USB Data Stick Procedure

Transcription

1 SH IG 41 INFORMATION SECURITY SUITE OF POLICIES Procedure for the Management of Personal Data Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: Next Review : This procedure details the process for ordering an encrypted data stick for use by staff as part of the management of personal information procedures. Data stick; USB stick; information security; mobile working; data transfers; All staff employed by Southern Health NHS Foundation Trust, Non-Executive Directors and Contractors. April 2019 (or earlier if required). Approved & Ratified by: Information Governance Group of meeting: 14/03/2016 issued: Author: Sponsor: Sharon France Information Governance Manager Lesley Barrington Head of Information Assurance 1

2 Version Control Change Record Author Version Page Reason for Change 02/04/2013 S France V1 All Update for SHFT 24/05/2013 S France V1 All IGG Approved 22/01/2016 S France V2 Formal review/general update, to include: The use of unencrypted data sticks for non PID. Pooled Assets Information Asset Owner Audit and Accountability. Loss of Data sticks. Update to Appendix A. Appendix B and C added. 25/01/16 P Whittle V2 All Formatting and added reallocation step Reviewers/contributors Name Position Version Reviewed & Lesley Barrington Head of Information Assurance V1 02/04/2013 Information Governance Group Membership for review V1 02/04/2013 Ed Purcell IT Security Specialist V2 10/02/2016 Donna Woolley Information Governance Facilitator V2 10/02/2016 Information Governance Group Membership for review V2 14/03/2016 2

3 Contents 1 Introduction 4 2 When to User a Data Stick 4 3 Alternatives to Data Sticks 4 4 Applying for an Encrypted Data Stick 5 5 Information Asset Owner (IAO) - Audit and Accountability 5 6 Lost or Stolen Data Stick Unencrypted Encrypted 6 Page Appendices A Encrypted USB Data Stick Request Form 7 B Unencrypted USB Data Stick Request Form 8 C Register for Data Sticks being used as a Pooled Asset 9 3

4 1 Introduction 1.1 Data sticks are small in size but can hold a significant amount of data. These characteristics make the devices convenient mechanisms to transfer electronic data but these same characteristics also increase the potential for the loss or theft of a device and the subsequent loss of data held on the device. This risk is effectively mitigated through the use of an encrypted stick as all the data on the device is unreadable, without the password to enable access to the files on the device. 2 When to Use a Data Stick 2.1 A data stick is NOT recommended for long term storage and should only be used as a means of safe transportation from one location to another. All Trust data should be downloaded as soon as practical and stored on secure network drives that are regularly backed-up. 2.2 Personal Information - Trust preferred Data sticks 2.3 If personal information is to be transferred via a data stick it must be via a Trust approved encrypted device which will be purchased via the Information Assurance Team, on completion of an approved request form - Appendix A. 2.4 Non-personal Information Unencrypted Data Sticks 2.5 These must NEVER be used for personal identifiable, or corporate sensitive information. The Information Asset Owner must be able to assure the Trust that unencrypted data sticks will only be used for the transfer of non-personal or non-sensitive information such as training resources (not considered commercially sensitive). 2.6 The use of these must also be noted by the Information Assurance Team and documented as an exception to using the Trust preferred SafeStick. 3 Alternatives to Data Sticks 3.1 The Information Asset Owner (IAO) has the responsibility of taking ownership of local asset control, risk assessment and management processes. Before approving a request for a data stick the IAO must: 3.2 Consider other alternative methods to transferring data before proceeding with the request for an encrypted device. 3.3 NHSmail considered NHSmail is the Trust preferred method and a secure way of transferring information but it has some limitations. The user needs an NHSmail account to send the message. The transfer will be secure if the data is sent to another NHSmail account or an account with one of the other public service organisations that are listed in SH IG 42 Procedure for the Management of Personal Information, available on the Trust web site. The maximum file size for an NHSmail transfer is 20MB. Data which is not Person Identifiable can be sent by ordinary Outlook . 4

5 3.4 Staff to have an encrypted laptop with a checkpoint account which allows for the data to be kept on a secure Trust server whilst the user gains access to the server/shared drives from a remote location (e.g. if working from home). 3.5 Staff to have a smart working laptop that is fully encrypted, and allows access to secure drives via 3G. 3.6 Staff are able to access to the NHS Secure File Transfer (SFT) process. Secure File Transfer (SFT) also requires the people at both ends to have NHSmail accounts but it can transfer files up to 1GB in size. SFT can be used from any Internet connection. More information about SFT is available at For use of file encryption to protect attachments sent via outlook please contact IT Service Desk Applying for an Encrypted Data Stick 4.1 If the alternatives listed above are not suitable and the member of staff wishes to proceed to use an encrypted data stick they should complete the request form, appendix A. 4.2 On receipt of the request form, if the Team Manager wishes to support the request they should sign it and provide the relevant budget code then pass to the relevant IAO for final authorisation. 4.3 The request form should be sent to the IG team for processing 4.4 hp-tr.informationassuranceteam@nhs.net 5 Information Asset Owner (IAO) - Audit and Accountability 5.1 IAO must keep a register of approved data sticks and their keepers, on their local IT equipment asset registers, for accountability and identification purposes. 5.2 Safesticks are allocated with a unique asset label by Information Governance (IG) that cross references the internal software serial number. 5.3 Note: nothing must be attached to the data stick that Identifies it belongs to the NHS or SHFT Identifies contents or data held on the data stick 5.4 Do not reveal the Password. 5.5 Some teams have a local process which requires a pool of data sticks. The IAO must ensure these data sticks are locally recorded and tracked on the Register for Data Sticks being used as a pooled Asset. Refer to Appendix D 5.6 IAO must notify the IG Team immediately if they plan to reallocate a Data Stick to another user and also complete Appendix A (for the new user). 5.7 IAO must retrieve any Datasticks from leavers and return them to IG for reallocation, please contact the IG Team on Any unencrypted datastick must be passed from hand to hand: it may not be posted or sent by courier. 5

