Appendices Device Destruction/ Disposal process 7

Transcription

1 IM&T Electronic Information Security Policy Classification: Policy Lead Author: Jym Bates, Head of Information Assurance Additional author(s): N/A Authors Division: Corporate (IM&T) Unique ID: TI4(09) Issue number: 7.00 Expiry Date: November 2017 Contents Section Page Who should read this document 2 Key Messages 2 What is new in this version 2 Policy/Procedure/Guideline 2 Storage of Person Identifiable Information (PII) 3 Destruction of Trust Hardware 3 Research 4 Purchase of New Computer Hardware 4 Standards 5 Explanation of terms/ Definitions 5 References and Supporting Documents 5 Roles and Responsibilities 5 Appendices Device Destruction/ Disposal process 7 Document control information (Published as separate document) Document Control Policy Implementation Plan Monitoring and Review Endorsement Equality analysis Page 1 of 11

2 Who should read this document? This document is required reading for All IM&T staff Information Asset Owners All Trust staff as users of Trust Hardware and users of Trust data Key Messages This is an over-arching policy that represents the contents of the Trust s information governance policies in relation to the security of electronic PII. To allow the contemporaneous, effective and efficient treatment of patients and the day-to-day processes that underpin this care; Salford Royal NHS Foundation Trust (SRFT) has a requirement to process Person Identifiable Information (PII). This information can belong to patients, visitors, staff and other individuals and must be processed in line with the Data Protection Act (1998). What is new in this version? Expansion of definitions PII - Person Identifiable Information PIA - Privacy Impact Assessment reference to these for intended storage of PII outside UK ipads, any devices falling under the BYOD Policy No PII can be transferred using SMS / Text messaging services. Medical Equipment Hardware Destruction Process Research R&D as contact point Students require clinician authorisation, IG as contact point All access to patient information to support Trust Audit must have Trust Clinical Audit approval in place. Where appropriate contact the Clinical Audit team for supporting process on Audit consent approvals. All hardware in use by the Trust will be recorded and monitoring via the Asset Register. All Purchased of New Computer Hardware will require division sign off, as part of approval processes. Policy/ Guideline/ Protocol This Policy is aligned to the Trust Information Governance Policies and Data Protection principles for the governance of Information Security. Staff who fail to comply with this policy will be subjected to the Trust s disciplinary procedure. Page 2 of 11

3 Storage of Person Identifiable Information (PII) To maintain security of PII, PII must be stored on Trust approved systems, registered on the Trust Information Asset Register e.g. PAS, Electronic Patient Record (EPR), Medisec or on NHS systems e.g. CRIS, ESR. Each of these systems will be held on the Trust network which is secure to NHS standards. Any PII stored electronically locally by a service, outside a Trust approved system, must only be stored on a SRFT network drive. PII must not be stored on laptops, external storage devices e.g. hard drives, memory sticks, PDAs, CD / DVD ROMS, ipads, any devices falling under the BYOD Policy. If PII is to be stored outside the UK, a PIA (Privacy Impact Assessment) must be completed and discussed with the Head of Information Assurance In the case of national systems these will be accessed via Trust approved secure links, maintaining the security of data; however data is not stored by the Trust. Transfer of (Person Identifiable Information) PII Electronic transfer of PII must only be performed in accordance with the Trust s policy. No PII can be transferred using SMS / Text messaging services. PII should only be transferred when necessary to do so. Consideration to redaction should be made. Where transfers cannot be made by secure (NHS.net to NHS.net) files must be encrypted. All staff are responsible for each PII transfer the make to ensure this done securely PII may be transferred using encrypted laptops, encrypted external storage devices e.g. hard drives, memory sticks, PDAs, CD / DVD ROMS for work reasons alone e.g. working out of the office, case conferences etc. However the data must not be copied onto any non-trust / NHS system. Only Trust purchased encrypted laptops and external encrypted storage devices can be used to transfer (temporarily store) PII. All Trust laptops and external storage devices must be encrypted by the Trust IM&T department before use. It is the user s responsibility to ensure this occurs. Following the completion of the specific purpose that the PII was copied onto the laptop or external storage for, it must be deleted immediately. IM&T department must be contacted for advice in regards to data deletion. PII should not be transferred outside the UK. Where there is a need to do this, as routine or a one off transfer, this must be approved by the Deputy Chief Information Officer, Assurance & the PMO Page 3 of 11

4 Destruction of Trust Hardware All Trust hardware must be disposed of securely It is the main user of the equipment s responsibility to ensure that old equipment is stored securely until collection. IT Hardware Process Contact IM&T Service Desk and request removal IM&T will remove the hardware in the case of laptops and desktops. In the case of external storage devices e.g. hard drives, memory sticks, PDAs, CD / DVD ROMS, these should be delivered to the IM&T service desk for destruction Medical Equipment Hardware Process Medical Equipment with capacity to hold PII requires secure destruction. Contact Medical Physics who will arrange for collection and secure destruction. Research All patients who are having their personal data used as part of a research study must consent to this use of their information. Where appropriate contact R&D staff for the supporting process on Research consent approvals. All students must have clinical authorisation prior to access any PII for study support purposes. Where appropriate contact the Information Governance team for the supporting process on Study consent approvals. All access to patient information to support Trust Audit must have Trust Clinical Audit approval in place. Where appropriate contact the Clinical Audit team for the supporting process on Audit consent approvals. No PII is to be stored outside of Trust approved systems. Patients information for Research must be anonymised before transfer outside of the Trust, staff should seek assistance with this via IM&T Service desk where required. The sender of any information is accountable to ensure any release of information in anonymised prior to its release. Purchase of New Computer Hardware All hardware to be used on Trust systems must be purchased through the IM&T department. All hardware in use at the Trust will be recorded and monitored via the Trust Asset Register. Data will not be copied from old PC kit to new kit, where it is discovered that staff have held information on local drives, this will be transferred to an appropriate network drive. All Purchases of New Computer Hardware will require divisional sign off, as part of approval processes. Page 4 of 11

5 Standards Principle 7 of the Data Protection Act outlines the Trusts requirement to ensure the Security of all Person Identifiable Information held by the Trust. The Trust follows guidance set out in the Information Security Management: NHS Code of Practice. The Trust adheres to level 2 of Information Security standards within the Information Governance Toolkit, and strives to achieve level 3 standards. Explanation of terms & Definitions PII Person Identifiable Information. PII is any data that allows the identification of an individual. On the whole this can be seen as two or more factors e.g. name and date of birth. The more information stored in relation to an individual the more chance of the said individual being identified. PIA Privacy Impact Assessment Processing relates to the collection, recording, storage, transfer, retrieval and destruction of PII. References and Supporting Documents All Information Governance Policies All IM&T Trust Policies All Trust Record Management Policies Information Security Management: NHS Code of Practice. Records Management NHS Code of Practice Data Protection Act 1998 Health and Social Care Act 2012 Roles and responsibilities The Executive Director of Finance / SIRO The Executive Director of Finance will support the principles outlined in this policy and champion its implementation. The Executive Director for Finance as SIRO is accountable to the Trust Board for ensuring compliance with this policy across the Trust. Information Governance Steering Group Compliance with this policy will be assessed through the Trusts adverse incident reporting system and will be reviewed at the Information Governance Steering Group through summary reports. The Chief Information Officer The Chief Information Officer will ensure that appropriate mechanisms (both physical and electronic) are in place to provide security to the Trust s information systems. All systems will be tested on an annual basis as part of the Information Governance Toolkit Audit cycle. Page 5 of 11

6 Deputy Chief Information Officer, Assurance & the PMO The Deputy Chief Information Officer, Assurance & the PMO will ensure that this policy is maintained and updated to reflect changes in legislation, NHS requirements or circumstances. The Deputy Chief Information Officer, Assurance & the PMO has the delegated responsibility from the Chief Information Officer for defining, documentation and providing assurance in regards to user and system access controls. The Deputy Chief Information Officer, Assurance & the PMO will ensure that appropriate publicity and training is provided to ensure that all staff in the Trust are aware of the procedures that they should follow to comply with this policy. The Deputy Chief Information Officer, Assurance & the PMO will monitor compliance with this policy. All Department Managers To ensure that they bring this policy to the attention of any staff working under them and facilitate the adoption of the principles and practices as laid out in this policy. To ensure that any system holding personal data is adequately protected by access mechanisms as described in this policy. Report any contravention to the Deputy Chief Information Officer, Assurance & the PMO, to the Human Resources department and will ensure that an adverse incident report is raised. Information Governance Manager To monitor legislation and NHS requirements together with changes within the Trust in order to review this policy and its implementation. To monitor compliance with this policy through the Adverse Incident Reporting System. IAO Information Asset Owners Information Asset Owners are to ensure that annual risk assessments are carried out for systems to which they are accountable. Any relevant action plans are developed and implemented to reduce any identified risks. Where necessary make recommendations to the Deputy Chief Information Officer, Assurance & the PMO for Trust wide solutions. Human Resources Human resources will ensure that the employee contract includes a form of words to ensure that all employees have an obligation to ensure the confidentiality of all personal information. Human Resources will ensure that the employee contract is signed before the commencement of employment. All Staff All individuals who work within, or under contract to, the Trust have a general responsibility for the information that they create or use in the performance of their responsibilities. All members of the Trust s staff will keep themselves informed of the various versions of this Policy as they are published by checking the Trust s Intranet for updates. All members of the Trust s Staff will comply with the requirements of this policy. Page 6 of 11

