Bulk Data Transfer Guidelines



Similar documents
Information Governance Policy (incorporating IM&T Security)

Data Protection Policy

Information Management Policy CCG Policy Reference: IG 2 v4.1

Information Governance Policy

NHS Commissioning Board: Information governance policy

INFORMATION SECURITY POLICY

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework

Policy Document Control Page

Information governance

Version Number Date Issued Review Date V1 25/01/ /01/ /01/2014. NHS North of Tyne Information Governance Manager Consultation

INFORMATION GOVERNANCE POLICY

How To Ensure Information Security In Nhs.Org.Uk

Safe Haven Policy. Equality & Diversity Statement:

Use of the Internet and Policy

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

Name of responsible committee: Information Governance Board Date issued: 15 th April 09 Review date: 14 th April 11 Referenced Documents:

Information Governance Policy

INFORMATION RISK MANAGEMENT POLICY

and Internet Policy

Policy Information Management

Information Governance Policy

Policy Document Control Page

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE STRATEGY

IT change management policy

JOB DESCRIPTION. Information Governance Manager

NHS North Durham Clinical Commissioning Group. Information Governance Strategy 2015/16

Information Security Policy. Appendix B. Secure Transfer of Information

INFORMATION GOVERNANCE POLICY

Information Governance Strategy 2015/16

NHS Hartlepool and Stockton-on-Tees Clinical Commissioning Group. Information Governance Strategy 2015/16

Information Governance Framework

Information Governance Policy

Information Governance Strategy

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16

INFORMATION GOVERNANCE POLICY

Information Governance Strategy

Central Alerting System Policy

BEFORE USING THIS GUIDANCE, MAKE SURE YOU HAVE THE MOST UP TO DATE VERSION GUIDANCE 2 POLICY AREA: INFORMATION GOVERNANCE

Data Encryption Policy

Information Governance Strategy :

Guidelines on use of encryption to protect person identifiable and sensitive information

Setting and Deactivating Alarm Parameters on Clinical Monitoring Devices Guidelines

How To Ensure Network Security

Safe Haven Procedure for the Secure Transmission of Personally Identifiable Information

Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs

Information Governance Policy

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy.

Network Security Policy

INFORMATION MANAGEMENT & TECHNOLOGY SECURITY POLICY

MOBILE COMPUTING & REMOTE WORKING POLICY AND PROCEDURE. Documentation Control. Consultation undertaken Information Governance Committee

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February Title: Information Security Policy

CORE SKILLS FRAMEWORK INFORMATION GOVERNANCE LESSON NOTES AND TIPS FOR A SUGGESTED APPROACH

BARNSLEY CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLICY

Remote Working and Portable Devices Policy

Information Governance Policy

Information Governance Strategy. Version No 2.0

Business Continuity Access to Personally Stored Corporate Electronic Data (CED) Policy

Information Governance Strategy

INFORMATION GOVERNANCE POLICY & FRAMEWORK

Information Governance Strategy

NETWORK SECURITY POLICY

CCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

Policies for: Information Governance Information Quality Information Management Information Security. Version Control Version: 0.1

Version: 2.0. Effective From: 28/11/2014

MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY

NHS Business Services Authority Information Security Policy

Personal Data Handling and Sharing Policy

Information Governance Policy

USB Data Stick Procedure

Use Policy. All Staff Policy Reference No: Version Number: 1.0. Target Audience:

LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

Highland Council Information Security Policy

INFORMATION GOVERNANCE POLICY

Merthyr Tydfil County Borough Council. Information Security Policy

Information Governance Policy

Information Governance Policy

Information Governance Framework and Strategy. November 2014

INFORMATION GOVERNANCE

INFORMATION GOVERNANCE POLICY

Policy: Remote Working and Mobile Devices Policy

NHS Waltham Forest Clinical Commissioning Group Information Governance Policy

Information Governance Policy

Information Governance

Trust Informatics Policy. Information Governance. Information Governance Policy

INFORMATION GOVERNANCE POLICY

Acceptable Use Policy

Information Governance Policy

Rotherham CCG Network Security Policy V2.0

Information Governance Policy

INFORMATION GOVERNANCE POLICY

USE OF PERSONAL MOBILE DEVICES POLICY

Information & ICT Security Policy Framework

Corporate Affairs Overview and Scrutiny Committee

Date of review: Information Governance Group January Policy Category: CONTENT SECTION DESCRIPTION PAGE

