Page 1 of 33
Information Security Policy
The 5 key messages the reader should note about this document are:
1. It supports confidentiality, integrity and availability of all information and data
2. It covers all types of information, including structured paper and electronic systems, transmission of information via fax, e-mail, post and telephone
3. The Foundation Trust has a Senior Information Risk Owner (SIRO) and a Data Protection Officer (DPO)
4. Each Information Asset is required to have a named Information Asset Owner (IAO) responsible for its security
5. Workers must report all information security breaches
You & Your Care
This document has been approved and ratified. Circumstances may arise where staff become aware that changes in national policy or statutory or other guidance (e.g. National Institute for Health and Care Excellence (NICE) guidance and Employment Law) may affect the contents of this document. It is the duty of the staff member concerned to ensure that the document author is made aware of such changes so that the matter can be dealt with through the document review process.
NOTE: All approved and ratified policies and procedures remain extant until notification of an amended policy or procedure via Trust-wide notification, e.g. through the weekly e-Update publication or global e-mail and posting on the Intranet (Connect).
Procedural Document Title: Information Security Policy
Version: 5-03 Final
Name and Title of Responsible Director:
Tim Rycroft, Associate Director of Informatics/CIO/SIRO
Name and Title of Responsible Deputy Director:
Delphine Fitouri, Head of Informatics
Name and Title of Responsible Senior Manager:
Gaynor Toczek – Information Governance and Records Manager/DPO
Name and Title of Author: Gaynor Toczek – Information Governance and Records Manager/DPO
Title of Responsible Committee / Group (or Trust Board):
Information Governance Group
Persons/Groups/Committees consulted:
Information Governance Group members
Service User, Patient and Carer consultation:
No
Procedural Document Compliance Checklist adhered to:
Yes
Target Audience: All staff
Approved by: Information Governance Group
Date Approved: 27/07/2018
Ratified by: Executive Management Team (EMT)
Date Ratified: 07/08/2018
Date Issued: 10/08/2018
Review Date: 31/05/2020
(No later than May 2020)
Frequency of Review: 2 yearly
Minor review annually (ICO audit action) and internal review following cyber security internal audits/penetration testing
Responsible for Dissemination: Information Governance and Records Manager/DPO
Copies available from: Intranet - Connect
Where is previous copy archived (if applicable): Trust Network
Amendment Summary: Minor amendments as per below
Amendment detail:
Amendment number | Page | Subject
1 | 10 | Section 3.9 includes requirements for information security certification from supplier
2 | 11 | Section 3.11 includes Section 3.12 from the previous version, and includes some additions around regular test back-up restores and documentation of process
3 | 15 | Section 3.20 added on GDPR
4 | 20 | Section on Duties updated to include Data Protection Officer (DPO) role and responsibilities
3.15 Requirement for NHS organisations to report all incidents relating to information breaches  14
3.16 The Data Protection Act 1998 (DPA) and the Confidentiality and Data Protection Policy  15
3.17 Confidentiality: NHS Code of Practice  15
3.18 Information Security Management: NHS Code of Practice  16
3.19 The Freedom of Information Act 2000 (FOIA) and the Freedom of Information policy  16
3.20 General Data Protection Regulation (GDPR)  16
3.21 The Incident Management Policy  16
3.22 The Computer Misuse Act 1990  17
3.23 The Trust’s Health and Safety Policies including: the Security Policy, Lone Working, Working in the Community, and Site Safety  17
3.24 Records Management Standards and the Trust’s Records Management policy  17
3.25 The Registration Authority Policy  18
3.26 The Clinical Information System Policy  18
11 APPENDIX B: ADDITIONAL INFORMATION SUPPORTING THE INFORMATION SECURITY POLICY  29
11.6 Third Party administrators  33
1 INTRODUCTION
Information Governance is the framework that enables the Foundation Trust to handle
personal and corporate information legally and securely in the most efficient and effective
way to deliver patient care.
Bradford District Care Foundation Trust (BDCFT) recognises the value of the data within
its information systems. The Foundation Trust also recognises its responsibility to ensure
the appropriate use, security, reliability, and integrity of this data; to safeguard it from
accidental or unauthorised access, modification, disclosure, use, removal, or destruction;
and to comply with relevant legislation.
This policy provides the framework to manage and secure data in all Trust physical and
electronic information systems.
This policy is supplemented by the Information Governance Strategy which details how the
Trust will implement this policy.
2 SCOPE
This policy supports the confidentiality, integrity and availability of all information and data
the Trust holds in physical and electronic Information Assets. It relates to all electronic and
manual data and information held by the Trust; this may be held in any format, e.g. paper,
electronic, audio or visual.
This information will relate to patients, staff and others: service users, employees,
customers, suppliers, contractors, agents, elected members, volunteers, charitable groups,
partners and other business contacts.
This policy covers all types of information, including structured paper and electronic
systems, transmission of information via fax, e-mail, post and telephone.
This policy also covers all data and information held in systems purchased, developed and
managed by, or on behalf of, the Trust, and any such data handled by any individual employed
directly by or otherwise engaged by the Trust.
The policy applies to all employees of the Trust, contractors, agents, elected members,
volunteers, charitable groups, partners and other business contacts.
Penalties could be imposed upon the Foundation Trust and its employees for non-
compliance with the legislation referred to in this policy.
3 INFORMATION SECURITY
Information is critical in supporting the Foundation Trust to deliver care and carry out its
activities. Effective data and information security is vital to ensure the confidentiality,
integrity and availability of information. The objectives of this policy are to establish and
maintain the security and confidentiality of information, information systems, applications
and networks owned, operated and or managed by the Trust.
3.1 Delivering Robust Information Security
The purposes of this Information Security policy and related procedures are:
• To ensure that necessary controls are in place to effectively manage information and
ensure its security within the organisation.
• To protect the information assets of the Trust and provide assurance to our customers
that the Trust takes a proactive approach to protecting all the information it holds.
• To protect BDCFT’s information assets from all threats, whether internal or external,
deliberate or accidental. The Foundation Trust will ensure:
• Information will be protected against unauthorised access
• Confidentiality of information
• Integrity of information will be maintained
• Information will be supported by the highest quality data
• Regulatory and legislative requirements will be met
• Business continuity plans will be produced, maintained and tested regularly
• Information security training will be available to all staff
• All breaches of information security, actual or suspected, will be reported to, and
investigated by the Information Governance Manager
• New facilities should have appropriate user management approval, authorising
their purpose and use
• To ensure that all staff, including subcontractors and agency staff acting on behalf of the
Trust, are aware of and adhere to the law on informational privacy and the Data
Protection Act and all other information security related national requirements and
standards, as well as the Trust's Information Governance related policies. Staff will be
aided in this by the Trust:
• To produce a framework of related information management and security
procedural documents, guidance and leaflets to underpin this policy
• To deliver robust mandatory training and awareness at the Trust's central
induction which all employed staff attend on appointment to the Trust.
• To deliver robust mandatory refresher training and awareness to all staff
The following requirements, legislation and national standards govern this policy. There
are also a number of supporting policies and procedures which relate to specific aspects of
information management and/or security.
3.2 Establishing an Information Security Framework
The Trust has developed a framework for its Information Security Policy. This is supported
by a set of Information Governance policies and procedures and guidance to cover all
aspects of Information Security. The Policy framework encompasses the following
legislation, national standards and requirements and corporate policies:
3.3 NHS Information Governance Toolkit Statement of Compliance
BDCFT has a signed NHS Information Governance Statement of Compliance with NHS
requirements including compliance with the NHS IG Toolkit, replaced from April 2018 with
the Data Security and Protection Toolkit, which is regularly reviewed to ensure that its
working practices are conducted in a safe, secure and confidential manner.
3.4 Allocation of Information Security Responsibilities
The Trust recognises the value of the information it holds and its responsibility to ensure
the appropriate use, security, reliability, and integrity of that information; to safeguard it
from accidental or unauthorised access, modification, disclosure, use, removal, or
destruction; and to comply with relevant legislation. Each manager and data owner is
responsible for the assets allocated to them and these responsibilities are clearly stated
and the following must be in place:
• For each information asset security processes will be clearly defined and documented
• A manager will be responsible for each information asset or security process and the
details of that responsibility will be documented
• Authorisation levels, for access to systems, data and information will be clearly defined
and documented
3.5 Authorisation Process for Information Processing Facilities
A management authorisation process for new information processing facilities is
established and includes the following:
• New facilities should have appropriate user management approval, authorising their
purpose and use. Approval should also be obtained from the manager responsible for
maintaining the local information system security environment to ensure that all
relevant security policies and requirements are met
• Hardware and software should be checked to ensure that it is compatible with other
system components
• The use of personal information processing facilities for processing business
information and any necessary controls should be authorised.
• The use of personal information processing facilities in the workplace may cause new
vulnerabilities and should therefore be assessed and authorised
3.6 Co-operation between Organisations
The Trust will ensure appropriate contacts with law enforcement authorities, regulatory
bodies, information service providers and telecommunications operators are maintained, to
enable quick action and advice in the event of a security incident.
The Informatics department will also ensure regular contact with the local CCGs, Acute
Hospital Trusts' Information Governance Steering Committees and Information
Governance staff to co-operate on addressing emerging issues efficiently and in a timely
manner.
3.7 Independent Review of Information Security
An independent review will be undertaken to provide assurance that organisational
practices properly reflect the policy and that it is feasible and effective.
3.8 Security of Third Party Access
Access to the Trust's information processing facilities by third parties will be controlled (see
Appendix B). Where there is a need for such third party access, a risk assessment will be
undertaken to determine security implications and control requirements.
Formal contracts will be produced for third party access; these should refer to all security
requirements for compliance with the organisation's security policy and standards.
Access to information and information processing facilities by third parties will not be
provided until the appropriate controls have been implemented and a contract has been
signed defining the terms for the connection or access.
A non-disclosure agreement will be included in all contracts with third parties.
3.9 Outsourcing
The Trust will ensure that a contract has been agreed; the contract should address:
• how the legal requirements are to be met, e.g. data protection legislation;
• what arrangements will be in place to ensure that all parties involved in the
outsourcing, including subcontractors, are aware of their security responsibilities
and can evidence these with a security accreditation (e.g. Cyber Essentials Plus,
ISO/IEC 27001);
• how the integrity and confidentiality of the organisation's business assets are to be
maintained and tested;
• what physical and logical controls will be used to restrict and limit access to the
organisation's sensitive business information to authorised users;
• how the availability of services is to be maintained in the event of a disaster;
• what levels of physical security are to be provided for outsourced equipment;
• the right of audit
3.10 Risk Management and Business Continuity
Business continuity management is an ongoing process of risk assessment and
management with the purpose of ensuring that the business can continue if risks
materialise. It is put in place to counteract interruptions to business activities and to protect
critical business processes from the effects of major failures or disasters.
The Trust has a managed process in place to develop and maintain business continuity for
the organisation. The following key areas are part of the business continuity process and
are carried out on the Trust's business critical information systems:
• Identify the risks that could affect the organisation
• Identify and prioritise critical business processes
• Understand the impact and consequences, should any one or combination of events
occur within the organisation
• Ensure that the business continuity strategy is formulated and documented and is
consistent with the agreed objective and priorities of the organisation
• Develop and document business continuity plans in line with the agreed strategy
• Regular testing and updating of the plans and processes put in place
• Responsibility for co-ordinating the business continuity management process is
assigned at an appropriate level within the organisation
3.11 Protection against malicious software procedures
The Trust has a responsibility to ensure that the necessary controls are in place to prevent
and detect the introduction of malicious software which may cause damage and misuse of
the Organisation’s systems, data and information. This policy is aligned with the
recognised ISO/IEC 27000 series of information security standards.
For the Trust to inspire confidence in its users, staff, customers and commissioners, it
must keep the computer software within the Trust safe and secure and identify any dangers
or threats that may arise during daily activity.
The Trust has a responsibility in ensuring the correct software and precautions are in place
to protect against malicious software.
It is the responsibility of the individual employee to ensure they are using the computer
correctly and safely to minimise any damage that may come through to the Trust.
All staff must refer to all removable media procedures, advice and guidance when working
with portable devices.
The Trust has a responsibility to ensure:
• Staff Awareness
• Users must be briefed in induction training about the dangers of malicious software.
• Users must be aware of the reporting procedure when a virus is detected or
suspected.
• Users will receive regular reminders of potential cyber-attack strategies to reduce
the risks of malicious emails
• Detection and Reporting processes are in place:
• Any files on electronic media of uncertain or unauthorised origin or files
received over un-trusted networks must be checked for viruses before use.
• Procedures must be established for when a data security incident, such as a
virus, is detected / suspected and investigated accordingly. Emergency changes
may take place subject to approval from a senior informatics manager.
• Staff and contractors must be aware of reporting procedures, including the
loss or theft of IT corporate equipment.
• A record must be maintained of data security incidents
• Procedures should be developed for review / follow up of a malicious software
attack and must include:
• disciplinary procedures as appropriate
• review the virus protection procedures
• report to management
• Recovery processes are in place:
• Adequate backups must be available to recover from a malicious software
attack. These would have been tested on a regular basis, see Section 3.12
• Master copies of software must be stored securely and kept up to date with
the latest patches to reduce any potential threats
• Computer media should be write-protected where possible.
• Restore procedures must be documented and kept up to date.
• An appropriate business continuity plan and a more detailed incident
response plan for recovering from a virus attack should be established
3.12 Data Back-up and Restore procedures
The Trust is committed to ensuring the correct procedures are in place to maintain the
integrity and availability of information, processing and communication services. This
standard is to ensure that necessary controls are in place to protect data in the event of
a hardware failure, accidental deletion or unauthorised changes. Effective controls are
critical to ensuring the Trust can continue with its business critical services, these
controls are:
• Data and software backups are taken on an agreed appropriate timely basis.
• The number of copies must be adequate, i.e. daily and weekly cycles. At least three
generations/cycles must be kept for important business applications.
• Backup copies of data will be taken prior to any new software or changes being
installed e.g. software fixes, upgrades, new releases.
• The backup database will be included in the backup process.
• Alternative backup arrangements should be available.
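The generation rule and the restore test above, as an added worked example (this is not the Trust's own procedure or tooling). It assumes one backup set per day with Sunday's set serving as the weekly cycle, reads "at least three generations" as the newest three daily sets plus the newest three weekly sets, and pins each set's contents with a SHA-256 digest so that a test restore can be checked for integrity rather than merely for the presence of a file. The dates and archive contents are constructed for the example.

```python
"""Added example (not the Trust's own tooling): backup generation retention and
restore verification for the controls in section 3.12.

Assumptions made for this example:
  - one backup set is taken per day, and Sunday's set counts as the weekly cycle;
  - "at least three generations" is met by keeping the newest three daily sets
    plus the newest three weekly sets;
  - each backup set records a SHA-256 digest of its archive so that a test
    restore can be checked for integrity, not just for "the file exists".
"""
import hashlib
from datetime import date, timedelta


def sha256_hex(data: bytes) -> str:
    """Digest used to pin a backup set's contents at the time it was taken."""
    return hashlib.sha256(data).hexdigest()


def take_backup(day: date, archive: bytes) -> dict:
    """Record a backup set: the cycle date, the archive bytes and their digest."""
    return {"date": day, "archive": archive, "digest": sha256_hex(archive)}


def select_retained(backup_dates, daily: int = 3, weekly: int = 3) -> set:
    """Return the set of cycle dates to keep under the generation rule.

    The newest `daily` sets are kept unconditionally; the newest `weekly` Sunday
    sets are kept as well, so that older generations survive a corruption that
    is only detected days later (e.g. malicious software that ran unnoticed).
    """
    ordered = sorted(set(backup_dates), reverse=True)
    keep = set(ordered[:daily])
    sundays = [d for d in ordered if d.weekday() == 6]  # Monday=0 ... Sunday=6
    keep.update(sundays[:weekly])
    return keep


def select_prunable(backup_dates, daily: int = 3, weekly: int = 3) -> list:
    """Cycle dates that may be deleted: everything not selected for retention."""
    keep = select_retained(backup_dates, daily, weekly)
    return sorted(d for d in set(backup_dates) if d not in keep)


def verify_restore(backup: dict, restored: bytes) -> bool:
    """Test-restore check: restored bytes must match the digest taken at backup time."""
    return sha256_hex(restored) == backup["digest"]


def run_example() -> dict:
    """Thirty daily cycles ending Friday 10 Aug 2018 (constructed), plus a test restore."""
    last = date(2018, 8, 10)
    dates = [last - timedelta(days=i) for i in range(30)]
    sets = {d: take_backup(d, f"records-{d.isoformat()}".encode()) for d in dates}

    retained = select_retained(dates)
    prunable = select_prunable(dates)

    # A good restore of the newest set, and a restore of a tampered archive.
    newest = sets[last]
    good = verify_restore(newest, newest["archive"])
    tampered = verify_restore(newest, newest["archive"] + b"\x00")
    return {
        "retained": [d.isoformat() for d in sorted(retained)],
        "prunable_count": len(prunable),
        "good_restore": good,
        "tampered_restore": tampered,
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

In practice the in-memory archives would be the real backup media, and the outcome of each verify_restore() call would be logged as the documented evidence of the regular restore test that Section 3.11 requires.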
3.13 User Access Control
In order to ensure that information is protected against unauthorised access the Trust has
robust access control processes and procedures in place which set out both its and the
users' responsibilities. These restrictions aid the Trust in ensuring that information is
available to authorised users only and aid the detection of unauthorised activities.
Key responsibilities are defined as follows:
3.13.1 User Access Management
• A formal user registration and de-registration procedure for granting access to
information systems will be established and documented for each system.
• The allocation and use of privileges will be restricted and controlled
• The allocation of passwords will be controlled
• The use of authentication methods e.g. biometrics and hardware tokens for user
identification and authentication will be controlled
• Access rights will be reviewed on a regular basis
3.13.2 User Responsibilities
• Guidelines will be issued to all users for good security practices in the selection and
use of passwords – See Appendix B
• Users will ensure that unattended equipment has adequate protection to prevent
rogue access to information
3.13.3 Network Access Control
• The network path from the user terminal to the provided IT services will be controlled
and maintained
• External connections will be tightly controlled via strong authentication
• Where dial-up access is permitted strong authentication must be used, which may
include cryptographic techniques, challenge-response authentication (e.g. CHAP) or dedicated private
lines
• Where external connections are allowed to the Trust’s network, enforced pathways
must be used e.g. firewall controls and policies must restrict the external access only to
the authorised areas
• Connections to remote computers must be authenticated
• Access to diagnostic ports will be securely controlled
• Controls will be in place to segregate groups of information services, users and
information systems
• Network connection controls will be implemented to restrict the connection capability of
users e.g. network gateways that filter traffic by a method of predefined tables or rules
• Network routing controls will be implemented to ensure that computer connections and
information flows are controlled
• Network services will be provided by secure and monitored gateways
3.13.4 Operating System Access Control
• The computer log on procedure will be adequately controlled
• All users will be given a unique user ID. Where access to shared resources is required
a shared network drive or email account will be created. Approval by management will
be documented for such cases. Additional controls may be required to maintain
accountability
• Inactive computers in high risk locations, e.g. public areas, will shut down or activate a
screen saver with a password login after a period of inactivity to prevent unauthorised
access
3.13.5 Application Access Control
• User access to information and application system functions will be controlled in
accordance with defined business access control procedures, e.g. providing menus to
control access to applications and controlling the access rights of users
• Where possible, access control will be enabled and managed centrally through Active
Directory
3.13.6 Monitoring System Access and Use
• Responsibility for security monitoring will be clearly allocated
• Audit logs will be produced and kept for an agreed period and will include:
• user IDs, dates and times of log on and log off
• terminal ID or location (where possible)
• records of successful and rejected system access attempts
• records of successful and rejected attempts to access data and other resources.
• Procedures for monitoring use of information processing facilities will be established.
The level of monitoring required will be determined by a risk assessment
• Procedures will be in place to ensure that computer clocks are set accurately for
recording.
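A review pass over audit logs that carry the fields listed above, as an added example (this is not the Trust's own monitoring tooling). The one-line-per-event format, the threshold of five rejected attempts within two minutes, and the sample log lines are assumptions made for the example. Two checks are shown: a burst of rejected attempts from one user on one terminal, and a terminal whose clock has gone backwards, which matters because the timestamps an investigation relies on are only evidence if the clocks were accurate.

```python
"""Added example (not the Trust's own tooling): a review pass over access audit
logs carrying the fields section 3.13.6 requires.

Assumed line format (one event per line):
    <ISO-8601 UTC timestamp> <user ID> <terminal ID> <event> <success|rejected>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the users, terminals and timestamps are invented.
SAMPLE_LOG = """\
2018-08-10T08:01:12Z jsmith WS-CLIN-07 logon success
2018-08-10T08:01:40Z jsmith WS-CLIN-07 access:PatientRecord/1001 success
2018-08-10T08:03:05Z agent01 WS-PUB-02 logon rejected
2018-08-10T08:03:20Z agent01 WS-PUB-02 logon rejected
2018-08-10T08:03:31Z agent01 WS-PUB-02 logon rejected
2018-08-10T08:03:48Z agent01 WS-PUB-02 logon rejected
2018-08-10T08:03:59Z agent01 WS-PUB-02 logon rejected
2018-08-10T08:04:10Z agent01 WS-PUB-02 logon rejected
2018-08-10T08:10:00Z bjones WS-CLIN-03 logon success
2018-08-10T08:10:30Z bjones WS-CLIN-03 access:PatientRecord/2002 rejected
2018-08-10T09:30:00Z jsmith WS-CLIN-07 logoff success
2018-08-10T07:55:00Z bjones WS-CLIN-03 logoff success
"""


def parse_line(line: str) -> dict:
    """Parse one audit line; reject anything that does not carry all five fields."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError(f"malformed audit line: {line!r}")
    ts, user, terminal, event, outcome = parts
    if outcome not in ("success", "rejected"):
        raise ValueError(f"unknown outcome in audit line: {line!r}")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "terminal": terminal,
        "event": event,
        "outcome": outcome,
    }


def parse_log(text: str) -> list:
    """Parse all non-blank lines, keeping file order (needed for the clock check)."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def rejected_bursts(records, threshold: int = 5,
                    window: timedelta = timedelta(minutes=2)) -> list:
    """Flag (user, terminal) pairs with >= threshold rejected attempts inside `window`.

    A sliding window over each pair's sorted rejection times finds its densest
    burst; at most one alert per pair is returned, describing that burst.
    """
    by_pair = defaultdict(list)
    for r in records:
        if r["outcome"] == "rejected":
            by_pair[(r["user"], r["terminal"])].append(r["ts"])

    alerts = []
    for (user, terminal), times in by_pair.items():
        times.sort()
        start, best = 0, None
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"user": user, "terminal": terminal, "count": count,
                        "first": times[start], "last": t}
        if best is not None:
            alerts.append(best)
    return alerts


def clock_anomalies(records) -> list:
    """Flag a terminal whose next log entry is earlier than its previous one."""
    last_seen = {}
    anomalies = []
    for idx, r in enumerate(records):
        prev = last_seen.get(r["terminal"])
        if prev is not None and r["ts"] < prev:
            anomalies.append({"terminal": r["terminal"], "line": idx + 1,
                              "ts": r["ts"], "previous": prev})
        last_seen[r["terminal"]] = r["ts"]
    return anomalies


def review(text: str) -> dict:
    """Run both checks over a log and return a summary for the incident record."""
    records = parse_log(text)
    return {
        "entries": len(records),
        "burst_alerts": [(b["user"], b["terminal"], b["count"])
                         for b in rejected_bursts(records)],
        "clock_alerts": [(c["terminal"], c["line"]) for c in clock_anomalies(records)],
    }


if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

On the sample log the review reports the six rejected logons by agent01 on WS-PUB-02 and the out-of-order logoff on WS-CLIN-03; the single rejected record access by bjones stays below the threshold and is left for the routine access-rights review rather than raised as an alert.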
3.14 Criminal Justice Act
The Criminal Justice and Immigration Act 2008 amended the Data Protection Act 1998 to allow
the Information Commissioner to impose monetary penalties (in force from April 2010) of up to
£500,000 on organisations and individuals who knew, or ought to have known, of a risk of a
serious contravention but did not take reasonable and appropriate steps to prevent it.
3.15 Requirement for NHS organisations to report all incidents relating to information breaches
All incidents that involve a breach of information security must be reported through the
normal incident management reporting procedures and the IG Toolkit/Data Security and
Protection Toolkit serious incident requiring investigation (SIRI) procedure. Examples of
breaches include missing patient records, unauthorised access to clinical systems, loss or
theft of equipment holding personal data such as laptops and memory sticks, and cyber
security attacks.
An announcement by the Cabinet Office in May 2008 changed the classification of all
breaches in data security to Serious Incidents (SIs):
“There is no simple definition of a Serious Incident (SI) in relation to Personal Identifiable Data (PID). As a guide, any incident involving the actual or potential loss of personal information that could lead to identity fraud or have other significant impact on an individual should be considered as serious.”
All bulk data transfers, i.e. transfers of 5 or more items, must be controlled. These
transfers shall also be approved by the Caldicott Guardian and conducted in accordance
with the measures set out in supporting policies such as the Removable Media Procedure,
Data Encryption procedures and the Use of Secure Courier Services procedures.
3.16 The Data Protection Act 1998 (DPA) and the Confidentiality and Data Protection Policy
BDCFT needs to obtain and retain personal information about the people it serves and
others in order to provide its services and carry out its business. Such people include
patients, employees (present, past and prospective), suppliers, contractors and other
business contacts. The information includes private/confidential personal information and
other sensitive information. In addition, we may occasionally be required to collect and use
certain types of personal information to comply with the requirements of the law.
No matter how it is collected, recorded and used (e.g. on a computer or on paper) this
personal information must be dealt with properly to ensure compliance with the Data
Protection Act 1998.
The Data Protection policy gives more information about how the DPA affects BDCFT and
how the Trust complies with the eight principles of the Act which are summarised below:
• Personal data shall be processed fairly and lawfully.
• Personal data shall be obtained/processed for specific lawful purposes.
• Personal data held must be adequate, relevant and not excessive.
• Personal data must be accurate and kept up to date.
• Personal data shall not be kept for longer than necessary.
• Personal data shall be processed in accordance with rights of data subjects.
• Personal data must be kept secure.
• Personal data shall not be transferred outside the European Economic Area (EEA) unless there is adequate protection.
3.17 Confidentiality: NHS Code of Practice
The NHS Confidentiality Code of Practice was approved by the Department of Health in
November 2003. This code is a guide to required practice for those who work within or
under contract to NHS organisations concerning confidentiality and patients’ consent to the
use of their health records. All parts of the NHS need to establish working practices that
effectively deliver the patient confidentiality that is required by law, ethics and policy. The
NHS is committed to the delivery of a first class confidential service. This means ensuring
that all patient information is processed fairly, lawfully and as transparently as possible so
that the public:
• understand the reasons for processing personal information;
• give their consent for the disclosure and use of their personal information;
• gain trust in the way the NHS handles information and;
• understand their rights to access information held about them.
3.18 Information Security Management: NHS Code of Practice
The Information Security Management NHS Code of Practice was approved by the
Department of Health in April 2007. This code is a guide to the methods and required
standards of practice in the management of information security for those who work within
or under contract to, or in business partnership with NHS organisations in England. It is
based on current legal requirements, relevant standards and professional best practice.
The Code provides a key component of Information Governance arrangements for the
NHS. NHS organisations need robust information security management arrangements for
the protection of their patient records and key information services, to meet the statutory
requirements set out within the Data Protection Act 1998 and to satisfy their obligations
under the Civil Contingencies Act 2004.
3.19 The Freedom of Information Act 2000 (FOIA) and the Freedom of Information policy
The Freedom of Information (FOIA) gives a general right of access to all types of recorded
information held by public authorities. The Act sets out exemptions to that right but
requires public authorities to actively publish certain categories of information.
BDCFT’s Freedom of Information policy and related procedures include guidance on the
actions that should be taken when a FOI request is received by the Trust.
3.20 General Data Protection Regulation (GDPR)
GDPR, which applies from 25 May 2018, enhances the DPA and confidentiality principles. The right to data portability is new. It only applies:
• to personal data an individual has provided to a controller;
• where the processing is based on the individual’s consent or on the performance of a contract; and
• when processing is carried out by automated means.
BDCFT relies on individuals’ consent to process their data in some parts of the business. Arrangements are in place to make sure that consent meets the GDPR standard of being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the ICO within 72 hours of becoming aware of the breach and, in some cases, to the individuals affected. Data Protection Impact Assessments (DPIAs) become mandatory in certain circumstances: a DPIA is required where processing is likely to result in a high risk to individuals, in particular where a new technology is being deployed.
3.21 The Incident Management Policy
BDCFT is committed to a philosophy of improvement and learning, believing that no
person should be harmed or disadvantaged due to failure of its services or by actions or
omissions of its employees. BDCFT is committed to ensuring that incidents are managed
so that the impact of such incidents is minimised and that harm to service users,
employees and visitors is contained. This will be achieved through an open, honest and
transparent process whereby safety is a key factor of service delivery, and an
acknowledgement that safety must not be compromised by any conflicting pressures. This
process should ensure that the Trust learns from these incidents and near-misses in each
case how to reduce the risk of them happening again.
The effective management of incidents is the cornerstone of service user safety,
fundamental to the facilitation of Trust wide learning, thereby continuously strengthening
the safety culture and contributing to improved safer systems of working. Incorrectly
managed incidents could result in a loss of public confidence in the Trust and a loss of
assets.
3.22 The Computer Misuse Act 1990
This Act was created to criminalize unauthorized access to computer systems and to deter
offenders from using computers to assist in the commission of a criminal offence or from
impairing or hindering access to data stored in a computer. The basic offence is to attempt
or achieve access to a computer or the data it stores by inducing a computer to perform
any function with intent to secure access.
3.23 The Trust’s Health and Safety Policies including: the Security Policy, Lone Working, Working in the Community, and Site Safety
These policies are aimed at creating a deep awareness and responsibility for the
assessment and management of all security risks at all levels in the organisation through
individual practices and in management arrangements. These responsibilities include the
awareness of risks to the security of Trust assets, data and personal information.
Awareness of these policies will help to deter those who may be minded to breach
security. The purpose of these policies is to prevent security incidents or breaches from
occurring, detect security incidents or breaches, investigate security incidents or breaches,
and to apply sanctions against those responsible for security incidents or breaches.
Guidance includes risks to information security and to Trust assets.
3.24 Records Management Standards and the Trust’s Records Management policy
Records Management is a discipline which utilises an administrative system to direct and
control the creation, version control, distribution, filing, retention, storage and disposal of
records, in a way that is administratively and legally sound, whilst at the same time serving
the operational needs of the Trust and preserving an appropriate historical record. The key
components of records management are:
• record creation;
• record keeping;
• record maintenance (including tracking of record movements);
Annually; Information Governance and Records Manager
Criteria; Evidence identified to indicate compliance with policy; Method of monitoring, i.e. how/where will this be gathered?; Frequency of monitoring; Lead responsible for monitoring
Registers; Information Asset registers; Training numbers
b. Process for assessing compliance with legislation, national requirements and standards
Evidence: Information Governance Toolkit Scores: Baseline, Performance Update and Final Submission
Method: Online submission and formal response; regular external audit
Frequency: 3 times per year and audited twice annually
Lead: Information Governance and Records Manager
c. Process for reporting all incidents/near misses involving person identifiable information – staff and patients/service users
Evidence: Completed IR1 forms (cross section involving person identifiable information – staff and patients/service users); quarterly incident reports; annual reports; completed SI forms
Method: Monthly incident reports to IG&RM SI database; emails and faxes; Incident Management System; incident reports from Incident Management System; Internal Audit reports; annual report
Frequency: Annually
Lead: Information Governance and Records Manager
d. Process for testing understanding of policy
Evidence: Regular staff surveys (at least 3 times annually); locality based IG audits; locality based records audits; completed declaration forms from Information Governance Staff Handbook; certificated IG refresher course
Method: Survey Monkey website and reports to IG Group and Resource Committee; audit tools, reports and action plans; training database
Frequency: 3 times per year; at induction and then 3 yearly; annually
Lead: Information Governance and Records Manager
e. Process for reporting to external agencies
Evidence and method: Completed IR1 forms; SI Alert forms; emails and letters; annual reports
Frequency: Annually
Lead: Information Governance and Records Manager
8 REFERENCES TO EXTERNAL DOCUMENTS
• Confidentiality: NHS Code of Practice
• CQC National study: The right information, in the right place, at the right time. A study of how healthcare organisations manage personal data
• General Data Protection Regulation (GDPR)
• HCC Standards for Better Health (13b)
• Information Commissioner’s Website
• Information Security Management: NHS Code of Practice
• Information Sharing and Mental Health Guidance to Support Information Sharing by Mental Health Services
• Mental Capacity Act 2005
• Multi-Agency Public Protection Arrangements (MAPPA) and the duty to cooperate
• NHS Information Governance Guidance on Legal and Professional Obligations
• NHSi 2017/18 Data Security Protection - 2017/18 Data Security and Protection Requirements
• Records Management: NHS Code of Practice
• The Access to Health Records Act 1990
• The Data Protection Act 1998
• The Children Act 2004
• The Crime and Disorder Act 1998
• The Criminal Justice Act 2008
• The Computer Misuse Act 1990
• The Freedom of Information Act 2000
• The Health and Safety at Work Act 1974
• The Human Rights Act 1998
• The NHS Information Governance Toolkit / Data Security and Protection Toolkit
• The Privacy and Electronic Communications (EC Directive) Regulations 2003
• The Public Records Act 1958
9 ASSOCIATED INTERNAL DOCUMENTATION
The IG Policy Framework (presented as a diagram in the original) has the following levels:
Level 0 (Overarching Trust Policies Connected to IG): Social Media Policy; Incident Management Policy; Health and Safety policies including Security Policy
Legal or National Requirements
Level 1 (Overarching IG Policy Requirements): Information Governance Policy; Statement of Compliance with the IG Toolkit
Level 2 (Overarching Information Security Policy Requirements): Information Security Policy
Level 3 (Underpinning policies; core policies for the Whole Trust): Confidentiality and Data Protection Policy; Freedom of Information Policy; Records Management Policy; Registration Authority Policy; Clinical Systems Policy; Data Quality Policy
Level 4 (Procedures and Guidance and processes for complying with the IG Policy Framework): Core Procedures and Guidance for the Whole Trust; Informatics Procedures
Level 5: Useful Publications for staff, service users and carers
Core Procedures and Guidance for the Whole Trust:
• Email Security and Use Procedure
• Use of Faxes Procedure
• Seizure of IT Equipment Procedure
• Internet Security Procedure
• Laptop Security Procedure
• Mobile Phone and Blackberry User Procedure
• Personal Security Procedure and Statement
• Portable Media and Devices Procedure
• Use of Secure Courier Procedure
• Registration Authority Procedures
• RiO Procedures
• Data Quality Guidance Procedures
• Data Protection Procedures
• Freedom of Information Procedures
• Records Management Procedures
• RiO Audit Procedure
• Procedures for Dealing with Dataset Changes
• Procedure for Tracing NHS Numbers
• Change Control Procedures
• System Development and Maintenance Procedure
• Disposal / Destruction of Records Procedure
• SystmOne Procedures
• Use of Personal Equipment Procedure
• Virus Protection Procedure
Informatics Procedures:
• Informatics Business Continuity Procedures
• Informatics Disaster Recovery Procedures
• User Access Procedures
• Data Backup Procedures
• Data Recovery and Restore Procedures
• Encryption Procedures
• Equipment Lockdown Procedures
• Exchange of Information and Software Procedure
• Installing Virus Scan Procedures
• Protection Against Malicious Software Processes
Useful Publications for staff, service users and carers:
• Information Governance Handbook
• Mobile Phone and Blackberry User Guidance
• Email Security and User Guidance
• How we Use Your Information Leaflet
• Transporting Personal and Trust Information
• Information Handling Best Practice
• Disclosure of Personal Information to The Police
• Freedom of Information Act Access to information
• Information for Patients on Freedom of Information
• Record Retention Guidance
• Safe Haven Guidance
• Confidentiality Code of Conduct
• Guide for Handling Patient Information
• Data Protection Act Code of Practice
• Data Protection Act Advice to Managers
• FAQs: Access to Records
• Data Protection Guidance
• Data Quality Procedures
• Freedom of Information Guidance
• Records Management Guidance
• Registration Authority Guidance
• Clinical Systems Guidance
• RiO Guidance
10 APPENDIX A: EQUALITY IMPACT ASSESSMENT (EQIA)
Policy/Procedure: Information Security Policy
Manager: Head of Informatics
Directorate: Informatics
Date: May 2018
Review date: May 2020
Purpose of Policy: To provide a policy and procedural guidance on the Trust’s legal responsibilities
Associated frameworks (e.g. national targets, NSFs): The Information Governance Toolkit provides a framework to enable organisations to assess their compliance with current legislation, Government directives and other national guidance. The framework also provides assurance for NHSLA and Standards for Better Health. NHS organisations are mandated to assess themselves against the toolkit annually.
Who does it affect: All staff
Consultation process carried out: Yes
QA Approved by:
Equality protected characteristic (impact positive / impact negative):
• Age: ✓ positive
• Disability: ✓ positive
• Gender Reassignment: ✓ positive
• Race: ✓ positive
• Religion or Belief: ✓ positive
• Pregnancy & Maternity: ✓ positive
• Sex: ✓ positive
• Sexual Orientation: ✓ positive
Rationale for response (all characteristics): Positive impact expected outcome. There is currently no information identified through the Equality Impact Assessment that would suggest that this policy has the potential to disadvantage any individual or function if implemented and operated in a manner that is laid out within the policy statement.
Equality Analysis SIGN-OFF
Have any adverse impacts been identified on any equality groups which are both highly significant and illegal?
Are you satisfied that the conclusions of the EqIA Screening are accurate? The Trust will publish a summary of the impact analysis carried out to meet the duty and make this available to the public on the Trust Internet site.
Completed by Manager:
QA approved:
Director approved:
11 APPENDIX B: ADDITIONAL INFORMATION SUPPORTING THE INFORMATION SECURITY POLICY
11.1 Password Policy
All BDCFT users are required to have a strong password.
Your password must:
• Be at least 8 characters long
• Contain 1 uppercase character
• Contain 1 lowercase character
• Contain 1 numeric character
You will be asked to change your password every 90 days.
Strong passwords will be enforced by regular password audits of our password database.
If you are found to have a weak password you will be required to change it.
Please note: if you have any issues with your password or are locked out, please phone
01274251251 (diverted to On Call from 5pm to 8am) or email [email protected]
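The following is an added example of how the rules in 11.1 can be enforced at the moment a user sets a new password, so that a weak choice is rejected up front rather than found later by an audit. It is not the Trust's own tooling. The small COMMON_PASSWORDS and LOCAL_WORDS sets, the leet-speak substitution table and the "word followed by a year" pattern are constructed assumptions for the example; a real deployment would load a large common-password list and a locally relevant word list.

```python
"""Password policy check: an added, self-contained example (not the Trust's own
tooling) applying the section 11.1 rules plus a few 'obvious choice' checks."""
from __future__ import annotations

import re
import string

MIN_LENGTH = 8  # section 11.1: at least 8 characters

# Constructed sample data (assumptions so the example runs offline). A real
# deployment would load a large common/breached-password list and a locally
# relevant word list (towns, sites, organisation names) in place of these.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein", "welcome"}
LOCAL_WORDS = {"bradford", "halifax", "keighley", "nhs", "bdcft"}

# Common character substitutions used to dodge dictionary checks ("p@ssw0rd").
LEET = str.maketrans("@01345$!", "aoieassi")

# A single alphabetic word followed by a four-digit year (19xx/20xx), optionally
# ending in punctuation, e.g. a town name plus a memorable year.
WORD_PLUS_YEAR = re.compile(r"^[A-Za-z]+(19|20)\d{2}[^A-Za-z0-9]*$")


def normalise(password: str) -> str:
    """Reduce a password to the 'word' a guessing program would try first:
    lower-case it, strip digits/punctuation bolted onto either end, undo leet-speak."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def check_password(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means compliant."""
    failures: list[str] = []
    # Composition rules from section 11.1.
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase character")
    if not any(c.islower() for c in password):
        failures.append("no lowercase character")
    if not any(c.isdigit() for c in password):
        failures.append("no numeric character")

    # Guessability checks: a password can satisfy every composition rule and
    # still be one of the first things a cracking program tries.
    core = normalise(password)
    if password.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        failures.append("is a common password (with or without trivial additions)")
    if core in LOCAL_WORDS:
        failures.append("is a locally predictable word with digits or symbols added")
    if WORD_PLUS_YEAR.match(password):
        failures.append("is a single word followed by a year")
    return failures


def audit(candidates: dict[str, str]) -> dict[str, list[str]]:
    """Apply check_password to a mapping of account -> candidate password and
    return only the accounts whose candidate fails, with the reasons."""
    return {user: reasons for user, pwd in candidates.items() if (reasons := check_password(pwd))}


if __name__ == "__main__":
    # Constructed sample input: candidates submitted at password-change time.
    sample = {
        "alice": "Halifax2018",
        "bob": "P@ssw0rd",
        "carol": "Tr4in-Moss-Kettle",
        "dave": "bradford1",
    }
    for user, reasons in audit(sample).items():
        print(f"{user}: {'; '.join(reasons)}")
```

Run as a script it reports alice, bob and dave and stays silent about carol, whose password passes every rule. The point of the normalise step is that a composition check alone accepts "P@ssw0rd" and "Halifax2018"; only by stripping the decoration and looking at the underlying word does the check catch the choices that section 11.2 warns against.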
11.2 How to choose a strong password and avoid choosing weak passwords
What do we mean by a ‘strong’ password?
When we say a password is ‘strong’, we mean it is hard to guess. Hackers use computer
programs to try millions of possible passwords until one works, so choosing a password
that cannot be guessed (guessable ones include those based on easily discoverable
information) is harder than it sounds.
This advisory will help you choose a password that is strong.
1. Avoid the obvious choices
Lots of people really do choose things like ‘12345’, ‘qwerty’ or ‘password’. Or they use
the name of the town - ‘Bradford1’, for example. Don’t do this.
2. Don’t use an actual word for your password
Password cracking software can simply try every word in the dictionary until it finds
your password. So, using an actual word as your password isn’t a good idea. If you
must, try using two or three words instead.
3. Avoid common passwords
Often you are forced to follow rules when setting up a password, such as using at
least one capital letter, one number and one special character. So, you might choose the
word ‘halifax’, make the first letter a capital H, and add a couple of numbers at the end,
probably a significant year so you can remember it: Halifax2018