Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25


Information Security Policy

Document Information

Trust Policy Number: ULH-IM&T-ISP01
Version: 3.1
Status: Approved
Issued by: Information Governance Manager
Issued date: 31 March 07
Approved by: Executive Team
Date of approval: 1 September 2003
Date of review: 1 April 2011

Change Control
Previous Versions: 2.0
Changes:
  Additions: Reissue
  Modifications: Section 5
  Deletions:
Date of issue: 2 September 2003
Review date: 26 March 2008

Referenced Documents: See Appendix 1

Relevant Legislation:
- Data Protection Act (1988)
- Copyright and Design Patents Act (1988)
- Computer Misuse Act (1990)
- Human Rights Act (1988)
- Freedom of Information Act (2000)
- Telecommunications Regulations (2000)
- Investigatory Powers Act (2000)

Relevant Standards:
- Caldicott Report (1988)
- BS7799-2:2000
- NHS Statement of Compliance

Table of Contents

1. Introduction ... 5
  1.1 Purpose ... 5
  1.2 Objectives ... 5
  1.3 Scope ... 6
  1.4 Code of Practice for Information Security Management ... 6
  1.5 Information Security Management System ... 7
  1.6 Legal Compliance ... 8
  1.7 Retention of Records ... 8
  1.8 Information Governance ... 9
2. Security Principles ... 10
  2.1 Policy Statement ... 10
  2.2 EIS Security Policy Principles ... 10
  2.3 MIS Security Policy Principles ... 10
  2.4 General Principles ... 11
  2.5 Caldicott Principles ... 13
  2.6 Patient Identifiable Information ... 13
  2.7 Safe Havens ... 13
  2.8 Sharing Information with Partner Organisations ... 14
  2.9 Sharing Information with Non-partner Organisations ... 14
  2.10 Sharing Information Internally ... 15
3. Communications ... 16
  3.1 Policy Statement ... 16
  3.2 Network Security ... 16
  3.3 Home-working ... 16
  3.4 Telephone Security ... 16
  3.5 E-mail ... 16
  3.6 Internet ... 17
  3.7 Monitoring ... 17
  3.8 Postal Communications ... 17
  3.9 Verbal Communications ... 17
  3.10 Fax Security ... 17
4. Quality Control and Data Validation ... 18
  4.1 Policy Statement ... 18
  4.2 Data Input ... 18
  4.3 Validation ... 18

5. Security Responsibilities ... 19
  5.1 Overall responsibility ... 19
  5.2 Associate Director of ICT Ops ... 19
  5.3 Information Security Manager ... 19
  5.4 Data Protection Officer ... 20
  5.7 Caldicott Guardian ... 20
  5.8 ICT Ops ... 20
  5.9 Accreditation Authority ... 21
  5.10 Information Governance Board ... 21
  5.11 Director of Facilities ... 21
  5.12 Line Managers ... 21
  5.13 General Responsibilities ... 22
  5.14 Project Board ... 22
Appendices:
  1. References ... 23
  2. Glossary of Terms ... 24
  3. Guidance for Staff ... 25

1. Introduction

1.1 Purpose

This document defines the Information Security Policy for the United Lincolnshire Hospitals Trust (ULHT). The purpose of this policy is to recognise the security threats to information and to provide a management framework for reducing the likelihood of security incidents. It provides high level guidance on ensuring the confidentiality, integrity and availability of information. Specific procedures flowing from the guidance will be amplified in supporting policies as required.

This document:
- Sets out the organisation's policy for the protection of its information assets; that is, information in all its forms: electronic information systems (EIS), including PCs, networks and applications, and paper-based manual information systems (MIS).
- Establishes the security responsibilities for information security.
- Provides reference to the documentation which comprises the Information Security Management System (ISMS).

1.2 Objectives

The objectives of this policy are:

1.2.1 To ensure the security of the Trust's information assets:
- To ensure Availability, that is to ensure that assets are available as and when required, adhering to the organisation's business objectives.
- To preserve Integrity, that is to protect assets from unauthorised or accidental modification, ensuring the accuracy and completeness of the organisation's assets.
- To preserve Confidentiality, that is to protect assets against unauthorised disclosure.

1.2.2 To provide the means to ensure that the Trust complies with legislation and directives regarding the security of information.