7 Appendices IM&T working Protocols are included as Appendices to this Policy Appendix 1 Device Destruction/ Disposal process Device Destruction/Disposal Procedure Document Document Properties Details Authors Robert Edwards/Nigel Care/Kevin Blow Document Type Procedure Development Area IM&T Document Version V3 Creation Date 12/05/2009 (Update 12/08/13) System All systems Change Request / Project Number N/A Approval List / Circulation List Name Role Contact Date Authorised Ste McNeill Service Desk Manager Christian Henson Service Delivery Manager Jym Bates Head of Information Assurance Overview This document details the procedure for the destruction and disposal of any IT equipment. Roles Responsibilities It is the responsibility of the user to log a call for the destruction/disposal of equipment with the IM&T service desk. It is the responsibility of the attending break fix technician to complete the IMT&T device destruction sheet and hand back to the procurement officer. It is the responsibility of the procurement officer to decide if the device is no longer of any use to the Trust, If it is of use the procurement officer should arrange for the device to be taken into stock and catalogued. Updated on the Asset Register. If the device if no longer of any use the procurement officer should arrange for the disposal of the device. Page 7 of 11

8 Device Disposal/Destruction process Stage #1 Identify that a PC needs to be taken out of production A device for decommissioning will be received either by request of the user (via the IM&T Service Desk), or as a result of a Service Call for a replacement device. User logs call with Service desk for device decommission When the call is logged the impact should be set to SRFT SR PC Laptop decommission An will be sent out to the break fix manager (if absent this should be picked up by covering manager) who will then assign the call to the break fix technician assigned to moves for completion within SLA If the required disposal is the result of a new hardware installation then the installing technician should perform the below steps as part of the install job. Technician meets with the user and retrieves the device Stage #2 Assess the worth of the device The asset officer will (with the advice of the technician) assess the worth of the device and the devices components to the Trust. Should the device or device components be judged to still be of value to the Trust, then the asset officer should place these into the store room; cataloguing this on the asset management tool. Should the asset officer (after consultation), consider the device or device components to no longer be of any value to the Trust; then he should arrange for the technician to carry out Stage #3 Stage #3 Decommission and remove the device from the network Technician completes IM&T device destruction form located here Decommission Form Technician removes the Hard Drive from the device; label it with the serial number and place in blue shredding bin located in the STOCK room. Technician places the Device in the cage in the STOCK room it should then be put back together to help correctly identify the device during the handover to the WEEE disposal company. (Monitors, printers and other equipment for disposal will remain in cage in the Workshop area until taken away by the recycling company). The technician will connect to Active Directory management tool, disable the computer account and then move the computer account into the SRHT\Hope\Computers\Deactivated OU. The technician will then update the configuration item for the device in HPOV, to reflect the new status of the device ( Decommissioned ) and its location. The technician will also copy the decommissioning form onto the configuration item record. Page 8 of 11

9 For Laptop PCs only Open \\srhtfilec3\laptopprofile$ Locate the host name in the list. Delete all files associated with the host name. E.g. If SRHT-ISC-WS10 is to be decommissioned; the following files need to be deleted: Stage # 4 Removal of Software licenses from the PC The asset officer will identify what licenced software is registered to the device; un-relate the device CI from the Software CI (Fig 2) and update the Actual Installations field on the CI to reflect any changes in numbers (Fig1). Fig1 Fig2 Page 9 of 11

10 Stage # 5 - Disposal of the Asset by WEEE Registered Companies The asset officer will then arrange disposal of the device through a WEEE registered Disposal Company (see sections PC/Laptop Disposal by WEEE Registered Company and Hard Drive Disposal by WEEE Registered Company ). Prior to the disposal company arriving on-site, the asset officer will verify that the number of pc s/laptops consigned for disposal, matches the number of decommission forms sent through and that the details of the devices match the details entered on the form. Additionally, the devices are checked to confirm that the hard drives have been removed. The asset officer will log a job ticket for the work to take place. This will then have any relevant documentation scanned and attached for auditing purposes. The asset officer will watch the loading of the decommissioned devices onto the vehicle, in order that only the verified devices are removed. The asset officer will verify the number of devices recorded by the disposal company matches the number of devices removed from site. The asset officer will then update the configuration item to reflect the new status of the device ( WEEE Disposal ) and its location. Stage # 6 - Hard Drive Disposal by WEEE Registered Company The asset officer must arrange disposal of all hard drives through a WEEE registered Disposal Company and the destruction must take place on-site. Prior to the disposal company arriving on-site, the asset officer will count the number of hard drives placed in the shredding bin. The asset officer will log a job ticket for the work to take place. This will then have any relevant documentation scanned and attached for auditing purposes. It is an IG requirement that the asset officer or designated other, watches the disposal process from start to finish to verify every hard drive is destroyed. The asset officer will then verify that the number of hard drives recorded as being destroyed matches the number recorded prior to the company arriving on-site. Page 10 of 11

11 Page 11 of 11