date: To - Receiving Person: Organisation Name: Department: I acknowledge receipt of the device identified above. I undertake to ensure the data contained on the device will be treated strictly in accordance with the Data Protection Act 1998 and all other legislation relevant to its safekeeping. When the data is no longer required I further undertake to either: (a) Permanently delete data from the device, and will inform Tyneside NHS Foundation Trust accordingly or (b) Return the device intact to South Tyneside NHS Foundation Trust. Signed: Date: 9 of 9