1.2.3 This policy aims to ensure that its information systems are properly assessed for security and that the confidentiality, integrity and availability of information are maintained; that staff are fully aware of their responsibilities, roles and accountability; and that procedures are in place to detect and resolve security breaches.

Where systems are managed by third parties, it is the Trust's responsibility to ensure that the information systems are managed in line with this policy.

1.3 Scope

This policy relates to information held in both manual and electronic form. The policy applies to all full-time and part-time employees of the Trust, non-executive directors, contracted third parties (including agency staff), students/trainees, secondees and other staff on placement with the Trust, and staff of partner organisations with approved access.

It applies to the provision, maintenance, support and use of EIS systems, including information systems, networks and applications, in support of the following business processes:
- All clinical support: diagnostic data, patient care information, central patient records, clinical support and administration information.
- All corporate support: organisational information, desktop services including e-mail, web access and office applications, and staff related information.

1.4 Code(s) of Practice for Information Security Management

United Lincolnshire Hospitals Trust has adopted and will comply with the following standards:
- BS ISO/IEC 27001, British Standards for Information Security.
- NHS Code of Practice for Information Security Management.

All employees of ULHT are required to comply with these standards, which will be outlined through the Information Security Policy and procedural document sets.

1.5 Information Security Management System

The ULHT Board is fully committed to the goals and principles of information security. To manage information security effectively within the organisation, a security management system will be developed to provide a framework for information security. Owners will be identified for specific information systems and, where appropriate, specific datasets. These owners will work with the Caldicott Guardian to determine appropriate data sharing protocols, access protocols and appropriate security practices and procedures.

There are a number of activities required in developing the overall ISMS:
- Policy definition.
- Determine information assets and document them in a register.
- Risk assessment, identifying threats, vulnerabilities and impacts.
- Select appropriate controls and implement them, developing procedure and process related documentation.
- Produce an applicability statement and combine the documentation for formal accreditation to the standard (ISO 17799).

[Figure: components of the ISMS (Information Security Management System): Information Security Policy; Information Asset Register; Risk Assessment Report; Statement of Applicability; ISMS supporting policy/procedures and those integrated/supported with other policy areas.]

1.6 Legal Compliance

United Lincolnshire Hospitals Trust and its employees have a legal responsibility to implement, manage and maintain security and confidentiality under the following legislation:
- Data Protection Act (1998).
- Computer Misuse Act (1990).
- Copyright Design and Patents Act (1988).
- Criminal and Public Orders Act (1994).
- Human Rights Act (1998).
- Telecommunications Regulations (2000).
- Regulation of Investigatory Powers Act (2000).

This policy describes the way in which information should be managed, in particular the way in which personal or sensitive information should be protected. In addition to the above, other legislation can impact upon the way in which we should use personal information. This includes:
- Public Interest Disclosure Act 1998.
- Access to Health Records Act (1990).
- Audit & Internal Control Act 1987.
- Public Health (Code of Practice) Act 1984.
- NHS (VD) Regulations 1974.
- National Health Service Act 1977.
- Human Fertilisation & Embryology Act 1990.
- Abortion Regulations 1991.
- The Terrorism Act 2000.
- Road Traffic Act 1988.
- Regulations under the Health & Safety at Work Act 1974.
- Regulation of Investigatory Powers Act 2000.
- Freedom of Information Act 2000.

In addition, ULHT is bound by the confidentiality aspects of common law and the Caldicott guidance on protection of patient information.

1.7 Retention of Records

As part of, and in addition to, the above legislation, ULHT is required to retain all records (health and administrative) for specified periods of time and in accordance with the Trust retention and disposal policies.

1.8 Information Governance

Information Governance provides a framework for the handling of both personal and patient information in a confidential and secure manner to appropriate ethical and quality standards. It brings together the following areas of governance:
- Information Governance Management
- Information Security Assurance
- Confidentiality and Data Protection Assurance
- Clinical Information Assurance
- Secondary Use of Information Assurance
- Corporate Information Assurance

2. Security Principles

2.1 Policy Statement

United Lincolnshire Hospitals Trust will seek to ensure that the confidentiality, integrity and availability of its information are maintained by implementing best practice to minimise risk. Patient care and confidentiality are the driving forces of the information security processes and procedures. The integrity of information is essential for informed decision making about both the types of patient care and its delivery. Patients may accept that clinical information is available to other professionals but at times may wish that certain information is withheld. The principle of confidentiality will be upheld throughout the Trust and be reflected in its protocols and system procedures.

2.2 EIS Security Policy Principles

The Trust will ensure that EIS are available when needed, can be accessed only by legitimate users and contain complete and accurate information. The EIS must also be able to withstand or recover from threats to their availability, integrity and confidentiality. This policy will support the development of the Electronic Care Record as part of the NHS Care Record Service (CRS), and the Trust will adhere to the NHS Care Record Guarantee.

2.3 MIS Security Policy Principles

The Trust will ensure that MIS are available when needed, are used only by legitimate personnel in the course of their duties and contain complete and accurate information. Manual records will remain confidential, be available when required and their integrity will be maintained.

2.4 General Principles

[Figure: Information Security Principles. The Information Security Policy (overall policy for confidentiality, integrity and availability of information) is supported by system and area specific policy and procedure documents and by Acceptable Use Policies (the policies which make up the ISMS).]

The IS policy sets the high level direction and required standard across the organisation. This is supported where necessary by specific system and area policies, where the required controls are explained in detail. This also links to procedure documents and manuals.

To ensure compliance with BS ISO/IEC 27001, ULHT will:

2.4.1 Protect all information assets under its control, including hardware, software, and electronic or manual records. This will be achieved through the implementation of a set of well balanced technical and non-technical measures.

2.4.2 Provide both effective and cost-effective protection that is commensurate with the risks to its assets.

2.4.3 Implement the Information Security Policy in a consistent, timely and cost effective manner. Carry out reviews at least annually or following a change that could affect the basis of the original risk assessment (e.g. a security incident, new vulnerabilities or changes to the organisation or technical infrastructure).

2.4.4 Carry out security risk assessment(s) in relation to all the business processes covered by this policy. These risk assessments will cover all information systems, applications and networks that are used to support those business processes. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability.

2.4.5 Produce a comprehensive security document set, which will form the basis of the ISMS and will apply to all information systems, applications and networks. These policies will be developed on the basis of an analysis of risks.

2.4.6 All security policies will be approved by the Information Security Manager (ISM), both at the beginning of the project and prior to the implementation of any information system.

2.4.7 Produce system acceptable use policies (AUPs) and security contingency plans.

2.4.8 Ensure that all users of the system are made aware of the contents and implications of relevant AUPs. They must accept and follow the terms laid out in the Information Security Policy and relevant AUPs before being granted permission to access systems.

2.4.9 Ensure that all users of information systems, applications and networks are provided with the necessary security guidance, awareness and, where appropriate, training to discharge their security responsibilities.

2.4.10 Implement procedures to ensure that any breach of security, suspect incident or security weakness is reported and subsequently investigated.

2.4.11 Ensure that any Information Security Policy violations (irresponsible or improper actions) are investigated and may result in formal disciplinary procedures being taken (using the HR Disciplinary Policy), or criminal prosecution.

2.4.12 Develop a business continuity management policy to ensure that contingency and disaster recovery plans are produced for all critical applications, systems and networks. These plans will be reviewed by the ISM and tested on a regular basis.

2.4.13 Ensure that for all new systems, all relevant security documentation, security AUPs and contingency plans reflecting the requirements of the security policy are produced as part of the project.

2.4.14 Ensure that the relevant project/system manager reviews changes to the security of an information system, application or network. All such changes must be reviewed and approved by the ISM.

2.4.15 Ensure that all EIS are approved before they commence operation.

2.4.16 Ensure that measures are in place to detect and protect information systems, applications and networks from viruses and other malicious software.

2.4.17 Ensure that all connections to external networks and systems have documented and approved AUPs.

2.4.18 Ensure that all connections to external networks and systems are approved by both the Network Security Manager and the ISM before they commence operation.

2.4.19 Ensure that all third party accesses and access rights are strictly controlled. Access will only be granted when a contractual agreement with the third party has been made and the third party has signed the Trust's confidentiality agreement, accepting the terms stated within the Information Security Policy and other conditions made within the contract. Should the connection be made via N3, the statement of compliance will form part of a conditional contract.

2.4.20 Ensure that:
- Security responsibilities are included in job descriptions.
- All employees sign the Trust's code of practice for confidentiality.
- System Managers/ICT Ops are informed of new employees, changes to employees' job roles and when employees leave the Trust.