INFORMATION GOVERNANCE POLICY

Information Governance Strategy Includes Information risk & incident management methodology

Remote Access Policy

Transcription:

Bulk Data Transfer Guidelines This procedural document supersedes: CORP/ICT 20 v.1 Bulk Data Transfer. Did you print this document yourself? The Trust discourages the retention of hard copies of policies and can only guarantee that the policy on the Trust website is the most up-to-date version. If, for exceptional reasons, you need to print a policy off, it is only valid for 24 hours. Author/reviewer: (this version) Date revised: January 2013 Approved by: Roy Underwood - Information Governance Lead Information Governance Group Date of approval: 18 th March 2013 Date issued: 28 March 2013 Next review date: January 2016 Target audience: Trust-wide Page 1 of 11

Bulk Data Transfer Guidelines Amendment Form Version Date Brief Summary of Changes Author Version 2 January 2013 New style format in accordance with CORP/COMM 1. New sections added: - Equality Impact Assessment - Associated Trust Procedural Documents - Definitions - References FTP section changed to Direct Electronic Transfer R Underwood Version 1 January 2009 This is a new policy R Underwood Page 2 of 11

Bulk Data Transfer Guidelines Contents Paragraph Page 1 Introduction 4 2 Purpose 4 3 Roles and Responsibilities 4 4 Legal and Professional Obligations 5 5 Risk Management 6 6 Monitoring Compliance with the Procedural Document 7 7 Guidelines 8 8 Training/Support 10 9 Definitions 11 10 Equality Impact Assessment 11 11 Associated Trust Procedural documents 11 12 References 11 Page 3 of 11

1. INTRODUCTION David Nicholson, NHS Chief Executive, has directed that there should be no transfers of unencrypted person identifiable data held in electronic format across the NHS. This is the default position to ensure that patient and staff personal data are protected. Any data stored on a PC or other removable device in a nonsecure area or on a portable device such as a laptop, PDA or mobile phone should also be encrypted. This is also now a requirement across all public sector organisations set by the Cabinet Secretary. It is recognised however that this may take some time to achieve in the NHS where patient care is our highest priority. The Doncaster & Bassetlaw Hospitals NHS Foundation Trust will need to make a local judgement on the balance of risk to patient care against risk to personal data security in determining whether use of unencrypted devices should continue as an interim measure. Where it is felt that continued reliance upon unencrypted data is necessary for the benefit of patients, the outcome of the risk assessment must be reported to the Trust Board, so that the Board is appropriately accountable for the decision to accept data vulnerability or to curtail working practices in the interests of data security. 2. PURPOSE This guidance document is in the format of the standard Trust procedure for Information Governance for common approach and consistency, and to include all of the mandatory elements of such documentation as agreed by the Information Governance Group. It incorporates Department of Health guidelines. 3. ROLES AND RESPONSIBILITIES 3.1 Chief Executive The Chief Executive has overall responsibility for security of data in the Trust. This responsibility should be discharged through a designated member of staff who has lead responsibility for information security management within the Trust. 3.2 Caldicott Guardian/Senior Information Risk Owner (SIRO) The Trust s Caldicott Guardian/SIRO has a particular responsibility for reflecting patients interests regarding the use of patient identifiable information and is responsible for ensuring patient identifiable information is stored and shared in an appropriate and secure manner. Page 4 of 11

Some information transfers are necessarily ad-hoc in their nature. The Caldicott Guardian/SIRO must always be consulted wherever practical in the approval of all data transfers involving bulk personal data. 3.3 Head of Information Governance The Trust s Head of Information Governance is responsible for providing updated guidance to all managers throughout the Trust. The Trust s Head of Information Governance will carry out periodic security reviews in all areas where trust patient identifiable information is transferred in bulk, reporting findings to the Trust Board via the Controls Assurance sub- Committee. 3.4 Line Managers Managers should ensure all current and future staff are instructed in their security and IG responsibilities including Standing Orders and policy on potential personal conflicts of interest, and all policies and procedures concerning confidentiality and information security. 3.5 All Staff Each employed, contracted and voluntary staff member is personally responsible for ensuring that no breaches of information security result from their actions; Each staff member (as above) must comply with the Trust s relevant security and confidentiality policies and procedures. Failure to comply with these responsibilities could result in disciplinary action. 3.6 Other Authorised Users Other NHS and authorised external users are personally responsible for ensuring that no breaches of information security result from their actions and shall comply with the Trust s security policies and procedures. 4. LEGAL AND PROFESSIONAL OBLIGATIONS All NHS records and most information are Public Records under the Public Records Acts. The Trust will take actions as necessary to comply with the legal and professional obligations set out in the Information Security Management: NHS Code of Practice. Page 5 of 11

