Policies and Procedures. Policy on the Use of Portable Storage Devices


Policies and Procedures: Policy on the Use of Portable Storage Devices

Version One: Issue Date May 2008; Review Date Dec 2012; Lead Person: Head of ICT
Version Two: Issue Date Dec 2012; Review Date Dec 2014; Lead Person: Head of ICT
Date Approved by Trust Board: (not recorded)
Procedure/Policy number: IMxx.V1
Procedure/Policy type: Information Governance Policy

Contents

1 Introduction
2 Background
3 Definitions
4 Risks
5 Authorised use of portable storage devices
6 Relevant Policies and Legislation
7 Scope
8 Responsibilities
9 Implementation and awareness
10 Reporting Procedures
11 Review and Monitoring
Appendices
A Signature Sheet
B Data Log
C Transfer of Portable Storage Device

1.0 Introduction

1.1 There is a wide range of portable storage devices available, capable of holding huge amounts of data at relatively little cost. This policy has been developed to instruct staff in what the Trust policy is for the use of these devices. Staff should observe these policies and be aware of the risks associated with the use of these devices, the limitations on their use and how they may be used in a controlled manner.

2.0 Background

2.1 There has been much publicity surrounding the loss of personal data in transit in both the public and private sector. Some incidents have involved the NHS, including the loss of numerous patient records. This has focussed attention on how organisations can best safeguard the data with which they are entrusted. This policy is part of the Trust's provision of guidance on the various data transfer methods in use, to ensure good practice is followed.

3.0 Definitions

3.1 The term "staff" is used generically and covers all persons with access to Trust data, including contractors and employees of the Trust.

3.2 The term "confidential" includes personal data (see below). The term also includes financial and operational data that should not be disclosed. Example reasons for non-disclosure include, but are not restricted to, the following:
- Financial data: disclosure of detailed building refurbishment costs could provide an outside body with a commercial advantage.
- Operational data: disclosure of certain information regarding site security could compromise the Trust's business.

3.3 The term "personal data" includes data from which an individual can be identified or data which can contribute to the identification of an individual. Examples of personal data include name, address, video image, health records etc.

3.4 The terms "data" and "information" are used interchangeably. Examples include, but are not limited to, the following:
- MRI images
- Computer files created using MS Office products such as Word and Excel
- PET/CT scans
- Case notes

3.5 The term "storage device" covers any medium that is capable of storing computerised data. The term "portable" means the medium may be connected to a different computer where data may be transferred, copied, read, amended or deleted. Examples of portable storage devices include, but are not limited to, the following:
- USB memory sticks
- Digital cameras
- Mobile telephones
- PDAs
- MP3 players, e.g. an iPod
- External hard drives
- Floppy discs, CDs and DVDs

3.6 Internal hard drives in PCs must not be used to store data. These drives are thus not treated as portable storage devices for the purposes of this policy.

4.0 Risks

4.1 Risks associated with the use of portable storage devices include, but are not limited to, the following:
- In the case of unauthorised use of a portable storage device, staff could be liable to prosecution under the Misuse of Computers Act 1990.
- Loss of Trust data, in which case staff may be liable to prosecution under the Data Protection Act 1998, may be effected in a number of ways:
  - The device may be lost or stolen.
  - An authorised user may access data in an insecure physical environment, allowing data to be viewed by unauthorised persons.
  - An authorised user may access data via an insecure computer, allowing data to be stolen by unauthorised persons.
- Spread of computer viruses and other malicious programmes from one computer to another.
- The data stored could be treated as if it were current even though it may have become out of date.
- Data held on the device is not backed up.
- Data held on the device is updated and the data held on the server is not, resulting in multiple, unsynchronised versions of the data.

5.0 Authorised use of portable storage devices

5.1 All Trust data must be stored on the appropriate server. Data may only be transferred from the server to a portable storage device as follows:
- Trust staff must only use portable storage devices provided by the Trust to store and process sensitive or health care related data. The use of personal storage devices for sensitive or health related data is strictly prohibited. In such cases, the device must have been supplied by the Trust and be used solely for Trust business.
- Personal data sticks may be used for personal education and training purposes but must not contain sensitive data.
- Personal, medical or otherwise sensitive data must not be stored in unencrypted form on any portable computer storage media. The storage of unencrypted sensitive data on such devices is strictly prohibited.
- It must be absolutely necessary to transfer the data to a portable device for subsequent access on a different computer in order to conduct the Trust's business.
- The device must be available on request for inspection by the Trust IT manager.
- The IT department will keep a log of all portable storage devices issued and will allocate a named nominal owner to each.
- Data must be deleted from the device when no longer required.
- A description of all sensitive bulk data (a file or files containing sensitive information about more than 10 patients) held on portable devices must be logged (Appendix B).
- Where possible the device should bear a label displaying the number of its log entry and indicating the data present on the device.
- All devices held on Trust premises, whether containing data or not, must be securely stored.
- Staff must take personal responsibility for the safekeeping and, where appropriate, the safe return of storage devices removed from Trust premises.
- Where a portable storage device is passed to a non-Trust body, the IT department must be notified immediately via a signed form as set out in Appendix C.

6.0 Relevant Policies and Legislation

6.1 Relevant Trust policies include:
- IM&T Security Policy
- Data Protection Act and Access to Patient Records
- Trust Confidentiality Code of Conduct
- Staff and Public Disclosure Policy

6.2 Relevant legislation includes:
- Data Protection Act 1998
- Access to Health Records Act 1990

7.0 Scope

7.1 This policy relates to the transfer of Trust data onto any removable storage device. This includes information relating to patients, ex-patients, staff, ex-staff, Trust financial matters and Trust operational issues. All staff are required to adhere to this policy.

8.0 Responsibilities

8.1 Managers are responsible for ensuring all staff adhere to this policy.

9.0 Implementation and Awareness

9.1 This policy should be implemented from the Issue Date. Managers should employ the Signature Sheet at Appendix A to ensure all their staff are aware of the policy contents.

10.0 Reporting Procedures

10.1 All cases of deviation from this policy must be reported in accordance with the incident management policies set out in the Trust IM&T Security Policy.

11.0 Review and Monitoring

11.1 This policy will be reviewed at two-yearly intervals or whenever a material change occurs. The content of relevant incident reports will be used to inform reviews.

Appendix A: Signature Sheet, Policy on the Use of Portable Storage Devices

This sheet should be used to record the names of staff members who have read and understood the above policy document.

Name (please print) | Job Title | Date | Signature

Appendix B: Data Log [Department Name]

Example 1
Device No: 1
Device Type: USB stick
Category of data held: medical
Current Owner: Dr Who

List of data held:

Item No. | Description                                | Date copied to device | Date deleted | Notes
1        | Medical notes for 52 ortho. patients       | 01/02/yyyy            | 17/03/yyyy   |
3        | Radiology images for patients x,y,z etc.   | 13/02/yyyy            |              |

Appendix C: South Tyneside NHS Foundation Trust, Transfer of Portable Storage Device

From:
Department Name:
Device Owner:
Device Number:
Device Type:

I have transferred this device to the receiving person identified below.
Signed:                Date:

To (Receiving Person):
Organisation Name:
Department:

I acknowledge receipt of the device identified above. I undertake to ensure the data contained on the device will be treated strictly in accordance with the Data Protection Act 1998 and all other legislation relevant to its safekeeping. When the data is no longer required I further undertake to either:
(a) Permanently delete the data from the device, and inform Tyneside NHS Foundation Trust accordingly; or
(b) Return the device intact to South Tyneside NHS Foundation Trust.

Signed:                Date: