Information Governance Policy (incorporating IM&T Security)




ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY

Target Audience: All staff employed or working on behalf of the Trust and third parties supplying goods and services to the Trust
Author: Information Governance Manager
Version: 3.0
Issue: 2
Issue Date: July 2011
Review Date: May 2013
Status: Approved
Approved by: Caldicott and Information Governance Committee
Approved by Date: April 2010
Ratified by: Trust Management Committee
Ratified by Date: May 2010
Document Number: IG0005
BHT Pol No: 051
Lead Director: Chief Operating Officer
EIA: 22nd January 2010
Location: BHT Intranet/Trust Polices/Information Governance Polices CHB folder/pct Intranet

Approval and Authorisation

Completion of the following detail signifies the review and approval of this document, as minuted in the senior management group meeting shown.

Version / Authorising Group / Approver / Date
- 2.0 / Caldicott & Information Governance Committee / Anne Chilcott / Dec 07
- 3.0 / Ratified Trust Management Committee / Anne Chilcott / April 10

Change History

Version / Status / Reason for change / Author / Date
- 2.0 / Approved / Caldicott & Information Governance Committee / A Chilcott / Dec 2007
- 2.1 / Draft / Formal review and incorporation of IM&T Security Policy IG0001, Data Protection Policy IG0002, IM&T Policy IG0006 / A Chilcott / Sept 09
- 2.5 / Draft / Changes to reflect comments by IT department and addition of reference to Care Records Guarantee section 5 / A Chilcott / Dec 09
- 2.5 / Draft / Circulated to Caldicott & Information Governance Committee for comments / A Chilcott / Dec 09
- 2.6 / Draft / Minor amendments following consultation / A Chilcott / Dec 09
- 2.6 / Draft / Circulated to Joint Management & Staff Committee / A Chilcott / Jan 2010
- 3.0 / Approved / Caldicott & Information Governance Chairman's action / A Chilcott / April 10
- 3.0 / Ratified / Ratified Trust Management Committee / A Chilcott / May 10
- 3.0 / Informal annual review, no changes / A Chilcott / July 11

Document References

Ref # / Document title / Document Reference / Document location
- 1 / Confidentiality Code of Practice / IG0008 / Intranet
- 2 / IT Access to Secure Areas Procedure / IG0047 / Intranet
- 3 / Confidentiality and Data Protection Code of Conduct & Agreement for Third Parties Supplying Goods, Services or Consultancy to the Trust / IG0012 / Intranet
- 4 / Freedom of Information Policy / BHT Pol 042 / Intranet
- 5 / IT Network Remote Access Policy / IG0056 / Intranet
- 6 / IT Asset Management Procedure / IG0054 / Intranet
- 7 / Safe Haven Procedure / IG0048 / Intranet
- 8 / Computer User Access Management Policy / IG0031 / Intranet
- 9 / IT Computer Usage Policy / IG0009 / Intranet
- 10 / Trust Incident Reporting Policy & Procedure / Intranet
- 11 / Handling Reported Information Security Incidents Procedure / IG0043 / Intranet
- 12 / IT Virus Control Procedure / IG0044 / Intranet
- 13 / IT Network Security Policy / IG0042 / Intranet
- 14 / IT Internet Access Policy / IG0034 / Intranet
- 15 / IT User Account and E-Mail Usage Policy / IG0035 / Intranet
- 16 / Procedure for Implementing New Databases and Information Flows / IG0025 / Intranet
- 17 / IT Server Security Procedure / IG0055 / Intranet
- 18 / Information Governance Strategy / IG0041 / Intranet
- 19 / Risk Management Policy / BHT Pol 079 / Intranet
- 20 / Risk Management Strategy / BHT S019 / Intranet
- 21 / Waste Management Policy / BHT Pol 095 / Intranet
- 22 / Records Management Policy / BHT Pol 125 / Intranet
- 23 / Records Management Strategy / BHT S018 / Intranet
- 24 / Information Risk Policy / IG0088 / Intranet
- 25 / NHS Care Records Guarantee / Intranet