The key statutory requirement for NHS compliance with Information Security Management principles, is the Data Protection Act 1998 and in particular its seventh principle. The Trust has legal obligations to maintain security and confidentially, in particular in accordance with the following: Data Protection Act (1998) Copyright Patents and Designs Act (1988) Computer Misuse Act (1990). Public Records Act 1958; Freedom of Information Act (2000); Common Law Duty of Confidentiality; NHS Confidentiality Code of Practice any new legislation affecting records management as it arises. 5. RISK MANAGEMENT 5.1 Objective To identify and counter possible threats to the security policy and standards. 5.2 Methodology All areas where trust patient identifiable information is taken off site will be subject to periodic security reviews by the Information Governance Group and conducted using the IG Toolkit and with specific reference to ISO17799. The Trust has a corporate risk management strategy 1 and procedures in place. 5.3 Reporting Security reviews can come about because changes to National Policy, the Law, and as a result of actions from local and external adverse IM&T incidents. Any security reviews will be reported through the Information Governance Group Minutes to the Audit & Non Clinical Risk sub Committee (A&NCRsC). 1 Risk Management Strategy CORP/RISK 10 Page 6 of 11

6. MONITORING COMPLIANCE WITH THE PROCEDURAL DOCUMENT The Information Governance Group will monitor the implementation of these guidelines, and any subsequent revisions, as part of the annual Information Governance Self Assessment during collection of evidence that the correct actions have been carried out. What is being Monitored Who will carry out the Monitoring How often How Reviewed/ Where Reported to Staff adherence to the policy Head of IG As and when requests are made to transfer data. Report to the IG Group through the Annual IG Report to A&NCRsC As alerted by the weekly reports of downloads to USB devices through the Network reporting functionality Page 7 of 11

CORP/ICT 20 v.1 7. GUIDELINES Good Practice Guidelines are provided for the transfer of bulk person identifiable data (PID) as follows: Moveable media o USB Memory Sticks & Pen Drives o Tapes o Floppy discs o Removable hard discs o Laptop & handheld computers o Optical discs DVD & CD-rom o Solid state memory cards Data Transfer Matrix Moveable Media Organisationally sanctioned transfer of removable media containing personal data DBHFT RDaSH DPCT DMBC HMP Other NHS Trusts GP 3rd Parties DBHFT Encrypt Encrypt WZip WZip Encrypt/ Wzip/CG Encrypt Encrypt RDaSH Encrypt Encrypt WZip WZip Encrypt Encrypt Encrypt DPCT Encrypt Encrypt WZip WZip Encrypt Encrypt Encrypt DMBC WZip WZip WZip Unknown Unknown Unknown Unknown HMP WZip WZip WZip Unknown Unknown Unknown WZip Unknown Other NHS Trusts Encrypt/ Wzip/CG Encrypt Encrypt Unknown Unknown Encrypt Unknown Unknown GP Encrypt Encrypt Encrypt Unknown WZip Unknown Encrypt Unknown 3rd Parties Encrypt Encrypt Encrypt Unknown Unknown Unknown Unknown Unknown Encrypt - 256k SSL Encryption WZ - Winzipped [Document/s] Password Protected CG - Risk Assessment & Caldicott Guidance on a case by case basis Page 8 of 11

