Reference No: / 008/IT
Owner: / Deputy Chief Officer
Author / Information Governance Lead
First Issued On: / April 2013
Latest Issue Date: / March 2015
Operational Date: / March 2015
Review Date: / January 2017
Consultation Process
Ratified and approved by: / Governing Body 4th March 2015
Distribution: / All staff and GP members of the CCG.
Compliance: / Mandatory for all permanent and temporary employees of Rotherham CCG.
Equality & Diversity Statement: / In applying this policy, the Organisation will have due regard for the need to eliminate unlawful discrimination, promote equality of opportunity, and provide for good relations between people of diverse groups, in particular on the grounds of the following characteristics protected by the Equality Act (2010): age, disability, gender, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, and sexual orientation, in addition to offending background, trade union membership, or any other personal characteristic.
Policy title: / Rotherham CCG Portable Data Security Policy
Issue date: / 20/10/2008 / Review date: / January 2015
Version: / V 7.1 / Issued by: / TRFT Health Informatics Service
Aim: / To ensure the network is secure for Trust users
Scope: / All NHS Rotherham CCG portable data appliances (clinical and non-clinical) including Laptops, PDAs, Dictaphones, MFDs, Mobile Phones and Pen devices.
Associated documentation: / Legal Framework: The Data Protection Act (1998), Copyright Designs & Patents Act (1988), Computer Misuse Act (1990), Regulation of Investigatory Powers Act (2000), Human Rights Act (1998)
Policies:NHS Rotherham CCG Network Security Policy
Appendices: / [Note any appendices here]
Approved by: / Trust Board
Date: / 20/10/2008
Review and consultation process: / To be reviewed annually or as required
Responsibility for Implementation & Training: / Head of IT
Network Specialist(s), Server Specialist(s), Department Managers
HISTORY
Revisions: / [Enter details of revisions below]
Date: / Author: / Description:
7/01/08 / D Stowe / Initial Document Draft for approval
15/01/08 / D Stowe / Second Document Draft for approval
03/03/08 / D Stowe / Third Document Draft for approval
04/03/08 / D Stowe / Fourth Document Draft for approval
10/03/08 / D Stowe / Policy Statement added, 4.13 added, removed 7.8, edited 10.3 to read must.
10/07/08 / D Stowe / Edited 3.3 to include McAfee Endpoint Encryption, updated 4.2 to include McAfee Endpoint Encryption, updated 4.3 to include McAfee Endpoint Encryption, updated 4.12 to include McAfee Endpoint Encryption, updated 7.4 to include training on McAfee Endpoint Encryption and lockdown procedures, updated 9.2 to include and the device must use McAfee Endpoint Encryption software, updated 10.1 to include and the device must use McAfee Endpoint Encryption encryption software, updated 10.3 to include McAfee Endpoint Encryption, updated 14 to include McAfee Endpoint Encryption.
17/08/10 / D Stowe / Updated Introduction, Device Definition, to include MFDs and Dictaphones.
18/08/10 / D Stowe / Inserted in 10.1 ‘MFD’s, Dictaphones and the device, if possible’.
Added 10.6
Added 11.4
Added Dictaphones and MFDs to 14.
Changed Safeboot to Endpoint Encryption.
09/09/12 / D Stowe / Changed to reflect CCG and reviewed
Changed wording in 11.1
Removed references to McAfee Endpoint for generic.
05/01/15 / D Stowe / Policy reviewed and updated to reflect organisational changes that have occurred since the last review. Posts and accountability updated.
Distribution methods: / CCG Intranet
Introduction
This document defines the Portable Data Security Policy for NHS Rotherham CCG. The Portable Data Security Policy applies to all business functions and information contained on portable devices such as, but not limited to, Laptop Computers, PDAs (including Windows Mobile Phones), Dictaphones, MFDs and Pen Drive type devices (memory sticks). The organisation has a responsibility to ensure that all information and data is secure on all types of media.
- This document:
Sets out the organisation's policy for the protection of the confidentiality, integrity and security of portable data devices.
Establishes the security responsibilities for data security on portable devices used inside and outside of the organisation.
Provides reference to documentation relevant to this policy (as stated in section 6).
Establishes roles and responsibilities for all staff.
- Policy Statement
Personal data must not be held on portable media unless this has been approved by the Senior Information Risk Officer (SIRO) or the Head of IT.