Table of Contents

1. PURPOSE
2. SCOPE
3. POLICY PRINCIPLES
   3.1 Openness
   3.2 Legal Compliance
   3.3 Information Security
   3.4 Information Quality Assurance
4. RESPONSIBILITY
5. LEGISLATION AND KEY REFERENCE DOCUMENTS
6. MONITORING THIS POLICY
7. REVIEW OF THIS POLICY
APPENDIX A - INFORMATION MANAGEMENT AND SECURITY FRAMEWORK

1. PURPOSE

Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in corporate governance, service planning and performance management. It is of paramount importance to ensure that the Trust's information and key information assets are efficiently managed, and to have a solid strategy in place to comply in full with the legal, regulatory and governance requirements and mandates.

The purpose of the Policy is to establish a robust governance framework for information management for preserving the confidentiality, integrity, security and accessibility of data, processing systems and information in Buckinghamshire Healthcare NHS Trust. Appendix A provides a more detailed set of requirements in relation to information management and technology security controls.

The Trust monitors its Information Governance (IG) controls through the Department of Health NHS IG Toolkit, which is a mandatory performance and management self-assessment tool, ensuring compliance with the legal and regulatory requirements of handling information, covering the areas of:

- Information Governance Management
- Confidentiality and Data Protection Assurance
- Information Security Assurance
- Clinical Information Assurance
- Secondary Use Assurance
- Corporate Information Assurance

All information security requirements in the NHS Information Governance Toolkit are based on the international standard BS ISO/IEC 27002:2005.

2. SCOPE

This policy applies to all information, information systems, networks, applications and locations, to staff employed or working on behalf of the Trust, and to third parties supplying goods and services to the Trust.

3. POLICY PRINCIPLES

The principles are to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by the Trust by:

- Ensuring that all members of staff are aware of their personal responsibilities and fully comply with the relevant legislation as described in this and other policies.
- Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibility and the need for an appropriate balance between openness and confidentiality in the management and use of information.
- Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of the day to day business, and explaining how its requirements shall be implemented in the organisation.
- Supporting the principles of corporate governance and recognising its public accountability, while at the same time safeguarding the confidentiality and security of both personal information about patients and staff and commercially sensitive information.

- Recognising the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.
- Protecting information assets under the control of the Trust.

There are 4 key interlinked strands to the Information Governance Policy:

- Openness
- Legal compliance
- Information security
- Quality assurance

3.1 Openness

- Non-confidential information about the Trust and its services should be available to the public through a variety of media, in line with the Trust's Code of Conduct & Accountability for Trust Staff & Members of the Board.
- The Trust will establish and maintain policies to ensure compliance with the Freedom of Information Act 2000.
- The Trust will undertake or commission regular assessments and audits of its policies and arrangements for openness.
- Patients should have ready access to information relating to their own health care, their options for treatment and their rights as patients.
- The Trust will have clear procedures and arrangements for liaison with the press and broadcasting media.
- The Trust will have clear procedures and arrangements for handling queries from patients and the public.

3.2 Legal Compliance

- The Trust will comply with the Data Protection Act 1998 and will establish and maintain appropriate and adequate administration arrangements for responding to data subject access requests within the timescales defined under the Act.
- The Trust regards all identifiable information relating to patients and staff as confidential except where exemptions can be applied.
- Trust staff will be made aware of all other relevant legislation and guidance relating to information security and confidentiality.
- Patients will be informed of the purpose for which information is being collected and who may access it.
- Direct consent will be sought from the patient where appropriate for the collection, processing and disclosure of data.
- Procedures and guidance will be provided to ensure appropriate disclosure of patient information, having regard to established professional ethics, patient consent, formal access controls for clinical records and statutory requirements.
- The Trust will undertake or commission regular assessments and audits of its compliance with legal requirements.
- The Trust will establish and maintain policies to ensure compliance with the common law duty of confidentiality and all relevant Acts of Parliament.

- Patient and/or staff information will be shared with other agencies in accordance with agreed protocols and relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act).

