Appendices Device Destruction/ Disposal process 7
- Colin Watson
- 7 years ago
IM&T Electronic Information Security Policy

Classification: Policy
Lead Author: Jym Bates, Head of Information Assurance
Additional author(s): N/A
Authors Division: Corporate (IM&T)
Unique ID: TI4(09)
Issue number: 7.00
Expiry Date: November 2017

Contents
- Who should read this document
- Key Messages
- What is new in this version
- Policy/Procedure/Guideline
- Storage of Person Identifiable Information (PII)
- Destruction of Trust Hardware
- Research
- Purchase of New Computer Hardware
- Standards
- Explanation of terms/ Definitions
- References and Supporting Documents
- Roles and Responsibilities
- Appendices: Device Destruction/ Disposal process

Document control information (Published as separate document)
- Document Control
- Policy Implementation Plan
- Monitoring and Review
- Endorsement
- Equality analysis

Page 1 of 11
Who should read this document?

This document is required reading for:
- All IM&T staff
- Information Asset Owners
- All Trust staff as users of Trust Hardware and users of Trust data

Key Messages

This is an over-arching policy that represents the contents of the Trust's information governance policies in relation to the security of electronic PII.

To allow the contemporaneous, effective and efficient treatment of patients and the day-to-day processes that underpin this care, Salford Royal NHS Foundation Trust (SRFT) has a requirement to process Person Identifiable Information (PII). This information can belong to patients, visitors, staff and other individuals and must be processed in line with the Data Protection Act (1998).

What is new in this version?

- Expansion of definitions
  - PII - Person Identifiable Information
  - PIA - Privacy Impact Assessment reference to these for intended storage of PII outside UK
- iPads, any devices falling under the BYOD Policy
- No PII can be transferred using SMS / Text messaging services.
- Medical Equipment Hardware Destruction Process
- Research: R&D as contact point
- Students require clinician authorisation, IG as contact point
- All access to patient information to support Trust Audit must have Trust Clinical Audit approval in place. Where appropriate contact the Clinical Audit team for supporting process on Audit consent approvals.
- All hardware in use by the Trust will be recorded and monitored via the Asset Register.
- All Purchases of New Computer Hardware will require divisional sign off, as part of approval processes.

Policy/ Guideline/ Protocol

This Policy is aligned to the Trust Information Governance Policies and Data Protection principles for the governance of Information Security.

Staff who fail to comply with this policy will be subjected to the Trust's disciplinary procedure.
Storage of Person Identifiable Information (PII)

To maintain security of PII, PII must be stored on Trust approved systems, registered on the Trust Information Asset Register e.g. PAS, Electronic Patient Record (EPR), Medisec or on NHS systems e.g. CRIS, ESR. Each of these systems will be held on the Trust network which is secure to NHS standards.

Any PII stored electronically locally by a service, outside a Trust approved system, must only be stored on a SRFT network drive.

PII must not be stored on laptops, external storage devices e.g. hard drives, memory sticks, PDAs, CD / DVD ROMS, iPads, or any devices falling under the BYOD Policy.

If PII is to be stored outside the UK, a PIA (Privacy Impact Assessment) must be completed and discussed with the Head of Information Assurance.

In the case of national systems these will be accessed via Trust approved secure links, maintaining the security of data; however data is not stored by the Trust.

Transfer of Person Identifiable Information (PII)

Electronic transfer of PII must only be performed in accordance with the Trust's policy.

- No PII can be transferred using SMS / Text messaging services.
- PII should only be transferred when necessary to do so. Consideration to redaction should be made.
- Where transfers cannot be made by secure (NHS.net to NHS.net), files must be encrypted.
- All staff are responsible for each PII transfer they make, to ensure this is done securely.

PII may be transferred using encrypted laptops, encrypted external storage devices e.g. hard drives, memory sticks, PDAs, CD / DVD ROMS for work reasons alone e.g. working out of the office, case conferences etc. However the data must not be copied onto any non-trust / NHS system.

Only Trust purchased encrypted laptops and external encrypted storage devices can be used to transfer (temporarily store) PII.

All Trust laptops and external storage devices must be encrypted by the Trust IM&T department before use. It is the user's responsibility to ensure this occurs.
Following the completion of the specific purpose that the PII was copied onto the laptop or external storage for, it must be deleted immediately. The IM&T department must be contacted for advice in regards to data deletion.

PII should not be transferred outside the UK. Where there is a need to do this, as routine or a one off transfer, this must be approved by the Deputy Chief Information Officer, Assurance & the PMO.
Destruction of Trust Hardware

All Trust hardware must be disposed of securely. It is the responsibility of the main user of the equipment to ensure that old equipment is stored securely until collection.

IT Hardware Process

- Contact IM&T Service Desk and request removal.
- IM&T will remove the hardware in the case of laptops and desktops.
- In the case of external storage devices e.g. hard drives, memory sticks, PDAs, CD / DVD ROMS, these should be delivered to the IM&T service desk for destruction.

Medical Equipment Hardware Process

- Medical Equipment with capacity to hold PII requires secure destruction.
- Contact Medical Physics who will arrange for collection and secure destruction.

Research

All patients who are having their personal data used as part of a research study must consent to this use of their information. Where appropriate contact R&D staff for the supporting process on Research consent approvals.

All students must have clinical authorisation prior to accessing any PII for study support purposes. Where appropriate contact the Information Governance team for the supporting process on Study consent approvals.

All access to patient information to support Trust Audit must have Trust Clinical Audit approval in place. Where appropriate contact the Clinical Audit team for the supporting process on Audit consent approvals.

No PII is to be stored outside of Trust approved systems.

Patients' information for Research must be anonymised before transfer outside of the Trust; staff should seek assistance with this via IM&T Service desk where required. The sender of any information is accountable for ensuring that any release of information is anonymised prior to its release.

Purchase of New Computer Hardware

All hardware to be used on Trust systems must be purchased through the IM&T department.

All hardware in use at the Trust will be recorded and monitored via the Trust Asset Register.
Data will not be copied from old PC kit to new kit; where it is discovered that staff have held information on local drives, this will be transferred to an appropriate network drive.

All Purchases of New Computer Hardware will require divisional sign off, as part of approval processes.
Standards

Principle 7 of the Data Protection Act outlines the Trust's requirement to ensure the Security of all Person Identifiable Information held by the Trust.

The Trust follows guidance set out in the Information Security Management: NHS Code of Practice.

The Trust adheres to level 2 of Information Security standards within the Information Governance Toolkit, and strives to achieve level 3 standards.

Explanation of terms & Definitions

PII: Person Identifiable Information. PII is any data that allows the identification of an individual. On the whole this can be seen as two or more factors e.g. name and date of birth. The more information stored in relation to an individual, the more chance of the said individual being identified.

PIA: Privacy Impact Assessment.

Processing: relates to the collection, recording, storage, transfer, retrieval and destruction of PII.

References and Supporting Documents

- All Information Governance Policies
- All IM&T Trust Policies
- All Trust Record Management Policies
- Information Security Management: NHS Code of Practice
- Records Management NHS Code of Practice
- Data Protection Act 1998
- Health and Social Care Act 2012

Roles and responsibilities

The Executive Director of Finance / SIRO

The Executive Director of Finance will support the principles outlined in this policy and champion its implementation. The Executive Director for Finance as SIRO is accountable to the Trust Board for ensuring compliance with this policy across the Trust.

Information Governance Steering Group

Compliance with this policy will be assessed through the Trust's adverse incident reporting system and will be reviewed at the Information Governance Steering Group through summary reports.

The Chief Information Officer

The Chief Information Officer will ensure that appropriate mechanisms (both physical and electronic) are in place to provide security to the Trust's information systems.
All systems will be tested on an annual basis as part of the Information Governance Toolkit Audit cycle.
Deputy Chief Information Officer, Assurance & the PMO

The Deputy Chief Information Officer, Assurance & the PMO will ensure that this policy is maintained and updated to reflect changes in legislation, NHS requirements or circumstances.

The Deputy Chief Information Officer, Assurance & the PMO has the delegated responsibility from the Chief Information Officer for defining, documenting and providing assurance in regards to user and system access controls.

The Deputy Chief Information Officer, Assurance & the PMO will ensure that appropriate publicity and training is provided to ensure that all staff in the Trust are aware of the procedures that they should follow to comply with this policy.

The Deputy Chief Information Officer, Assurance & the PMO will monitor compliance with this policy.

All Department Managers

- To ensure that they bring this policy to the attention of any staff working under them and facilitate the adoption of the principles and practices as laid out in this policy.
- To ensure that any system holding personal data is adequately protected by access mechanisms as described in this policy.
- To report any contravention to the Deputy Chief Information Officer, Assurance & the PMO and to the Human Resources department, and to ensure that an adverse incident report is raised.

Information Governance Manager

- To monitor legislation and NHS requirements together with changes within the Trust in order to review this policy and its implementation.
- To monitor compliance with this policy through the Adverse Incident Reporting System.

IAO Information Asset Owners

Information Asset Owners are to ensure that annual risk assessments are carried out for systems for which they are accountable, and that any relevant action plans are developed and implemented to reduce any identified risks. Where necessary they make recommendations to the Deputy Chief Information Officer, Assurance & the PMO for Trust wide solutions.
Human Resources

Human Resources will ensure that the employee contract includes a form of words to ensure that all employees have an obligation to ensure the confidentiality of all personal information.

Human Resources will ensure that the employee contract is signed before the commencement of employment.

All Staff

All individuals who work within, or under contract to, the Trust have a general responsibility for the information that they create or use in the performance of their responsibilities.

All members of the Trust's staff will keep themselves informed of the various versions of this Policy as they are published by checking the Trust's Intranet for updates.

All members of the Trust's staff will comply with the requirements of this policy.
Appendices

IM&T working Protocols are included as Appendices to this Policy.

Appendix 1 Device Destruction/ Disposal process

Device Destruction/Disposal Procedure Document

Document Properties
Authors: Robert Edwards/Nigel Care/Kevin Blow
Document Type: Procedure
Development Area: IM&T
Document Version: V3
Creation Date: 12/05/2009 (Update 12/08/13)
System: All systems
Change Request / Project Number: N/A

Approval List / Circulation List
Name | Role | Contact | Date Authorised
Ste McNeill | Service Desk Manager | |
Christian Henson | Service Delivery Manager | |
Jym Bates | Head of Information Assurance | |

Overview

This document details the procedure for the destruction and disposal of any IT equipment.

Roles and Responsibilities

- It is the responsibility of the user to log a call for the destruction/disposal of equipment with the IM&T service desk.
- It is the responsibility of the attending break fix technician to complete the IM&T device destruction sheet and hand it back to the procurement officer.
- It is the responsibility of the procurement officer to decide if the device is no longer of any use to the Trust. If it is of use, the procurement officer should arrange for the device to be taken into stock, catalogued and updated on the Asset Register. If the device is no longer of any use, the procurement officer should arrange for the disposal of the device.
Device Disposal/Destruction process

Stage #1 Identify that a PC needs to be taken out of production

A device for decommissioning will be received either by request of the user (via the IM&T Service Desk), or as a result of a Service Call for a replacement device.

- User logs call with Service desk for device decommission.
- When the call is logged the impact should be set to SRFT SR PC Laptop decommission.
- An will be sent out to the break fix manager (if absent this should be picked up by the covering manager) who will then assign the call to the break fix technician assigned to moves, for completion within SLA.
- If the required disposal is the result of a new hardware installation then the installing technician should perform the below steps as part of the install job.
- Technician meets with the user and retrieves the device.

Stage #2 Assess the worth of the device

The asset officer will (with the advice of the technician) assess the worth of the device and the device's components to the Trust.

Should the device or device components be judged to still be of value to the Trust, then the asset officer should place these into the store room, cataloguing this on the asset management tool.

Should the asset officer (after consultation) consider the device or device components to no longer be of any value to the Trust, then he should arrange for the technician to carry out Stage #3.

Stage #3 Decommission and remove the device from the network

- Technician completes the IM&T device destruction form located here: Decommission Form.
- Technician removes the Hard Drive from the device, labels it with the serial number and places it in the blue shredding bin located in the STOCK room.
- Technician places the Device in the cage in the STOCK room; it should then be put back together to help correctly identify the device during the handover to the WEEE disposal company. (Monitors, printers and other equipment for disposal will remain in the cage in the Workshop area until taken away by the recycling company.)
- The technician will connect to the Active Directory management tool, disable the computer account and then move the computer account into the SRHT\Hope\Computers\Deactivated OU.
- The technician will then update the configuration item for the device in HPOV, to reflect the new status of the device (Decommissioned) and its location. The technician will also copy the decommissioning form onto the configuration item record.
For Laptop PCs only

- Open \\srhtfilec3\laptopprofile$
- Locate the host name in the list.
- Delete all files associated with the host name. E.g. if SRHT-ISC-WS10 is to be decommissioned, the following files need to be deleted:

Stage #4 Removal of Software licenses from the PC

The asset officer will identify what licenced software is registered to the device, un-relate the device CI from the Software CI (Fig 2) and update the Actual Installations field on the CI to reflect any changes in numbers (Fig 1).

Fig 1

Fig 2
Stage #5 - Disposal of the Asset by WEEE Registered Companies

The asset officer will then arrange disposal of the device through a WEEE registered Disposal Company (see sections PC/Laptop Disposal by WEEE Registered Company and Hard Drive Disposal by WEEE Registered Company).

- Prior to the disposal company arriving on-site, the asset officer will verify that the number of PCs/laptops consigned for disposal matches the number of decommission forms sent through and that the details of the devices match the details entered on the form. Additionally, the devices are checked to confirm that the hard drives have been removed.
- The asset officer will log a job ticket for the work to take place. This will then have any relevant documentation scanned and attached for auditing purposes.
- The asset officer will watch the loading of the decommissioned devices onto the vehicle, in order that only the verified devices are removed.
- The asset officer will verify that the number of devices recorded by the disposal company matches the number of devices removed from site.
- The asset officer will then update the configuration item to reflect the new status of the device (WEEE Disposal) and its location.

Stage #6 - Hard Drive Disposal by WEEE Registered Company

The asset officer must arrange disposal of all hard drives through a WEEE registered Disposal Company and the destruction must take place on-site.

- Prior to the disposal company arriving on-site, the asset officer will count the number of hard drives placed in the shredding bin.
- The asset officer will log a job ticket for the work to take place. This will then have any relevant documentation scanned and attached for auditing purposes.
- It is an IG requirement that the asset officer, or designated other, watches the disposal process from start to finish to verify every hard drive is destroyed.
- The asset officer will then verify that the number of hard drives recorded as being destroyed matches the number recorded prior to the company arriving on-site.
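
The Active Directory step of Stage #3 (disable the computer account, then move it into the Deactivated OU), as an added PowerShell example that is not part of the Trust's procedure document. It assumes the RSAT ActiveDirectory module; the OU distinguished name is passed in as a parameter because the page does not give it in DN form, and the CSV audit log is a hypothetical addition.

```powershell
# Added example, not the Trust's own script: AD part of Stage #3 for one device.
# Assumptions: RSAT ActiveDirectory module is installed; $DeactivatedOU is the
# distinguished name of the "Deactivated" OU (not given on the page in DN form);
# the CSV audit log is hypothetical and separate from the HPOV record.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$ComputerName,   # host name from the decommission form
    [Parameter(Mandatory)][string]$DeactivatedOU,  # DN of the Deactivated OU
    [string]$AuditLog = '.\decommission-audit.csv'
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# Fail before changing anything if the target OU does not exist.
$null = Get-ADOrganizationalUnit -Identity $DeactivatedOU

# Resolve the account once and use its GUID afterwards: the GUID survives the
# move, the distinguished name does not.
$before = Get-ADComputer -Identity $ComputerName
$guid   = $before.ObjectGUID
$suffix = ",$DeactivatedOU"
$alreadyInOU = $before.DistinguishedName.EndsWith(
    $suffix, [System.StringComparison]::OrdinalIgnoreCase)

# Step 1: disable the account so the machine can no longer authenticate.
if ($before.Enabled -and
    $PSCmdlet.ShouldProcess($before.DistinguishedName, 'Disable computer account')) {
    Disable-ADAccount -Identity $guid
}

# Step 2: move the disabled account into the Deactivated OU.
if (-not $alreadyInOU -and
    $PSCmdlet.ShouldProcess($before.DistinguishedName, "Move to $DeactivatedOU")) {
    Move-ADObject -Identity $guid -TargetPath $DeactivatedOU
}

# With -WhatIf nothing has changed, so there is nothing to verify or log.
if ($WhatIfPreference) { return }

# Step 3: read the object back and confirm both changes took effect.
$after = Get-ADComputer -Identity $guid
$inOU  = $after.DistinguishedName.EndsWith(
    $suffix, [System.StringComparison]::OrdinalIgnoreCase)
if ($after.Enabled -or -not $inOU) {
    throw "Decommission of $ComputerName incomplete: Enabled=$($after.Enabled), DN=$($after.DistinguishedName)"
}

# Step 4: append an audit row that can be attached to the job ticket.
[pscustomobject]@{
    TimestampUtc  = (Get-Date).ToUniversalTime().ToString('o')
    Computer      = $after.Name
    ObjectGUID    = $guid
    EnabledBefore = $before.Enabled
    EnabledAfter  = $after.Enabled
    OldDN         = $before.DistinguishedName
    NewDN         = $after.DistinguishedName
    Operator      = "$env:USERDOMAIN\$env:USERNAME"
} | Export-Csv -Path $AuditLog -Append -NoTypeInformation
```

Running it with `-WhatIf` first shows which account would be disabled and moved without changing the directory.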
More informationCCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY
CCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review
More informationYMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY
YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY Author Head of IT Equality impact Low Original Date September 2003 Equality No This Revision September
More informationHow To Protect School Data From Harm
43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:
More informationINFORMATION TECHNOLOGY EQUIPMENT PROCUREMENT AND DISPOSAL POLICY
INFORMATION TECHNOLOGY EQUIPMENT PROCUREMENT AND DISPOSAL POLICY Version: 1.4 Ratified by: Date Ratified: 14 October 2014 Name of Originator/Author: Name of Responsible Committee/Individual: Date issued:
More informationPolicy: D9 Data Quality Policy
Policy: D9 Data Quality Policy Version: D9/02 Ratified by: Trust Management Team Date ratified: 16 th October 2013 Title of Author: Head of Knowledge Management Title of responsible Director Director of
More informationCARE RECORDS MANAGEMENT POLICY
CARE RECORDS MANAGEMENT POLICY POLICY NUMBER & CATEGORY C 12 Clinical VERSION NUMBER & DATE 3 August 2009 RATIFYING COMMITTEE Clinical Governance Committee DATE RATIFIED 1 September 2009 NEXT REVIEW DATE
More informationSECURITY POLICIES AND PROCEDURES
2014 WorldEscrow N.V./S.A. SECURITY POLICIES AND PROCEDURES This document describes internal security rules within the WorldEscrow N.V./S.A. organization. Content 1) Employee Responsibilities... 1 2) Use
More information2014 Core Training 1
2014 Core Training 1 Course Agenda Review of Key Privacy Laws/Regulations: Federal HIPAA/HITECH regulations State privacy laws Privacy & Security Policies & Procedures Huntsville Hospital Health System
More information2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy
Version History Author Approved Committee Version Status date Eddie Jefferson 09/15/2009 Full Governing 1.0 Final Version Body Eddie Jefferson 18/08/2012 Full Governing Body 2.0 Emended due to the change
More informationData Protection Policy
Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review
More informationInformation Governance Policy
Policy Policy Number / Version: v2.0 Ratified by: Audit Committee Date ratified: 25 th February 2015 Review date: 24 th February 2016 Name of originator/author: Name of responsible committee/individual:
More informationDocument Number: SOP/RAD/SEHSCT/007 Page 1 of 17 Version 2.0
Standard Operating Procedures (SOPs) Research and Development Office Title of SOP: Computerised Systems for Clinical Trials SOP Number: 7 Version Number: 2.0 Supercedes: 1.0 Effective date: August 2013
More informationRECORDS MANAGEMENT POLICY
RECORDS MANAGEMENT POLICY Version 8.0 Purpose: For use by: This document is compliant with /supports compliance with: To outline the lifecycle of a record and to provide guidance on retention and disposal
More informationIM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers
IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy DOCUMENT INFORMATION Author: Vince Weldon Associate Director of IM&T Approval: Executive This document replaces: IM&T Policy No. 1 Anti Virus Version
More informationPS177 Remote Working Policy
PS177 Remote Working Policy January 2014 Version 2.0 Statement of Legislative Compliance This document has been drafted to comply with the general and specific duties in the Equality Act 2010; Data Protection
More informationInformation Security Policy [for electronic and manual information]
Information Security Policy [for electronic and manual information] Produced by: Department: Ruth Drewett Information Governance Date of Document: August 2010 Date effective from: September 2010 Version:
More informationHIPAA 101: Privacy and Security Basics
HIPAA 101: Privacy and Security Basics Purpose This document provides important information about Kaiser Permanente policies and state and federal laws for protecting the privacy and security of individually
More informationTemporary Records Procedure
Procedure Temporary Records Procedure Please note this procedure is mandatory and staff are required to adhere to the content DECD 07/6197 Summary That DECD Central Office, Regional Offices and sites will
More informationRecords management policy. Document author Assured by Review cycle. Audit and Risk Commitee. 1. Introduction...3. 2. Purpose or aim...3. 3. Scope...
Records management policy Board library reference Document author Assured by Review cycle P017 Head of Compliance Audit and Risk Commitee 3 Years This document is version controlled. The master copy is
More informationData Protection and Information Security. Data Security - Guidelines for the use of Personal Data
Data Protection and Information Data - Guidelines for the use of Personal Data Page 1 of 10 Created on: 21/06/2013 Contents 1. Introduction... 3 2. Definitions... 3 4. Physical... 4 5 Electronic... 6 6
More informationSupplier Remote Access Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Purpose or aim...3. 3. Scope...3. 4. Definitions...
Supplier Remote Access Policy Board library reference Document author Assured by Review cycle P157 Information Security and Technical Assurance Manager Finance and Planning Committee 1 year This document
More informationScottish Rowing Data Protection Policy
Revision Approved by the Board August 2010 1. Introduction As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this
More informationData Protection Breach Reporting Procedure
Central Bedfordshire Council www.centralbedfordshire.gov.uk Data Protection Breach Reporting Procedure October 2015 Security Classification: Not Protected 1 Approval History Version No Approved by Approval
More informationRecords Management - Department of Health
Policy Directive Records Management - Department of Health Document Number PD2009_057 Publication date 24-Sep-2009 Functional Sub group Corporate Administration - Records Ministry of Health, NSW 73 Miller
More informationLEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
More informationIntel Enhanced Data Security Assessment Form
Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized
More informationINFORMATION GOVERNANCE POLICY
INFORMATION GOVERNANCE POLICY Name of Policy Author: Name of Review/Development Body: Ratification Body: Ruth Drewett Information Governance Steering Group Committee Trust Board : April 2015 Review date:
More informationNHS Commissioning Board: Information governance policy
NHS Commissioning Board: Information governance policy DOCUMENT STATUS: To be approved / Approved DOCUMENT RATIFIED BY: DATE ISSUED: October 2012 DATE TO BE REVIEWED: April 2013 2 AMENDMENT HISTORY: VERSION
More informationRemote Access and Home Working Policy London Borough of Barnet
Remote Access and Home Working Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Remote Access and Home Working Policy Document Description This policy applies to home and
More informationCOVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name
COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name Introduction Removable Media and Mobile Device Policy Removable media and mobile devices are increasingly used to enable information access
More informationSCHEDULE 18. Premises. This Schedule 18 sets out certain terms relating to the Service Provider s Premises.
Business Operations- Schedule 18 (Premises) SCHEDULE 18 Premises This Schedule 18 sets out certain terms relating to the Service Provider s Premises. 1. Service Provider's Premises The following provisions
More informationCentral Bedfordshire Council. IT Acceptable Use Policy. Version 1.7 January 2016 Not Protected. Not Protected Page 1 of 11
Central Bedfordshire Council IT Acceptable Use Policy Version 1.7 January 2016 Not Protected Not Protected Page 1 of 11 Policy Approval Central Bedfordshire Council acknowledges that information is a valuable
More informationNetwork Security Policy
Department / Service: IM&T Originator: Ian McGregor Deputy Director of ICT Accountable Director: Jonathan Rex Interim Director of ICT Approved by: County and Organisation IG Steering Groups and their relevant
More informationInformation Governance Framework. June 2015
Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review
More informationRemote Data Extraction Policy and Procedure
Remote Data Extraction Policy and Procedure Prepared by PRIMIS June 2015 The University of Nottingham. All rights reserved. Contents 1. Introduction... 3 2. Purpose and scope... 3 3. Policy Statement...
More informationRECORDS MANAGEMENT POLICY
[Type text] RECORDS MANAGEMENT POLICY POLICY TITLE Academic Year: 2013/14 onwards Target Audience: Governing Body All Staff and Students Stakeholders Final approval by: CMT - 1 October 2014 Governing Body
More informationBERKELEY COLLEGE DATA SECURITY POLICY
BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationABERDARE COMMUNITY SCHOOL
ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been
More informationInformation Governance Policy
Information Governance Policy Version 1.1 Responsible Person Information Governance Manager Lead Director Head of Corporate Services Consultation Route Information Governance Steering Group Approval Route
More informationInformation Governance Policy
Information Governance Policy Version: 4 Bodies consulted: Caldicott Guardian, IM&T Directors Approved by: MT Date Approved: 27/10/2015 Lead Manager: Governance Manager Responsible Director: SIRO Date
More informationInformation Governance Strategy :
Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update
More informationFHFA. Privacy Impact Assessment Template FM: SYSTEMS (SYSTEM NAME)
FHFA Privacy Impact Assessment Template FM: SYSTEMS (SYSTEM NAME) This template is used when the Chief Privacy Officer determines that the system contains Personally Identifiable Information and a more
More informationINFORMATION GOVERNANCE STRATEGY NO.CG02
INFORMATION GOVERNANCE STRATEGY NO.CG02 Applies to: All NHS LA employees, Non-Executive Directors, secondees and consultants, and/or any other parties who will carry out duties on behalf of the NHS LA.
More information