2.5 Caldicott Principles

United Lincolnshire Hospitals Trust is fully committed to the Caldicott Principles regarding the protection and use of patient-identifiable information, namely:
- Use and transfer of such information will only take place where the purpose is fully justified.
- Use and transfer will only occur when absolutely necessary.
- Use the minimum required; where possible, all data should be anonymised.
- Access strictly on a need to know basis.
- Everyone must understand his or her responsibilities.
- Understand and comply with the law.

2.6 Patient Identifiable Information

Information routinely flows within the NHS community and between NHS organisations and other bodies concerned with patient care or an individual's medical condition. The misuse of patient identifiable information for non-clinical purposes could have an adverse effect on the clinician/patient relationship and could also infringe individuals' legal rights. With this in mind, ULHT has established a Caldicott Guardian to ensure that the flow of patient identifiable information is appropriately controlled.

All data sharing will be strictly undertaken against the principle that only those who are involved with the direct provision of care, or with broader work concerned with the treatment or prevention of disease in a population, should normally have access to patient identifiable information. This is not restricted to clinical staff but may include other staff where they need access to clinical information systems (manual and electronic).

2.7 Safe Haven Principles

The Trust will adhere to the Safe Haven principles outlined in the Caldicott report. Areas will be identified where patient identifiable information can be handled in a controlled environment and information can be received, transmitted, processed and stored safely. Details will be outlined in the Safe Haven and Communications Policy.

2.8 Sharing Information with Partner Organisations

United Lincolnshire Hospitals Trust works with partner organisations which all have a legitimate role to play in delivering care to NHS patients. Partners, in this context, are taken to be:
- Lincolnshire Primary Care Trust (LPCT)
- Lincolnshire Partnership Trust (LPT)
- East Midlands Ambulance Service
- Lincolnshire County Council
- St Barnabas Hospice
- HM Prison Morton Hall

A formal Lincolnshire community wide Information Protection and Sharing Protocol has been developed and published which makes the standards of information protection control explicit.

2.9 Sharing Information with Non-partner Organisations

In addition to partner organisations, ULHT receives requests for person-identifiable information from external and non-NHS sources. Organisations requesting such information include:
- Private healthcare providers
- Police
- Insurance companies
- Solicitors

Whilst such requests may be legitimate, ULHT will ensure the use of such information is not abused by applying the following principles when considering the release of the information to non-partner organisations:
- Information will not normally be released without the written consent of the individual concerned.
- Individuals will normally be fully informed:
  - that information is being released;
  - of the purpose(s) for which it is being used.
- Individuals will wherever possible be given the right to review the information being released and given the opportunity to correct or otherwise amend such information before release.

These requirements may be waived in certain conditions, such as where we have a legal requirement to release without the individual's consent (e.g. as a result of a court order), but only after authorisation has been obtained from the Data Protection Office.

2.10 Sharing Information Internally

United Lincolnshire Hospitals Trust shares its internal network with other NHS organisations which all have a legitimate role to play in delivering care to NHS patients and who are based within Trust facilities. Such organisations include:
- Macmillan nurses.
- Path Links.
- Cancer Collaborative staff.

3. Communications

3.1 Policy Statement

The use of IT networks will continue to increase and will become the primary means of communication within and between the various organisations providing services to clients throughout the NHS. One consequence of this is that the networking infrastructure will be increasingly used for a wide variety of purposes to facilitate more flexible working practices and delivery of care, for example home-working by both clinical and managerial staff. Domestic dwellings may be more vulnerable than work premises to theft and subsequent loss or disclosure of information. Increased use of fax and e-mail also introduces the vulnerability to interception or misdirection. It is appropriate to include postal and verbal communications as part of an information security policy, as these elements are integral parts of the information management culture.

3.2 Network Security

United Lincolnshire Hospitals Trust will manage its network services to at least the level of the N3 Data Networking Security Policy and its associated Statement of Compliance. Full details are set out in the Network Security Policy.

3.3 Home-working

United Lincolnshire Hospitals Trust will implement a set of strict controls and procedures that apply to all home-working activity. Only those members of staff prepared to accept the controls, and who certify that they have done so, will be permitted to work on ULHT information at home. Full details are set out in the Mobile Computing and Homeworking Policy.