3.3 Information Security

- Systems will be established to ensure that corporate records, including health records, are available and accessible at all times.
- The Trust will establish effective authorisation procedures for the use of and access to confidential information and records. Control over access to and disclosure of health records is overseen by the Caldicott Guardian.
- The Trust will establish and maintain policies for the effective and secure management of its information assets and resources.
- The Trust will undertake or commission regular assessments and audits of its information and IT security arrangements.
- The Trust will promote effective confidentiality and security practice to its staff through policies, procedures and training.
- The Trust will establish and maintain incident reporting procedures, which will include the monitoring and investigation, where appropriate, of reported instances of actual or potential breaches of confidentiality and security.

3.4 Information Quality Assurance

- The Trust will establish and maintain policies and procedures for information quality assurance and the effective management of records.
- The Trust will undertake or commission regular assessments and audits of its information quality and records management arrangements.
- Managers are expected to take ownership of, and seek to improve, the quality of information within their services.
- Wherever possible, information quality should be assured at the point of collection.
- Data standards will be set through clear and consistent definition of data items, in accordance with national standards.

4. RESPONSIBILITY

All Trust staff are required to maintain the security, confidentiality, integrity and availability of all Trust information, including that which relates to patients and staff.
Information governance responsibilities will be detailed in all job descriptions and staff contracts of employment, and in the contracts for all suppliers and other external users. Non-compliance with the policy can result in disciplinary action.

Trust Board
- It is the role of the Trust Board to define the Trust's policy in respect of Information Governance and risk and to meet legal, statutory and NHS requirements.
- The Board is responsible for ensuring that sufficient resources are provided to support the requirements of the policy.
- The responsibility for this is delegated through the Chief Executive Officer to the Chief Operating Officer (COO) as Senior Information Risk Owner (SIRO).

Trust Management Committee
- This committee is the forum for making major operational decisions and assists the Chief Executive in the performance of their duties:
  - development and implementation of strategy, operational plans, policies, procedures and budgets
  - monitoring of operating and financial performance
  - the assessment and control of risk, prioritisation and allocation of resources.
- Receives and acts on reports from the SIRO through the Caldicott & Information Governance Committee.

Chief Operating Officer (COO) / Senior Information Risk Owner (SIRO)
- The Chief Operating Officer is the Senior Information Risk Owner and is responsible for and takes ownership of the organisation's information governance/risk policy, and acts as advocate for information governance risk on the Board.
- Authorises the Information Governance Toolkit Self-Assessment submissions.
- Ensures that an effective information assurance governance infrastructure is in place, including information asset ownership, reporting, and defined roles and responsibilities.
- Ensures that the Caldicott and Information Governance Committee has a suitably experienced chairman in place.

Information Asset Owner (IAO)
- Information Asset Owners are senior individuals involved in running the relevant business. Their responsibility is to identify, understand and address risk to the information assets they own.
- Accountable to the SIRO for providing assurance on the security and use of their information assets.

Caldicott & Information Governance Committee
- This committee is responsible for overseeing day to day Information Governance issues.
- Develops, maintains and approves policies, standard procedures and guidance.
- Coordinates and raises awareness of Information Governance in the Trust.
- Reports on an exception basis to the Trust Management Committee on Information Governance issues and risk.
- Supports the Senior Information Risk Manager in completion of their delegated duties.

Caldicott Guardian
- The Caldicott Guardian acts in a strategic, advisory and facilitative capacity in the use and sharing of patient information.
- Responsible for approving, monitoring and reviewing protocols governing access to person identifiable information by staff within the Trust and other organisations, both NHS and non-NHS.

Information Governance Manager / Information Security Officer
- Provides expert technical advice and guidance to the Trust on matters relating to information governance.
- Acts as the Trust Information Security Manager.
- Develops and provides suitable information governance training for all staff.
- Monitors actual or potential reported information security incidents within the organisation.
- Supports and assists the IT Security Officer with regard to IT/information security incidents.

IT Services Manager / IT Security Officer
- Provides expert technical advice to the Trust on matters relating to IT security and ensures compliance and conformance.
- Acts as the Trust IT Security Manager.
- Supports and assists the Information Security Officer with regard to IT/information security incidents.