CORP/ICT 20 v.1 email o The trusts preferred email medium for the authorised transfer of patient data is NHS Mail which is encrypted end-to-end o The Trust Internet and email Policy CORP/EMP 16 also allows the use of trust email where files are appropriately password protected. Data Transfer Matrix - email Organisationally sanctioned transfer of email containing personal data DBHFT RDaSH DPCT DMBC HMP Other NHS Trusts GP 3rd Parties DBHFT NHSMail NHSMail CG CG NHSMail NHSMail CG RDaSH NHSMail NHSMail CG CG NHSMail NHSMail CG DPCT NHSMail NHSMail CG CG NHSMail NHSMail CG DMBC CG CG CG CG CG CG Unknown HMP CG CG CG CG Unknown CG CG Unknown Other NHS Trusts NHSMail NHSMail NHSMail CG CG NHSMail NHSMail Unknown GP NHSMail NHSMail NHSMail CG CG NHSMail NHSMail Unknown 3rd Parties CG CG CG Unknown Unknown Unknown Unknown Unknown NHSMail - NHSMail or password protected document if the PD (personal data) content is minimal (Caldicott et al) CG - Risk Assessment & Caldicott Guidance on a case by case basis Direct Electronic Transfer o Transfer of bulk data via Direct Electronic Transfer covers all of the various mechanisms that allow the DBHFT to safely and securely share information with other organisations. The transfer must be authorised, and carried out over secure or encrypted channels (ordinary FTP isn t secure). Some examples would include Secure Web-based transfers, NHS Commissioning Data Sets (CDS) and other Secure File Transfer Protocol (SFTP) mechanisms. Page 9 of 11

CORP/ICT 20 v.1 Hard copy documents o The bulk data transfer of hard copy documents should in the main be handled by the Trust s inter-site NHS Mail Service. o On occasion where it is necessary to mail personal data documents in bulk then that posting process must be very carefully considered and agreed with the Caldicott Guardian. Senders should always consider the relative merits and costs of registered and recorded delivery, and the use of professional courier services. Data Transfer Matrix Hard Copy Documents (Letters, Med Recs etc) >50 records = Bulk Data Transfer (BDT) DBHFT RDaSH DPCT DMBC HMP Other NHS Trusts GP 3rd Parties DBHFT MV MV SM SM SM MV CG RDaSH MV MV SM SM SM MV CG DPCT MV MV SM SM SM MV CG DMBC SM SM SM SM SM SM Unknown HMP SM SM SM SM Unknown SM SM Unknown Other NHS Trusts SM SM SM SM SM SM SM Unknown GP MV MV MV SM SM SM MV Unknown 3rd Parties CG CG CG Unknown Unknown Unknown Unknown Unknown MV - RDaSH Mail Van SM - Secure Mail Service (Recorded or Special Delivery if > 50 records, i.e. BDT (Bulk Data Transfer)) CG - Risk Assessment & Caldicott Guidance on a case by case basis 8. TRAINING/SUPPORT Ensure that all staff involved in data transfer are appropriately trained and have access to clear policies and guidelines. This is achieved through training programs managed by HR and the Information Governance and Security Manager. Information Governance training, provided at Induction and later through specific IG Awareness training, will include explanation of the IG documentation filing system and awareness of the DoH document called Information Security: NHS Code of Practice. Page 10 of 11

CORP/ICT 20 v.1 9. DEFINITIONS Equality Impact Assessment (EIA) Audit & Non Clinical Risk sub Committee (A&NCRsC) Senior Information Risk Owner (SIRO) Personally Identifiable Data (PID) Secure File Transfer Protocol (SFTP) Commissioning Data Sets (CDS) 10. EQUALITY IMPACT ASSESSMENT An Equality Impact Assessment (EIA) has been conducted on this procedural document in line with the principles of the Equality Analysis Policy (CORP/EMP 27) and the Fair Treatment For All Policy (CORP/EMP 4). The purpose of the EIA is to minimise and if possible remove any disproportionate impact on employees on the grounds of race, sex, disability, age, sexual orientation or religious belief. No detriment was identified. A copy of the EIA is available on request from the HR Department. 11. ASSOCIATED TRUST PROCEDURAL DOCUMENTS Risk Management Strategy CORP/RISK 10 12. REFERENCES Data Protection Act (1998) Copyright Patents and Designs Act (1988) Computer Misuse Act (1990) Public Records Act (1958) Freedom of Information Act (2000) Common Law Duty of Confidentiality NHS Confidentiality Code of Practice Page 11 of 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information