3.4 Telephone Security

It is essential that all staff are aware of the need to check the credentials and identity of all callers requesting patient-identifiable or other sensitive information, and that all Trust protocols and procedures regarding the release of patient identifiable information are adhered to. Full details are set out in the Safe Haven and Communications Policy.

3.5 E-mail

E-mail is not a secure method for the transfer of information, and unless an approved encryption process is used as part of an organised workflow, the content should not contain patient identifiable or sensitive business information. E-mail accounts are given to all ULHT employees as a business tool and may, with discretion, be used for personal use, but employees will be made aware that e-mails will be monitored and therefore privacy cannot be expected. The use of e-mail must be in accordance with the Trust's Email Acceptable Use Policy.

Commercial web based e-mail: the use of commercially available web based e-mail such as hotmail and mail.com is specifically prohibited for any patient identifiable information or official information relating or belonging to ULHT.

3.6 Internet

Access to the Internet is a useful tool in the workplace and can be a significant source of reference information. It can also be the source of inappropriate material. ULHT is committed to giving all staff access to the Internet for both work and limited personal use (break times, with line management authority), whilst at the same time ensuring that their use of it does not breach any acceptable standards which may bring the organisation into disrepute.

Staff are advised that use of the Internet may be monitored and that appropriate technical controls will be put in place. This is to ensure that the Trust Board meets its legal obligations, that the system is only used in accordance with Trust policy and that ULHT's information resources are protected from malicious attack. All staff are to abide by the Trust's Web Services (Internet/Intranet) Acceptable Use Policy.

3.7 Monitoring

In order to ensure that staff do not breach any legislation that may have an impact upon ULHT during their personal use of e-mail and the Internet, the organisation will monitor its IT systems. This monitoring will be carried out in accordance with the Information Commissioner's guidance in this area and will comply with the Regulation of Investigatory Powers Act.

3.8 Postal/Courier Communications

All staff should ensure that arrangements for sending and receiving information through the post are adequate, particularly in relation to personal identifiable information. The use of tamper-proof envelopes is mandatory for all non-encrypted bulk data transferred by hand or courier. The use of Special Delivery is mandatory for all bulk non-encrypted data sent in the post.

3.9 Verbal Communications

Under the Caldicott guidelines, staff are obliged to respect the privacy of individual patients. This means holding conversations about patients discreetly and with due regard to the sensitivity of the subject under discussion. Staff should be aware of the dangers of conversations being overheard, both in the workplace and particularly when away from it. Users of mobile phones should take particular care when in public areas, especially whilst on public transport.

3.10 Fax Security

All users of fax machines should implement controls to ensure that fax communications are protected at all times. Faxes containing Patient Identifiable Information must only be sent to and received from a secure environment in accordance with Safe Haven principles. For further guidance refer to the Safe Haven and Communications Policy.

4. Quality Control and Data Validation

4.1 Policy Statement

The integrity of data is a key component of information security, and it is essential that confidence be maintained in data accuracy for use in decision making. Therefore it is vitally important that data held by ULHT is of the highest possible quality. Inaccuracies in data, particularly that relating directly to patient care, have the potential to adversely affect a patient's treatment or to seriously disrupt the running of ULHT's operations. This requirement extends to both computerised and manual data.

4.2 Data Input

Data accuracy is the direct responsibility of the person inputting the data, supported by their line manager. All systems will include validation processes at data input to check, in full or in part, the acceptability of the data. Depending on the system, later validation may be necessary to maintain referential integrity. Systems should report all errors together with a helpful reason for the rejection to facilitate correction. Error correction should be done at the source of input as soon as it is detected. Such correction is increasingly important as systems are linked and errors can be transmitted between systems.

Any loss or corruption of data should be reported to the relevant system manager at once. This should involve the incident recording mechanism immediately and possibly major incident control (dependent upon the severity of the problem).

4.3 Validation

All electronic systems will incorporate validation processes and audit trails to detect and record problems with processing or data integrity. Where this is not achievable, due to system limitations, manual validation systems will continue to support information requirements. For further guidance refer to the Data Quality Assurance Policy.

5 Security Responsibilities

5.1 Overall Responsibility
The Chief Executive is ultimately responsible for information security, both policy and implementation, within the Trust and has agreed with the Board of Directors to the implementation and management of BS ISO/IEC 27001 as an Information Security Management System. Overall responsibility is delegated to the Associate Director of ICT, who will appoint a dedicated Information Security Manager.