Managers
- Responsible for ensuring that the policy and its supporting standards and guidelines are built into local processes and that there is ongoing compliance.
- Responsible for ensuring that all staff job descriptions contain the relevant responsibility for information security, confidentiality and records management.
- Responsible for ensuring that staff undertake information governance mandatory training and that ongoing training needs are routinely assessed.
- Managers shall be individually responsible for the security of their physical environment where information is processed and stored.

All staff
- All staff shall comply with information security policy and procedures, including the maintenance of data confidentiality and data integrity, and ensure that no breach of information security or confidentiality results from their actions. Failure to do so may result in disciplinary action.
- Each member of staff shall be responsible for the operational security of the information systems they use.
- All staff are required to undertake relevant information governance training covering confidentiality and information security.

Third Party Contractors / third parties
- Appropriate contracts and confidentiality/information security agreements shall be in place with third party contractors/third parties where potential or actual access to information assets is identified.

5. LEGISLATION AND KEY REFERENCE DOCUMENTS

5.1 The Trust is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of the Trust, who may be held personally accountable for any breaches of information security for which they may be held responsible. The Trust shall comply with the following legislation, key documents and other legislation as appropriate:

- The Data Protection Act (1998)

- The Data Protection (Processing of Sensitive Personal Data) Order 2000
- The Copyright, Designs and Patents Act (1988)
- The Computer Misuse Act (1990)
- The Health and Safety at Work Act (1974)
- Human Rights Act (1998)
- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
- Health & Social Care Act 2008
- Confidentiality: NHS Code of Practice
- Records Management: NHS Code of Practice
- Information Security Management: NHS Code of Practice

5.2 The NHS Care Record Guarantee for England 2005 (Revised 2011) sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this. It covers people's access to their own records, controls on others' access, how access will be monitored and policed, options people have to further limit access, access in an emergency, and what happens when someone cannot make decisions for themselves. Everyone who works for the NHS or for organisations delivering services under contract to the NHS has to comply with this guarantee.

5.3 The Department of Health Committee's Report on the Review of Patient Identifiable Information, published December 1997, made a number of recommendations, including the appointment of a Caldicott Guardian in all NHS organisations (Health Service Circular 1999/012), and also led to the establishment of a set of clear principles reflecting best practice in the handling of confidential patient information. The report called for regular and routine testing of information flows against these principles; this would be developed and overseen by a network of Caldicott Guardians who would act, within each organisation, in a strategic, advisory and facilitative capacity to their Board.

5.4 During 2007 and 2008 a number of letters from the NHS Chief Executive to NHS Chief Information Officers restated the accountability and responsibility framework already in place for securing effective information governance and the action required by organisations as part of the assurance process. They also set out specific requirements for securing data in transfer. A further Cabinet Office data handling review in December 2008 mandated a range of standards for managing information and for ensuring compliance with the Data Protection Act 1998. These are reflected within the NHS Information Governance Toolkit (a Department of Health mandated self-assessment against compliance with current legislation, standards and national guidance; performance is monitored by a number of external bodies). This policy is in line with these standards.

6. MONITORING THIS POLICY

The Caldicott and Information Governance Committee will monitor the implementation of this policy and subsequent revisions through:

- Ensuring that the roles identified within this policy are supported by key documented responsibilities and that these are reviewed annually
- Ensuring that staff are identified for the key roles
- Ensuring that appropriate policy and procedures are in place and are regularly reviewed to ensure that legal and statutory requirements are being met
- Regular review of reported information security incidents

7. REVIEW OF THIS POLICY

This document should be subject to review when any of the following conditions are met:

a. The adoption of the Code of Conduct highlights errors and omissions in its content
b. Where other standards / guidance issued by the Trust conflict with the information contained
c. Where the knowledge base regarding interpretation of the legislation evolves to the extent that revision would bring about improvement
d. 3 years from the date of approval of the current version

Appendix A - INFORMATION MANAGEMENT AND SECURITY FRAMEWORK

Information takes many forms and includes data stored on computers, transmitted across networks, printed copy, handwritten, sent by fax, stored on tapes, diskettes, CDs, DVDs, USB memory sticks and other mobile media, or spoken in conversation and over the telephone. Data represents an extremely valuable asset, and to ensure its integrity the Trust must safeguard accuracy and completeness by protecting against unauthorised use/disclosure, modification or intelligent interruption.

