NHS Nottinghamshire County Clinical Commissioning Groups (CCGs)
Corporate Information Security Policy
Document Information
Document Reference: / IG01
Document Purpose: / This policy describes the way in which personal confidential or personal sensitive information should be protected and individual responsibility with regard to protecting information securely.
Date Approved: / 22 September 2017
Approving Committee: / Information Governance Management and Technology Committee
Version Number: / 2.2
Status: / Approved
Next Revision Due: / December 2018
Developed by: / Information Governance Services, Greater East Midlands Commissioning Support Unit (GEM CSU). Members of the County IG Leads Operational Meeting.
Policy Sponsor: / Nottinghamshire Clinical Commissioning Groups - Director of Outcomes and Information
Target Audience: / This policy applies to any person directly employed, contracted or working on behalf of the CCG
Associated Documents: / All Information Governance Policies and the Information Governance Toolkit requirements
CONTENTS
SECTION / DESCRIPTION / PAGE
1 / Introduction / 4
2 / Policy Statement / 4
3 / Scope / 5
4 / Organisational Responsibilities / 6
5 / Risk / 8
6 / Access Control / 8
7 / Computer Information Security / 9
8 / Transfers of Information / 10
9 / Disposal of Information, equipment and media / 11
10 / Physical Security / 11
11 / Internet / 11
12 / Home computers / 11
13 / Procurement, Contracting, Projects and Processes / 12
14 / Asset Management / 12
15 / Business Continuity / 12
16 / Forensic Readiness / 13
17 / Security Incident Management / 14
18 / Advice & Training / 14
19 / Supporting Policies & Procedures / 14
20 / Monitoring of compliance to Information Security / 15
21 / Equality and Diversity Statement / 15
22 / Due Regard / 16
23 / Monitoring compliance and effectiveness / 16
Appendix A / Good Practice Guide for Staff / 17
Appendix B / Guidelines to the Eight Principles of the Data Protection Act (1998) / 18
Appendix C / The Caldicott Principles / 19
Revision History
Version / Revision date / Description
1.0 / March 2013 / Reviewed for Nottinghamshire Clinical Commissioning Groups
1.1 / October 2014 / For review in line with Version 12 of the IG Toolkit
2.0 / November 2014 / Approved by Information Governance Management and Technology Committee
2.1 / December 2016 / Minor updates/changes – approved at IGMT
2.2 / August 2017 / Updated to reflect guidance from NHS Digital
Policy Dissemination information
Reference Number / Title / Available from
IG01 / Corporate Information Security Policy / G:\Rushcliffe CCG\Governance and Integration\Corporate Governance\Policies and procedures\APPROVED Rushcliffe CCG policies\Information Governance
1 Introduction
1.1 This policy applies to NHS Nottinghamshire County Clinical Commissioning Groups (CCGs), subsequently referred to in this document as the CCGs. They include:
- NHS Mansfield and Ashfield CCG
- NHS Newark and Sherwood CCG
- NHS Nottingham North and East CCG
- NHS Nottingham West CCG
- NHS Rushcliffe CCG
1.2 Without effective security, NHS information assets may become unreliable and untrustworthy, may not be accessible where or when needed, or be compromised by unauthorised third parties. All NHS organisations and those who supply or make use of NHS information therefore have an obligation to ensure that there is adequate provision for the security management of the information resources that they own, control or use.
1.3 This policy describes the way in which information should be managed and the way in which personal confidential or sensitive information should be protected.
The Corporate Information Security Policy identifies individual responsibilities for the security of information held both manually and on computers, whether transmitted across networks or telephone lines, sent by fax, spoken in conversations or printed as hard copy.
2 Policy statement for NHS Nottinghamshire County CCGs
Information Security Management is essential to the organisation and this policy addresses security management for the processing and use of NHS information. This Policy is based on current legal requirements, relevant standards and professional best practice to ensure staff understand their responsibilities towards use of their organisation's information assets.
This policy follows the principles set out in ISO/IEC 27001 Information Security and the Information Governance Toolkit (version 14). It is the overarching policy for information security and supported by specific technical security, operational security and security management policies. It supports the seven Caldicott principles and 10 data security standards. This policy covers:
- Information Security Principles
- Governance – outlining the roles and responsibilities
- Supporting specific information security policies
- Compliance requirements
All references to information security are inclusive of Cyber Security measures.
The Cyber Essentials 10 Steps to Cyber Security will be embedded within the CCG's Information Security Management Service/plan, provided by NHIS.
2.1 Aim of the Policy
- The aim of the policy is to ensure that all the organisation's filing and computer systems are secure and confidential. In particular, that these are operated in accordance with NHS guidance, Caldicott Guidance and relevant legislation such as the Data Protection Act (1998) and other legislation as detailed in the NHS Information Governance Guidance on Legal and Professional Obligations (DH 2007).
- To ensure that all staff are aware of their responsibilities and comply with the policy and that this is supported by relevant security and confidentiality training.
- To ensure that security breaches are detected and reported through the CCGs' Incident Reporting mechanism, and that breaches are resolved in collaboration with Risk Management, Information Governance, Security Management Services and/or the Caldicott Guardian, with the relevant staff involved.