5.2 Associate Director of ICT
The Associate Director of ICT is responsible for:
5.2.1 Making arrangements for information security by setting an overall information security policy for the organisation.
5.2.2 Appointing the Information Security Manager.
5.2.4 Ensuring that, where appropriate, staff receive information security awareness training.

5.3 Information Security Manager
The Information Security Manager is responsible for:
5.3.1 Acting as a central point of contact on information security within the organisation, for both staff and external organisations.
5.3.3 Implementing an effective framework for the management of security.
5.3.4 Assisting in the formulation of information security policy.
5.3.5 Advising on the content and implementation of the information security programme.
5.3.6 Co-ordinating the production of organisational standards, procedures and guidance on information security matters for approval by the Information Security Forum.
5.3.7 Co-ordinating information security activities, particularly those related to shared information systems or IT infrastructures.
5.3.8 The development and implementation of the Information Security Management System to ensure Trust compliance with the requirements of BS ISO/IEC 27001.
5.3.9 Investigating and reporting on all information security incidents.

5.4 Data Protection Officer
The Data Protection Officer is responsible for:
5.4.1 Ensuring that appropriate Data Protection Act notifications are maintained for applicable organisation's systems and information.
5.4.2 Dealing with enquiries, from any source, in relation to the Data Protection Act and facilitating Subject Access Requests.
5.4.3 Advising users of information systems, applications and networks on their responsibilities under the Data Protection Act, including Subject Access.
5.4.4 Advising the Trust Executive Board on breaches of the Act and the recommended actions.
5.4.5 Encouraging, monitoring and checking compliance with the Data Protection Act.
5.4.6 Liaising with external organisations on Data Protection Act matters.
5.4.7 Promoting awareness and providing guidance and advice on the Data Protection Act as it applies within the organisation.

5.5 Caldicott Guardian
The Caldicott Guardian is responsible for ensuring that the Caldicott principles for the handling of patient identifiable data are adhered to in relation to all information systems, both manual and automated.

5.6 ICT Ops
ICT Ops are responsible for:
5.6.1 Ensuring that all EIS are configured and managed in accordance with Trust information security policies and specific systems' AUPs and procedures.
5.6.2 Ensuring that only individuals who have the necessary authority are allocated system accounts.
5.6.3 Ensuring that risks to IT systems are reduced to an acceptable level by applying identified security countermeasures in a timely manner.

5.7 Accreditation Authority
Before any IT system is allowed to store, process or forward any Trust information on the ULHT LAN, or confidential information in stand-alone mode, it must be given security approval, known as Accreditation. The Accreditation Authority (AA) has delegated authority from the Trust Board to:
- Review the Security Policy Documentation.
- Request security enhancements.
- Grant authority to process data in accordance with the AUP.
- Deny authority to process data where the security of an EIS is deemed to be unacceptable.

5.8 Information Governance Board
The Information Governance Board will act as the AA and will promote the security of the Trust by:
- Implementing the Information Security Policy throughout the Trust.
- Ensuring awareness of all employees' accountabilities and responsibilities.
- Reviewing and, where appropriate, authorising information security policies and responsibilities.
- Reviewing incident reports relating to security and ensuring appropriate action is taken to reduce or eliminate the risk.
- Developing and enforcing Trust security.

5.9 Director of Facilities
The Director of Facilities is the designated Trust Director who, with senior management, ensures key tasks are carried out and that adequate policies, procedures and systems are in place for the protection of persons and property and for the deterrence and prevention of crime.

5.10 Line Managers
Line Managers are directly responsible for:
5.10.1 Ensuring that the security of the organisation's assets, that is information, hardware and software used by staff and, where appropriate, by third parties, is consistent with legal and management requirements and obligations.
5.10.2 Determining which members of staff require access to specific systems based on their role and their need to access information held on that particular system.
5.10.3 Ensuring that system administrators are informed when members of staff no longer require access to a particular system.
5.10.4 Ensuring that their staff are aware of their security responsibilities.

5.10.5 Ensuring that their staff have had suitable security training.
5.12.6 Ensuring that any actual or potential breach of information security policy within their area of responsibility is reported via the Trust incident reporting system and, for serious incidents, directly to the ISM.