The increasing reliance of the NHS on information technology for the processing of data and delivery of healthcare makes it necessary to ensure that these systems are developed, operated, used and maintained in a safe and secure fashion to protect from events, accidental or deliberate, that may jeopardise healthcare activities.

The key issues addressed by this framework are:

- Confidentiality: data is secure and access is confined to those with specified authority to view the data
- Integrity: all system assets are operating correctly according to specification and in the way the current user believes them to be operating
- Availability: relevant information is delivered to the right person when it is needed

1. Information Security Awareness Training

Information security awareness training shall be included in the staff induction process. An ongoing awareness programme shall be established and maintained in order to ensure that staff awareness is refreshed and updated annually.

2. Contracts of Employment

Staff security requirements shall be addressed at the recruitment stage and all contracts of employment shall contain a confidentiality clause. Information security expectations of staff shall be included within appropriate job definitions.

All contract agreements with a third party supplier of goods, services or consultancy shall contain a confidentiality clause and an undertaking that any information obtained during the course of performing the contract is confidential and shall only be used for the sole purpose of the execution of the contract, and that the supplier will take all necessary precautions to ensure that all such information is kept secure.

3. Security Control of Assets

Each information asset (hardware, software, IT application or data) shall have a named information asset owner who shall be responsible for the information security of that asset. A register of all computing assets and their owners will be established and maintained by the IT department.

4. Access Controls to IT Secure Areas

Only authorised personnel who have a justified and approved business need shall be given access to restricted areas containing information systems and data storage facilities. Records of access will be maintained.

5. User Access Controls and Monitoring

Access to information shall be restricted to authorised users who have a bona fide business need to access the information. An audit trail of system access and data use by staff shall be maintained and reviewed on a regular basis where the system is capable of providing this.

6. Computer Access Control

Access to computer facilities shall be restricted to authorised users who have a business need to use the facilities. Access to data, system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need, e.g. systems or database administrators.

7. Security of IT Systems

In order to minimise loss of, or damage to, all assets, equipment shall be physically protected from threats and environmental hazards. The Trust will define certain locations as IT secure areas and the equipment will be installed and sited in accordance with the manufacturer's specification. All items of computer equipment must be recorded on the Trust register of IT assets. IT equipment should be kept out of view of the general public if possible; where this is not possible, computer screens should not normally be visible from public circulation areas. Wherever possible screen savers should be applied. Areas housing computer equipment should keep the doors and windows closed or locked when unattended.

8. IT System Management

Responsibilities will be appropriately assigned for the management of IT systems. These will include the management, monitoring and auditing of access to IT systems and the timely management of new starters and leavers and those changing job role. In addition, the National Programme for IT (NPfIT) requires Trusts to have established appropriate confidentiality audit procedures.

9. Computer and Network Procedures

Management of computers and networks shall be controlled through standard documented procedures that have been authorised by the IT Department.

Network risk assessments will be developed and undertaken routinely by the IT Department. A register of both internal and external users and systems will be maintained by the IT department, who will be responsible for determining and controlling access rights.

10. Protection from Malicious Software

The Trust shall use software countermeasures and management procedures to protect itself against the threat of malicious software. The Trust will maintain an IT Virus Control Procedure.

11. User Media

Removable media of all types that contain software or data from external sources, or that have been used on external equipment, require the approval of the IT Security Officer before they may be used on the Trust's systems. Such media must also be fully virus checked before being used on the organisation's equipment. Users breaching this requirement may be subject to disciplinary action. Staff and contractors who are permitted to use portable media to transfer person identifiable data in the performance of their duties must apply industry standard AES256 data encryption procedures. Only Trust approved encrypted memory/USB sticks may be used where use of these is deemed necessary.

12. Access to the Internet and Email

The Trust will ensure adequate provision of user training to support access to the Internet and email. The Trust will maintain appropriate policies covering all areas regarding access to the Internet and use of email.

13. System Procurement and Acceptance

Trust policies on security and confidentiality must be reflected in any procurement for new or enhanced systems. All purchases of hardware, software and other related IT services (e.g. IT support, maintenance, consultancy) must be made through the Trust's approved purchasing arrangements using the standard NHS Terms and Conditions.

Managers must ensure that acceptance criteria are agreed with the supplier and Trust IG & IT services; the criteria must be thorough and adequately documented and must demonstrate conformance to security and confidentiality specifications.

14. Accreditation of Information Systems

The Trust shall ensure that all new information systems, applications and networks include a security plan and are approved by the IT Security Officer and Information Security Officer before they commence operation.

15. System Change Control

Changes to information systems, applications or networks shall be reviewed and approved by the IT Network Manager or IT Services Manager as appropriate.

16. Intellectual Property Rights

The Trust shall ensure that all information products are properly licensed and approved by the IT Department. Users shall not install software on the Trust's property without permission from the IT Department.

17. Information Risk Assessment and Management

All key/critical computer systems will be subject to periodic risk assessments carried out by system managers/administrators. For manual information processes, line managers will carry out the risk assessments.

The Trust will develop a procedure for carrying out IM&T systems risk assessments. The procedure will include:

  - Roles and responsibilities
  - Timescales
  - Planned and unplanned assessments
  - Assessment of the assets of the system
  - Evaluation of potential threats/risks
  - Assessment of the likelihood of threats/risks occurring
  - Identification of practical, cost-effective treatment plans
  - Implementation programme for treatment plans
  - Reporting

Once identified, information security risks shall be managed on a formal basis. They shall be recorded in a baseline risk register, and action plans shall be put in place to manage those risks effectively. The risk register and all associated actions shall be reviewed at regular intervals. Any implemented information security arrangements shall also be a regularly reviewed feature of the Trust's risk management programme.

18. Business Continuity and Disaster Recovery Plans

The Trust shall ensure that business impact assessments, business continuity plans and disaster recovery plans are produced for all mission-critical information, applications, systems and networks. Departmental system/application managers are responsible for ensuring that business continuity plans are in place and for identifying the need for early review, for example following system or environment changes. Each plan for coping with disastrous failure must be approved by the appropriate level of authority in the Trust and be adequately resourced.

19. Data Quality and Validation

The Trust will ensure that the data held in information systems that support operational and clinical decision-making is up to date, complete and accurate. Where possible, validation of data at the point of entry and at the analysis stage will be incorporated and maintained.

20. Information Security Incident Management

All information security events and suspected weaknesses must be reported through the Trust Incident Reporting Policy & Procedures. The Information Security Officer/Information Governance Manager will maintain an Information Governance procedure for reported information security incidents. All reported information security events shall be investigated to establish their cause and impact, with a view to avoiding similar events.

21. Disposal of IT Equipment and/or Confidential/Sensitive Data

IT equipment disposal must only be authorised by the IT Department. The IT Department must ensure that, where possible, data storage devices are purged of sensitive data before disposal and, where this is not possible, must arrange secure destruction. A procedure for disposal will be documented and retained by the IT Department.

Unusable computer media (e.g. floppy disks, magnetic tapes, CD-ROMs) should be destroyed. Where destruction is performed by an approved third-party organisation, a certificate of disposal must be obtained. All data must be disposed of securely and in accordance with the relevant legislation and Trust policies. Contracts with third-party suppliers must contain clauses covering the safe and secure disposal of media containing data processed on behalf of the Trust. Disposal of equipment must be in accordance with the Trust Standing Orders and Standing Financial Instructions.

22. Standards of Business Conduct/Declaration of Interests

All Trust staff and members of the Board must comply with the Trust Guidance on Standards of Business Conduct for Trust Staff, available on the Trust intranet.