6 5.9 IAO must review the purpose and need for each data stick at least annually and report back to the IG Team if there are any anomalies 6 Lost or Stolen Data Stick 6.1 Unencrypted In the event that an Unencrypted USB Data Stick is lost or stolen, the member of staff, upon discovery, must immediately: Report the loss to their Team Manager to enable; a) The amendment of the local IT Asset Register b) The loss is escalated to the relevant IAO Complete an incident form on Ulysses. The incident type - general category will be Information Governance and Confidentiality Breach and the subcategory will be Lost or Stolen Electronic/Equipment In the event that the Data Stick has Personal Information stored on it, a full assessment of the potential data breach MUST be undertaken to enable appropriate recording of severity and impact of the incident Inform the Information Assurance team NOTE: Transporting/storing personal identifiable information on an unencrypted USB Data Stick could result in disciplinary actions, or in the case where there is a potential breach of the data protection act, the incident may be reportable to the Information Commissioners Office. 6.2 Encrypted In the event that an encrypted USB Data Stick is lost or stolen, the member of staff, upon discovery, must immediately: Report the loss to their Team Manager to enable; a) The amendment of the local IT Asset Register b) The loss is escalated to the relevant IAO Complete an incident form on Ulysses. The incident type - general category will be Security Concern and the subcategory will be Loss or Missing Property Inform the Information Assurance team to enable them to update the Trust s Data Stick Asset Register. 6

7 Appendix A - Encrypted USB Data Stick Request Form Name Team Division Full base Location / Postal Address Contact Number Team Budget Cost Code (Sxxxxx) (Cost = per 4GB USB data stick) For what purpose is the USB data stick to be used? Please confirm the following in next column: It is not practical to retain the data on a secure Trust server and use Check Point for remote access. It is not practical to the data (using encrypted i.e. NHSmail, for personal data). It is not practical to transport the data on an encrypted Trust laptop. It is not practical to transfer the data via NHS Secure File Transfer (SFT) or approved dropbox, or WINZIP encryption The USB data stick will be used for appropriate information in accordance with the Data Protection Act. The USB data stick will be kept in a secure place, using the same level of care as is applied to laptops. The USB data stick will be returned to Information Asset Owner if it is no longer required or its use no longer authorised. Does the Information Asset Owner accept the proposed use of the data stick? (please circle Y or N) Y / N The Information Asset Owner (IAO) has the responsibility of taking ownership of local asset control, risk assessment and management processes before approving this request for a data stick. The requester is accountable to the IAO for ensuring appropriate use of the USB data stick. Is this request for a new Datastick or reallocation of previous purchase (Please circle New or Reallocation) Signature of Requester NEW REALLOCATION PRINT Requester s name Signature of Line Manager PRINT Line Manager s name Signature of Information Asset Owner (IAO) PRINT IAO s name Send completed forms to hp-tr.informationassuranceteam@nhs.net 7

8 Appendix B Unencrypted USB Data Stick Request Form For the transfer of Non-Personal and Non-Corporate Sensitive Information Name Team Division Contact Number Full base Location / Postal Address For what purpose is the USB data stick to be used? Please confirm the following in next column: The Unencrypted USB data stick will only be used for the transfer of Non-Personal Information The Unencrypted USB data stick will not be used for the transfer of Corporate Sensitive Information It is not practical to transport the data on an encrypted Trust laptop. The USB data stick will be returned to Information Asset Owner if it is no longer required or its use no longer authorised. Does the Information Asset Owner accept the proposed use of the data stick? (please circle Y or N) Y / N The Information Asset Owner (IAO) has the responsibility of taking ownership of local asset control, risk assessment and management processes before approving this request for a data stick. The requester is accountable to the IAO for ensuring appropriate use of the USB data stick. Signature of Requester PRINT Requester s name Signature of Information Asset Owner (IAO) PRINT IAO s name Send completed forms to hp-tr.informationassuranceteam@nhs.net 8

9 Appendix C - Register for Data Sticks being used as a Pooled Asset Division / Team Base Location Information Asset Owner (IAO) Your datastick will have an asset sticker similar to the example on the left. This is a unique number and is cross referenced with the serial number in our asset data base. It is the responsibility of the IAO to ensure datasticks are accounted for and to be able to demonstrate this during any audit spot checks. Datastick asset No. Where is the Datastick being assigned to e.g. clinic, training session etc. taken DD/MM/YY Print Name Signature returned DD/MM/YY Contents erased Y/N Print name Signature 9