- Aim
The aim of this policy is to ensure the security of NHS Rotherham CCG's portable data devices. To do this the CCG will:
3.1.Ensure advice is always available from the Health Informatics department and department managers.
3.2.Ensure that the device is secured to standards defined by governing organisations applicable to the NHS.
3.3. Provide encryption tools and advice via the Health Informatics department and departmental managers.
3.4.Maintain a record of all portable devices in use (departmental managers are responsible for this).
3.5.Investigate reports of misuse.
3.6.Prevent or stop inappropriate use.
- Roles and Responsibilities
All personnel or agents acting for the organisation have the following duties of care:
4.1.Users must safeguard hardware, software and information in their care.
4.2.The IT department will provide guidance and advice on current NHS encryption standards to portable data device users.
4.3.Users must ensure all devices carrying personal identifiable information are encrypted to the latest NHS standards.
4.4.Users must prevent the introduction of malicious software on the organisation's IT systems by not installing unauthorised software or allowing Antivirus software to become out of date.
4.5.Users must report on any suspected or actual breaches in security to the Head of IT/Line Manager.
4.6. Users must ensure that data carried in vehicles is not left in plain sight, i.e. where possible, place laptops etc. in the boot of the vehicle even when travelling.
4.7.Users must never leave portable data devices in vehicles overnight.
4.8. Users must never leave portable data devices unlocked, and must use a password-protected screen saver so that a password is required to unlock the device.
4.9.Users must ensure that all reasonable steps are taken to secure data being viewed from being seen by third parties.
4.10.Department Directors have a duty to ensure department managers are aware of their responsibilities with regard to staff who carry portable data and are aware of and comply with this policy.
4.11.Department Managers have a duty to ensure staff who carry portable data are aware of and comply with this policy.
4.12. The RFT Health Informatics department will ensure current encryption advice and software is up to date and complies with national policy.
4.13. Personal identifiable data held on portable devices cannot be transferred without the express permission of the SIRO or the Head of IT.
- Device definition
The devices covered under this policy are any capable of storing data. These include Laptops, PDAs, Windows Mobiles (Qtek etc.), Apple iPhones, Android Phones, Pen Drives (USB Memory Sticks), CD-ROM/DVD and tape drives, hard disks, Dictaphones (tape and digital), MFDs (multi-function devices such as print/fax scanners) and other data storage equipment.
- Scope of this Policy
This policy applies to all devices provided by or for NHS Rotherham CCG used for:
6.1.The storage, sharing and transmission of non-clinical data and images.
6.2.The storage, sharing and transmission of clinical data and images.
6.3. Remote connections to NHS network (N3) based applications such as TPP.
6.4.Remote connections to NHS Rotherham CCG shared services i.e. home working.
- The Policy
The overall Data Security Policy for NHS Rotherham CCG is described below:
Security should be applied to equipment going off-site taking into account the different risks of working outside the organisation's premises;
Regardless of ownership, the use of any information processing equipment outside the organisation's premises should be authorised by department managers/directors.
Security risks, e.g. of damage, theft or eavesdropping, may vary considerably between locations and should be taken into account in determining the most appropriate controls.
To satisfy this, NHS Rotherham CCG will undertake to do the following.
7.1.Protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well-balanced technical and non-technical measures.
7.2.Provide both effective and cost-effective protection that is commensurate with the risks to its assets.
7.3.Implement the Data Security Policy in a consistent, timely and cost effective manner.
7.4. Provide users of laptops with appropriate training and instruction in the use of the laptop and its security functionality and lockdown procedures, via the RFT Health Informatics department or department managers. This should include their responsibility for safeguarding the laptop and their obligation to comply with relevant information governance security procedures of the organisation.
7.5.If there is evidence that you are not adhering to the guidelines set out in this policy, the NHS Rotherham CCG reserves the right to examine PC usage/content and to take disciplinary action, which may lead to a termination of contract and/or legal action.
7.6.Where relevant, NHS Rotherham CCG will comply with:
Copyright, Designs & Patents Act 1988
Access to Health Records Act 1990
Computer Misuse Act 1990
The Data Protection Act 1998
The Human Rights Act 1998
Electronic Communications Act 2000
Regulation of Investigatory Powers Act 2000
Freedom of Information Act 2000
Health & Social Care Act 2001
7.7.NHS Rotherham CCG will comply with other laws and legislation as appropriate.
- Risk Assessment
8.1. The Rotherham Foundation Trust Health Informatics department will carry out security risk assessment(s) in relation to all the business processes covered by this policy. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability.