Failure by any employee of the CCGs to adhere to the policy and its guidelines will be viewed as a serious matter and may result in disciplinary action.
2.2 Disciplinary Action
Breaches of this policy will be subject to investigation and may result in Disciplinary Action. Breaches of any aspect of the Policy that result in actual or potential breaches of confidentiality relating to patient or staff records may be regarded as Gross Misconduct.
3 Scope
3.1 This policy applies to:
- All users of the organisation’s information.
- All business functions within the organisation and all organisations providing a service on behalf of the organisation.
- Information (manual and electronic), information systems, networks, physical environment and relevant people who support these functions.
3.2 This policy applies to all employees (permanent, seconded, contractors, management and clinical trainees, apprentices, temporary staff and volunteers) of the CCG, including Governing Body and lay members. Third Parties with whom the CCG may agree information sharing protocols will be governed by the associated information sharing agreements and will be made aware of this policy.
3.3 Where systems are managed by third parties, it is the responsibility of the organisation to ensure that the information processing and systems of the third party are managed in line with the principles of this policy and associated legislation.
Information Security Principles
Confidentiality: Protect information/data against breaches, unauthorised disclosures, loss or unauthorised viewing
Integrity: Retain the integrity of the information/data by not allowing it to be modified without authorisation
Availability: Maintain the availability of the information/ data protecting it from disruption and denial of service attacks
In addition to the core principles, information security also relates to the protection of reputation; reputational loss can occur when any of the principles are breached. The aggregation effect, by association or volume of data, can also impact upon the Confidentiality property.
For the NHS, the core principles are impacted, and the effect aggregated, when any data breach relates to patient medical data.
4 Organisational Responsibilities
4.1 Accountable Officer
The Accountable Officer has overall responsibility for this policy and for emphasising the importance placed on all managers and staff following the policy both actively and conscientiously. The Accountable Officer has the following management arrangements in place to ensure that requirements are carried out effectively.
4.2 Senior Information Risk Owner (SIRO)
The SIRO is responsible for the security and confidentiality of information within the organisation and advises the Governing Body on the effectiveness of information risk management across the organisation. The SIRO for the organisation is supported by the Head of Information Governance and the internal Information Governance lead at each individual CCG. The SIRO shall:
- Be accountable for ensuring that organisational information risk is properly identified and managed in accordance with the CCG Risk Management policies, and that appropriate assurance mechanisms exist.
- Ensure technical information security requirements are met through monitoring of provider contracts.
4.3 Head of Information Governance
The Head of Information Governance is responsible for the day to day operational effectiveness of the Information Security Policy and its associated policies and processes. The Head of Information Governance shall:
•Lead on the provision of expert advice to the organisation on all matters concerning corporate information security, compliance with policies, setting standards and ensuring best practice.
•Provide a central point of contact for corporate information security.
•Ensure the operational effectiveness of security controls and processes.
•Monitor and co-ordinate the operation of the Information Security Management System.
•Be accountable to the SIRO and other bodies for corporate Information Security across the CCG.
•Monitor potential and actual security breaches with appropriate expert security resource.
•Lead on the provision of expert advice to the organisation on all matters concerning the Data Protection Act, compliance, best practice and setting and maintaining standards.
•Provide a central point of contact for the Act both internally and with external stakeholders (including the Office of the Information Commissioner).
•Communicate and promote awareness of the Act across the CCG.
•Lead on matters concerning individuals' right to access information held by the CCG and the transparency agenda.
4.4 Caldicott Guardian
The Caldicott Guardian is responsible for ensuring implementation of the Caldicott Principles and Data Security Standards with respect to Patient Confidential Data. This includes reviewing the patient data that is processed within the organisation, advising on information sharing, and advising on options for lawful and ethical processing of information as required.
4.5 Information Asset Owners (IAO)
Information Asset Owners are directly accountable to the SIRO and must provide assurance that information risk is being managed effectively in respect of the information assets including electronic systems that they are responsible for. The IAO shall be responsible for:
•Understanding what information is held.
•Knowing what is added and what is removed.
•Understanding how information is moved.
•Knowing who has access and why.
4.6 Information Asset Support Staff
Information support staff ensure that policies and procedures are followed, recognise actual or potential security incidents, consult their IAO on incident management, and ensure that information asset registers are accurate and up to date.
4.7 Line Managers / Senior Responsible Managers
Line Managers are responsible for implementing and maintaining the policy in their area of management, including ensuring that procedures are in place and staff adequately trained. This includes:
•Appointment of Information Asset Owners (IAO) to be responsible for Information Assets in their area(s) of responsibility.
•Awareness of information security risks, threats and possible vulnerabilities within the business area and complying with relevant policies and procedures to monitor and manage such risks
•Supporting personal accountability of users within the business area(s) for Information Security
•Ensuring that all staff under their management have access to the information required to perform their job function within the boundaries of this policy and associated policies and procedures.
