
Information Security Policy version 1.00

Information Security Policy
(Inc Laptop Security Policy)

Version: 1.00
Ratifying Committee: Healthcare Governance Group
Date ratified: 25 March 2011
Name of originator/author/job title: Colin Owen, Head of Clinical Coding; Ray Burdge, Software Development Manager; Andrew Robinson, Information Governance Manager (Interim)
Name of responsible committee/individual: Information Governance Group
Date published on intranet: June 2011
Review date: March 2013
Target audience: Organisation-wide

EQUALITY IMPACT
University Hospital of South Manchester NHS Foundation Trust (UHSM) strives to ensure equality of opportunity for all service users, local people and the workforce. As an employer and a provider of health care, UHSM aims to ensure that none are placed at a disadvantage as a result of its policies and procedures. This document has therefore been equality impact assessed by the Healthcare Governance Group to ensure fairness and consistency for all those covered by it regardless of their individuality. The results are shown in the Equality Impact Tool at Appendix B.

This Review Date: May 2011 Next Review Date: May 2013


University Hospital of South Manchester NHS Foundation Trust

VERSION CONTROL SCHEDULE

Version number: 1.0
Issue Date:
Revisions from previous issue: Complete Re-write: Replaces Previous IT security policy and Laptop Policy
Date of Ratification by Committee: 25th March 2011



DOCUMENT CONTROL

Summary of consultation process: Intranet for all staff commencing 1/3/11; Information Governance Group

Control arrangements:
Minimum requirement to be monitored: [Set out]
Process for monitoring: e.g. audit HIRS, Security Audits, IGG Action Plan
Responsible individual/group/committee: Information Governance Group
Frequency of monitoring: Via review date or as and when required by change in guidance
Responsible individual/group/committee for review of results: Information Governance Group
Responsible individual/group/committee for development of action plan: Information Governance Group
Responsible individual/group/committee for monitoring of action plan: Information Governance Group

[Reviews shall generally be undertaken every 2-3 years or more frequently to take account of organisational learning]

Associated documentation and references: [Set out relevant documents and materials considered or influencing the document] Data Protection Act; IG Toolkit; Caldicott Principles



CONTENTS (section, page)

EQUALITY IMPACT ... 1
1. INTRODUCTION ... 6
2. DEFINITIONS ... 8
3. DUTIES AND RESPONSIBILITIES ... 11
4. STAFF TRAINING ... 16
5. POLICY EFFECTIVENESS MONITORING ... 17
6. BREACH OF POLICY & SANCTIONS ... 19
7. INFORMATION OWNERSHIP ... 20
8. INFORMATION TYPES ... 20
9. INFORMATION SECURITY: BASICS ... 22
10. INFORMATION SECURITY PRINCIPLES ... 22
11. SAFE HAVEN PROCEDURES FOR INFORMATION TRANSFERS ... 24
13. INFORMATION SHARING ... 37
14. INFORMATION SHARING ... 38
SHARING WITH NON-NHS ORGANISATIONS ... 38
15. PRINCIPLES OF CONFIDENTIALITY AND INFORMATION SHARING WITH CARERS AND SIGNIFICANT OTHERS: OPERATIONAL PROCEDURE ... 39
17. IT SECURITY ... 46
18. DATA QUALITY ... 62
19. PASSWORD PROCEDURE ... 63
20. IT NETWORKING ... 64
21. RISK ASSESSMENT PROCESS ... 69
22. LEGAL GUIDANCE ... 70
23. GUIDANCE & STANDARDS ... 75
REFERENCES ... 90
CONTACTS ... 92



Appendices

Appendix A: Disclosing Information to the Police: Form of Authority
Appendix B: Disclosing Information to the Police: Form
Appendix C: Disclosing Information to the Police Guidance
Appendix D: Disclosing Information to the Police: Flow Chart
Appendix E: Health Care Governance Committee Terms of Reference
Appendix F: Information Governance Group Terms of Reference
Appendix G: Plan for Dissemination
Appendix H: Equality Impact Assessment
Appendix I: Checklist for review and Ratification of UHSM Trust wide Policy


1. INTRODUCTION
This document defines the Information Security Policy for the University Hospital of South Manchester (UHSM).

1.1. Scope

The Information Security Policy for the Trust applies to all Information Assets:
- Information: this includes databases, system documentation and procedures, archive media and data including data processing, collection, analysis and presentation. (In general this is health and social care data or data that supports health and social care service provision. This may also include partner organisations', agencies' and individuals' data as necessary. N.B. This policy applies to all confidential electronic and manual information and systems.)
- Information systems, networks, physical environment and relevant services that support them.
- Software: this includes application programs, systems, development tools and utilities.
- Physical: this includes infrastructure, equipment, furniture and accommodation used for data processing.
- Services: including computing and communications, heating, lighting, power, air conditioning used for data processing.
- People: including qualifications, skills and experience in the use of information systems.

1.2. Approach

The core policy is supported by attached procedures, processes and guidelines and other useful material and links. This is intended to help staff find what they are looking for.

1.3. Purposes

The purposes of this policy are as follows:
- To implement Information Security at UHSM.
- To provide clear direction, policy, procedure and guidance on Information Security to all staff.
- To manage risk associated with data processing (use) and information system usage.

Information security is vital in order to ensure the protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take, digital or paper-based: e.g. patient records, computer files, prints, photocopies, film footage, audio recordings, x-rays, scans or any other forms. These may contain confidential data and therefore need to be appropriately secure. More detailed purposes are given next:


Confidentiality: To ensure that information is accessible to only those authorised to have access to it. This normally means staff that need to process (use) data in the scope of a care programme/pathway or processing derived from or supporting it. Where there is an organisational need or legal requirement for data to be kept secure then staff must do so.

Integrity: To safeguard the accuracy and completeness of information and processing methods. Information needs to have integrity: to be accurate and complete and resistant to unauthorised modification or destruction. All systems, assets and networks must operate correctly, according to specification.

Availability: To ensure that authorised users have access to information and associated assets when required.

For the purposes of the risk management approach a fourth purpose is defined as:

Legality: To facilitate legal compliance.

1.4. Outcomes

The intended outcomes of this policy are as follows: To facilitate all staff in ensuring an appropriate and robust Information Security at UHSM. This includes facilitating staff in ensuring and maintaining compliance with the law regarding the use of information, notably but not exclusively, the Data Protection Act.


2. DEFINITIONS

Data: Items that make up information e.g. DoB, NHS number etc.

Information: A particular arrangement of data items into a meaningful form.

Personal data or personal information: Personal data/information is information which can identify a person, in which the person is the focus of the information and which links that individual to details which would be regarded as private e.g. name and private address, name and home telephone number etc.

Sensitive personal information: Where the personal information contains details of that person's:
- Health or physical condition
- Sexual life
- Ethnic origin
- Religious beliefs
- Political views
- Criminal convictions

Anonymised data: Data concerning an individual from which the identity of the individual cannot be determined. The second Caldicott principle is that patient identifiable information should not be used unless absolutely necessary: use anonymised data instead. In practice, anonymised data should exclude the name, address and full post code, and any other information which when combined with other information likely to be held by or available to the recipient could allow the individual to be identified. Unique identifiers such as hospital or NHS number should also be excluded if there is any possibility that any recipient of the anonymised data has access to the 'key' to that identifier and could thereby trace the identity of the individual. Anonymised and aggregated information can only be used for justified purposes. Staff must ensure that individuals cannot be identified from the information.

Pseudonymised data: Pseudonymisation is a process which involves the removal of identifying information from data but does so in such a way as to allow the data to be restored to an identifiable format when required. It differs from anonymisation, which is characterised by the irreversible removal of identifying data. Pseudonymised data continues to be "personal data" for the purposes of the Data Protection Act because, in the words of section 1 DPA, it is data relating to an individual who can be identified from that data together with other data in the possession of the data controller.

PID: Personal identifiable data

PII: Personal identifiable information

CfH: Connecting for Health (Department of Health)

Information security: Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. The common goals of Information Security are protecting the confidentiality, integrity and availability of information.

Information system (IS): Any combination of information technology and people's activities using that technology to support operations, management, and decision-making. Note: In the NHS structured filing systems as defined by the DPA also constitute 'information systems' in a broad sense. (See DPA 1998 and refer to Records Management Policy.)

DH: Department of Health

FT: Foundation Trust

UHSM: University Hospital of South Manchester

Risk management: The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization. NB: this needs to be tempered by legal compliance.

Staff: In this policy all of the personnel defined are referred to simply as staff. All staff i.e. UHSM staff, contractors, third parties engaged on work at UHSM. In particular:
- All UHSM employees that are engaged in work for the UHSM. This is irrespective of their location.
- Any other persons working for UHSM, such as persons engaged on UHSM business or persons using UHSM equipment and/or networks.
- All usage by anyone granted access to the UHSM information systems, such as maintenance and support services or contractors.
- Personnel on temporary or honorary contracts, non-executive directors, agency staff and students.

Entity: Any business unit, department, group, or third party, internal or external to UHSM, responsible for maintaining UHSM assets.

Risk: Those factors that could affect confidentiality, availability, and integrity of UHSM's key information assets and systems. UHSM is responsible for ensuring the integrity, confidentiality, and availability of critical information and computing assets, while minimizing the impact of security procedures and policies upon its business productivity. The SIRO in conjunction with the Caldicott Guardian and support staff govern this.

Security incident: Any event that has or could:
- cause an unauthorised disclosure of confidential information
- put the integrity of a computer system or data at risk
- put the availability of the system or information at risk
- have an adverse impact e.g. embarrassment to UHSM and the NHS.
All incidents or information indicating a suspected or actual security breach should be reported, via your line manager and by using the HIRS system.
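As an added illustration (not part of the policy), the following Python contrasts the definitions of anonymised and pseudonymised data given above: anonymisation irreversibly drops the identifiers the policy lists (name, address, full postcode, hospital and NHS number), while pseudonymisation replaces them with a keyed token and keeps a mapping that the data controller can use to restore them, which is why the pseudonymised copy is still personal data. The record, its field names and the key are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict

# Direct identifiers the policy says anonymised data should exclude (name,
# address and full postcode) plus the unique identifiers (hospital and NHS
# number) that a recipient holding the 'key' could trace back to a person.
DIRECT_IDENTIFIERS = ("name", "address", "postcode", "hospital_number", "nhs_number")

# Constructed sample record (not real data); the identifiers are placeholders.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "A. Patient",
    "address": "1 Example Street, Wythenshawe",
    "postcode": "M23 9LT",
    "hospital_number": "H0000001",
    "nhs_number": "000 000 0000",
    "dob": "1970-01-01",
    "diagnosis": "Type 2 diabetes",
}


def contains_direct_identifier(record: Dict[str, str]) -> bool:
    """True if any of the listed direct identifiers is still present."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


def anonymise(record: Dict[str, str]) -> Dict[str, str]:
    """Irreversible: drop the direct identifiers and keep nothing that would
    let the record be restored to an identifiable form. Date of birth is
    coarsened to the year because, combined with other data a recipient may
    hold, a full DoB can single a person out (the policy's 'combined with
    other information' test); this coarsening is one illustrative choice."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "dob" in out:
        out["dob"] = out["dob"][:4]
    return out


def pseudonymise(record: Dict[str, str], key: bytes,
                 lookup: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Reversible: replace the direct identifiers with a pseudonym derived
    from the NHS number under a key held only by the data controller, and
    record the identifiers in `lookup` so the controller can re-identify
    the record when required. The same key always yields the same
    pseudonym, so separate extracts for one patient can still be linked."""
    digest = hmac.new(key, record["nhs_number"].encode("utf-8"), hashlib.sha256)
    pseudonym = digest.hexdigest()[:16]
    lookup[pseudonym] = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudonym"] = pseudonym
    return out


def reidentify(pseudo_record: Dict[str, str],
               lookup: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Restore the identifiers from the controller's mapping table. Anyone
    holding `lookup` can identify the individual, which is why the policy
    treats pseudonymised data as personal data under the DPA."""
    identifiers = lookup[pseudo_record["pseudonym"]]
    restored = {k: v for k, v in pseudo_record.items() if k != "pseudonym"}
    restored.update(identifiers)
    return restored


if __name__ == "__main__":
    mapping: Dict[str, Dict[str, str]] = {}
    print("anonymised:   ", anonymise(SAMPLE_RECORD))
    pseudo = pseudonymise(SAMPLE_RECORD, b"controller-held-key", mapping)
    print("pseudonymised:", pseudo)
    print("re-identified:", reidentify(pseudo, mapping))
```

The mapping table (or the key used to derive the pseudonyms) is the 'key' the anonymised-data definition warns about: if a recipient holds it, the data they receive is not anonymous.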



3. DUTIES AND RESPONSIBILITIES

3.1 Introduction

In this section the duties of accountable and responsible staff and committees are set forth with respect to information security in the context of the wider Information Governance agenda (of which it is a fundamental part):

3.2 Executive sponsors of this policy

- Trust Board
- Chief Executive as Accountable Officer
- Senior Information Risk Owner (SIRO)
- Caldicott Guardian

STAFF

3.3 Chief Executive - Accountable Officer (AC)

The Chief Executive, as Accountable Officer, has overall responsibility and accountability for Information Governance, of which Information Security is a key part, within the organisation and as such:
- Endorses, sets and supports an overall information security policy for the organisation.
- Delegates responsibility for information security to senior management who oversee information security. These are the Senior Information Risk Owner and the Caldicott Guardian.

3.4 Senior Information Risk Owner (SIRO)

The Senior Information Risk Owner is the delegated officer for information risk management, of which a key part is Information Security. The role of the SIRO is also to foster a culture of appropriate and legal protection and use of confidential information. Further, to be the senior officer for managing information risks and incidents relating to information assets. As a Board member the SIRO is tasked with ensuring that the Trust Board is briefed on information security breaches, and must be in a position to advise the Board and the Accountable Officer on risks associated with information resources. The role is supported by the Caldicott Guardian and other staff in this section. The SIRO owns and is responsible for the UHSM Information Risk Policy. Risk Management is delegated by the Accountable Officer to the Senior Information Risk Owner (SIRO). The SIRO is able to consult with the Caldicott Guardian (CG) and is supported by appropriate committees, staff and experts as necessary.



3.5 Information Asset Owners (IAO)/ Information Asset Administrators (IAA)

Information Asset Owners and Administrators are responsible for the strategic management (IAOs) and day-to-day administration (IAAs) of information and information systems, their security and use. They are required to ensure compliance with the UHSM's Information Security Policy and supporting documents and thereby maintain controls to help provide:
- Optimum security of information assets
- Optimum confidentiality of information
- Optimum system integrity
- Optimum availability of information
- Appropriate use of equipment by appropriately trained personnel
- Access control reviews
- System security reviews
- Developing and maintaining a database of Trust repositories of personal data and ensuring compliance with Data Protection and Confidentiality over their assets.

IAOs must keep their part of UHSM's Information Assets Register up to date. It can be found on the Intranet in the Information Governance Section.

3.6 Health Records Manager (HRM)

The Health Records Manager is responsible for ensuring:
- all health records including paper and electronic are stored and transported within the Health Records Department and between the Health Records and other Departments in a secure manner, in accordance with the Trust Information Security Policy.
- all staff within the Health Records Department comply with the Trust's Confidentiality Code of Practice.

3.7 The Caldicott Guardian (CG)

The Trust Caldicott Guardian is responsible for the legal and ethical use of confidential data at UHSM and between partners, other parties and individuals that work with or provide services to UHSM. Consequently the CG has a major role as the 'ethical head' of UHSM over the ethical and legal use of confidential information, including:
- Acting as a central point of contact on information security within the organisation, for both staff and external organisations.
- Implementing an effective framework for the management of security.
- Coordinating the formulation of necessary policy and procedure such as the Information Security Policy.
- Coordinating investigations of information security incidents.
- Coordinating sharing information with third party organisations.



3.8 Director of Health Informatics (DoHi)

The DoHi is responsible for escalating information security risks to the SIRO. Further, to advise on proposed solutions and ensure their effective rollout and implementation. Thus the role implements strategic risk management.

3.9 Head of IT (HoIT)

The Head of IT is responsible for ensuring that the Trust's information systems, computers, networks and devices have the necessary security to ensure that its information (that needs to be kept confidential) remains confidential. Further, that data has the necessary integrity and that data and systems are available as necessary. The necessary level of control and operational service to support the provision of health care services depends on having adequate and effective technical measures in place. If any are proved to be operationally unacceptable, inadequate or non-existent then the HoIT must flag that to the Head of Informatics, thence to the IGG for remedial action, and it must also be entered onto the Corporate Risk Register. The Head of IT along with appointed IAAs provides advice and support to the Trust on all aspects of IT Security.

The Head of IT is accountable to the Trust Board for the IT aspect of Information Security Management.

3.10 Information Governance Manager (IGM)

The Information Governance Manager:
- Advises UHSM and its staff on all matters of IG including information security.
- Is responsible for developing and ensuring that the Information Governance Action Plan is progressed through the year and encouraging compliance and completion of set targets.
- Ensures the Trust is progressing with the CfH Information Governance Toolkit and that its submission is timely.
- Guides the IGG on matters of IG including information security.
- Ensures that IG policy and procedures are in place, including information security policy/procedure.
- Produces organisational standards, procedures and guidance on Information Security matters for approval by the Information Governance Group.
- Coordinates information security activities.
- Liaises with external organisations on information security matters, including representing the organisation on cross-community committees.
- Maintains an up to date and accurate notification with the Information Commissioner.
- Provides guidance and advice to all staff in relation to compliance with the Data Protection Act and Confidentiality.
- Develops, gains agreement for and maintains Trust policies in respect of Data Protection and Confidentiality.
- Advises the Information Governance Committee on breaches of the Act and recommended actions.
- Encourages, monitors and checks compliance with the Data Protection Act.
- Produces guidance in key functional areas for the protection and use of personal information, including the need to obtain consent and the level of consent required.

3.11 Training Manager

The Training Manager is responsible for:
- Delivering and maintaining an education, training and awareness strategy covering Data Protection, Confidentiality and Information Security.

3.12 Line Managers (LM)

Line Managers are responsible for ensuring that their staff and departments have access to the Information Security Policy and that all staff are made aware of their responsibilities and compliance. All managers of staff are responsible for general information security within their service. It is incumbent on them to ensure that staff from other organisations and contractors working on UHSM premises/sites are made fully aware of UHSM policies and procedures that may affect them. Managers have a responsibility to ensure that data and other assets under their supervision are adequately secured. Managers must also ensure that the appropriate information security guidelines, procedures and mechanisms are observed in the performance of processing activities.

Managers are required to:
- Conform with the Information Security Policy. Line managers shall be individually responsible for the security of their physical environments where information is processed or stored.
- Ensure their staff are working in a manner consistent with the Information Security Policy. Therefore, managers should ensure that this policy is cascaded to all their staff. It is available on the UHSM Information Governance intranet.
- Be responsible for addressing unresolved security issues with the IAO, IAA, IT Services and/or Information Governance Manager.
- Ensure that staff without UHSM contracts have signed a Confidentiality Agreement.
- Ensure that breaches in the operation of this policy and the procedures laid down herein are dealt with promptly and reported via the HIRS system.

Line Managers are directly responsible for:
- Ensuring the security of the organisation's assets, that is information, hardware and software used by staff and, where appropriate, by third parties, is consistent with legal and management requirements and obligations.
- Ensuring that their staff are aware of their security responsibilities.
- Ensuring that their staff have had suitable security training.

3.13 All staff

All Trust staff have a duty to safeguard hardware, software and information in their care by following this policy and supporting procedures. All staff are responsible for ensuring that no breaches of confidentiality or information security result from their actions. Each employee is responsible for reporting any breach, or suspected breach of security, and ensuring they are aware of, and support all relevant policies (see Related Policies, Procedures and Guidelines section). Reports must be made by using the HIRS, which is UHSM's 'one-place reporting' system and which can be found on the Intranet. In case of emergency a more direct route can be used via reporting to line management, Information Governance or the Caldicott Guardian. Significant Untoward Reporting must be made by the Caldicott Guardian who will instigate reporting, actions and investigations as deemed necessary. Emergency reporting where time is of the essence must be made immediately to line management or, if this is not feasible, to Information Governance staff or the Caldicott Guardian's office.

COMMITTEES & GROUPS

3.14 Trust Board

The Trust Board has ultimate responsibility for ensuring information security is endorsed and being robustly implemented at UHSM. Therefore UHSM's Trust Board and Senior Management endorse and support Information Security.

3.15 Healthcare Governance Group (HCGG)

The HCGG is the ratification committee. Terms of Reference can be found in the Appendices.

Information Governance Group (IGG)

The IGG is the Information Governance steering group which reports to the HCGG via the CG or SIRO. Terms of Reference can be found in the Appendices.



4. STAFF TRAINING

4.1. Introduction

A sound working knowledge of information security purposes and practice is required by all staff that work for UHSM. This is in order to ensure business continuity, legal compliance and that patients', service users' and staff's rights under the law are facilitated and upheld. To achieve this UHSM implements a mandatory (compulsory) training programme for all staff that process or handle confidential or business critical information or service or maintain information systems. Staff that may come across such data or systems are included. All staff that have access to confidential, key or business critical information must undertake mandatory Information Governance training.

4.2. Mandatory training

An ongoing IG awareness training programme has been established and is maintained in order to ensure that staff awareness is refreshed and updated as necessary. A blended approach is taken to learning and training as follows:
- All new starters must attend Corporate Induction which includes Information Governance training, which covers Information Security.
- All staff must select one method of e-learning to complete from the following options:

1. E-Learning (local certification)

An in-house e-learning package is available for all staff and this is accessible via the intranet, and contains details on all relevant information.

2. IG Training Tool (national certification)

UHSM supports the use of the Connecting for Health Information Governance Training Tool (IGTT) which is accessible via the Internet. UHSM's IG Manager has functionality to review staff progress on the system. The IGTT is available for all staff registered* on it. Successful completion of relevant modules generates a certificate, which can be used across the NHS. (This tool pre-selects learning modules for staff via their job profile. These are shown to the user when using the tool.) The IG Training Tool is available at: http://www.igte-learning.connectingforhealth.nhs.uk/igte/index.cfm

*Please note that staff must be registered on the tool for modules to be certificated. Taking the Guest Tour will not achieve this.



5. POLICY EFFECTIVENESS MONITORING

5.1. Information Governance Toolkit

Compliance with this policy will be monitored by virtue of the annual central returns produced for the Information Governance Toolkit and reported to the Board via the Information Governance Group.

5.2. Internal Audit

Our processes are subject to review via internal audit, and the recommendations are dealt with through the IG framework and IG group.

5.3. Dissemination, Implementation & Access

5.3.1 Dissemination

All staff are trained in key aspects of the policy and supporting procedures through mandatory training.

5.3.2 Implementation

5.3.2.1 Induction

All staff will be made aware of policy at Trust induction, and policy is also available via the Intranet. New starter staff must attend induction.

5.3.2.2 Mandatory Training

All staff must complete mandatory training on Information Governance that is relevant to their work annually. Staff may select a method to complete this. (Refer to Awareness Training section.)

5.3.3 Access

This policy is available to all staff via the Intranet and the general public through the Publication Scheme on the internet in accordance with our Freedom of Information Requirements.

5.4 Review, updating and archiving

The policy will also be subject to review in accordance with any changes to legislation and Government requirements, as appropriate to the content and scope of the document. In line with requirements laid down by the Trust the policy will be reviewed according to the Policy on Policies. The policy and earlier versions will be archived in line with the current ICT archiving process.



5.5 Compliance Checking

5.5.1 Purpose

To empower the SIRO, IAOs and supporting IAAs and staff to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.

5.5.2 Scope

Risk Assessments (RAs) will be conducted on any service within UHSM or any external service provider (with agreement with the Trust) when the IGG considers it necessary. RAs may be conducted on any information asset or group of assets or any process or procedure by which these assets are administered and/or maintained in order to manage associated risks.

5.5.3 Risk Assessment and Remediation

The execution, development and implementation of remediation programmes is the joint responsibility of the IGG and the department responsible for the systems area being assessed. Employees must cooperate fully with any RA being conducted, usually with the Information Asset Owners and/or Information Asset Administrators, in the development of any remediation plans found to be necessary.



6. BREACH OF POLICY & SANCTIONS

6.1 Introduction

Unless a policy has sanctions it may not be taken seriously. Breaches of this policy may lead to breaches of patients'/service users' human rights. They may also lead to information system failure or destruction.

6.2 New Legal Sanctions

The law has become increasingly strict on the use of confidential information. Under the Data Protection Act, it is an offence to sell or purposefully disclose personal data. The Information Commissioner's Office now has the power of entry to premises to undertake investigations and courts are able to impose fines of up to £500,000 and/or custodial sentences.

6.3

UHSM Sanctions

This section provides information on UHSMs stance on violation of this policy and the law. 6.3.1 Enforcement

Any individual found to have violated this policy may be subject to disciplinary action, up to and including termination of employment and/or litigation. 6.3.2 Penalties

The penalties for deliberate sale or disclosure of personal confidential data may be termination of employment and possible civil and/or criminal prosecution.

6.3.3 Breaches

Staff must not:

- Provide confidential data to any other organisation or individual without the authority and signature of the Caldicott Guardian, unless a legal exemption is claimed under an 'umbrella' law that guides the data sharing. This must be explicit and justifiable.
- Provide access to information or information systems that contain confidential data without authorisation of the Service Lead on whose information system the data resides. This will normally be via an Information Asset Owner, a list of which can be found on the Information Asset Register on the UHSM intranet.
- Provide confidential, secret, key or business critical data unless an approved agreement exists. Approval is via the IGG and thence the HCGG, and sign off is via the CG, SIRO or Chief Executive (AC).
- Use confidential, secret or key information or systems in a grossly negligent manner.
- Process, alter, hide, encrypt so that it cannot be decrypted, modify, erase, purge, delete, damage or destroy confidential, key or secret data in a purposefully malicious or damaging manner.
- Obstruct or prevent access to any information or information system by senior management 'in scope' or their delegates acting under authority. ('In scope' means that they have the right and authority to access the system(s) in question; where there is any doubt the CG, SIRO or AC will act as ombudsman over this.)

If it is suspected or proven that staff have deliberately or negligently caused a breach of this or a related policy, then their information system access may be suspended until investigations, determinations and decisions have been made.

6.4 Fraud, theft and computer crime

Where illegal acts such as fraud or theft are detected then investigations, disciplinary action and/or litigation will be considered. If the situation warrants that Counter Fraud or the police need to investigate then they will be called in.

6.5 Human resources and sanctions

Sanctions relating to breaches of this policy or the law will be made under guidance of UHSM Human Resources policy (available on the Intranet and from HR).

7. INFORMATION OWNERSHIP

All data processed (used), stored or transmitted by or on UHSM computers, electronic devices, storage media or other files are owned and protected by UHSM and are not any other organisation's or individual's property (unless that can be proven beyond a reasonable doubt). This means the data are protected by law, and UHSM must maintain that protection.

Staff/individuals, organisations or agencies must not access or process UHSM data without prior authorisation of senior management which is legally compliant. Management must seek Information Governance Group or Caldicott Guardian approval for data sharing/ disclosure where there is a need, if doubt arises or an agreement or protocol is necessary.

8 INFORMATION TYPES
8.1. Introduction
Staff must be aware of the different categories of information that they process in order to be able to ensure its ethical use, secure handling and legal compliance.

8.2. Categories of data


All UHSM's information can be categorized into 3 main classifications:

- Public
- NHS Confidential
- Commercial in Confidence
- 'Business Critical'


8.3. Public data

Public data can be shared with anyone. This is information that is already public knowledge or qualifies to be in the 'public domain' under the Freedom of Information Act. It can freely be shared or provided to anyone. Examples are such information that is put in the Annual Report, agendas and minutes of most meetings, advice leaflets and directions. Public data is never personal or confidential, private or secret. Public data is usually fact and not opinion.

8.4. NHS Confidential data

NHS Confidential data can only be shared with those who 'need to know', as determined by senior management and in compliance with the law. NHS Confidential comprises much of the NHS's data. It is very wide ranging, from confidential data to super-sensitive data, and must be protected in a robust and secure manner. In the NHS this is mostly personal data pertaining to patients, service users and staff (see Definitions for 'personal data').

A subset of NHS Confidential information is UHSM Third Party Confidential information. This is confidential information belonging or pertaining to another organisation or third party which has been entrusted to UHSM by that organisation or individual under non-disclosure agreements and other contracts. Examples of this type of information include patient data and joint development efforts data. Information in this category ranges from extremely sensitive to commercially confidential. Also included in NHS Confidential is information that is less critical, such as telephone directories, general corporate information, etc., which does not require as stringent a degree of protection and may qualify to be in the public domain at some point.

Patient Information

This includes one or more of the following: Surname, Forename, Initials, Date of birth, Sex, NHS Number, Local identifier, Address, Postcode, Telephone number, National Insurance Number etc. It also includes pictures, photographs, videos, audio-tapes or other images of patients, and anything else that may be used to identify a patient directly or indirectly, e.g. rare diseases, drug treatments or statistical analyses which have very small numbers within a small population may allow individuals to be identified.

Personal data about staff relating to their employment with the Trust is also NHS Confidential.

8.5. Commercial in Confidence data

Commercially Confidential information can only be shared when authorised by senior management and in doing so will not break the law or prejudice the operations of the Trust.


Commercially confidential material includes development programs, potential acquisition targets, and other information integral to the success of UHSM. UHSM personnel are encouraged to use common sense judgment and adherence to policy in securing UHSM Confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, they should contact their line manager.

8.6. Business Critical data

Business critical or sensitive information can only be shared when authorised by senior management and where doing so will not prejudice any operations of the Trust. It is information which, if compromised through alteration, corruption, loss, misuse or unauthorised disclosure, is likely to adversely affect the Trust or another third party.

9. INFORMATION SECURITY: BASICS


Introduction
Simple security goes a long way in preventing theft, fraud and confidentiality and security breaches, e.g. shutting the door to a secure area and not leaving ID cards lying about. Without the 'simple' security being right it is highly unlikely that complicated security measures will be as effective as they could be. All staff must:

- Ensure security practices are observed and carried out as part of their daily routine.
- Adhere to this policy and its supporting procedures.
- Wear ID badges.
- Query the status of strangers if safe to do so.
- Inform the line manager if anything suspicious or worrying is noted.

10. INFORMATION SECURITY PRINCIPLES


In order to achieve robust information security and not leave the Trust open to breaches of confidentiality, security or systems becoming unavailable the following principles must be followed by staff:-

10.1. Legal compliance (see Legislation section)


Staff must be familiar with the legislation and guidance that is applicable to data usage and security, notably the 'Data Protection Act', 'Caldicott Principles' and 'Confidentiality: NHS Code of Practice'. Records management policy also needs to be complied with when processing records.


10.2. Physical security (see IT Security section)


Staff issued with Smartcards must carry them and not leave them unattended unless (a) the card is in a secure area with trusted staff and (b) it cannot be used by anyone who finds it. These cards or access PIN codes must not be shared except with authority, or unless the situation could be justified to senior management, e.g. an emergency. Premises and transport must be suitably secure so as not to put confidential information at risk, e.g. laptops or paper records containing confidential data. Equipment must be located where such information cannot be read by anyone without a legitimate relationship with it, and most certainly out of public view or access.

10.3. Logical security (see IT Security section)


Staff must not share computer passwords unless authorised by management. In case of absence management may need legitimate access to user system(s) and this must be authorised and justifiable. Applications must be recorded and made via the IT Service Desk.

10.4. Data Access (see Data Sharing section)


Staff must have authorised access to the data that is necessary and sufficient for performance of their role. This is termed a legitimate relationship with the data that they have access to. E.g. a finance officer has a legitimate right to use finance ledger data but does not have a legitimate relationship with a heart surgeon's patient data, and therefore must not be granted access to it. Access permissions that are inappropriate or breach legitimate relationships must be reported to the appropriate line manager or IG Manager.

10.5. Data sharing (see Data Sharing section)


Staff must only use and share confidential data that they are authorised to use and share, with organisations or individuals that are authorised to receive it. (Note that requests for confidential information can be verbal, by letter, by email, fax or any other means available and by many and various requestors/ applicants.)

10.6. Data security (see Portable media guidelines)


Confidential data must always be kept securely. If it is written onto media (CDs, DVDs etc.) or equipment (USB memory sticks, Blackberries etc.) it must be encrypted to the current CfH standard or better. Information regarding standards is available on the CfH website. Paper files, notes etc. containing confidential data must only be stored in robustly secured areas. Where such records are carried and used they must be secured prior to staff leaving the area (see Health Records Policy).


10.7. Information Systems Security (see IT Security section)


All staff must ensure that the computers or other equipment they use are secure, throughout use and in transit if they are carried. IT Services staff must ensure IT equipment is configured securely for computer users; this means that the equipment must be given to IT Services to be configured in the first place. Where equipment is purchased unbeknown to IT Services, the purchasing service must ensure that IT Services secure it if it will contain confidential data.

11. SAFE HAVEN PROCEDURES FOR INFORMATION TRANSFERS


11.1 Introduction

In order to comply with legislation and Department of Health guidance, all NHS organisations are required to have safe haven procedures to safeguard the confidentiality of personal or sensitive information held and transferred. When such information needs to be transferred from one place (or information system) to another, then an approved secure method of transport or transfer must be used. This is intended to ensure compliance with:

- Data Protection Act 1998
- Common Law of Confidentiality
- Confidentiality: NHS Code of Practice
- Caldicott Principles

UHSM applies the following Caldicott principles for the security of personal, confidential and business sensitive information:

- Information must only be transferred for a justifiable purpose
- The transfer must only take place when absolutely necessary
- Only the minimum information necessary must be transferred
- The information must be transferred on a need to know basis

11.2 Definition of a 'Safe Haven'

The term 'Safe Haven' is used to describe either: (1) a secure physical location, or (2) the agreed set of administration arrangements that are in place within the Trust to ensure confidential patient or staff information is communicated safely and securely. It covers the safeguarding of confidential information which enters or leaves the Trust, whether this is by fax, post or any other means. It is essential that such safeguards prevent unauthorised access to information. Safe havens enable staff to be confident that information can be transferred securely between environments. All members of staff handling confidential information, whether paper based or digital (computerised), must adhere to the Safe Haven principles.


11.3 New Safe Havens

The NHS has used safe havens for over 20 years to ensure the secure transfer of PID. This policy provides the guidance regarding the security of transferring information via staff delivery, fax, post and telephone. It also incorporates the New Safe Haven principles. The New Safe Haven principles include the concept of restricting access to identifiable data, which is required to support the pseudonymisation process of de-identifying records. The New Safe Haven applies to the security of patient information and databases. Patient information systems and databases must be within an electronic safe haven whereby access is limited and password controlled for each authorised user. Access to a safe haven will be given by the Trust's IT Department on the correct completion of the Systems Access Request Change Form. A list of the staff able to authorise access to a Safe Haven will be maintained and regularly reviewed by the IT Department and Information Governance Team. A list of the authorised users will be maintained for each safe haven database/system by the appropriate Information Asset Owner, and a full access list will be maintained by the IT Department.

11.4 Where Safe Haven procedures are needed

Safe haven procedures must be in place in any location where large amounts of personal information are being received, held or communicated especially where the personal information is of a confidential and sensitive nature. (see Definitions for 'personal' or 'sensitive' data).

11.5 SAFE HAVEN: Physical security


Staff must ensure restricted and appropriate access to their office or area where personal/business sensitive information is left unattended. If the room can be locked without compromising service user care then it must be locked. In areas where access cannot be restricted, for example, reception desks service user information must not be left on view. All post-rooms and post collection points must have physical security measures in place, for example, a key coded door that is used and not left on the latch.

11.6 SAFE HAVEN: 'Housekeeping'

Manual information (paper and media)


- Only have the minimum information necessary on your desk for you to carry out your work. Any other related information must be put away securely, preferably locked away. This includes correspondence, floppy disks etc.
- Keys must be kept in a secret place known only to those who require access.
- Ensure that manual records are arranged so that the record can be found easily if needed urgently.
- Ensure that records are bound and stored with each piece of paper secure within the record folder.
- Store records closed when not in use in order that the contents are not seen accidentally.
- Ensure that each individual piece of paper is identifiable to the person (for example, name and date of birth / or NHS number / or hospital number / or department ref. no.).
- Do not walk away from your work area leaving personal/business sensitive information exposed for unauthorised persons to see.
- Do not leave information open in pigeonholes.
- If documents containing personal/business sensitive information come into your possession and you are not the intended recipient, you must either forward these to the intended recipient or, if this is not known, to the Caldicott Guardian.
- Office diaries should be destroyed 1 year after the end of the calendar year to which they refer. Health Professional diaries, for example diaries used to record appointments with service users, should be destroyed 2 years after the end of the calendar year to which they refer. Diaries should be viewed as an administrative document and therefore should not contain clinical information. Any service user relevant information should be recorded in the service user's record. Any diaries containing personal information (both service user and non service user information) should be destroyed under confidential conditions. Please note that those staff who have an arrangement with the Finance Department regarding Travel Claims to record specific details of visits and journeys in their diary should retain the diary for a period of six years after the calendar year to which they refer, for auditing purposes.
- Report any loss of personal/business information to your manager, who will report the loss on HIRS.
- Ensure that computer screens are not left on view so that members of the general public, or staff who do not have a justified need to view the information, can see the personal/business sensitive information.
- Access to any PC must be password protected; the password must not be shared.
- Lock your computer system when you leave your work area (do not wait for the screen saver to operate).
- Store electronic personal/business sensitive information in a secure folder on the Trust's network servers (S: drive) and not on the local drive (C: drive).
- Report any loss of personal/business sensitive information to your manager, who will report the loss to the HIRS.

11.7 SAFE HAVEN: On the move

Manual records
If you need to take personal/business sensitive information to work from home you need to gain approval from your manager (who may refer to the Caldicott Guardian for approval). If they agree, you need to ensure the following are considered, and remember that there is personal liability under the Data Protection Act 1998 and your contract of employment for breach of these requirements:


- Ensure you have authority to take the information. This will normally be granted by your line manager.
- Only health and social care records required for patients being seen in the community can be removed. Ideally, records should not be removed for general administration purposes, e.g. writing reports.
- If you are taking manual records please ensure there is a record that you have these records, where you are taking them and when they will be returned.
- Records must be removed for the minimum amount of time possible.
- Records must be stored and carried in a secure case. Piles of records must not be carried loosely as this increases the risk of dropping them and losing something.
- Records must only be taken home if the health or social care professional is not returning to their base after the working day or the records are required for the next working day. This must be with the prior agreement of the team manager.
- Make sure they are put in the locked boot of the car or carried on your person while being transported from your work place to your home. Such records must not be left overnight in a locked boot.
- Remember you are bound by the same rules of confidentiality whilst away from your place of work as you are when you are at your desk.
- While at home you have personal responsibility to ensure the records are kept secure and confidential. This means that other members of your family and/or your friends/colleagues must not be able to see this information or have access to it.

Non-personal or non-business sensitive information


If you take home unidentifiable or non-business sensitive digital data, and you are putting this information onto your own PC, you must ensure that you take the information off again when you have finished your work. Non-personal or non-business sensitive information, for example a PowerPoint presentation or report, can be transferred onto a non-Trust device, PC or laptop.

Person-identifiable information or business sensitive information


Computerised person-identifiable information or business sensitive information must only be stored on Trust equipment, e.g. a Trust encrypted laptop or a Trust encrypted memory stick. Personal or business sensitive information stored on a Trust encrypted memory stick must not be transferred on to a non-Trust device, PC or laptop. Staff must not open attachments in e-mails marked as Confidential or Business Sensitive on any machine other than a Trust computer system.

11.8 SAFE HAVEN: Postal & Internal Mail

When sending post internally or externally, the sender must ensure that adequate security measures are in place, and these include:

External post (mark if confidential)
- Name of the person you are sending to (the recipient)
- Full address (inc. dept if applicable)
- Postcode

Internal mail (mark if confidential)
- Name of the person you are sending to (the recipient)
- Job Title
- Location in the hospital
- Site (Wythenshawe / Withington)

- All confidential mail sent via internal/external mail must be in a new envelope, sealed and marked CONFIDENTIAL. All mail must be addressed to a named person and department. Old envelopes must not be used for sending confidential information.
- Staff must nominate a colleague to open mail containing service user records when on annual leave.
- Prior to sending any information to a patient's home address, confirm the address against an up to date and verifiable source of information, e.g. the address recorded in casenotes or the address recorded on an electronic patient record.
- Correspondence sent to a patient must not identify the Trust as the origin of the letter anywhere on the envelope.
- Loose personal/business sensitive information must not be handed to another person for delivery simply because they are going to the destination department. It must only be delivered if the information is in a sealed envelope, marked confidential and addressed to a named person.
- Where data is received in an insecure manner from an external/internal source, the recipient must notify that source and request that any future information is sent securely. Staff must report such events on the HIRS.
- Do not pass documents containing information to other colleagues by leaving them on a secretary's desk or in an IN tray. Always ensure that information is in a sealed envelope addressed to the recipient and clearly marked CONFIDENTIAL.
- Use the Case Note Tracking System on iPM to record the transfer of manual health and/or social care records. The date, service user details, recipient, department, location, purpose and date returned must be recorded.
- Please note that original Health and/or social care records must not be transferred outside the Trust.

Additional requirements for health and social care records:

If a client moves to another area the Medical Records Department will send a copy of the notes on request. The original record will be kept within the Medical Records Department. Records will be sent via courier. Records sent from the Medical Records Department will be traced to a named person at a unit or department. It is the named person's responsibility to ensure any subsequent movement of these records is recorded using the case note tracking system. This responsibility can be undertaken by one nominated person within a unit, for example an administrative member of staff working to a team of CPNs.


11.9 SAFE HAVEN: Fax

11.9.1. FAX MACHINE TRANSFERS

Sending service user information by fax increases the risk of the information being seen by unauthorised persons. The fax machine could be sited in an open office and may be shared by more than one department.
Faxes containing service user information must only be sent when it is absolutely necessary.

Faxes containing very sensitive service user information (e.g. psychiatric reports, drug abuse, incriminating evidence, child protection reports) must only be sent:

- In an emergency, where delay would cause harm to the patient.
- Where the risk to the patient is greater than the risk of disclosure.

Regular fax numbers should be programmed into the fax memory. Fax machines used to transmit personal/business sensitive information must not be situated in an area accessible to the public.

11.9.2. Definition of a Safe Haven fax machine

A safe haven fax is a fax machine that has safeguards in place to ensure unauthorised persons do not have access to the information. These safeguards include:

- The fax machine must be sited in a secure room or cupboard.
- The fax machine is used by one service or department.
- The fax machine has to be kept in a secure room or cupboard, i.e. not generally accessible by all staff in the building or the public.
- Staff members need to be made responsible for collecting and delivering the faxed information to the appropriate person.

11.9.3. Sending to a fax machine that is not in a Safe Haven

- Telephone first to confirm the fax number and ask the recipient to wait by the fax.
- Ask the recipient to acknowledge the receipt of the fax.
- Make sure your fax sheet states that the information is confidential, is addressed to a named individual and states the number of pages being transmitted.
- Double check the fax number before you hit the send button.
- Request a report sheet to confirm that the transmission has been successful.

11.9.4. Additional safeguards

It is not advisable to:

- Send a fax to a destination where you know it is not going to be seen for some time.
- Send a fax to a destination outside office opening times (whenever possible).
- Leave the information unattended whilst the information is being transmitted.
- Send very sensitive information by fax.
- Leave faxes unattended at the fax machine or in the print tray.

11.10 SAFE HAVEN: email


Staff that need to email confidential or sensitive information to outside of the Trust should do so using an NHS.net account. An email account can be set up by visiting www.nhs.net, and the IT helpdesk can offer support with this (see Contacts).

It should be noted that this method of transfer is only secure when the information is being received by another NHS.net account. E-mail is not a secure way of sending personal data/business sensitive information unless encryption is in place. Personal data/business sensitive information must only be sent using an approved method and following the security measures detailed below. Any breach of confidentiality resulting from using email for personal identifiable data will be investigated, and you are responsible for showing why any of the following guidelines may not have been applied. Messages containing personal data sent to the wrong recipient will be classed as a breach of confidentiality even if the recipient is another NHS employee.

11.10.1 Email addresses

Staff must ensure that they know what the various email addresses mean. The common ones that staff use are described next.

The format of email addresses in the NHS is firstname.surname@name.nhs.uk; Trusts put their name where 'name' is, so that they are recognisable as NHS.

@uhsm.nhs.uk: these are UHSM email addresses within the address book (except those marked with a globe, which are nhs.net addresses).

@nhs.net: these are NHS secure email addresses, but staff must note:
- nhs.net to nhs.net is a secure and approved transfer for confidential information.
- nhs.net to non-nhs.net e-mail addresses, and vice versa, are not secure and are not approved transfers.
- Staff must not send confidential or sensitive data to email addresses that are not secure (e.g. non-nhs.net addresses) unless it is encrypted to the CfH standard and remains secure after being opened (i.e. it is in a Safe Haven).

@nhs.net to e-mail addresses ending in the following are also secure:
- .x.gsi.gov.uk
- .gsi.gov.uk
- .gse.gov.uk
- .gsx.gov.uk
- .police.uk
- .pnn.police.uk
- .cjsm.net
- .scn.gov.uk
- .gcsx.gov.uk
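The domain rules above reduce to a suffix check on the sender and recipient addresses, and that check is easy to get subtly wrong: a domain such as nhs.net.example.com ends with the text "nhs.net" but is not the secure service, and a display name in front of the address must not confuse the parser. The following Python is an added example written for this page, not UHSM or NHS tooling. The secure-suffix list and the nhs.net/uhsm.nhs.uk domains are taken from the policy text; the function names and the sample outbox addresses are constructed here.

```python
"""Classify outbound e-mail against the secure-channel rules in section 11.10.1.

Added illustration; not the Trust's own code. The suffix list below is copied
from the policy. Everything else (function names, sample addresses) is made up
for the example.
"""
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Suffixes the policy lists as secure destinations from an nhs.net account.
SECURE_SUFFIXES = (
    ".x.gsi.gov.uk", ".gsi.gov.uk", ".gse.gov.uk", ".gsx.gov.uk",
    ".police.uk", ".pnn.police.uk", ".cjsm.net", ".scn.gov.uk", ".gcsx.gov.uk",
)
SECURE_EMAIL_DOMAIN = "nhs.net"      # secure NHS e-mail service
TRUST_DOMAIN = "uhsm.nhs.uk"         # Trust's own (internal) address book


def domain_of(address: str) -> Optional[str]:
    """Return the lower-cased domain of an address, or None if it is malformed.

    parseaddr() strips a display name ("Jane Doe <jane.doe@nhs.net>") so that
    only the bare address is inspected. Anything without exactly one '@', or
    with an empty local part or domain, is rejected rather than guessed at.
    """
    _, bare = parseaddr(address.strip())
    if bare.count("@") != 1:
        return None
    local, domain = bare.split("@")
    domain = domain.lower().rstrip(".")
    if not local or not domain or " " in domain:
        return None
    return domain


def is_secure_domain(domain: str) -> bool:
    """True for nhs.net or any host at or under a listed secure suffix.

    Matching is done on a label boundary: "court.x.gsi.gov.uk" matches
    ".x.gsi.gov.uk", but "gsi.gov.uk.example.com" matches nothing, and
    "nhs.net.example.com" is not nhs.net.
    """
    if domain == SECURE_EMAIL_DOMAIN:
        return True
    return any(domain == suffix[1:] or domain.endswith(suffix)
               for suffix in SECURE_SUFFIXES)


def classify_transfer(sender: str, recipient: str) -> str:
    """Classify one message by the policy's channel rules.

    'internal' - both ends in the Trust address book (not an external transfer)
    'secure'   - nhs.net sender to nhs.net or a listed secure suffix
    'insecure' - any other pair of well-formed addresses (this includes a
                 non-nhs.net sender writing to nhs.net, per "and vice versa")
    'invalid'  - an address that could not be parsed
    """
    s, r = domain_of(sender), domain_of(recipient)
    if s is None or r is None:
        return "invalid"
    if s == TRUST_DOMAIN and r == TRUST_DOMAIN:
        return "internal"
    if s == SECURE_EMAIL_DOMAIN and is_secure_domain(r):
        return "secure"
    return "insecure"


# Constructed sample outbox (sender, recipient); none are real Trust addresses.
SAMPLE_OUTBOX: List[Tuple[str, str]] = [
    ("jane.doe@nhs.net", "Court Clerk <clerk@court.x.gsi.gov.uk>"),
    ("jane.doe@nhs.net", "someone@webmail.example"),
    ("jane.doe@uhsm.nhs.uk", "john.smith@uhsm.nhs.uk"),
    ("jane.doe@uhsm.nhs.uk", "bob@nhs.net"),
    ("jane.doe@nhs.net", "lookalike@nhs.net.example.com"),
    ("jane.doe@nhs.net", "broken address"),
]


def flagged_messages(outbox: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return the messages a reviewer would need to look at, with their verdict."""
    flagged = []
    for sender, recipient in outbox:
        verdict = classify_transfer(sender, recipient)
        if verdict not in ("secure", "internal"):
            flagged.append((sender, recipient, verdict))
    return flagged


if __name__ == "__main__":
    for sender, recipient, verdict in flagged_messages(SAMPLE_OUTBOX):
        print(f"{verdict:8s} {sender} -> {recipient}")
```

The check deliberately treats the sender as part of the rule, because the policy approves nhs.net-to-nhs.net and nhs.net-to-listed-suffix transfers only; a message from a Trust address to an nhs.net recipient is still flagged as insecure. The "invalid" verdict is kept separate from "insecure" so that a mangled address (a common cause of mis-delivery) is surfaced rather than silently failed.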

11.10.2. Patients'/advocates' e-mail addresses

Sending to these addresses must be at the request of the patient, and further checks must be made to verify the person's identity.


11.11 SAFE HAVEN: Secure File Transfer


Staff wishing to send personal and sensitive information to a user who cannot obtain an nhs.net account should first consider if that user is a legitimate 3rd party for receiving NHS information. If so, the information can be transferred through UHSM's secure file transfer site, https://uhsm.sendfilesafely.net. In all instances the following guidelines must be observed:

- Mark the message appropriately in the subject line, e.g. confidential or business sensitive, and select confidential in the Sensitivity section in the Message Options.
- Limit the number of recipients of the message to as few as possible.
- Limit the amount of data to only that which is needed for the purpose it is being sent, e.g. use a unique identifier or initials instead of the person's name.
- Password protect any attachments containing personal data/business sensitive information. Ask the recipient to telephone for the password.
- Double check that you have the correct recipient(s) before pressing the send button. This can be done by checking the properties of the recipient you have selected.
- Change the address book view from the Global address book to the Trust address book. This will avoid the chance of sending an e-mail to another employee in another local NHS organisation.
- Send to email addresses that are person specific, unless the e-mail can be dealt with by any member of the team reading the e-mail (e.g. a request for a medical record sent to the medical records e-mail).
- Be aware that e-mail can be forwarded by the initial recipient to third parties against your wishes or by accident. Include a note to say that the receiver of patient identifiable data is responsible for the security and confidentiality of that data and must not pass it on to anyone else, via any method, who does not have a justified need to know.
- Where there is a more formal method for the communication of information, such as a web-based referral system, then that must be used.
- If you allow delegate access to other people to your inbox, consider whether they need to see any personal data you receive.
- Anonymised information can be sent outside the global address book; see Definitions for 'anonymised'.
- When in receipt of personal data, remove it from your e-mail system as soon as possible and file it appropriately, either electronically or on paper.

11.12 SAFE HAVEN: Telephone


Information must only be given over the telephone if you are confident of the identity of the caller. If you are not, you must always take a number, verify it independently and call back. When speaking to a service user or carer on the telephone, confirm the caller's identity or ring back.


Always check whether they are entitled to the information they request. Information on service users must only be released on a need-to-know basis and with consent where necessary. If in doubt, check with your line manager.

- If you receive suspicious queries regarding other members of staff, asking about whereabouts, base or personal information, then please treat them with caution: take contact details of the caller and either verify that it is an authorised person or pass the details to the individual concerned. Report any suspected bogus enquiries to your line manager and via the HIRS.
- Ensure that recorded conversations on answerphones cannot be overheard or otherwise inappropriately accessed. Messages about named service users must not be left on answerphones. Simply leave your name and telephone number and no other information.
- Ensure unauthorised people cannot overhear you when making sensitive telephone calls, during meetings, and when you are having informal discussions with colleagues about personal/business sensitive information. In these situations, if you do not need to identify a service user by name, then don't.
- Message books used to note messages for absent staff members must be stored securely.

11.13 SAFE HAVEN: Verbal / Face-to-Face


All staff are routinely reminded through mandatory training of their responsibility to maintain patient confidentiality at all times. Staff are reminded to consult the Confidentiality Code of Practice for further guidance, available via the Information Governance link on the intranet.

- When patients/service users are registering for a service at a reception desk and are required to give personal/business sensitive information verbally, ensure that this cannot be overheard by others.
- During ward rounds (or visits to nursing homes) when service users' details are being discussed, staff must bear in mind that they might be overheard by other service users in the same room. Whilst it is appreciated that it is difficult to manage confidentiality in situations like these, staff are expected to be aware of the possible problems and do all they can to respect the service users' rights.
- It is not appropriate to discuss personal/business sensitive information in corridors, stairways or in any public areas where it could be overheard.

11.14 SAFE HAVEN: Disposal of Information


When disposing of paper-based person-identifiable, confidential or business sensitive information, always use confidential waste sacks/shredders. Computer printouts should either be shredded or disposed of as paper-based confidential waste. Take care when disposing of fax cartridges; if it is the type that contains a carbon copy of the faxes sent, ensure that this is shredded.


Floppy discs/CDs/videos and any other removable media containing confidential information must be physically destroyed. All such disposals must be logged with the IT Service Desk, who can advise on secure disposal or arrange it. N.B. For disposal or re-cycling of computers and erasure of computer data please refer to the IT Security section of this document.

12. INFORMATION ACCESS

12.1. Information Systems Access
12.1.1. Authorisation

The Information Asset Owner (IAO) responsible for the information system determines authorisation of physical access to it. This will normally be a Head of Department or Service, who may consult the SIRO, CG or IGM. Access to information systems must be restricted to authorised personnel, and to other persons only under the supervision of an authorised person. It must be granted on the basis of a sound, ethical, legal and justifiable need. Access to the information held on information systems must be authorised by the management responsible for the information. Authorisation for software issues such as upgrades that could affect users' work must be obtained from the Head of Department responsible for the upgrade. The Head of Department will either order the upgrade from IT Services or must then notify the Head of IT of the upgrade.

Staff must be:

- Authorised to access and/or operate information systems. Access to information systems must only be granted on the basis of justifiable need.
- Aware that, for business continuity, access may be granted to UHSM computers, devices or files. This must be authorised.
- Sure to clarify with line management first if there is any doubt as to whether a member of staff has the necessary authority to access information or a system.
- Aware that investigative access must be requested by the manager leading the investigation and conducted by appointed staff. An investigation order must be signed by a Director prior to commencement (see Contacts).

Staff are not permitted to do any:

- Unauthorised processing of data (see Computer Misuse Act).
- Unauthorised sharing or distribution, by any means, of any UHSM data or data that UHSM is responsible for. If doubt arises about what is confidential (including commercial in confidence) then experienced staff and senior management must be consulted. N.B. Where the issue is still not clear then the Information Governance Team should be contacted, as the necessary authorisation can be obtained from the IGG or CG.


12.2. USER ACCESS CONTROL

12.2.1. Introduction

The purpose of this section is to govern access to UHSM's information systems and prevent unauthorised access. The policy describes the registration and de-registration process for UHSM information systems and services where these are not in place. This applies especially to new staff, leavers and those changing job role or responsibility. It should also be read in the light of HR procedures.

12.2.2. Application for Access to Information System(s)

All users must complete an application form, which their line managers must countersign, before e-mail, intranet, internet or other system access is made available to them. The forms are available on the UHSM Intranet for:

1. Corporate information systems
2. Clinical information systems (non-Smartcard)
3. Clinical information systems (where a Smartcard is necessary, e.g. Lorenzo). Please ensure that you and your Sponsor complete RA01 and RA02 forms, which are available from IT ???

12.2.3. Principles of User Access Control

Only authorised staff are permitted to access UHSM computers and the information that is held on them. Unauthorised access may contravene the Computer Misuse Act (1990), the Data Protection Act (1998) and other legislation, leaving the person(s) involved open to prosecution and/or disciplinary measures. Staff must have their own unique computer account and only log in to systems or applications that they have been granted access to, unless there is an authorised exception. If data or a system that should not have been accessed is accidentally accessed, then staff are obliged to maintain its confidentiality, integrity and availability and also to report the fact immediately to their line manager. Where the data accessed is suspected of being confidential or sensitive, then it must also be reported to the Information Governance Manager and onto HIRS.

Access controls must take account of the security requirements of the business application and permit access to be granted only on approval by the system administrator, in consultation with the appropriate senior manager where there is any concern or doubt. No individual should be given access to a live system unless the relevant forms have first been completed, in liaison with the System Administrator where necessary. Staff must first be aware of their information security responsibilities as outlined in this policy and related documents. Other policies or procedures may be required reading, but this is at the discretion of the system administrator that grants access. Some policies are national, such as Role Based Access, so national agreements and policies apply. Please check this with the appropriate system administrator.


Staff user access to the National Care Record System (Lorenzo/the Spine etc.) is protected via a Smartcard according to their role (i.e. Role Based Access). Staff must not share Smartcards unless authorised. Remote access to the UHSM network is protected by strong authentication and passwords. Staff must not share their authentication or passwords unless authorised. Employees will normally be granted access only to such information as is required to perform their work duties. If they are erroneously granted any other access, then this fact must be reported to their line manager immediately, as it may otherwise be construed as unauthorised access. When information is copied between systems within the network, staff should ensure that any confidential information remains secure and that the recipient system has the same or a greater standard of security protection as the sender.

12.2.4. Visitors

Definition: A visitor is anyone who is not UHSM staff, such as a service user, engineer or contractor. Visitors must check in and out with an allocated supervisor. This supervisor must know the reason for the visit and any agreements that have been made. Visitors must be supervised, and only approved systems engineers may be allowed access to hardware or software. On completion of work, visitors must complete a sign-off sheet or statement of work and hand it in as required by their UHSM supervisor.


13. INFORMATION SHARING

13.1. INFORMATION SHARING WITHIN THE NHS

Introduction
All sharing of confidential information is governed by law, notably the Data Protection Act 1998 (DPA 98). The DPA 98 states that, generally, consent must be obtained from the individual whose data it is before sharing takes place with other organisations or individuals. Indeed, it is quite a normal and sensible idea to get consent prior to sharing someone's confidential information. However, in the NHS it is not always possible, practical or necessary, as there are different forms of consent and justifiable exemptions that can be claimed which permit legal data sharing. (Refer to the Information Sharing - other NHS and/or Information Sharing - non-NHS sections for further details.) UHSM and its staff must be able to balance openness with confidentiality in a legally compliant way. Therefore staff must understand the relevant law or consult their line manager, senior manager, Caldicott Guardian or supporting Information Governance staff when doubt arises. (Refer to the Contacts section of this document.)

Information sharing is vital for the seamless provision of healthcare. NHS organisations are used to working in a trusted manner, and breaches of information security are not usually caused by breaches of trust but by simple security breaches or negligence. The University Hospital of South Manchester (UHSM) routinely works with other NHS organisations, partners and individuals in providing health and social care services, such as:

- Other NHS organisations
- Third Party Contractors, e.g. GPs, Dentists, Optometrists and Pharmacists

13.2. NHS partners (other NHS Trusts)

Major information systems often cross organisational boundaries in terms of data sharing. This is quite natural, as they are useful expert systems for the NHS community. This kind of sharing is governed via sector-wide or local agreements or contracts. The pseudonymisation project is removing elements of risk from such data sharing. This is intended to implement 'legitimate relationships' across the NHS.

13.3. NHS contractors (GPs, Optometrists, Dentists and Pharmacists)

Most contractors have access to national systems specific to their profession. There are also expert systems that they are able to use; they do not develop or administer them, but input to them and get results from them. Contractors have to be registered by law to use personal data under the Data Protection Act, just like the Trusts, and must therefore have their own Caldicott Guardian equivalent. They are accountable and responsible for the data that they process.


14. INFORMATION SHARING: SHARING WITH NON-NHS ORGANISATIONS

14.1. Introduction
UHSM works with many partners, agencies, commercial third parties and experts. Data needs to be shared to varying degrees with them to achieve health care provision, local services and emergency services, and to participate in valuable research.

14.2. Sharing under applicable law

Applicable and specific law may permit data sharing with various organisations, services and individuals, e.g. the Data Protection Act permits data to be shared for the prevention or detection of crime. Such sharing is not mandatory for the NHS and needs to be justifiable, such as when a 'serious crime' has been committed. Therefore the Caldicott Guardian, HR staff, or other experts such as legal advisors may need to decide on the course of action to be taken. Staff must be clear about why they share the information they do and that it is legal to do so. Staff must be able to justify confidential data sharing. This usually comes down to clear working practices where notes are kept. Staff must raise unclear data sharing with line management, who may consult the IG team or Caldicott Guardian for clarity.

14.3. Agreements and protocols

Where a formal agreement, contract or protocol is necessary in order that all parties know where they stand, and that the patient's/service user's rights in terms of their personal data being shared are balanced with their healthcare best interests, then it must be in place. If this is not the case due to legacy working or information systems, then these must be reviewed by the IGG and HCGG to decide on the course of action to be taken.

14.4. Privacy Impact Assessments

Where a new information system is being implemented, a Privacy Impact Assessment (PIA) must be completed at an early stage; the project governing committee or group must request it and have its findings reported to them. Where risks are flagged by the PIA, these must be entered into the Corporate Risk Register.

14.5. Legitimate requests

Staff must ensure that incoming requests for confidential data are legitimate before sharing data. If staff are not certain, this can mean referring to the appropriate line manager or service lead, or seeking guidance from the relevant policy or the Information Governance team. Some useful information sharing decision diagrams follow:-


PRINCIPLES OF CONFIDENTIALITY AND INFORMATION SHARING WITH CARERS AND SIGNIFICANT OTHERS: OPERATIONAL PROCEDURE
Introduction
Within the process of providing high quality health care to people who use services provided by UHSM Foundation Trust, there is a recognition that in many cases carers are providing valued and vitally important care and support, sometimes on a full-time basis. There is also an understanding that carers often feel cut off from, and ill-informed about, the care of people close to them, even though they may be providing a significant level of care. Carers may also have different needs, views and expectations from service users and should therefore be considered separately, in their own right, rather than as an addition to the service user's assessment and care plan. Care co-ordinators/named nurses (within inpatient care) will be expected to listen to and take into account the views of carers in relation to the cared-for person, including such issues as the current position of the caring relationship and whether this can be maintained. It is also important to offer carers appropriate means of assessing their own needs within what is often a demanding caring role. A carer should be able to expect the following principles in their relationship with the care team:

- Full recognition and understanding of their contribution
- Support to meet their needs as a carer
- Information to assist their understanding of the client's health presentation
- Involvement as a partner in care

In the majority of situations, service users will agree to involving and informing the carer in all areas of their contact with services. UHSM staff will positively emphasise to the service user the benefits of open communication with carers, outlining the positives that can be added to the care package by everybody involved in their care being fully involved in working together. Where a person using health services chooses not to share information regarding his/her condition, on most occasions they have every right to expect their wishes regarding confidentiality to be upheld. Any specific issues service users do not wish to be discussed with or disclosed to their carer must be clearly documented. In practice, there is a marked distinction to be made between general information, such as requests regarding the client's general wellbeing or the routines of the unit or service where care is being provided, and information that can be seen as confidential, such as details regarding the client's current mental health. When a member of staff is in discussion with a carer/supporter/significant other they should:

- Establish the past/current caring relationship.
- Clarify what the carer/significant other already knows about the client's situation/health difficulties.
- Actively listen to the carer/significant other's requests and respond accordingly.

15.1. General Information

Carers should be given/offered by the named nurse/care co-ordinator:

- General information concerning:
  - health problems
  - Medication (dosages, side effects, what to be aware of)
  - Information re: care processes, routines
- Signposting to, and/or help to access, organisations that can provide further information and support
- Contact details of the named nurse/care co-ordinator on the unit/community team to enable consistent support and reassurance, not only during periods of crisis.
- Time and opportunity to share information re their unique knowledge of the service user, and recognition that this is an important and valued part of the assessment process.

This information should be discussed with the carer /significant other and also offered as printed information where appropriate.

15.2. Information That Is Deemed To Be Confidential

Where a service user has expressed a wish for confidential information not to be shared, this, in the majority of cases, will be adhered to. Where staff are unsure re: disclosure, the following information provides a useful guide.

If the individual is unable to give permission to share information due to an assessed lack of capacity at that point in time, the implications of the Mental Capacity Act will need to be considered. Confidential information that is considered essential for the carer to be aware of, such as risk issues and any ongoing care information, can be agreed to be shared following a Multidisciplinary Team (MDT) decision, taking into consideration the views of the carers/significant others as to the likely wishes of the service user and whether it is in the service user's best interests to do so. Where there is a current advance statement/decision that has been made by the service user, this should be used to guide practice if possible.

If the service user is unwilling to share confidential information and has been assessed as having capacity to make such a decision, disclosure can only occur following an MDT decision that a breach of confidentiality is necessary due to risk to self or others. Please note that an advance decision/statement made by someone can be overridden at any time by the author. Staff should confirm with the client that the information still reflects their current wishes for how care should be delivered (this may include parameters around confidentiality). The carer will be made aware of these systems and the timescales that this decision making process will take.


Where urgency does not allow for the process of an MDT to occur, the decision to override a service user's unwillingness to share information will be based on the individual's Professional Code of Conduct, Performance and Ethics re confidentiality. Where carers' requests for confidential information cannot be met, staff must inform the carer of the process, be clear that their requests will be discussed with the MDT, and explain in full the reasons for withholding information that is deemed to be confidential. Continued support to the carer from the staff involved with the service user's care will be ongoing.

Information shared by carers should also be entered into the service user's case notes. This information will be classed as third party information, and carers can, in fact, ask for this information to remain confidential at the point of entry. Carers should be informed that if a service user requests to see their notes under the Data Protection Act 1998, this information will only be revealed if the carer consents or if it is possible to disclose the information without revealing the identity of the third party. Staff can also restrict access to information if it may cause serious harm to the physical and/or mental wellbeing of the service user or any other person. A clear statement of consent/dissent from the carer should be recorded in the case notes on each occasion the carer provides information.


16. DISCLOSING INFORMATION TO THE POLICE: OPERATIONAL PROCEDURE

16.1 Objective:
This procedure details how requests for personal data from the police should be dealt with.

16.2 Consent
The informed, explicit consent of the individual must be gained prior to the release of information to the police. Where the individual has given consent, proof of the consent, e.g. a signed consent form, should be retained in the service user's record. Only the minimum information needed to satisfy the request should be given. An example consent form is included in Appendix A. The service user must understand what information is to be disclosed and that it may be disclosed to third parties, including the defence, and may also be referred to in open Court. If consent cannot be gained, or gaining it might jeopardise the investigation, consider whether there is a legal duty or power to share the information.

16.3 Legal Duty to Disclose: Court Order

Where the courts have made an order, information must be disclosed strictly within the terms of that order unless the Trust decides to challenge the order at court. The Trust must comply with the decision of the judge. In the case of UHSM, such requests will be dealt with by the Complaints Manager. Where a disclosure is ordered by a court, the patient should be informed as soon as possible and ideally before the disclosure is made. Clarification should be sought as to whether this has occurred. (Reference: The Queen on the Application of TB v The Combined Court at Stafford and the CPS and South Staffordshire Health Care NHS Trust [2006].)

16.4 Prevention of Terrorism Act 1989 and Terrorism Act 2000


There is a statutory duty to inform the police of information, including personal information, about terrorist activity.

16.5 The Road Traffic Act 1998


There is a statutory duty to inform the police, when asked, of the name and address of drivers who are allegedly guilty of an offence. Clinical information should not be disclosed.

16.6 Misuse of Drugs Act 1971


Under Section 8 of the Misuse of Drugs Act 1971, a person commits an offence if, being the occupier or concerned in the management of any premises, he knowingly permits or suffers any of the following activities to take place on those premises, that is:


- Producing or attempting to produce a controlled drug
- Supplying or attempting to supply a controlled drug to another, or offering to supply a controlled drug to another
- Preparing opium for smoking
- Smoking cannabis, cannabis resin or prepared opium.

The Police will be informed where patients are suspected of supplying illicit drugs to other patients.

16.7 Coroners Court


The Coroner's Office may request a medical record in order to investigate the cause of death of a person in suspicious or unnatural deaths. Information may be requested by a police officer on behalf of the coroner. Staff can confirm this with the Coroner's Office. Identification should be requested from the police officer, and the officer's name, rank and number logged. A receipt for the record should be obtained from the police officer's property book. The removal of the record must be recorded. In the case of UHSM, such requests will be dealt with by the Complaints Manager. Original Mental Health Records will not be sent.

16.8 Legal Duty to Co-operate


Section 325 of the Criminal Justice Act 2003 establishes a duty to co-operate with the Responsible Authority for Multi Agency Public Protection Arrangements (MAPPA). Co-operation may include the sharing of information, but any information shared must also comply with other legal responsibilities such as the Data Protection Act 1998 and the Common Law Duty of Confidence. MAPPA assesses and manages the risks posed by violent and sexual offenders who may cause serious harm to the public. Personal information may be disclosed to the Responsible Authority to prevent, detect or investigate a serious crime and/or to prevent abuse or serious harm to others, where:

- There is a real, immediate and serious risk to public safety
- The risk will be substantially reduced by the disclosure
- The disclosure is no greater than is reasonably necessary to minimise the risk
- The consequent damage to the public interest protected by the duty of confidentiality is outweighed by the public interest in minimising the risk.

The nature of any disclosure and the reasons for it will be noted clearly in the service user's record. Requests for information should be directed to Medico Legal.

16.9 Legal Power to Disclose


The police may request information without the consent of the individual when making enquiries concerned with the prevention and detection of crime or the apprehension and prosecution of offenders, and consent would prejudice the purpose. The Police must produce the Personal Data Request Form detailed in Appendix B to request the information. The form must be signed by the Senior Officer in charge of the investigation. This will ensure that satisfactory undertakings are in place with the police in respect of any information released. Information should only be supplied to the police if it is in the public interest to do so. The decision should be made by the health professional who is responsible for the relevant aspect of the patient's health care at the time. Further advice may be sought if necessary, e.g. from the Legal Services Manager, Caldicott and Data Protection Officer or Caldicott Guardian. The Caldicott Guardian will make the final decision in complex cases. Information may also be proactively disclosed to the police if it is in the public interest to do so. The following must be considered when making the decision:

- Is the request in relation to a serious crime, or to prevent serious harm or abuse to an individual? (See further advice in Appendix C of this procedure.)
- How do the benefits of making the disclosure balance against the harms associated with breaching a patient's confidentiality?
- Without disclosure, would the task of preventing, detecting or prosecuting the crime be seriously prejudiced or delayed?
- Could the data subject be persuaded to disclose the information voluntarily?
- Is the information limited to what is strictly relevant to a specific investigation?

The police should be specific about the information required and why. The police should not ask for a full copy of the record using the exemption in the hope that it might contain information to satisfy this purpose, even if a serious offence has taken place.

The individual concerned should be informed of the disclosure unless it would defeat the purpose of the investigation or if there is a significant risk of a violent response. The decision to disclose or not to disclose must be recorded in the service user's record. Clear evidence of the reasoning used and the circumstances prevailing should be documented. Information should only be released before the person has been charged, unless there are highly exceptional circumstances. If the person has been charged, a court order for the release of any information should be presented. Staff should be aware that the police are not entitled to take service users' records, even with a search warrant. A court order or a witness summons requiring the release of the record must be presented. Within UHSM, staff should contact the Legal Services Manager immediately. The Legal Services Manager will be responsible for the release of such information. The above guidance should also be followed in instances where the Trust wishes to proactively release information to the police in the public interest.


If the information requested relates to a deceased person, the Data Protection Act no longer applies, however, confidentiality obligations remain and the guidance above must be followed.

16.10 Process for disclosure

The flowchart detailed in Appendix D should be followed when dealing with a request for information. In particular:

- Ensure a lawful basis for the disclosure.
- Only disclose information that is relevant to the enquiry.
- Disclose information securely, following the Trust's Safe Haven Procedure.
- Seek advice from colleagues and line managers when making a decision about a disclosure.
- Record the reasoning used, circumstances prevailing and decisions made in the service user's record.

Even talking to the police about a service user will constitute a disclosure and must follow this procedure. Staff may face disciplinary proceedings if information is disclosed outside the remit of this procedure. The Caldicott Guardian will make the final decision in complex cases.

16.11 Witness statements

It is the decision of the member of staff whether they wish to provide a statement to the police. Service user details must not be included unless the service user has given consent. Consent may be sought using the example Form of Authority detailed in Appendix A. The service user must be clear that this information could be heard in a court of law and therefore be in the public domain. Staff could provide general information about a particular condition without providing any patient details, unless the information has already been released in the public interest; see section 3.2.

16.12 Liaison meetings with the Police

Person identifiable information disclosed during meetings with the police must comply with this procedure, e.g. disclosure must be with the consent of the individual, required by law, or in the public interest to prevent a serious crime or abuse or harm to others. The decision to disclose or not to disclose must be recorded in the service user's record. Clear evidence of the reasoning used and the circumstances prevailing should be documented. The individual concerned should be informed about the disclosure unless it would defeat the purpose of the investigation or if there is a significant risk of a violent response. Information that has already been shared with one of the above justifications may be discussed further with the police during a post incident review.

16.13 Review

This procedure will be reviewed at least bi-annually.


17. IT SECURITY

17.1. Introduction

IT Security supports Information Security. Information systems must be robustly protected so as to enable business as usual and continuity at the various levels agreed and thus support the provision of health and social services to the necessary standard.

17.2. Risk

All information systems and the data they contain have some level of risk attached to them. Data and equipment can be stolen or lost. Staff must help protect the information assets, equipment and information that they use by being vigilant and following best practice in information security as outlined in this policy and supporting documents. This will help to prevent inappropriate access, data loss, system compromise, equipment loss or failure, disasters and loss of business operations. It will also help to prevent a variety of crimes being carried out such as theft and fraud.

17.3. Aims & Objectives

The objective of this policy is to ensure the security of Trust information assets and thus to ensure the:
- Confidentiality - to preserve the confidentiality of all information.
- Integrity - the accuracy and completeness of information and processing, to ensure confidence in the authenticity of the information.
- Availability - that authorised users have access to information and associated assets when required.

The aim is to ensure that Trust information systems, applications and networks are available when required, can be accessed only by legitimate users and contain complete and accurate information. UHSM information systems, applications and networks must be able to withstand or recover from threats to their confidentiality, integrity and availability. To achieve this IT Services, on behalf of the Trust, will undertake to do the following:
- Protect all hardware, software and information assets under its control. This will be achieved through the implementation of a set of well-balanced technical and non-technical measures.
- Provide both effective and cost-effective protection that is commensurate with the risks to its assets.
- Take preventative steps to stop staff from downloading and installing software utilities and applications from the internet without the consent of the Service Desk.
- Implement the Information Security Policy in a consistent, timely and cost-effective manner.
- Carry out security risk assessment(s) in relation to all the business processes covered by this policy. These risk assessments will cover all information systems, applications and networks that are used to support those business processes. The risk assessment will identify the appropriate security controls required to protect the information systems.
- Produce system security policies and procedures for all information systems, applications and networks. These policies or procedures should be developed on the basis of an analysis of risks and approved by the Information Governance Manager (IGM).
- Ensure that all users of the system are made aware of the contents and implications of relevant system security policies and security operating procedures.
- Ensure that all users of information systems, applications and the networks are provided with the necessary security guidance, awareness and, where appropriate, training to discharge their security responsibilities. All staff are to be made aware that irresponsible or improper action may result in disciplinary action(s).
- Ensure that all newly developed information systems, applications and networks are approved by the IGM, the Caldicott Guardian and the SIRO before they commence operation.
- Ensure that measures are in place to detect and protect information systems, applications and networks from viruses and other malicious software.
- Ensure that changes to the security of an information system, application or network are reviewed by the relevant project/system manager. All such changes must be reviewed and approved by the IGM. The project/system managers are responsible for updating all relevant system security policies, design documentation and security operating procedures.
- Ensure that all connections to external networks and systems have documented and approved system security policies, and that all connections to external networks and systems are approved by the ISM before they commence operation.
- Ensure that operational applications, systems and networks are monitored for potential security breaches. Security incidents, whether actual or suspected, must be reported and investigated in accordance with the requirements of the Trust's incident reporting procedures. The IT Service Desk will remind staff of this fact when notified of any occurrences which may be considered a reportable incident. Incidents will be recorded by means of an Information Security Incident Log kept by the ISM and monitored by the Information Governance Group.
- Ensure that there is an effective configuration management system for all information systems, applications and networks.
- Ensure that contingency plans and disaster recovery plans are produced for all critical applications, systems and networks.
- Adhere to the information security policies of other health organisations and local authorities that may share information processing facilities such as wide area networks.
- Provide security awareness training for all staff to ensure that they are aware of their responsibilities for security, and the actions that they need to undertake in order to discharge those responsibilities.


17.4. Physical Security

Objective: To maintain the security of UHSM information processing facilities and prevent unauthorised access, damage and interference to business premises, equipment and information.

17.4.1. Staff must:
- Report problems with IT and information systems to the appropriate staff (see Contacts section at end of this document). The more serious the fault or incident (or potential for one to occur), the sooner it must be reported.
- Comply with UHSM policies, procedures and guidelines.
- Comply with the law.
- Report accidental information access and security breaches immediately to management.
- Report unsafe or unsatisfactory equipment promptly to the IT Service Desk and Facilities.
- Report any deficiencies in security to Information Governance, without actively trying to find any more. For example: equipment must be sited so that computer screens cannot be read by unauthorised staff or the public. If this is not the case it should be reported.
- Wear ID cards in areas where they will not be recognised, i.e. out of their office or department, as other staff may challenge anyone without an ID card whom they do not recognise. If suspicion is aroused then staff should call security personnel or the police.
- Use entry controls to premises securely.
- Ensure doors and windows are closed and locked correctly when vacating the premises.
- Report improper use of equipment or damage to their line manager.

Staff must not:
- Load onto any UHSM computer or device, or use (or cause to be used), any software application, batch file, script or executable file that has not been approved by management, on any UHSM computer, digital device or portable media such as CD, DVD or USB memory stick. Where management do not know what the executable file etc. in question is or does, they must consult IT Services. Just one bad file can bring an information system down.
- Cause deliberate damage to a computer, information system, application, data or storage media (this includes unauthorised installation or distribution of software, computer viruses or malicious code).
- Deliberately disrupt a computer or information system.
- Deliberately exploit any vulnerability.
- Deploy security measures without approval. Such measures must only be deployed on approval of the senior management in scope and by staff qualified to do so.
- Move computers, printers or other desktop equipment without notifying the IT Service Desk, unless authorised.
- Allow computers or electronic media (e.g. floppy disks, CDs, USB pen drives) to be exposed to extreme temperatures, fluids or corrosive substances.
- Connect unapproved, unconfigured computers to the UHSM network.
- Eat, and especially drink, in the vicinity of computers and related equipment. Eating and drinking is forbidden in areas where there are important computers such as fileservers. The penalty could be loss of fileservers, harm or even death (not by UHSM but by the electrified equipment!). Any foodstuffs that present a risk to facilities, e.g. liquids, soup or cans of drink, must not be taken near equipment to which they could present a risk.

17.4.2. Access to premises: Secure areas

Most staff need access to premises and many staff access secure areas within them. Staff must not share secure area access passwords, PIN codes, ID cards or keys with anyone unless authorised or they have the necessary management level of authority to permit it.

17.4.3. Computer hardware and software protection

Staff must not load onto any UHSM computer or device, or use (or cause to be used), any software application, batch file, script or executable file that has not been approved by management, on any UHSM computer, digital device or portable media such as CD, DVD or USB memory stick. Where management do not know what the executable file etc. in question is or does, they must consult IT Services. Just one bad file can bring an information system down.
- Environmental controls should be installed for key computer equipment where extreme temperatures may adversely affect its operation.
- Key equipment should be covered by maintenance agreements with trusted service providers.
- Precautions should be taken against theft, especially of equipment that is portable and desirable, like laptops and mobile phones.
- Personal computers should only be placed in locations with lockable doors and windows. Curtains/blinds must be closed when possible and doors and windows locked when an office is vacated.
- Wherever possible computer equipment must be kept out of view and out of reach, particularly in public areas.
- Locking devices should be fitted to computers in high risk areas such as public areas and by ground floor windows.
- Master copies of software must be stored in lockable cabinets.

17.4.4. Transporting Equipment
- Equipment must not be on display in a vehicle but put into the boot or equivalent and covered up, especially if the vehicle is left unattended.
- Equipment should not be taken home unless it has been authorised and has appropriate security.

17.4.5. Equipment & Information Disposal

Equipment that contains or may have contained confidential data must be securely disposed of when disposal is agreed by management.

17.4.5.1. Computers and computer files

17.4.5.1.1. Device to be reused

Data existing prior to formatting must be erased/purged so that it can never be recovered. Only qualified staff in the IT Services Department, or an approved contractor using specified secure methods, may carry out complete low level formatting of the entire hard disk drive to the CfH approved standard or higher. For removable media (e.g. USB pen drives/memory sticks, floppy disks, CDs/DVDs and backup tapes) please refer to the Portable Media Policy.
17.4.5.1.2. Device to be destroyed

Storage devices or media must be disposed of by being put beyond any means of data recovery, such as by being physically destroyed. This includes floppy disks, backup tapes and any other media used for storing data. This can be done on site by qualified IT staff, or via an approved contractor. A destruction log (certificates of destruction) must be provided by a contractor.

17.5. Data Retention & Archiving

Data files and records must be retained according to the Data Protection Act and the Department of Health Records Management: Code of Practice retention periods and not destroyed until the minimum retention period has elapsed. Some files may be retained for specific purposes after their minimum retention period has expired if they have been deemed valuable for specific purposes, such as research. Such retention must not contravene the law and this would usually be achieved by anonymising it. Where an approved method of storage or archiving supersedes an older one then data can be considered for migration onto it.

17.6. Data Storage

Information must be processed in accordance with the Data Protection Act 1998 and comply with directives and guidance issued by the Department of Health. All patient identifiable information must also be processed in accordance with the Caldicott Principles. [Further details may be found on the Information Governance intranet site or requested from the IG Team. See Contacts.] All staff must comply with Data Protection legislation and their contract of employment regarding confidentiality. Staff who do not have a UHSM contract of employment must only be granted access to information systems after they have signed the Confidentiality Agreement [see HR intranet for ???].

17.7. Data Backup

Objective: To preserve the integrity and availability of information and enable recovery in the event of disaster.

Files must be stored on a user's network drive. This means they are saved onto a secure and resilient file server. This is not the same as saving data onto a computer hard drive. For instance, a laptop would have to be plugged into the network to do this. Any computer that stands alone does not back up onto a file server. [Information stored on network servers with secure, authorised access helps to maintain confidentiality, availability and integrity of the information and reduce the impact of breaches in physical security.]

Important backup tapes and media must be stored safely and securely. Confidential or business critical information must not be stored on individual computer hard drives. The line manager in charge of the staff that process such information must ensure that adequate physical security and backup arrangements are put in place by seeking advice from senior IT staff or the IG Team. Data located upon critical network servers must be backed up in accordance with IT back-up procedures to provide at least ??? period of information retention. Such information will also be stored at another site so that at most ??? of information is lost as a result of local building or system damage. All back-up media must be maintained securely and only erased when no longer required, in compliance with legislation and/or policy.

17.7.1. Access to information systems

17.7.1.1. UHSM staff

Most staff need access to an office computer to perform their duties and many need access to local and national information systems to perform their role. It is a privilege to be able to use information systems. Such systems either contain, or are linked to other systems that contain, vast amounts of confidential data. They must be protected, and this means used confidentially, securely and responsibly by each and every computer user.

17.7.1.2. Maintenance contractors, visitors etc. in non-public areas

These must sign in to abide by UHSM policy and procedure and be escorted by the member of staff or delegate that arranged the visit.

17.8. User Registration

17.8.1. Introduction

Registration for computer use, computer network use and hence office applications such as email and MS Office, intranet, and internet usage is made via line management to IT Services. Applications will be made available to you according to your role and Smartcard profile. To register to use an information system (e.g. Sunrise) staff must have this arranged through their sponsor, who will usually be their line manager. To de-register from using an information system the sponsor (line manager) should be notified unless there are circumstances where they cannot be. Information system administrators are not permitted to register or de-register staff to or from systems without authorisation from the user's sponsor unless there is a justifiable reason.

17.8.2. New Users

17.8.2.1. User Registration

Access to any UHSM system can only be provided after proper procedures are completed. There is a formal user registration process beginning with a formal notification from a line manager to the System Administrator. A request for access to services (systems and applications) must be made in writing (email or hard copy) by the member of staff's line management. Each System Administrator will maintain a record of all applications. Each user will be provided with a unique user account and ID.
17.8.2.2. User Access Level

There is a standard level of network and applications access, but other services can be accessed when authorised by line management. Access must match the user's role.
17.8.2.3. Change of user requirements

Changes in user requirements will normally relate to an alteration to the applications accessed. Requests must be in writing (e-mail or hard copy) and must be directed to the System Administrator. It is recommended that System Administrators review their system users' access rights on an annual basis.
17.8.2.4. User passwords

Password format and general rules can be found in the Password section.


17.8.2.5. Change of password

Where a user has forgotten his/her password, the System Administrator is authorised to issue a replacement. Upon receipt of such a request the System Administrator will:
- Ensure the request is logged.
- Confirm the identity of the user by questions about existing services/access or by reference to a work colleague.
17.8.2.6. Staff Changes Notifications Starting and Leaving

Line managers are responsible for notifying the relevant System Administrator of new staff so as to allow access rights to be established from the required dates. The System Administrator must be notified by line managers of leavers and staff changes that affect computer access (for example job function changes, or leaving the department or organisation) so that computer network access rights may be amended or deleted. When an individual leaves UHSM's employment, all his/her system logons must be revoked unless there is a justifiable reason not to, such as business continuity. Even so, the password must be changed. Leavers' reports should be distributed to relevant administrators in a timely manner. All leavers must hand over current files; however, IT Services can move a leaver's files to specific areas if requested. Normally a leaver's data will be left in its existing directory until authorised to be deleted, and then archived off system (so it can be recovered if required).
17.8.2.7. Revoking User Accounts

Senior management with the necessary authority have the right to revoke users' access to information systems. This action, the circumstances and the reason(s) must be notified to management in scope if this has not already been done. The Information Asset Owner (IAO) must be notified and will notify the SIRO sooner or later depending on urgency and availability. If PID is compromised then the Caldicott Guardian or IG Manager must be notified. Investigatory Officer(s) must have formal authority from an Executive in place before conducting an investigation. Where fraud is suspected then NHS Counter Fraud staff must be contacted. Staff notification is at the discretion of the senior management in charge.
- A user account can be suspended or revoked by the System Administrator when a user no longer requires access.
- A user account must be revoked when a user is not granted access to a system.
- During an investigation a user's account must be suspended or revoked to prevent access, unless specified otherwise by senior management who are aware of the investigation.
- A user account must be revoked on the instructions of a Director unless the Director is advised otherwise and agrees.
17.8.2.8. Temporary User Accounts

Temporary access may be granted on a need to use basis. Accounts must be authorised by a senior manager and must be recorded on the normal application form.
17.8.2.9. Review of user access rights

- The System Administrator may conduct a review of all user access rights when necessary, which is designed to positively confirm all users.
- The relevant manager may request an access rights review.
- The Information Governance Manager may request or conduct an access rights review.
- Any lapsed or unwanted logon which is identified will be disabled and may be deleted after confirmation with the relevant line manager.
- Systems Administrators may conduct reviews of access to applications. This will be done in co-operation with the application owner.
- Directors may order reviews.
17.8.2.10. Review of user access

- Line managers may request a user access review.
- The System Administrator may conduct a review of user access when requested by senior management.
- The Information Governance Manager may request user access reviews.
- Directors may order reviews.
17.8.2.11. Review approach

The approach taken in reviews and checks will be as follows:
- Generate a list of users (by profile, application etc.).
- Confirm that all users identified are authorised to use the system or application.
- Confirm that all users' access is appropriate.
- Any user not confirmed, or with inappropriate access, will have his/her access either removed or revoked pending investigation.

The System Administrator will maintain a file of:
- Lists of accounts with access levels.
- A record of any action taken.
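The review approach above, together with the leaver and revocation rules in 17.8.2.6 and 17.8.2.7, as an added Python example that is not part of the policy: it reconciles an exported account list against the written authorisations held by the System Administrator and produces the file of accounts and actions the section requires. Apart from the Sunrise system named in 17.8.1, the user IDs, system names and sponsor titles are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """One logon on one system, as exported by the System Administrator."""
    user_id: str
    system: str
    access_level: str  # e.g. "standard" or "elevated"


@dataclass(frozen=True)
class Authorisation:
    """A written (email or hard copy) request from line management for access."""
    user_id: str
    system: str
    access_level: str
    sponsor: str  # the line manager who made the request


@dataclass(frozen=True)
class ReviewRecord:
    account: Account
    action: str  # confirmed | removed | revoked_pending_investigation | retained_password_change
    reason: str


def review_access(accounts, authorisations, leavers, under_investigation,
                  continuity_exceptions=frozenset()):
    """Apply the review approach: confirm each account is authorised and its access
    level matches what line management requested; otherwise remove it, or revoke it
    pending investigation. Leavers lose their logons unless a business-continuity
    exception is recorded, in which case the password must be changed."""
    authorised = {(a.user_id, a.system): a for a in authorisations}
    records = []
    for acct in accounts:
        key = (acct.user_id, acct.system)
        if acct.user_id in under_investigation:
            records.append(ReviewRecord(acct, "revoked_pending_investigation",
                                        "user is under investigation"))
        elif acct.user_id in leavers:
            if key in continuity_exceptions:
                records.append(ReviewRecord(acct, "retained_password_change",
                                            "leaver's logon kept for business continuity; password must be changed"))
            else:
                records.append(ReviewRecord(acct, "removed", "user has left the Trust"))
        elif key not in authorised:
            records.append(ReviewRecord(acct, "removed",
                                        "no written authorisation from line management"))
        elif authorised[key].access_level != acct.access_level:
            records.append(ReviewRecord(acct, "removed",
                                        f"access level '{acct.access_level}' does not match "
                                        f"authorised '{authorised[key].access_level}'"))
        else:
            records.append(ReviewRecord(acct, "confirmed",
                                        f"authorised by {authorised[key].sponsor}"))
    return records


def review_file(records):
    """The file the System Administrator must maintain: every account with its
    access level, plus a record of each action taken."""
    return {
        "accounts": [(r.account.user_id, r.account.system, r.account.access_level) for r in records],
        "actions": [(r.account.user_id, r.account.system, r.action, r.reason)
                    for r in records if r.action != "confirmed"],
    }


# Constructed sample data (hypothetical users, systems and sponsors).
SAMPLE_ACCOUNTS = [
    Account("jsmith", "Sunrise", "standard"),
    Account("jsmith", "HR-Payroll", "standard"),      # no authorisation on record
    Account("akhan", "Sunrise", "elevated"),          # authorised only for "standard"
    Account("bjones", "Sunrise", "standard"),         # has left the Trust
    Account("cwhite", "Theatre-Scheduler", "standard"),  # leaver kept for continuity
    Account("dlee", "Sunrise", "standard"),           # under investigation
]
SAMPLE_AUTHORISATIONS = [
    Authorisation("jsmith", "Sunrise", "standard", "Ward Manager"),
    Authorisation("akhan", "Sunrise", "standard", "Clinic Lead"),
    Authorisation("bjones", "Sunrise", "standard", "Ward Manager"),
    Authorisation("cwhite", "Theatre-Scheduler", "standard", "Theatre Manager"),
    Authorisation("dlee", "Sunrise", "standard", "Ward Manager"),
]
SAMPLE_LEAVERS = {"bjones", "cwhite"}
SAMPLE_UNDER_INVESTIGATION = {"dlee"}
SAMPLE_CONTINUITY = {("cwhite", "Theatre-Scheduler")}


def run_sample_review():
    return review_access(SAMPLE_ACCOUNTS, SAMPLE_AUTHORISATIONS, SAMPLE_LEAVERS,
                         SAMPLE_UNDER_INVESTIGATION, SAMPLE_CONTINUITY)


if __name__ == "__main__":
    for r in run_sample_review():
        print(f"{r.account.user_id:8} {r.account.system:18} {r.account.access_level:9} "
              f"-> {r.action}: {r.reason}")
```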

17.8.2.12. Passwords (also see Password Procedure)

All systems or accounts should be password protected. Passwords should not be divulged to other users, or shared by new starters, and managers should arrange appropriate systems access once an appointment has been made and prior to the start date. Where access to functions or files is required and a password is unavailable due to the absence of the relevant member of staff, an approach should be made to the relevant systems manager. They may arrange alternative means of access if the correct authority is given. Further advice on the creation of secure passwords can be found on the intranet, by following the link for Information Governance.

Passwords should be changed at intervals in line with Trust policy, when prompted, or if the account may have been compromised. Where unique passwords are available within a system they must be used. Confidential personnel or commercially sensitive data should be password protected. Further advice for creating a secure password can be found in Appendix B. The security of manager or supervisor passwords should be treated with the highest regard. Only authorised personnel should be aware of current manager/supervisor related passwords. These passwords should be kept in a secure area, locked away and in a sealed envelope. In the absence of the manager/supervisor, authorised users will then have access to the appropriate passwords as necessary. As well as the systems manager there should be at least one recognised deputy. There should also be additional personnel aware of back up procedures in the event of the absence of managers and deputies.
17.8.2.13. Remote Access

Certain staff may need to use Trust IT equipment in geographically dispersed locations. This might include:
- Travelling Users - staff working across site or temporarily based at other locations.
- Home Workers (IT Support, Corporate Managers, IT Development Staff, Clinicians).
- Non-NHS Staff (Social Services, Contractors and other Third Party organisations).

A detailed policy, the Remote Access Policy, exists to provide guidance to users in these circumstances. It should be noted that this is considered by the Trust to be the only acceptable method of working with PID off site, as all the information remains on the network.

17.9. Storage of Trust data

Objective: To ensure the safe storage of data, in appropriate areas of the network, to enable timely retrieval and ensure Trust business is not interfered with in the absence of employees.

17.9.1. Clinical data

UHSM uses massive volumes of data and most of it is confidential, either separately or when it is put together with other data. It may even be sensitive, as in the case of mental or sexual health data. Much of the data and information is clinical and is at some point entered into a paper-based patient record or computer file such as a database: lab results, CT scan data, X-rays etc. The list is enormous.

17.9.2. Non-clinical data

The list is made even more enormous by adding other data from support services which is also covered by the same law (e.g. (1) HR stores personnel files which are also likely to be confidential, (2) Facilities may have CCTV camera footage which contains identifiable staff and patients).


17.9.3. C: drive (or any Hard Disk Drive)

Under no circumstances should staff save any of their work data to the C: drive. This is the hard drive of the individual computer they are working on, and the information is unprotected and open to loss or misuse. All staff should be aware of the relevant drive on the network in which they can save their work securely.

17.9.4. Desktop

Staff must not save work to the desktop area of their computer, as this is unprotected and puts information at risk from loss or misuse. It has limited capacity, and the Trust is operating a policy to clear all computer desktops of documents and file folders. Please note this is not the same as a shortcut link to a file on the network, which is allowed on the desktop.

17.9.5. Portable Media Devices Security

This includes, but is not limited to:


17.9.5.1. USB Memory Sticks

The use by anyone of unprotected, unencrypted USB memory sticks (or other such devices, CDs, DVDs) for containing person identifiable, sensitive or confidential data is strictly prohibited by UHSM. Staff who need a USB stick for containing confidential data must apply to their Sponsor, who will normally be their line manager. If approved by the Sponsor, IT Services must then be applied to via the Sponsor and the relevant form completed. Only successful applicants will be issued with a UHSM approved, encrypted device which meets CfH security standards. The issued memory stick or device must only be used for the purposes declared by the applicant and Sponsor. Staff must not use their own or any other non-UHSM memory sticks for storing or carrying personal data. IT Services will configure memory sticks prior to use; therefore services that purchase them must submit them for secure configuration before use. Staff or individuals external to UHSM must have a contract or agreement in place and must accept to work under UHSM's policy and procedure whilst working at or for UHSM. They are forbidden from using unchecked, unapproved, unencrypted USB memory sticks throughout the entirety of their work with UHSM. Any device that is proposed to contain confidential data during such work must be approved by IT Services for secure use before connecting to UHSM systems or containing UHSM data.
17.9.5.2. Laptops

All laptops owned by the Trust and/or operated by Trust staff will be encrypted to NHS standards. To ensure this is done, all laptops will have been brought to the IT suite to be encrypted and registered as a Trust asset. Encryption products are not difficult but must be used; in particular the password and any token must be kept separate from the laptop, as these are effectively the encryption key. Data is therefore only protected by encryption when the laptop is powered off and not in normal use. New laptops will be purchased through the IT department, which will ensure that NHS encryption has been applied before the new laptop is operated.

Laptops which are operated by departments, using 3rd party software, for clinical related activities will do so with the prior knowledge of the IT department, to ensure that sufficient safeguards for the storage and use of such a laptop have been put in place. All encrypted laptops will be logged on to the network once every 60 days. This allows anti-virus updates to be loaded to the laptop, ensuring continued compliance with security standards. A failure to log on to the network within the allotted 60 days will result in the computer becoming inoperable, and the laptop will have to be returned to the IT department to be unlocked.

Responsibilities
The IT manager is responsible for ensuring that encryption applied to IT systems and laptops is up to NHS standards, and delegates the collection of laptop registrations. Individual staff members who use laptops as part of their job roles are ultimately responsible for maintaining the security of that laptop and the information processed through it.

Laptop Registration
All Trust owned laptops will be registered with the IT department; this should be done at the time of purchase. Staff will need to ensure the relevant registration form has been completed. The form is attached.


Appendix E: Laptop Registration Form

Laptop Registration Form

Registration No:
Type:
Owner (UHSM Department):
Contact Name:
Title:
Department:
Contact No:
Other Authorised Users (Name / Title / Department):
1.
2.
Usage (tick as many as appropriate): Remote Access / Personal Data / Presentations / Sensitive Data


Mobile Computing Device Registration Form

Registration No:
Type:
Owner (UHSM Department):
Contact Name:
Title:
Department:
Contact No:
Other Authorised Users (Name / Title / Department):
1.
2.
Usage (tick as many as appropriate): Remote Access / Personal Data / Presentations / Sensitive Data


17.9.5.3. CDs/DVDs

It is absolutely forbidden for staff to copy or store confidential or sensitive data onto CDs, DVDs or any other such media. Biometric and encrypted memory sticks have replaced such media. It is contrary to CfH guidelines to do this, as it may be the cause of massive data loss. Only if there is a mission critical need to do so may senior management, in consultation with the Caldicott Guardian and SIRO, consider whether to authorise the data to be encrypted to the CfH approved standard or higher prior to it being copied or transmitted. The encrypting and copying process must be undertaken by IT Services, as staff would not have the tools or expertise to do this safely. This authorisation, encryption and copying process must be recorded and signed off by the SIRO.
17.9.5.4. BlackBerrys

All BlackBerrys supplied to Trust staff will be protected to NHS standards, and accessible only by using a secure pass phrase. Staff will protect the integrity of that pass phrase by not sharing it with other members of staff and ensuring it is not recorded anywhere accessible by others.
17.9.5.5. PDAs

The use of PDAs is restricted to non Personal Identifiable Data (PID), and they will not be able to log in to the UHSM network.
17.9.5.6. Mobile Telephones

Where these are able to store data, Trust policy will be followed, and the storage of identifiable personal or sensitive data on the mobile phone is prohibited. This applies to both Trust issued mobiles and personal mobiles used for work purposes. All staff are responsible for the data they work with and should adhere to the guidance laid out in this policy and other related policies. Staff should be aware that it is not acceptable to download patient identifiable data to any removable media without authorisation.
17.9.5.7. Miscellaneous

Staff need to be aware that the following devices may be used to capture, store or process personal data and so need to be treated like any other device or computer that is so used:
- Cameras
- Video Cameras and CCTV
- Audio recorders

All camera prints, images and footage that identify person(s) must be stored securely.
17.9.5.8. CD and DVD

It is expressly forbidden for staff to store any confidential or business critical information on CD, DVD or any such media without (a) senior management authorisation and (b) encryption to the CfH standard.


18. DATA QUALITY

Data Quality and Information Security


High quality, reliable information underpins health service delivery within the NHS. Information that retains its integrity, while being accessible and accurate and remaining confidential, is vital to the NHS and this Trust as a whole. Inaccurate, outdated or inaccessible information that is the result of one or more information security weaknesses can quickly devalue information and have a detrimental effect on business and mission critical processes. Good security measures will function as quality internal controls, helping to eliminate mistakes. The Data Quality Policy should be read in conjunction with this policy to ensure staff are fully informed about the importance of maintaining the integrity of the Trust's data. Accuracy is vital in the creation and subsequent use of clinical records. The Data Quality Policy can be found on the Intranet.


19. PASSWORD PROCEDURE

19.1. Creating a Secure Password

Passwords are your legal responsibility, so it's worth making them extra secure. Mnemonics are a proven way of creating a secure and memorable password. Why? The human brain remembers a sentence far better than a single word. Let us take an example we all might know:

Richard Of York Gave Battle In Vain

So your password would be: ROYGBIV

Not clear? OK, let's take another example. As we have to change our passwords every 2 months, you may want to pick something applicable to those months, like a partner's birthday, for example:

Richard's birthday is the 17th of February

So the password would be: Rbdi17F

See how this now allows the combination of numbers and letters that you require for most passwords. Other ways of adding in numbers and symbols could be as follows:
- 3 for E (as these sound similar)
- 5 for S (as these look similar)
- # is a bit like a H
- & @NT#]N9 15E Y0U (@N T#[NK O!

A word of caution though: don't over-complicate your password or it may be so good even you can't guess it!

19.2. Summary

- Passwords MUST be difficult to guess.
- Mnemonics are a good way of making a secure password that would be difficult for someone else to guess.
- If you want to write a reminder of your password, in case you forget, you can! Such as: "R's Birthday". It is unlikely someone would be able to guess your combination of numbers, letters & symbols.

For further information on passwords and keeping your information secure please contact the Information Governance Manager.


20. IT NETWORKING

Introduction

This section of the document sets out the security of UHSM's computer network services provision.

Aim

The aim of this section is to ensure the information security of UHSM's computer networks and the devices that connect to them.

20.1. Network definition

The network is comprised of connected computer and communication equipment. It is created to support business operations by sharing data, applications, software and peripherals such as printers, routers, fax machines and other data storage equipment.

20.2. Scope

This section applies to:
all computers and computer networks that support UHSM in the delivery of health and social care and supporting services;
all business functions and information assets that are part of or linked to any UHSM computer or computer network(s), the physical environment, equipment, and the services and people who support the network.

20.3. Statement

Network security for UHSM is described below:

The UHSM information network will be available when needed, can be accessed only by legitimate, authorised users and will contain information that is as complete and accurate as possible or as required. The network must also be able to withstand and recover from threats to its availability, integrity and confidentiality. To satisfy this, UHSM will undertake the following. UHSM will:

Robustly protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well-balanced technical and non-technical controls and measures.

Provide both effective and cost-effective protection that is commensurate with the risks to its network assets.

20.4. Risk Assessment

UHSM will carry out security risk assessment(s) in relation to all the business processes covered by this policy. These risk assessments will cover all aspects of the network that are used to support those business processes. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability. Risk assessment will be conducted to determine the CfH and ISO 27001 and 27002 assurance levels required for security controls and countermeasures that protect the network. This will include penetration testing when necessary.

20.5. Physical & Environmental Security

Network computer equipment will be housed in a controlled and secure environment. Critical or sensitive network equipment will be housed in an environment that is monitored for temperature, humidity and power supply quality. Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls. The Support Manager is responsible for ensuring that door lock codes are changed periodically, following a compromise of the code, if s/he suspects the code has been compromised, or when required to do so by senior IT management. Critical or sensitive network equipment will be protected from power supply failures. Critical or sensitive network equipment will be protected by intruder alarms and fire suppression systems. Smoking, eating and drinking are forbidden in areas housing critical or sensitive network equipment. All visitors to secure network areas must be authorised by the Network Manager. All visitors to secure network areas must be made aware of network security requirements; the policy is to be shared with contractors prior to work (signed?). All visitors to secure network areas must be signed in and out. The log will contain name, organisation, purpose of visit, date, and time in and out. The Network Manager will ensure that all relevant staff are made aware of the procedures for visitors and that visitors are escorted when necessary.

20.6. Access Control to Secure Network Areas

Entry to secure areas housing critical or sensitive network equipment will be restricted to those whose job requires it. The Network Manager will maintain and periodically review a list of those with unsupervised access.

20.7. Access Control to the Network

Access to the network will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Remote access to the network will conform to the Trust's Remote Access Policy. There must be a formal, documented user registration and de-registration procedure for access to the network. (HR produce a leavers list on a weekly basis. This is also a line management issue.) Departmental managers (Sponsors) and the Network Manager must approve user access. Access rights to the network will be allocated on the requirements of the user's job, rather than on a status basis. Security privileges (i.e. 'superuser' or network administrator rights) to the network will be allocated on the requirements of the user's job, rather than on a status basis. Access will not be granted (copy paste in User access from above) registers a user. All users of the network will have their own individual user identification and password. Users are responsible for ensuring their password is kept secret (see User Responsibilities). User access rights will be revoked, or reviewed, for those users who are known to have left the Trust or changed jobs.

20.8. Third Party Access Control to the Network

Third party access to the network must be based on a formal contract that satisfies all necessary NHS security conditions and the requirements of both the law and IG. All new systems must have a Privacy Impact Assessment conducted by the IG team and, where deemed necessary by the IGG, legacy/inherited systems must also have them. All third party access to the network must be logged by the Service Desk.

20.9. External Network Connections

Ensure that all connections to external networks and systems have documented and approved System Security Policies. Ensure that all connections to external networks and systems conform to CfH standards, adopted standards and the Statement of Compliance, and are legally compliant. The Change Board must approve all connections to external networks and systems before they commence operation. The Change Board must report its approvals to the IGG for consideration of IG matters.

20.10. Maintenance Contracts

The Network Manager will ensure that maintenance contracts are maintained and periodically reviewed for all network equipment. All contract details will constitute part of the IT Department's Asset Register. IT maintenance contracts that require IG content, due to confidential data being accessed, stored or otherwise processed, must be forwarded to the IG Manager for review.

20.11. Data Sharing

Formal agreements for the exchange of data and software between organisations must be established and approved by the IGG.

20.12. Risk and Logging

To SIRO/IAOs and IAAs

20.13. Security Operating Procedures (SyOps)

Produce SyOps and security contingency plans that reflect changes to operating procedures authorised by the Head of IT.

20.14. Network Operating Procedures

Documented operating procedures should be prepared for the operation of the network, to ensure its correct, secure operation. Changes to operating procedures must be authorised by the Head of IT.

20.15. Data Backup and Restoration

The Network Manager is responsible for ensuring that backup copies of network configuration data are taken regularly. Documented procedures for the backup process and storage of backup tapes will be produced and communicated to all relevant staff. All backup tapes will be stored securely and a copy will be stored in a different location from the servers they are backed up from. Backup media must be securely destroyed when authorised by the Head of IT.

20.16. User Responsibilities, Awareness & Training

The Trust will ensure that all users of the network are provided with the necessary security guidance, awareness and, where appropriate, training to discharge their security responsibilities. All users of the network must be made aware of the contents and implications of the Network Security Policy and SyOps. Irresponsible or improper actions by users may result in disciplinary action(s).

20.17. Accreditation of Network Systems

Ensure that the network or information system is approved by the Head of IT before it commences operation. Network management are responsible for ensuring that the network does not pose an unacceptable security risk to the organisation.

20.18. Security Audits

Network management will require checks on, or an audit of, actual implementations based on approved security policies.

All staff granted Internet and/or Email access must follow the Internet, Email and Social Networking Policy, which is available via the Intranet. UHSM management have the right to order internet monitoring for statistical purposes across many accounts, but also on individual accounts.

Intranet

All staff with Intranet access shall be able to use the services authorised to them unless these are justifiably revoked by management. Staff with administration rights must be careful not to delete or modify other users' rights and account settings.

20.19. Malicious Software

UHSM will ensure that measures are in place to detect and protect the network from viruses and other malicious software.

20.20. Secure Disposal or Re-use of Equipment

This work is mostly undertaken by contractors. Where it is not, the following applies: staff must contact IT to arrange disposal under contract or to advise on appropriate methods. A log must be kept by IT which is accessible to SIRO/CG appointed risk assessors.

20.21. System Change Control

Ensure that the Change Advisory Board reviews changes to the security of the network. All such changes must be reviewed and approved by the Change Advisory Board. Change Managers are responsible for updating all relevant Network Security Policies, design documentation, security operating procedures and network operating procedures. The Change Advisory Board may require checks on, or an assessment of, the actual implementation based on the proposed changes. The Change Advisory Board is responsible for ensuring that selected hardware or software meets agreed security standards. Testing facilities will be used for all new network systems. Development and operational facilities will be separated.

20.22. Security Monitoring

Ensure that the network is monitored for potential security breaches. All monitoring will comply with current legislation. Standard log files will be checked.

20.23. Reporting Security Incidents & Weaknesses

All potential security breaches must be investigated and reported to Network Management, and weaknesses must be reported to the IT Service Desk. Service Desk logs and reports are to be made available on request to the IGM and risk assessors for analysis.

20.24. Business Continuity & Disaster Recovery Plans

UHSM will ensure that business continuity and disaster recovery plans exist for the network. These must include network staff access arrangements that ensure no lock-out and maintain business continuity. The plans must be reviewed by the Head of IT in conjunction with the IGM, and rehearsals / walk-throughs undertaken.

20.25. Unattended Equipment and Clear Screen

Users must ensure that they protect the network from unauthorised access. They must log off the network when they have finished working. The Trust operates a clear screen policy, which means that users must ensure that any equipment logged on to the network is protected if they leave it unattended, even for a short time. Workstations must be locked or a password-protected screensaver activated if a workstation is left unattended for a short time. This is especially required in areas that are accessed by the public. Users failing to comply in full knowledge will be subject to disciplinary action.

20.26. Security Responsibilities

The Chief Executive has delegated overall responsibility for security, policy and implementation to the SIRO. Responsibility for implementing this policy within the context of IT systems development and use in the organisation is delegated further to the Head of Health Informatics.

21.0 RISK ASSESSMENT PROCESS


21.1. Purpose
To empower SIRO, IAOs, IAAs and risk assessors to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.

21.2. Scope
Risk assessments can be conducted on any entity within UHSM or any outside entity that has agreed this and/or signed an agreement including this with UHSM. RAs can be conducted on any information system, to include applications, servers, and networks, and any process or procedure by which these systems are administered and/or maintained.

21.3. Policy
The execution, development and implementation of remediation programs is the joint responsibility of the SIRO, CG and support team and the IAO responsible for the systems area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with the SIRO's risk assessor(s) in the development of a remediation plan.


21. LEGAL GUIDANCE

Introduction

Staff must comply with the law. In order to do this staff must be aware of the law. Staff must read and comply with this policy and the related policies, procedures and guidance that are applicable to their work, which can be found on UHSM's Intranet. As required and necessary, staff must comply with the following legislation:

Data Protection Act 1998
Human Rights Act 1998
Freedom of Information Act 2000
Regulation of Investigatory Powers Act 2000
Computer Misuse Act 1990
Health and Safety at Work Act 1974 (Computers)
Copyright, Designs and Patents Act 1988

There is also an obligation for the Trust and its IT Services to conform to the Common Law Duty of Confidence and the Caldicott principles.

22.1. Data Protection Act 1998 (DPA)

(This Act relates to the processing (use) of personal data - see Definitions section)

The DPA is the law that relates to the use of confidential 'personal data' (e.g. patient data or staff data that identifies an individual). When information security is implemented and the DPA is complied with correctly, it safeguards personal information. It also bestows rights on people, such as the right of access to information that has been collected and stored about them, e.g. in patient records. There are 8 principles to the Data Protection Act 1998 that must be complied with, and the individual as well as the wider Trust may be held accountable for a breach of the Act. The Act applies to both computerised and paper records, video and audio footage, CCTV film and in fact any data from which an individual can be identified, either on its own or when it is put together with other data. Here are the 8 principles:

First principle
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 is met, as follows:

SCHEDULE 2 Conditions relevant for purposes of the first principle: processing of any personal data

1. The data subject has given his consent to the processing.
2. The processing is necessary (a) for the performance of a contract to which the data subject is a party, or (b) for the taking of steps at the request of the data subject with a view to entering into a contract.
3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4. The processing is necessary in order to protect the vital interests of the data subject.
5. The processing is necessary (a) for the administration of justice, (aa) for the exercise of any functions of either House of Parliament, (b) for the exercise of any functions conferred on any person by or under any enactment, (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or (d) for the exercise of any other functions of a public nature exercised in the public interest by any person.

and, in the case of sensitive personal data, at least one of the conditions set out in Schedule 3 is met:

SCHEDULE 3

The data subject has given his explicit consent to the processing of the personal data.
(1) The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.
(2) The Secretary of State may by order: (a) exclude the application of sub-paragraph (1) in such cases as may be specified, or (b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

Second principle
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Third principle
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.


Fourth principle
Personal data shall be accurate and, where necessary, kept up to date.

Fifth principle
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Sixth principle
Personal data shall be processed in accordance with the rights of data subjects under this Act.

Seventh principle
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Eighth principle
Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

UHSM staff must strive at all times to comply with the requirements of the Data Protection Act 1998.


22.2 COPYRIGHT, DESIGNS & PATENTS ACT 1988

This Act states that it is illegal to copy or use software without the copyright owner's consent or the appropriate licence to prove the software was legally acquired. Staff are individually responsible for ensuring no unauthorised software is used within the organisation, and each manager is responsible for ensuring that all items of software in their department are purchased through or sanctioned by the Information Technology department. Staff must not load onto any UHSM computer or device, or use (or cause to be used), any copyrighted material without the author's permission.

As a basis of the Act the copyright owners reserve the right to prosecute any individual or organisation found to breach their copyright, and this may be the basis for disciplinary action.

22.3 Computer Misuse Act 1990

This Act states that it is a criminal offence to attempt to gain access to computer information for which you have no authorisation. If it is suspected that any unauthorised access has been made to a computer system then disciplinary action may be taken under the hospital Disciplinary Policy. All staff that use Smartcards must be familiar with the Registration Authority (RA) Policy, which offers instruction for the correct registration and use of RA cards throughout the Trust. Where required, managers are responsible for ensuring that all new members of staff obtain an authorised RA card on the day employment commences and that the RA department is notified on termination. The RA Policy will be available on the Intranet. Staff must not gain access to data or computer equipment when not authorised. Staff must report any incident to IT Services when accidental access occurs to other levels or systems that they are not authorised to access.

22.3 Freedom of Information Act 2000

The Freedom of Information Act 2000 gives everyone a legal right to access information held by public sector organisations (University Hospital of South Manchester is classed as a public authority). The aim is to make public sector organisations more transparent and accountable to the public. Staff must know the difference between public data and personal data, e.g. a patient record is personal data but the Trust's Annual Report is public data.

22.4 Human Rights Act

The part of the Act most relevant to Information Security is Article 8 of the European Convention on Human Rights. Personal data is part of an individual's private life and as such they are afforded protection from interference and surveillance: "Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."

22. GUIDANCE & STANDARDS

23.1 Information Governance (NHS standard)

The Information Governance Toolkit is a requirement for all NHS organisations. An annual IG Toolkit assessment submission is made to CfH, in accordance with Department of Health (Connecting for Health) requirements.

23.2 Caldicott (NHS standard)

23.2.1 Caldicott Report 1997

The Department of Health issued the Caldicott Report, which dictates levels and standards for securing information and computer systems. The increased emphasis on the Electronic Patient Record and Clinical Governance has combined to heighten security awareness. The main objective of the report was to outline measures to maintain the security of patient identifiable information. It is the responsibility of all staff to ensure that they adhere to Caldicott guidance; further information on the confidentiality of patient identifiable data and best practice can be found in the Confidentiality Code of Practice available via the Intranet. The report defined 6 principles:

1. Justify the purposes of accessing confidential information
2. Do not use patient-identifiable information unless absolutely necessary
3. Use the minimum amount of patient-identifiable information
4. Access to patient-identifiable information should be on a strictly need-to-know basis
5. Everyone should be aware of their responsibilities
6. Understand and comply with the law (specifically the Data Protection Act 1998)

23.2.2 Privacy Impact Assessments

Prior to any new information system being developed or purchased that will contain confidential information, this fact must be notified to the SIRO, IAO and CG. They will decide whether a Privacy Impact Assessment must be conducted before the order or development is progressed.

23.3 Information Security Management (ISO 27001)

ISO 27001 is the International Standard on Information Security Management, initially developed by the British Standards Institute and the Department of Trade and Industry with the co-operation of various private and public sector organisations, including healthcare. There are two parts to the application of this standard: Part 1 is a Code of Practice for Information Security Management and provides a comprehensive set of security objectives and control requirements for those organisations seeking to demonstrate compliance with the British Standard. Part 2 is a specification for Information Security Management, suitable for certification of an organisation's information security system.

Appendix A

Disclosing information to the Police

FORM OF AUTHORITY

Full name ................................................................................................
Date of birth .............................................................................................
Address ..................................................................................................

I (insert name of patient) of the above address AUTHORISE AND REQUEST (insert name of Police Force) .................................. to have access to (specify information requested) held by UHSM NHS Foundation Trust pertaining to my healthcare and assessments at ......., from ..... onwards.

FURTHER, I UNDERSTAND that the said Police Force will be referring to the said records in connection with a criminal investigation and therefore the content of the said records may be disclosed to third parties, including the Defence, and may also be referred to in open Court.

SIGNED ..........................................................
PRINT NAME .................................................
WITNESS ........................................................
PRINT NAME ...................................................
DATED ..............................................................

Appendix B

Disclosing information to the Police

PERSONAL DATA REQUEST FORM - IN CONFIDENCE

Dear Sir/Madam

Request for the disclosure of information held by ....................................................................................
(Name of NHS Trust or GP Practice)

.......................... Police are conducting a criminal investigation into allegations made against:
...................................................... (Name of the alleged offender)
............................................................. (Address)
........................... (Date of Birth)

The allegations being investigated are, in general terms, that ..................................................................
........................................................................................................................................................................................
(Set out the circumstances of the offence(s) being investigated and the charges if any)

The personal data I require relates to:
...................................................... (Name)
............................................................. (Address)
........................... (Date of Birth)

I believe that your organisation may hold information that may be relevant to our investigation. (Set out the specific information required and the reasons why it may be relevant to the criminal investigation.)
...................................................................................................................................................................
...................................................................................................................................................................
...................................................................................................................................................................
...................................................................................................................................................................

I should be grateful if you would ascertain whether or not your organisation holds the information requested. (Set out any prejudice or delay to the investigation which may be caused by the information not being disclosed)
...................................................................................................................................................................
...................................................................................................................................................................

Any material obtained by us in the course of our investigation will be treated as sensitive and dealt with in accordance with the Criminal Procedure and Investigations Act 1996. This information will not be used for any other purpose and will be destroyed if the offender is not prosecuted, or is discharged or acquitted.

I should be grateful if you were able to reply by ........................ (date)

If you wish to discuss this request, or any further information, please do not hesitate to contact either myself or .............................................................. (name of officer) on ................................. (telephone number).

Thank you in advance for your assistance.

Yours faithfully,

Signed ...............................................................................................
Print Name ...................................................................................................
Senior Officer in charge of the Investigation
Collar No ...............................
Date ................................

Appendix C

Disclosing information to the Police

Disclosures to the police in the public interest - Extract from Confidentiality: NHS Code of Practice, pg 34

Public Interest

Under common law, staff are permitted to disclose personal information in order to prevent and support detection, investigation and punishment of serious crime and/or to prevent abuse or serious harm to others where they judge, on a case by case basis, that the public good that would be achieved by the disclosure outweighs both the obligation of confidentiality to the individual patient concerned and the broader public interest in the provision of a confidential service.

Serious Crime and National Security

The definition of serious crime is not entirely clear. Murder, manslaughter, rape, treason, kidnapping, child abuse or other cases where individuals have suffered serious harm may all warrant breaching confidentiality. Serious harm to the security of the state or to public order and crimes that involve substantial financial gain or loss will also generally fall within this category. In contrast, theft, fraud or damage to property where loss or damage is less substantial would generally not warrant breach of confidence.

Risk of Harm

Disclosures to prevent serious harm or abuse also warrant breach of confidence. The risk of child abuse or neglect, assault, a traffic accident or the spread of an infectious disease are perhaps the most common that staff may face. However, consideration of harm should also inform decisions about disclosure in relation to crime. Serious fraud or theft involving NHS resources would be likely to harm individuals waiting for treatment. A comparatively minor prescription fraud may actually be linked to serious harm if prescriptions for controlled drugs are being forged. It is also important to consider the impact of harm or neglect from the point of view of the victim(s) and to take account of psychological as well as physical damage. For example, the psychological impact of child abuse or neglect may harm siblings who know of it in addition to the child concerned.

Appendix D

Disclosing information to the Police

Procedure for dealing with requests by the Police

APPENDIX E Terms of Reference

Healthcare Governance Committee - Private & Confidential

Title of Paper: Revised Information Governance Arrangements

Executive Summary: The Department of Health recently clarified the roles of the Caldicott Guardian and the SIRO (Senior Information Risk Owner). In order to meet the requirements of the Information Governance Toolkit we have reviewed and clarified the terms of reference of the Information Governance Steering Group.

Actions Requested: To approve the revised IG Arrangements and terms of reference

Publication:

Background papers: Link to NHS IG Toolkit strategies and policy

Link to Trust's Strategic Direction: Information Governance

Corporate objectives:

Resource implications: Nil

Acronyms and abbreviations (you are reminded not to use acronyms or abbreviations wherever possible; however, if they appear in the attached paper, please list them in the adjacent box): IG - Information Governance; SIRO - Senior Information Risk Owner; HMRC - (The Inland Revenue); IAO - Information Asset Owner; PCT - Primary Care Trusts

Communication issues:

Report of / Paper prepared by: Mandy Bailey, Colin Owen

HGC meeting date: 22nd July 2010

Review date (if applicable):

Revised Information Governance Arrangements

The Chief Nurse currently carries out the important role of Caldicott Guardian, one which has grown immensely from being focused initially on confidentiality issues to one that in recent years has had a wider Information Governance remit. This extended role has encompassed new laws, IT projects and guidance, namely:

1 the Data Protection Act 1998
2 the Freedom of Information Act 2000
3 the Human Rights Act 1998
4 Caldicott
5 NHS code of confidentiality 2003
6 National Care Records Service

You may recall that as a result of national issues around significant data losses (e.g. HMRC) and other IT security breaches, the Cabinet Office produced a data handling report which recognised that senior level ownership of information risk is a key factor in the appropriate management of personal information. The SIRO role (Senior Information Risk Owner) was mandated for the NHS and the Chief Operating Officer was appointed to undertake that role within UHSM. The Department of Health has recently reviewed the duties of the Caldicott Guardian role and has clarified the relationship with the SIRO.

The Caldicott Guardian role:

is advisory, and accountable for that advice;
is the conscience of the organisation;
provides a focal point for patient/service user confidentiality and information sharing issues;
is concerned with the management of patient/service user information.

Whilst the Senior Information Risk Owner role:

is accountable for IG processes within their organisation;
fosters a culture for protecting and using data;
provides a focal point for managing information risks and incidents;
is concerned with the management of all information assets.

The SIRO has responsibility for understanding how the strategic business goals of the organisation may be impacted by any information risks. In order to respond to changes in guidance and the increasing IG agenda, particularly around the management of information risks, organisations are required to carry out work to identify their information assets and assign ownership of each asset to an Information Asset Owner (IAO). The IAO should be a senior member of staff who is accountable to the SIRO. This role is supported by an Information Asset Administrator (IAA), usually someone with the technical knowledge of such assets. A review of the information assets has therefore been undertaken and certain staff have been identified to act in the capacity of Information Asset Owners and Information Asset Administrators.

A series of workshops is underway to clarify the role, and to commence a programme of work which includes:

Knowing what information comprises or is associated with the asset and understanding the nature and justification of information flows to and from the asset.

Knowing who has access to the asset and why, whether it is a system or information, to ensure that access is monitored and compliant with policy.

Understanding and addressing risk to the asset and providing assurance to the SIRO.

It is proposed that the existing Information Governance Group continues to oversee this work, with a change to the terms of reference and with attendance by more senior level staff. Future agendas will cover both the confidentiality and information sharing issues and the management of information risk. The Healthcare Governance Committee is asked to support this proposal.


APPENDIX F
INFORMATION GOVERNANCE STEERING GROUP DRAFT TERMS OF REFERENCE

MAIN AUTHORITY/ LIMITATIONS

The Information Governance Steering Group is responsible to the Healthcare Governance Committee for ensuring that the Trust implements, monitors and reports on effective information governance policies within the Trust. The minutes of the meeting will go to the HCGC.

MAIN PRIORITY AND OBJECTIVES

To ensure that the Trust has effective policies and management arrangements covering all aspects of Information Governance and that it meets the requirements of the Information Governance toolkit and other directives.

MAIN DUTIES AND RESPONSIBILITIES

To ensure that the Trust has effective policies and management arrangements/plans covering all aspects of Information Governance by:

Ensuring Trust-wide implementation of the Information Governance policies.

Ensuring that the Trust undertakes or commissions annual assessments and audits of its Information Governance policies, protocols and arrangements, via the Information Governance toolkit.

Establishing annual Information Governance Improvement Plans.

Receiving and considering reports into breaches of confidentiality and security and, where appropriate, undertaking or recommending remedial action.

Receiving updates from Information Asset Owners on assets and assurance of information risk.

Formally monitoring the progress of all Information Governance projects and action plans following security incidents.

Formally monitoring Trust-wide uptake of Information Governance mandatory training.

Receiving reports, discussing and agreeing actions following relevant IG investigations or failures and SUIs.

1. Ensure that all risks identified are discussed and escalated in line with the Risk Management Strategy and Escalation Policy and Procedure.
2. To receive reports, discuss and agree actions following relevant investigations or failures in healthcare provision within other organisations.
3. The IGG is responsible for reviewing Trust-wide policies and procedures on behalf of the Trust which relate to Information Governance prior to submission to the HCGC for approval.

CONSTITUTION

4.1 Frequency of Meetings

The Group will meet a minimum of four times a year.

4.2 Chair

The Caldicott Guardian acts as the Chair of this committee. The SIRO will be the Vice-Chair. In the absence of both the Chair and Vice-Chair, a decision will be taken in advance of the meeting as to who will chair that particular meeting.

4.3 Membership

SIRO
Caldicott Guardian
Director of Health Informatics
Head of Information
Health Records Manager
Internal Audit representative
Facilities representative
Choose and Book/RA Manager
Data Quality Manager
Head of Information Governance/Data Security Manager
Human Resources representative
Head of IM&T Infrastructure Manager

Each member is required to nominate a deputy to attend in his/her absence. Members may be co-opted onto the Asset Owners Group or other special subgroups of this Committee or asked to attend on the basis of issues arising or as part of broader engagement.

4.4 Quorum

In order for decisions taken by the Committee to be valid, the meeting must be quorate. This will consist of an executive director or other director plus a minimum of four other members.

4.5 Organisation

The Information Governance Group Committee is serviced by the IG Manager, who organises meetings.

4.6 Standard Agenda Items

1. Minutes of previous meetings
2. HIRS updates
3. Information Risks
4. Review of IG action plans
5. IT Security Issues update

4.7 Review

Terms of reference are reviewed annually or in light of changes in practice or national/local guidance.

4.8 Responsibilities of Members of the Information Governance Group

As a member of the IG Group, named individuals represent divisions and corporate departments. Committee members are expected to:

Actively participate in discussions pertaining to Information Governance, ensuring that solutions and action plans have multidisciplinary perspectives and have considered the impact across all of the directorates and departments.

Share the learning gained from the Information Governance Group within their division to ensure that organisational learning occurs.

Communicate to the Information Governance Group risk issues and solutions discussed in the divisional meetings to support organisational learning.

Present to the HCGC progress of the IG agendas.

Attend at least 60% of meetings of the Committee.

5.0 Version control

V0.1 - 12 May 2010 - For consultation.
V0.2 - 14th June 2010 - Change made to chair to Caldicott Guardian.

6.0 Document owner

The SIRO is responsible for maintaining both these terms of reference and the record keeping of any minute authorising their variation.


APPENDIX G PLAN FOR DISSEMINATION

Title of document: Information Security Policy

Date finalised: 23rd March 2011

Previous document already being used? Yes

Dissemination lead: Colin Owen, Information Governance, 0161 291 5755

If yes, in what format and where? Available in PDF format on the Intranet for staff and via the publication scheme on the internet for the general public.

Proposed action to retrieve out-of-date copies of the document: To update the policy on the Intranet; this will automatically update the available information on the internet.

Describe the plans for dissemination of the document to specific people/groups in specified formats and, if appropriate, with relevant training: To be disseminated to all staff via awareness training, email and intranet.

Dissemination Record - to be used once document is ratified.

Date put on register/library of policy or procedural documents:

Date due to be reviewed:

Notes:


APPENDIX H EQUALITY IMPACT ASSESSMENT OF INFORMATION SECURITY POLICY

1. Does the policy/guidance affect one group less or more favourably than another on the basis of:
Race: No
Ethnic origins (including gypsies and travellers): No
Nationality: No
Gender: No
Culture: No
Religion or belief: No
Sexual orientation, including lesbian, gay and bisexual people: No
Age: No

2. Is there any evidence that some groups are affected differently? No

3. If you have identified potential discrimination, are any exceptions valid, legal and/or justifiable? No

4. Is the impact of the policy/guidance likely to be negative? No

5. If so, can the impact be avoided? N/A

6. What alternatives are there to achieving the policy/guidance without the impact? N/A

7. Can we reduce the impact by taking different action? N/A

Comments:


Information Security Policy version 4.0

REFERENCES

Various law and guidance can be found at the following websites:

Access to Health Records Act 1990
http://www.hmso.gov.uk/acts/acts1990/Ukpga_19900023_en_1.htm

Computer Misuse Act 1990
http://www.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm

Crime and Disorder Act 1998
http://www.hmso.gov.uk/acts/acts1998/19980037.htm

Criminal Justice Act 2003
http://www.hmso.gov.uk/acts/acts2003/20030044.htm

Data Protection Act 1998
http://www.hmso.gov.uk/acts/acts1998/19980029.htm

Environmental Information Regulations Act 1992
http://www.hmso.gov.uk/si/si1992/Uksi_19923240_en_1.htm

Freedom of Information Act 2000
http://www.hmso.gov.uk/acts/acts2000/20000036.htm

Human Rights Act 2000
http://www.hmso.gov.uk/si/si2000/20001851.htm

Regulation of Investigatory Powers Act 2000
http://www.hmso.gov.uk/acts/acts2000/20000023.htm

National Guidelines BIP 0008:2004 Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically
http://www.bsi-global.com


This Review Date: Feb 2011 Next Review Date: Sep 2012


Confidentiality: NHS Code of Practice, which gives guidelines on using and disclosing patient information
http://www.dh.gov.uk/assetRoot/04/06/92/54/04069254.pdf

Guidance for Access to Health Records Requests under the Data Protection Act 1998
http://www.doh.gov.uk/ipu/ahr/dpa1998.pdf

HSC 1998/217 Preservation, Retention and Destruction of GP General Medical Services Records Relating to Patients, for GP practices (including the Primary Care Agency for GP Medical Records)
http://www.info.doh.gov.uk/doh/coin4.nsf/page/HSC-1998-217

HSC 1998/153 Using Electronic Patient Records in Hospital: Legal Requirements and Good Practice
http://www.info.doh.gov.uk/doh/coin4.nsf/page/HSC-1998-153?OpenDocument

Records Management - NHS Code of Practice
http://www.dh.gov.uk

Information Governance Toolkit
https://www.igt.connectingforhealth.nhs.uk/




CONTACTS

Role - Name - Phone - Location

Head of Information Governance and DQ - Colin Owen - 5757 - Baguley
Head of IT - Mark A Wright - Baguley
Caldicott Guardian - Mandy Bailey - Trust HQ
Senior Information Risk Owner - Karen James - Trust HQ
IT Services - 2820




Sharing Identifiable Data


This advice relates to the Data Protection Act 1998.

By Fax

Telephone the recipient of the fax to let them know you are going to send it.
Send a blank page through first and ask them to confirm receipt.
Ask them to acknowledge receipt of the fax.
Use pre-programmed numbers.
Always send a fax cover sheet, making sure it states who the fax is for, and mark it Private and Confidential.
If appropriate, request a report sheet.

Email

Emails containing identifiable data should not be sent between sites.
Personal data should be anonymised wherever possible.
All personal information should be password protected, and the password exchanged separately.
Wherever possible, identifiable information should only be emailed via nhs.net if going out of the hospital; data should NEVER be sent via other servers, e.g. AOL, Hotmail, etc.

By Post

Confirm the name, department and address of the recipient.
Seal the envelope.
Mark the envelope clearly and concisely.

By Phone

Confirm the name, job title, department, organisation and contact number of the person requesting the data.
Confirm the reason for the information request.
Check whether the information can be provided.
If in doubt, ask them to fax their request on headed paper.
Provide information only to the person who requested it.
Never leave messages.
Make a note of all the information you have taken and when you sent it.
Callers coming through on the internal phone line are not necessarily entitled to personal information.

Whiteboards

The use of whiteboards should be restricted.
Patient identifiable information, e.g. diagnosis, traumas, should be kept off whiteboards.
Whiteboards should be placed in areas with limited public access whenever possible.

Case Notes

Health records should only be released to Trust staff.
Areas containing health records should be secure at all times.
Records for delivery should be clearly addressed with the recipient's name, department, area of hospital, and hospital site.
When preparing bundles of records, ensure patients' names are not visible by turning the records over or by covering them with a piece of paper.
Inter-trust transfers should be done through the medical records department unless previously discussed with Health Records.