8.2. Formal risk assessments will be conducted to ensure the data devices conform to ISO/IEC 27002 standards where possible.
- Laptops
9.1. Laptops should be secured to a desk or other appropriate point if left unattended, using an appropriate locking device if available. If this is not possible, ask the person nearest to you to assist with watching over the device.
9.2. Regardless of a laptop's ownership, the use of any equipment outside an NHS organisation's business premises for the processing of NHS information must be authorised by the relevant Director or Head of Department. Where the processing of NHS patient information is proposed on laptop devices, additional authorisation must be obtained from the organisation's Caldicott Guardian and the device must use NHS standard encryption software.
9.3. Remote access from a laptop to NHS information systems must be achieved in accordance with the organisation's NHS IG Statement of Compliance, NHS IG guidance, and any defined requirements for the protection or use of the NHS information service(s) concerned.
9.4. Sensitive data, including that relating to patients, stored on an NHS laptop should be kept to the minimum required for its effective business use in order to minimise the risks and impacts should a breach occur.
9.5. Loss of laptops must be reported immediately to the department manager, who will inform the Head of IT, who will help the manager complete the IR1 form.
- Data Storage Devices
10.1. Data storage devices include, but are not limited to, Hard Drives, Memory Sticks, CDs, DVDs, PDAs, Mobile Phones (Windows Mobiles), MFDs and Dictaphones, and the device, where possible, must use or be protected by NHS standard encryption software.
10.2. Sensitive data, including that relating to patients, stored on a data storage device should be kept to the minimum required for its effective business use in order to minimise the risks and impacts should a breach occur.
10.3. Personal Identifiable Information kept on such devices must be encrypted to NHS standards using NHS standard encryption software as a minimum, using a key of at least 10 characters that includes a combination of special characters such as $ * @ ~ ? ( ) etc.
10.4. Loss of data storage devices must be reported immediately to the department manager, who will inform the Head of IT.
10.5. Mobile phones/PDAs that access the CCG email system must be protected by a PIN code and set to time out after a maximum of 2 minutes of inactivity.
10.6. Dictaphones (Digital Dictation Devices) must be capable of being protected by either PIN access or biometrics (fingerprint readers) and must encrypt any files to be transferred. Only a few devices have this feature (i.e. the Olympus DS-5000 range), and older tape type equipment must be replaced at the earliest opportunity.
- Secure Storage, Removal or Disposal of Data
11.1. RFT Health Informatics Department staff will ensure that all data on the equipment (e.g. on hard disks, CDs, DVDs or tapes) is securely overwritten. Where this is not possible, RFT Health Informatics Department staff will ensure the physical destruction of the disk or tape.
11.2. Where disks are to be removed from the premises for repair, the data must, where possible, be securely overwritten or the equipment degaussed by the Health Informatics Department.
11.3. Data to be stored for audit purposes on removable media such as DVDs must be kept in a secure, locked environment, i.e. a data safe. Where this is not possible, advice must be sought from the Caldicott Guardian or the Health Informatics Department.
11.4. MFDs (Multi-Function Devices) such as print/fax scanners can contain internal hard drives, which must be treated like a normal hard drive for disposal.
- Data Guidelines
Data containing Personal Identifiable Information may be contained in but not be restricted to:
12.1.Office Applications i.e. Email, Word documents, Database entries etc.
12.2.Clinical Applications i.e. Off-line patient records.
12.3.Voice recordings held in a data file on a device.
12.4.Pictures held on a device.
12.5. Notes held on a device, i.e. Qteks or Tablet PCs where a digital pen may be used.
- Validity of this Policy
13.1. This policy should be reviewed bi-annually under the authority of the Chief Officer. Associated information security standards should be subject to an ongoing development and review programme.
- Acronyms
Windows mobile / A mobile phone capable of receiving emails.
Tablet PC / A type of laptop that is generally used in conjunction with a digital pen.
DVD / A data disc capable of storing up to 8 GB of data.
CD / A data disc capable of storing 650 MB of data.
Memory stick/pen drive / A memory storage device that plugs into the USB port, capable of storing up to 32 GB of data.
PDA / A personal data assistant that can be used for off-line storage of emails etc.
Encryption software / NHS compliant encryption software.
Dictaphone / Digital Dictation Machines.
MFD / Multi-Function Device such as print/fax scanners.