4.8 All Staff (including Governing Body and Committee members)
Information Security and the appropriate protection of information assets is the responsibility of all users, and individuals are expected at all times to act in a professional and responsible manner whilst conducting CCG business. All staff are responsible for information security and remain accountable for their actions in relation to NHS and other UK Government information and information systems. Staff shall ensure that they understand their role and responsibilities, and that failure to comply with this policy may result in disciplinary action. This will be reinforced by yearly mandatory training.
All individuals covered by this policy are responsible for ensuring that they understand their responsibilities under this policy, and the policy is to be made available to new staff on induction.
NHIS provides information security assurance to the CCGs and will be responsible for providing cyber security assurance reports to the CCGs' IGMT Committee and SIROs.
5 Risk
5.1 Appropriate security measures must be viewed as necessary for protection against the risk of an event occurring or to reduce the impact of such an event. Some of these events may be deliberate acts of damage and others may be accidental. Nevertheless, a range of security measures can be deployed to address:
The Threat of something damaging the confidentiality, integrity or availability of information held on systems or manual records.
The Impact that such a threat would have if it occurred.
The Chance of such a threat occurring.
5.2 All staff must consider the risks associated with the computers and the information that is held on them, as well as information that is held in manual records.
5.3 All new projects and procurements of IT systems will have a risk assessment (Privacy Impact Assessment - PIA) as part of the project, and any existing systems should have periodic risk assessments, including those carried out by local management and internal/external audit services. Any risks identified as extreme or high must be reported to Risk Management and added to the organisational corporate risk register through each CCG's internal governance processes.
6 Access Control
Authorised Access
6.1 Access to electronic systems should be managed on an individual basis and have strict access controls associated with it. Examples of these are username and password, a one-time-only passcode (such as a remote access token) or SmartCard and PIN[1]. In addition, the following must be observed, whenever relevant.
6.2 All new starters must receive a mandatory induction, which includes general security and confidentiality awareness and IG training. It is the responsibility of all Line Managers to ensure that all new staff are properly inducted, and to arrange for access to all necessary information and systems at an appropriate level, in line with relevant local procedures, to adequately perform their duties.
6.3 Access to electronic information of another member of staff (i.e. through the network or email) can only be provided in an urgent situation and then only with verified authorisation from a Senior Manager.
6.4 It is the responsibility of Line Managers to inform relevant Information Asset Support Staff and the IT Service Desk of any staff terminating their employment, immediately on notice being given, to enable arrangements for removal of access.
6.5 No member of staff will be allowed to access information until Line Managers are satisfied that they understand and agree to their responsibilities under the Data Protection legislation and Organisation Policies.
Password Management
6.6 Passwords and PIN numbers must not be shared with other members of staff and must not be written down, left on display or be easily accessible.
6.7 Passwords and PIN numbers must be changed regularly. If this is not done as an automatic process through the system[2], it is the user's responsibility to change these at least every 3 months. Obvious choices of password or PIN must not be used, for example common words such as partner's, children's or pet's names, NHS, Nottingham, etc.
6.8 Passwords should be changed every 3 months, be at least 6 characters long and contain at least one numerical and one alphabetical character (alphanumeric).
6.9 If a member of staff suspects that their SmartCard, PIN or password security has been compromised, they should immediately change their password (if possible) and inform the NHIS Service Desk and/or the Information Governance Lead.
7 Computer Information Security
Computer Misuse Act 1990
7.1 Under the Act, 'hacking' and the introduction of computer viruses are criminal offences. The purpose of the Act is to make provision for securing computer material against unauthorised access or modification.
Virus Control
7.2 All organisations view viruses and other malicious software as presenting a significant threat to any system, and it is a disciplinary offence to wilfully introduce a virus or other malicious software onto the organisation's computer systems (section 7.1 Computer Misuse Act 1990).
7.3 Staff should report any viruses, suspected viruses or suspicious emails (which could contain viruses) to the IT Service Desk.
7.4 E-mails are of particular concern because viruses are transmitted through their attachments. Users must be vigilant when receiving unknown e-mails and must not open them. Users must follow the routine cyber security briefings that are sent out by the CCG to inform staff of changes or evolving threats in the cyber environment.
Data Security
7.5 All employment contracts must include a confidentiality clause, binding staff to maintain a proper level of security for all sensitive and personal confidential information that they may encounter as part of their employment.
7.6 All data entered onto a system or captured manually must be held accurately and should conform to Data Quality Guidance and the local operating procedures for the system.
7.7 No data must be held that breaches the Data Protection Act (1998) or formal notification and guidance issued by the Department of Health. All person-identifiable information must also be used in accordance with the Caldicott Principles. See Appendix A for further details.
7.8 Staff are authorised to have access to personal confidential data on a need-to-know basis in order for them to perform their duties. Accessing data that is not needed to carry out work, or passing data to someone who is not authorised to receive it, is a breach of confidentiality which could result in disciplinary action.
7.9 Where access to personal confidential or sensitive data is justified, all personal confidential or sensitive information should be stored on a network file server and not on the computer's local or C: drive. Any files containing person-identifiable or confidential information must be saved onto a network drive to ensure that the information is secure and backed up on a daily basis.
7.10 Staff must not store any personal confidential or sensitive information on unencrypted mobile devices.