5.13 General Responsibilities
All personnel or agents acting for the organisation have a duty to:
5.13.1 Safeguard hardware, software and information in their care and ensure confidentiality is maintained.
5.13.2 Ensure that all computer accounts are protected by safeguarding their individual username and password.
5.13.3 Ensure that no breach of information security results from their actions.
5.13.4 Prevent the introduction of malicious software onto the organisation's EIS.
5.13.5 Report any suspected or actual breaches of information security to their line manager or via the Trust incident reporting procedure.
5.13.6 Accept and follow the terms laid out in the Information Security Policy and all other relevant security policies and procedural documents.
A guide for EIS users is at Appendix 3.

5.14 IT Project Boards
IT Project Boards are responsible for ensuring that security is properly considered when applications and systems are under development or enhancement. In the absence of a Project Board, the responsibility for security falls to a nominated project officer. The development of a security policy for the application or system should commence at the earliest opportunity following the initiation of the project and should result in the development of security procedures.

Appendix 1 - References

Reference No        Document Title                                                              Document Owner
7974                NHS Code of Practice for Information Security Management                    Digital Information Policy, NHS Connecting for Health
15279               Protecting and Using Patient Information: A manual for Caldicott Guardians  NHS Executive
ULH-IM&T-COP01      Confidentiality Code of Practice for the United Lincolnshire Hospitals Trust  Information Governance
ULH-IM&T-ISP02      E-mail Acceptable User                                                      Information Governance
ULH-IM&T-ISP03      Internet Acceptable User                                                    Information Governance
ULH-IM&T-ISP04      Computer Acceptable User                                                    Information Governance
ULH-IM&T-ISP05      Mobile Computing and Home Working                                           Information Governance
ULH-IM&T-GP02       Safe Haven and Communications Policy                                        Information Governance
ULH-IM&T-DQA01      Data Quality Assurance Policy                                               Information

Appendix 2 - Glossary of Terms

ULHT        United Lincolnshire Hospitals Trust
ICT         Information Communications Technology
IT          Information Technology
EIS         Electronic Information System
MIS         Manual (paper based) Information Systems
ISO 27001   British standard for information security
ISMS        Information Security Management System
CRS         Care Record Services
CRG         Care Record Guarantee
AUP         Acceptable Use Policy
AUP         Acceptable Use Policy (System Security)
HR          Human Resources
ISM         Information Security Manager
AA          Accreditation Authority

Appendix 3 - Guidance for EIS Users

Data Protection: Keep all personal/sensitive information/data confidential (Data Protection Act 1998). Never divulge more information than is required; patient information must only be given to authorised personnel. Try to use anonymised data, using NHS numbers as an identifier, whenever possible.

Systems Access: Do not access or help someone to access any computer system, or modify any program or data, unless you are authorised to do so. Never allow another individual to use your system account without the authority of the Systems Manager.

Passwords: Passwords must be kept secure and changed at regular intervals. You should never give out your password to others.

Anti-Virus Procedures: All downloaded files, email attachments and floppy disks should be scanned for viruses using virus protection software.

Physical Security: Observe building security procedures such as locking doors and windows after working hours. Wear your identity badge at all times and challenge strangers who act suspiciously or are in restricted areas. You should take steps to prevent the theft of any assets, especially information assets.

Configuration Control: Hardware and software purchases must be processed through the Supplies Manager in conjunction with Computer Services. No systems software or application programs are to be introduced onto any computer system unless authorised by Computer Services.

Unattended Workstations: Log off or lock your PC if you intend to leave it unattended. If provided, use the screensaver password protection facility.

Data Storage: Do not store information/data locally on a PC unless your system has facilities to back up the data to an external device. Please ask your line manager to request network access for storage if required. You are responsible for backing up anything that is not stored on the network.

Magnetic Media Security: Storage media such as floppy disks must be securely stored; please note the manufacturer's guidelines for storage conditions.

You must comply with the Information Security Policy, all legal requirements and related policies and procedures:
- Data Protection Act (1998)
- Computer Misuse Act (1990)
- Copyright, Designs and Patents Act (1988)
- Criminal Justice and Public Order Act (1994)
- Human Rights Act (1998)
- Telecommunications Regulations (2000)
- Regulation of Investigatory Powers Act (2000)
- BS7799-2:2002
- Security Operating Procedures