
Hertfordshire, Bedfordshire and Luton ICT Shared Services is hosted by NHS East & North Hertfordshire CCG

Information Security Policy

Document Control (HBL001)

Document Owner: Alex McLaren
Approved by: SMT
Document Author(s): Keith Fairbrother, Metaish Parmar, Alex McLaren
Date of Approval: 20/11/2017
Version: 10.0.0
Date for Review: November 2018

HBL ICT Shared Service
Information Security Policy 10.0.0 to be reviewd Nov 18.docx Uncontrolled if Printed Template 1.0
Page 2 of 29

Version Control

Version | Status | Commentary | Date | Author
Draft | | Initial Draft | 09/2007 | J Hepburn
1.0 | Live | | 10/2007 | J Hepburn
2.0 | V2 | Review | 04/2010 | J Hepburn
3.0 | V3 Live | Amendments | 05/2010 | C Goodey
5.1 | V5.1 Live | Amendments | 02/2012 | M Wallis
5.2 | V5.2 Live | Amendments | 03/2012 | M Wallis
6.0 | V6.0 Live | Amendments | 05/2013 | M Wallis
7.0 | V7.0 Live | Amendments | 07/2013 | M Wallis / K Fairbrother
8.0 | V8.0 Draft | Amendments | 07/2014 | L Harris / K Fairbrother
8.0 | V8.0 Live | Amendments | 07/2014 | E Robson
8.1 | V8.1 Draft | Organisational Change/Formatting | 10/2014 | K Fairbrother
8.1 | V8.1 Live | HBL ICT SMT Approval | 11/2014 | HBL ICT SMT
8.2 | V8.2 Live | HBL ICT SMT Approval. Format change. | 10/2015 | HBL ICT SMT
8.2.1 | Draft | Moved to new format, ready for annual review | 8/2016 | A McLaren
8.2.2 | Draft | Updates from SMT, Linda Whiteley; ready for review by Partners. Amend Trust for Partner. Amend Job Titles, Meeting titles, Clinical Safety | 8/2016 | A McLaren
9.0 | Live | Distribution of core Policy to Partners | 9/2016 | A McLaren
9.1 | Live | Update to 6.3 to clarify change of factory-set passwords; remove section 11 as detailed in imp. plan | 12/2016 | A McLaren
9.2 | Live | Update section 7.2.3 CSA Policy | 21/04/2017 | M Parmar
9.2.1 | Draft | Annual update, inclusion of GDPR elements. Significant changes: inclusion of DPO, IAO, SRO, TA, CISO; update to Personal Information, Software, Data classification. Other: job role titles existing; streamline removal of duplicate paragraphs. No change to policy (BYOD) from NHSMail2 as this is already in place – ie no change | 31/10/2017 | A McLaren
10.0.0 | Live | Approved by SMT | 22/11/2017 | A McLaren


Distribution

Version | Status | Commentary | Date | Author
8.2.2 | Draft | External Action: Partner review (HCT, HPFT, ENHCCG, HVCCG, BCCG, LCCG) | 8/2016 | A McLaren
9.0 | Live | Internal Action: Update folders. External Action: Partner update local policy, sign off (HCT, HPFT, ENHCCG, HVCCG, BCCG, LCCG) | 9/2016 | A McLaren
9.1 | Live | Internal Action: Update folders. External Action: Partner update local policy, sign off (HCT, HPFT, ENHCCG, HVCCG, BCCG, LCCG) | 12/2016 | A McLaren
9.2 | Live | Internal Action: Update folders. External Action: Partner update local policy, sign off (HCT, HPFT, ENHCCG, HVCCG, BCCG, LCCG) | 6/6/2017 | A McLaren
10.0.0 | Live | Internal Action: Update folders. External Action: Partner update local policy, sign off (HCT, HPFT, ENHCCG, HVCCG, BCCG, LCCG) | 22/11/2017 | A McLaren

Implementation Plan

Development and Consultation: IG within Partner organisations.

Hertfordshire, Bedfordshire and Luton ICT Shared Services (HBL ICT) is committed to the fair treatment of all, regardless of age, colour, disability, ethnicity, gender, gender reassignment, nationality, race, religion or belief, responsibility for dependents, sexual orientation, trade union membership or non-membership, working patterns or any other personal characteristic. This policy / procedure will be implemented consistently regardless of any such factors and all will be treated with dignity and respect. To this end, an equality impact assessment has been completed on this policy.

Dissemination: Staff can access this policy via the Intranet and will be notified of new/revised versions via the staff briefing. This policy will be included in the CCG's Publication Scheme in compliance with the Freedom of Information Act (FOI) 2000.

Training: All staff members are required to carry out the mandatory IG training through the online NHS Information and Governance Training Tool.

Monitoring: 3rd Party Audit, IG Toolkit, spot check.

Review: The policy will be reviewed annually.

Equality, Diversity and Privacy: The PIA and EIA are completed separately.


References

External: Legislation, Guidance and Standards

Statutory Frameworks (see section 3.4). UK and EU legislation, including:
  • Data Protection Act (1998), until replaced by GDPR
  • GDPR (from 25 May 2018)
  • Freedom of Information Act (2000)
  • Human Rights Act (1998)
  • Bribery Act 2010
  • The Computer Misuse Act 1990
  • Regulation of Investigatory Powers Act (2000)
  • Copyright, Designs and Patents Act (1988)
  • Health and Social Care Act 2012
  • Caldicott 2 Review
  • Care Act 2014

Department of Health and NHS Regulations and Guidance, including:
  • Guide to Confidentiality in Health and Social Care
  • NHS IM&T Security Manual
  • NHS Information Governance Standards
  • NHS Statement of Compliance
  • HSCIC_Data_Destruction_Standard_v3.2 Destruction and Disposal of Sensitive Data - Good Practice Guidelines

Standards for Information Security Management: ISO27001 and ISO27002; SCCI 0129 & SCCI 0160.

Policies and procedures including:
  • Policies, procedure and guidance on the management of patient/client records.
  • Gartner Toolkit: Software Asset Management Policy Template Feb 15

Internal: Related Documentation
  • Management of Records Policy and Procedure
  • Standing Financial Instructions
  • Data Quality Policy
  • Email and Internet Policy
  • Information Governance Framework
  • Mobile Devices Security Policy
  • Incident Policy
  • Confidentiality Policy
  • Data Centre and Policy Procedures doc
  • Guidance on Portable Computers
  • Disposal of Assets Policy
  • Records Policy
  • Non-Standard Equipment Standards
  • Risk Management Policy
  • RA Policy

Enclosures: none


Contents

1 Executive Summary ... 10
2 Introduction ... 10
3 Purpose and Scope ... 11
  3.1 Purpose ... 11
  3.2 Scope ... 11
  3.3 Local Variation ... 11
  3.4 Legal Framework ... 11
4 Information and Data ... 12
  4.1 Ownership of Data / Data Controller ... 12
  4.2 Processing of Data / Data Processor ... 12
  4.3 Personal Information ... 12
  4.4 Chief Executive (CEO)/Managing Director (MD) - or equivalent ... 13
  4.5 Caldicott Guardian ... 13
  4.6 Senior Information Risk Owner (SIRO) ... 13
  4.7 Line Managers ... 13
  4.8 IM&T Security Adviser Role ... 13
  4.9 Data Protection Officer ... 14
  4.10 Information Asset Owners ... 14
  4.11 Senior Responsible Owners ... 14
  4.12 Technical Architect ... 15
5 Responsibility of all Staff ... 15
  5.1 General Responsibility ... 15
  5.2 Paper Records ... 15
    5.2.1 Paper Waste Disposal ... 15
  5.3 Information Systems and Equipment ... 16
  5.4 Mobile Devices ... 16
  5.5 Access to Information Systems ... 16
  5.6 Data Accuracy ... 16
  5.7 Processing Information and Data ... 17
  5.8 Portable Storage Devices - Electronic Media ... 17
6 Management and Control of Information Assets ... 17


  6.1 Control of Assets ... 17
    6.1.1 Ownership of Assets ... 17
    6.1.2 Asset Registers ... 18
    6.1.3 Procurement of Assets ... 18
    6.1.4 Disposal of Assets ... 18
    6.1.5 Media Disposal ... 18
  6.2 Access Control ... 18
    6.2.1 Physical Access Controls ... 18
    6.2.2 Logical Access Controls ... 19
    6.2.3 Computer System Access Controls ... 19
  6.3 Use of Information Assets ... 19
    6.3.1 Installation and Siting of Equipment ... 19
    6.3.2 Limitations on Use ... 19
    6.3.3 Data Security ... 20
    6.3.4 Security of Equipment Off-Premises ... 20
    6.3.5 Security of Hard Disks ... 20
  6.4 Passwords ... 20
    6.4.1 Password Protection ... 20
    6.4.2 Password Standards ... 21
  6.5 Business Continuity ... 21
    6.5.1 Physical Security ... 21
    6.5.2 Remote Access to the Organisation’s Services ... 21
    6.5.3 Remote Access to the Organisation’s Services by Staff ... 21
    6.5.4 Remote Access to the Organisation’s Services by Suppliers ... 22
    6.5.5 Business Continuity Planning ... 22
  6.6 Databases and Application Systems ... 22
    6.6.1 Authorised Databases and Systems ... 22
    6.6.2 Acquisition of Application Systems ... 22
    6.6.3 System Acceptance ... 23
    6.6.4 Privacy Impact Assessment (PIA) / Data Protection Impact Assessment (DPIA) ... 23
    6.6.5 Clinical Safety ... 23
  6.7 Software Protection ... 24
    6.7.1 Licensed Software ... 24
    6.7.2 Software Standards ... 24


    6.7.3 Virus Control ... 24
7 Electronic Mail and Internet Access ... 25
  7.1 Purpose and Ownership ... 25
  7.2 Use of Email and Internet Services ... 25
  7.3 Access and Disclosure of Electronic Communications ... 25
    7.3.1 Monitoring Usage ... 25
    7.3.2 Inspection and Disclosure of Communications ... 25
    7.3.3 Monitoring and Disclosure Procedures ... 26
8 Security Incident Management ... 26
  8.1 Personal Data Breach ... 26
  8.2 Security Incidents ... 26
    8.2.1 Logging Security Incidents ... 26
9 Disciplinary Action ... 27
Appendix A. Organisational SIROs ... 28
Appendix B. Comment Form ... 29


Terms and Acronyms

ICT: Information and Communications Technology

IM&T: Information Management and Technology

IP: Internet Protocol

PIA / DPIA: Privacy Impact Assessment / Data Protection Impact Assessment (the term for a PIA within GDPR)

SIRO: Senior Information Risk Owner

UPS: Uninterruptible Power Supply

VPN: Virtual Private Network

Data Owner / Data Processor: Under the DPA, the following terms are identified in Section 1.1:

“data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

“data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

“processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
  a) organisation, adaptation or alteration of the information or data,
  b) retrieval, consultation or use of the information or data,
  c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
  d) alignment, combination, blocking, erasure or destruction of the information or data.

The ICO states that “The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.”

CSA: Computer System Access

DPO: Data Protection Officer

EUD: End User Devices. The EUD programme anticipates that any OFFICIAL information (including information handled with the OFFICIAL-SENSITIVE caveat) can be managed on a single device that conforms to the security principles defined in the End User Device Strategy: Security Framework and Controls (March 2013). Note that the assurance required (including compliance with relevant legislation such as the Freedom of Information Act (FoI) and DPA) means that EUDs will normally be owned, managed and controlled by the organisation. Any stated residual risks must be managed in line with local risk appetites. (Taken from Government Security Classification v1.0, Oct 2013.) The NHSMail2 solution is accredited to government Official status for sharing patient identifiable and sensitive information, meaning it meets a set of information security controls that offer an appropriate level of protection against loss or inappropriate access.

HBL ICT: Hertfordshire, Bedfordshire and Luton ICT Shared Services

Personal Data and Sensitive Personal Data – under GDPR

Personal data: Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people. For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR. The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Sensitive personal data: The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9). These categories are broadly the same as those in the DPA, but there are some minor changes. For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).

Personal Data and Sensitive Personal Data – under DPA

Personal data means data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive personal data means personal data consisting of information as to:
  (a) the racial or ethnic origin of the data subject,
  (b) his political opinions,
  (c) his religious beliefs or other beliefs of a similar nature,
  (d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
  (e) his physical or mental health or condition,
  (f) his sexual life,
  (g) the commission or alleged commission by him of any offence, or
  (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Patient Confidential Data: A patient’s personal information given or received in confidence for one purpose. This may not be used for a different purpose or passed to anyone else without the consent of the provider of the information.

ICT Department: For the purposes of this document, the term ICT Department refers to HBL ICT.


1 Executive Summary

The Information Security Policy sets out the commitment of the organisation to preserve the confidentiality, integrity and availability of the information and information systems and to ensure the information and systems are effectively and lawfully managed.

The Policy aims to ensure that:

  • The organisation’s information, its information systems and the supporting infrastructure are secure and are operated in accordance with NHS Guidance, to industry standards and current best practice;
  • The information contained in or processed by these systems is kept secure;
  • Confidentiality, integrity and availability are maintained at all times;
  • Staff are aware of their responsibilities and adhere to the provisions of the policy;
  • Procedures are in place to detect and resolve security breaches and to prevent a recurrence.

This policy applies to:

  • All information and information storage, whether manual or electronic, information processing systems and networks used by the organisation;
  • All staff employed by the organisation, contractors, seconded staff from other organisations and any other persons used by the organisation or engaged on the organisation’s business;
  • Any other persons granted access to the organisation’s information, systems and networks;
  • All locations, all information, information systems, computer equipment and networks.

Application of the policy will assist in the organisation’s compliance with information related legislation, NHS standards and Information Governance Standards.

2 Introduction

The organisation works to a framework for handling personal information in a confidential and secure manner to meet ethical and quality standards. This enables National Health Service organisations in England and individuals working within them to ensure personal information is dealt with legally, securely, effectively and efficiently to deliver the best possible care to patients and clients.

The organisation, via the Information Governance Toolkit (IG Toolkit), provides the means by which the NHS can assess our compliance with current legislation, Government and National guidance.

Information Governance covers: Data Protection and IT Security (including smart cards), Human Rights Act, Caldicott Principles, Common Law Duty of Confidentiality, Freedom of Information Regulations, Information Quality Assurance and Fraud and Bribery Policy.


3 Purpose and Scope

3.1 Purpose

The Information Security Policy sets out the commitment of the organisation to preserving the confidentiality, integrity and availability of information and information systems and to ensure the information and information systems are effectively and lawfully managed.

The Policy aims to ensure that:

  • The organisation’s information, its information systems and the supporting infrastructure are secure and are operated in accordance with NHS Guidance, to industry standards and current best practice;
  • The information contained in or processed by these systems is kept secure;
  • Confidentiality, integrity and availability are maintained at all times;
  • Staff are aware of their responsibilities and adhere to the provisions of the policy;
  • Procedures are in place to detect and resolve security breaches and to prevent a recurrence.

3.2 Scope

This policy applies to:

  • All information and information storage, whether manual or electronic, information processing systems and networks used by the organisation;
  • All staff employed by the organisation, contractors, seconded staff from other organisations and any other persons used by the organisation or engaged on the organisation’s business;
  • Any other persons granted access to the organisation’s information, systems and networks;
  • All locations and all information, information systems, computer equipment or networks used by staff.

3.3 Local Variation

Variation to some parts of the policy may be allowed where local conditions do not permit full implementation. Applications for such variation must be made to the Head of Technical Services and must be approved by the ICT Department’s Director or Associate Director and Head of Governance and Compliance and, should the assessed level of risk warrant it, the Stakeholder Board before being introduced.

3.4 Legal Framework

This policy is compliant with relevant legislation, Department of Health and NHS regulations and guidance and the policies and procedures of partner organisations; principally:

UK and EU legislation, including:
  • Data Protection Act (1998), replaced on 25 May 2018 by GDPR
  • Freedom of Information Act (2000)
  • Human Rights Act (1998)
  • Bribery Act 2010
  • The Computer Misuse Act 1990
  • Regulation of Investigatory Powers Act (2000)
  • Copyright, Designs and Patents Act (1988)
  • Health and Social Care Act 2012
  • Caldicott 2 Review
  • Care Act 2014

Department of Health and NHS Regulations and Guidance, including:
  • Guide to Confidentiality in Health and Social Care
  • NHS IM&T Security Manual
  • NHS Information Governance Standards
  • NHS Statement of Compliance

Standards for Information Security Management: ISO27001 and ISO27002.

Policies and procedures including:
  • Policies, procedure and guidance on the management of patient/client records.

4 Information and Data

4.1 Ownership of Data / Data Controller

The organisation is the legal owner of all data held in its records, information systems and equipment. All of the organisation’s staff must ensure the data is accurate, up-to-date and secure from unauthorised access or disclosure.

4.2 Processing of Data / Data Processor

The organisation’s data must be processed only by systems and equipment owned or authorised by the organisation.

Data must not be transferred to or processed on any equipment that is not owned by the organisation without the prior authority of the appropriate Service Manager or the Caldicott Guardian.

Processing of all data must be legal and must comply with other organisational policies, eg the Records Management Policy.

4.3 Personal Information

Personal information is subject to the provisions of the Data Protection Act (1998) and, from 25 May 2018, GDPR. Additionally, information about patients is subject to the Guide to Confidentiality in Health and Social Care.

Under both the Data Protection Act (1998) and GDPR the organisation is obliged to notify the Information Commissioner of the personal information it processes and for what purposes. Processing of all personal information must be consistent with this notification. Privacy Impact Assessments must be carried out and submitted to the IG Manager before new systems or significant changes to existing systems are implemented; under GDPR these assessments will be called Data Protection Impact Assessments (DPIA) – see section 6.6.4, Privacy Impact Assessment (PIA) / Data Protection Impact Assessment (DPIA).

Management of Information Security


4.4 Chief Executive (CEO)/Managing Director (MD) - or equivalent

The CEO/MD of the organisation has overall responsibility for all matters relating to information security.

4.5 Caldicott Guardian

The organisation’s Caldicott Guardian will ensure that patient and service information is used legally, ethically and appropriately.

4.6 Senior Information Risk Owner (SIRO)

The SIRO is responsible for user access into systems and is responsible for information risk across the organisation.

4.7 Line Managers

Line Managers are individually responsible for ensuring that information security is applied and practised within their area of responsibility.

Specifically, Line Managers will ensure that:

  • All staff are appropriately instructed/trained in their security responsibilities;
  • All staff sign confidentiality undertakings as part of their contract of employment;
  • All staff are appropriately trained in any procedures, systems, services and equipment they are required to use;
  • Untrained staff are not allowed access to confidential information or to computer systems and equipment;
  • Staff are appropriately authorised to access information systems in accordance with their job function and relationship with patients, specifically that they do not share their login credentials;
  • Staff are authorised to access equipment, systems, services and media appropriate to their job function;
  • Information quality standards are maintained by their staff and that information recorded is accurate and up-to-date;
  • All critical job functions are adequately documented to maintain continuity of service;
  • Procedures are implemented to minimise disruption to systems and services and exposure to fraud/theft. These may include segregating duties, implementing dual control and staff rotation where appropriate;
  • Appropriate disciplinary action is taken for breaches of policies, standing instructions and legislation.

4.8 IM&T Security Adviser Role

The Security Manager – End User Computing within the ICT Department is the IM&T Security Adviser and so will provide advice and guidance on confidentiality and security of information and information systems.

Specifically, the Security Adviser will:


Develop and maintain confidentiality and information security policies and assist with the implementation of these policies;

Provide advice on compliance with legislation, NHS Policies and guidelines relating to confidentiality and information security;

Ensure that breaches of information security are investigated and reported appropriately;

Advise and assist in implementing security improvement programmes consistent with NHS, DH and industry best practice.

4.9 Data Protection Officer

The Data Protection Officer is responsible for ensuring that the organisation and its constituent business areas remain compliant at all times with the Data Protection Act, the Privacy and Electronic Communications Regulations, the Freedom of Information Act and the Environmental Information Regulations. The Data Protection Officer shall lead on the provision of expert advice to the organisation on all matters concerning the Data Protection Act, compliance, best practice and setting and maintaining standards.

The DPOs within the organisation will:

Inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws;

Monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits;

Be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).

4.10 Information Asset Owners

The Information Asset Owners (IAOs) are senior/responsible individuals involved in running the business area and shall be responsible for:

Understanding what information is held;

Knowing what is added and what is removed;

Understanding how information is moved;

Knowing who has access and why.

4.11 Senior Responsible Owners

All Senior Managers, Heads of Department, Information Risk Owners and Directors, defined as Senior Responsible Owners (SROs), are individually responsible for ensuring that this policy and information security principles shall be implemented, managed and maintained in their business area. This includes:

Appointment of Information Asset Owners (IAO) to be responsible for Information Assets in their areas of responsibility;

Awareness of information security risks, threats and possible vulnerabilities within the business area and complying with relevant policies and procedures to monitor and manage such risks;

Supporting personal accountability of users within the business area(s) for Information Security;

Ensuring that all staff under their management have access to the information required to perform their job function within the boundaries of this policy and associated policies and procedures.

4.12 Technical Architect

Within the ICT Department the Technical Architect will ensure that solutions are created that meet the business requirements and will comply with the Information Security agenda.

The Technical Architect will attend the Technical Design Authority meetings to ensure review of all solutions prior to delivery.

5 Responsibility of all Staff

5.1 General Responsibility

Information Security and the appropriate protection of information assets is the responsibility of all users, and individuals are expected at all times to act in a professional and responsible manner whilst conducting business on behalf of the organisation. All staff are responsible for information security and remain accountable for their actions in relation to NHS and other UK Government information and information systems.

Staff shall ensure that they understand their role and responsibilities and that failure to comply with this policy may result in disciplinary action. This will be reinforced by yearly mandatory training.

All members of staff are responsible for ensuring that no breaches of information security result from their actions. Members of staff are required to:

Comply with the Information Security Policy and the Guide to Confidentiality in Health and Social Care;

Raise any concern regarding information security with their manager and/or the ICT Department Service Desk;

Comply with any relevant legislation, regulations, codes of conduct, any other policies and procedures and any instructions which may be issued from time to time;

Ensure they are familiar with security measures, such as access controls and anti-virus software, and use or operate them correctly.

5.2 Paper Records

All paper records must be stored in the appropriate manual filing system when not in use.

Records containing personal information must be kept secure from unauthorised access at all times. Records are to be stored in line with the Partner records policy.

5.2.1 Paper Waste Disposal

Any reports or printouts containing personal and/or patient information must be treated as confidential, and stored and disposed of accordingly, for example in cross shredder machines or confidential waste sacks/bins. Further guidance can be found in the Partners Confidentiality Policy.

5.3 Information Systems and Equipment

Information systems and associated equipment - computers, printers, etc. - are provided for the conduct of official organisational business. They must not be used for any commercial purposes or for personal gain. Limited personal use may be permitted at the discretion of the appropriate Senior Manager.

All equipment and information must be adequately protected at all times. Any default accounts must be disabled or removed and any factory set passwords changed prior to issue for use.

Fixed assets, e.g. printers, scanners and PCs, must not be removed from premises or relocated without permission. All requests for movement of equipment must be notified to the ICT Department Service Desk.

5.4 Mobile Devices

Portable computers must only be used in accordance with the organisation’s Mobile Device Security Policy. All portable devices must be encrypted to DH standards. They must be secured at all times and must not be left in view when unattended. Any portable computer taken off premises must not be used or left in an insecure location. They must be used only by authorised persons and password protection must be in place.

5.5 Access to Information Systems

Authorised staff will be given a username and/or a smartcard and a password to access the systems they are authorised to use. These will identify the user to the system; all actions by the user are recorded by the systems.

Smartcards must be kept safe and secure and must not be used by any other person. Users of smartcards must also comply with the RA01 Short Form Conditions which they signed when the card was issued. Further guidance can be found in the RA policy.

Passwords must be kept secret and not divulged to any other person, even Personal Assistants or Secretaries. Passwords must be changed frequently as prompted by the system or in accordance with standards and instructions for the system.

Computers must be locked or switched off when unattended.

The authorised user is responsible for any action associated with their identity. Any suspected misuse should be reported to the ICT Department Service Desk.

5.6 Data Accuracy

Members of staff are responsible for the accuracy of the data they record and use. It is paramount that patient related data is accurate and up-to-date as inaccurate data could threaten patient safety. Administrative data must also be as accurate as possible to ensure effective management and decision making.


5.7 Processing Information and Data

The organisation’s information and data must only be processed or stored on NHS equipment and using authorised systems and databases. Staff must not acquire or develop systems or databases without the prior approval in writing of the relevant Information Governance Group in each organisation.

Personal equipment or non-NHS equipment must not be used to process the organisation’s information unless authorised in writing by the appropriate Information Governance Group. Where such authorisation is given, it is the responsibility of the member of staff to make adequate provision to safeguard the security, integrity and confidentiality of the data. Written advice must be sought from the ICT Department.

5.8 Portable Storage Devices - Electronic Media

Portable Storage devices include smartphones, BlackBerrys, disks, memory sticks, portable hard drives and any other device that can store information, e.g. cameras, Dictaphones, etc. These devices must only be used in accordance with the organisation’s Mobile Devices Security Policy.

Portable storage devices must be encrypted in accordance with DH standards. Only approved, authorised devices owned by the organisation can be used for storing the organisation’s information and data. Where a type of device needs to be used but its storage cannot be encrypted, such as cameras, local procedures must be created and signed off by the Information Governance Manager before such devices are used.

The approval of the appropriate Information Governance Group must be obtained prior to copying any personal data onto a portable storage device. For patient data this will be the Caldicott Guardian.

Portable storage devices must not be used for storing the primary copy of any of the organisation’s information. The primary copy must be stored on the appropriate shared drive or server area.

Portable storage devices must be kept secure at all times and stored safely when not in use.

Loss, or suspected loss, of any portable storage device must be reported to the ICT Department Service Desk and IG Manager immediately.

All redundant or non-functioning portable storage devices must be returned to the ICT Department for re-use, recycling or secure disposal as appropriate.

6 Management and Control of Information Assets

6.1 Control of Assets

6.1.1 Ownership of Assets

All information assets owned by the organisation will be identified, and will have a named custodian responsible for the security of that asset.


6.1.2 Asset Registers

The ICT Department will maintain asset registers on behalf of customers in line with SLAs. This includes:

Physical Assets (all computer equipment and hardware);

Software Assets;

Information Assets it (the organisation) owns (application systems and databases).

Information asset owners are responsible for ensuring that their information repository (database, spreadsheets, etc.) is maintained with details of all their Information Assets. The partner is responsible for informing HBL ICT of movement and transfer requests for IT Assets.

6.1.3 Procurement of Assets

All electronic information assets will be procured by the ICT Department in line with SLAs. Requests for PCs, printers and other equipment such as cameras, Dictaphones, etc., must be made through the ICT Department Service Desk.

6.1.4 Disposal of Assets

All information assets must be maintained until the end of their useful life and then must be disposed of safely and without risk to the organisation, or the organisation’s patients, clients and staff.

All computer equipment will be disposed of by the ICT Department in accordance with NHS standing instructions, EU and UK environmental and health and safety regulations. A record of all disposals will be maintained.

Computer equipment must not be sold, removed or disposed of outside of the agreed policy without the prior permission of the Director of IT and the SIRO.

6.1.5 Media Disposal

All redundant removable media must be treated as confidential waste and unconditionally formatted before disposal. Wiping the media must be done in accordance with current Government policy and standards via the ICT Department (do not attempt to do this yourself; the data will probably still be recoverable). If reformatting is not possible, the media must be destroyed.

6.2 Access Control

6.2.1 Physical Access Controls

All information servers, network control equipment, etc., will be installed in designated controlled areas secured by physical access controls.

Access to controlled areas will be restricted to authorised ICT Department staff whose job function requires access to that particular area.

The Director of IT may grant access privileges to other staff in the organisation to allow them to perform agreed specific tasks in the controlled areas.


The ICT Department may authorise authenticated representatives of third party support suppliers and agencies to access controlled areas. The representatives will be accompanied at all times in the controlled areas.

All personnel are required to wear their identity badges at all times in controlled areas and are obliged to challenge all unrecognised or unaccompanied visitors.

A record of all accesses to controlled areas will be maintained.

All staff with access to the Data Centres must abide by the Data Centre Policy and Procedures document.

6.2.2 Logical Access Controls

Access to all information and application systems will be restricted to staff who have a business need and have been authorised by their Line Manager.

Logical access to all information assets will be by means of passwords, key-tokens (smartcards) or a combination of both.

6.2.3 Computer System Access Controls

Computer system access (CSA) control is managed and controlled through a defined process. CSA requests are normally made via the customer portal of the Service Management tool, where the relevant CSA form is completed. Access to the forms is restricted and they can only be completed by an authorised member of staff. Staff with access are responsible for providing correct information and are liable for any discrepancies. This form includes a Disclaimer, which must be ticked in order for the request to be processed.

Additionally for agreed student intake or rotation these are managed from a bulk provided list of main base and job title with end date. Email address is provided but not shared drive access. If shared drive access is deemed necessary then this is logged as an additional access by the line manager or mentor or person/persons with the appropriate authority.

6.3 Use of Information Assets

6.3.1 Installation and Siting of Equipment

All equipment must be sited and installed in accordance with current environmental and health and safety regulations. Initial installation will be made by the ICT Department. Equipment must not be moved without first informing the ICT Department.

6.3.2 Limitations on Use

Equipment must only be used for the purpose it was supplied and in accordance with the manufacturer’s/supplier’s instructions.

Equipment must not be modified without the permission of the ICT Department. This includes the attachment of additional equipment and/or peripherals or the loading of additional software.

Unauthorised connection or attempted connection to the communications network, e.g. by means of a personal laptop, will be treated as serious misconduct.


6.3.3 Data Security

All electronic data files must be stored in the appropriate area on the network fileservers. This will ensure that all files reside in a secure, virus free area and are automatically backed up on a regular basis.

All confidential data will be stored in secure personal and workgroup areas. Creation of and access to these areas will be managed by the ICT Department on the authority of the appropriate senior manager.

The local hard disk on desktop PCs must not be used for the storage of files. Where a local copy has been taken (e.g. during a network failure), the files must be moved to shared areas promptly.

Removable media or portable storage devices must not be used for the archiving of data or transferring data unless specifically authorised, in which case the device must be encrypted. All data archives and transfers will be done via the organisation’s network. See also section Portable Storage Devices – Electronic Media.

6.3.4 Security of Equipment Off-Premises

Equipment and data must not be taken off site without formal authorisation from the appropriate Senior Manager or person with delegated authority.

Where equipment is located in an insecure environment or public access area, additional physical and logical security measures will be implemented in the form of locks, additional passwords, etc.

Users are responsible for the security of laptop computers and must follow good security practices in accordance with the Mobile Device Security Policy.

6.3.5 Security of Hard Disks

The hard disks on any computer may contain sensitive or confidential data, possibly in temporary files.

Theft or removal off-site of such disks is a potential threat to the security of the organisation’s information and could risk a breach of confidentiality.

Hard disks sent offsite for data recovery are therefore to be treated as Portable Storage Devices (see section), and must only be sent to approved contractors who have signed a confidentiality agreement. If encrypted they must be sent via a recorded delivery system. If unencrypted they must either be collected by the recovery firm or delivered personally by a member of the organisation’s staff or ICT Department staff.

Hard Disks that are no longer required will have all data physically removed or will be destroyed prior to disposal. This process will be controlled by the ICT Department in line with SLAs, see Disposal of Assets section.

6.4 Passwords

6.4.1 Password Protection

Access to all information systems and the network operating system will be granted on a need to know basis and restricted by password facilities controlled by the system managers.


All systems will, where possible, be configured to record unsuccessful login attempts. Accounts will be frozen after three (3) unsuccessful attempts.

User sessions will, where possible, be de-activated or logged out if inactive for 15 mins.

6.4.2 Password Standards

Passwords will be a minimum of eight (8) alphanumeric characters and contain at least one (1) alphabetic and one (1) numeric character. Staff will be responsible for maintaining the secrecy of their passwords.

Passwords must be changed frequently. Enforced password changing will be implemented using password ageing where the systems permit. The change cycle will be 30 to 90 days depending on the system.

Passwords must not be re-used for a specified number of instances. This will vary between four (4) and 12 depending on the system.

All systems should be configured to record unsuccessful login attempts and accounts will be locked after a number of failed attempts, normally three (3), depending on the system.
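The account controls in sections 6.4.1 and 6.4.2 (eight-character alphanumeric minimum, password ageing, a re-use history, freezing after three unsuccessful logins, and a 15-minute idle timeout) can be expressed as a single set of checks. The following is an added example written for this page, not code from the HBL ICT Shared Service; the thresholds are taken from the policy text, the account and username are constructed, and the salted hash is a stand-in for whatever credential store a real system uses.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds from sections 6.4.1 and 6.4.2 of the policy.
MIN_PASSWORD_LENGTH = 8
MAX_FAILED_ATTEMPTS = 3                     # account frozen after three failures
IDLE_TIMEOUT = timedelta(minutes=15)        # idle sessions are logged out
AGEING_DAYS_RANGE = (30, 90)                # change cycle depends on the system
HISTORY_DEPTH_RANGE = (4, 12)               # no re-use of this many previous passwords


def check_password_standard(password: str) -> list[str]:
    """Return the list of policy violations for a candidate password (empty = compliant)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"fewer than {MIN_PASSWORD_LENGTH} characters")
    if not any(ch.isalpha() for ch in password):
        problems.append("no alphabetic character")
    if not any(ch.isdigit() for ch in password):
        problems.append("no numeric character")
    return problems


def _digest(salt: bytes, password: str) -> bytes:
    # Salted SHA-256 keeps old passwords out of the history in clear text; a real
    # credential store would use a slow KDF (PBKDF2, bcrypt, Argon2) instead.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


@dataclass
class Account:
    """Constructed account record carrying the state the policy rules need."""
    username: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    history: list[bytes] = field(default_factory=list)   # digests, most recent last
    history_depth: int = HISTORY_DEPTH_RANGE[0]          # strictest allowed: 4
    max_age: timedelta = timedelta(days=AGEING_DAYS_RANGE[0])  # strictest: 30 days
    last_changed: datetime | None = None
    failed_attempts: int = 0
    locked: bool = False
    audit: list[str] = field(default_factory=list)       # unsuccessful logins recorded

    def set_password(self, password: str, when: datetime) -> list[str]:
        """Apply the password standard and the re-use rule; record the change if compliant."""
        problems = check_password_standard(password)
        new_digest = _digest(self.salt, password)
        recent = self.history[-self.history_depth:]
        if any(hmac.compare_digest(new_digest, old) for old in recent):
            problems.append(f"re-used one of the last {self.history_depth} passwords")
        if not problems:
            self.history.append(new_digest)
            self.last_changed = when
            self.failed_attempts = 0
        return problems

    def password_expired(self, now: datetime) -> bool:
        """Password ageing: True once this system's change cycle has elapsed."""
        return self.last_changed is None or now - self.last_changed >= self.max_age

    def record_login(self, password: str, when: datetime) -> bool:
        """Check one login attempt, log every failure, freeze after the third."""
        stamp = when.isoformat()
        if self.locked:
            self.audit.append(f"{stamp} {self.username} attempt on frozen account")
            return False
        current = self.history[-1] if self.history else b""
        if current and hmac.compare_digest(_digest(self.salt, password), current):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        self.audit.append(f"{stamp} {self.username} unsuccessful login #{self.failed_attempts}")
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
            self.audit.append(f"{stamp} {self.username} account frozen")
        return False


def session_active(last_activity: datetime, now: datetime) -> bool:
    """Idle-session rule from 6.4.1: logged out once inactive for 15 minutes."""
    return now - last_activity < IDLE_TIMEOUT
```

The `history_depth` and `max_age` fields default to the strictest values the policy allows and can be raised per system up to 12 passwords and 90 days.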

6.5 Business Continuity

6.5.1 Physical Security

All servers (virtual and physical) and data communications equipment will be located in secure controlled areas with physical entry controls restricting access to authorised personnel only.

Local data communications equipment and/or file servers will always be located in secure areas and/or lockable cabinets.

6.5.2 Remote Access to the Organisation’s Services

In addition to strong authentication, audit trails and event logs will record remote access activity, with particular emphasis on failed login attempts or attempted intrusions into the local area network.

Security breaches (actual and suspected) will be reported immediately to the ICT Department Service Desk and IG manager where it will be recorded as a security incident. All security incidents will be promptly investigated and treated very seriously.

Connection of a modem (or other unauthorised communications equipment) to the ICT Department’s managed network other than through an authenticating server, is a breach of the NHSNet Statement of Compliance and may lead to disciplinary action being taken against that individual.

6.5.3 Remote Access to the Organisation’s Services by Staff

Controlled virtual private network (VPN) access via the internet may be given to members of staff who can demonstrate a genuine need to access network resources remotely. Access will be conditional on:

The completion by an authorised manager of the appropriate Computer System Access form;


Acceptance that passwords or tokens issued to enable remote access are for use only by the person they are issued to;

The user taking care to ensure any sensitive data displayed on screen is not visible to others;

No attempt is made to connect to any wireless local area network that fails to meet at least the WPA-2 standard, e.g. wireless hotspots. Where you believe you will need to use wireless hotspots, the request must be authorised by your line manager and SIRO.

Use of domestic wireless local area networks is acceptable provided the wireless access point (sometimes known as a wireless hub or router) is configured to at least WPA-2 standards. Refer to the device manual or its supplier for information on how it should be configured.

Even when using a wired connection in a domestic setting, if a wireless access point is connected to the network it must be configured to at least the WPA-2 standard.

6.5.4 Remote Access to the Organisation’s Services by Suppliers

Controlled virtual private network (VPN) access via the internet may be given to support organisations who can demonstrate a genuine need to access network resources remotely. Access will be conditional on:

An agreement being signed restricting the access for use only by qualified persons for specified purposes and that no information will be disclosed to unauthorised persons.

Each request for dial up or VPN access being logged and approved by an authorised person in the ICT Department.

Passwords or tokens issued to enable remote access are for use only by the person they are issued to.

6.5.5 Business Continuity Planning

All critical systems will have a disaster recovery plan in the event of system or data loss. These will be agreed between the ICT Department and representatives of the organisation. Criticality of systems will be established as part of the implementation of this policy. Plans will be reviewed and tested regularly.

6.6 Databases and Application Systems

6.6.1 Authorised Databases and Systems

A list of authorised databases and applications will be maintained by the ICT Department. The organisation’s information and data must only be stored and processed in applications or databases on the list. Where members of staff develop systems in Access, such databases must not be used for storing any organisation related information or data without referral to the ICT Department. Support for such systems will only be provided on a reasonable endeavours basis.

6.6.2 Acquisition of Application Systems

Acquisition of all application systems, whether by procurement or development, must follow the current Information Governance standards and NHS procurement procedures and guidelines. The ICT Department must be approached as early as possible in such a process.

Security requirements to ensure compliance with this policy must be incorporated in the business requirements used for the development or procurement process. The security requirements must be approved by the Head of Technical Services before the start of any procurement or development.

Prospective suppliers must formally commit to meeting or exceeding the required level of security.

6.6.3 System Acceptance

Application systems will not be connected to, or accessed from, the managed network until the ICT Department Head of Technical Services is satisfied that security has been comprehensively addressed.

The Project Team responsible for the new system will devise formal acceptance test plans and demonstrate that the security requirements of the system have been tested satisfactorily. These tests must include witness testing the strength of the security features in a controlled environment.

6.6.4 Privacy Impact Assessment (PIA) / Data Protection Impact Assessment (DPIA)

A PIA/DPIA must be completed for all application systems. This will be completed before new applications are accepted. The PIA/DPIA must be revised when any changes to functionality or usage are made.

A PIA/DPIA must also be completed in respect of any data being transferred between the organisation and third parties along with all other appropriate documents.

The DPIA/PIA must contain the following information:

A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller;

An assessment of the necessity and proportionality of the processing in relation to the purpose;

An assessment of the risks to individuals;

The measures in place to address risk, including security, and to demonstrate that you comply.

6.6.5 Clinical Safety

The provision and deployment of Health IT Systems within the National Health Service (NHS) can deliver substantial benefits to NHS patients through the timely provision of complete and correct information to those healthcare professionals that are responsible for delivering care. However, it has to be recognised that failure or incorrect use of such systems has the potential to cause harm to those patients that the system is intending to benefit.

To ensure that Health IT Systems do not introduce risks to NHS patients, all Health IT systems must now comply with the following National Information Standards:


SCCI 0129 – Clinical Risk Management: its Application in the Manufacture of Health IT Systems

SCCI 0160 – Clinical Risk Management: its Application in the Deployment and Use of Health Software

These two standards provide manufacturers of Health IT systems and software and Health Organisations responsible for deploying these systems with a set of mandated requirements to ensure that they are well designed and do not impact on patient safety.

SCCI 0129 outlines the safety management requirements for system suppliers during system production and handover to healthcare organisations including system changes and upgrades. This requires suppliers to produce formal documentation of their clinical safety assessment and approval process, identification of any risk and mitigation proposal.

SCCI 0160 requires healthcare organisations to ensure appropriate systems are in place to assess patient safety risks during procurement, implementation, use and decommissioning of Health IT Systems. These processes should build upon or clarify existing safety processes, project governance and other clinical risk management arrangements. This requires suppliers to produce formal documentation of their clinical safety assessment and approval process, identification of any risk and mitigation proposal.

6.7 Software Protection

6.7.1 Licensed Software

Only licensed and supported software will be installed on organisation owned equipment. All installed software must comply with ICT Department standards. All software must be used only for the purpose it is provided and in accordance with training and instructions.

Any required software will be procured and installed by the organisation’s ICT Department. Records of entitlement data, including contracts, purchase records and other media to support proof of software subscription use rights must be maintained. Staff must not install any software on any of the organisation’s computers without the express written consent of Partner IG and ICT Department’s Governance and Compliance Manager.

Users who require additional software must submit a request to their Department Manager.

6.7.2 Software Standards

The organisation has standardised on the Microsoft Office suite of applications, Microsoft Outlook E-mail for office applications and Microsoft Internet Explorer for web browsing. Alternative products are not supported and must not be installed.

Software used must be reviewed by ICT Department to ensure it is fit for purpose and does not have a negative impact on other business applications.

6.7.3 Virus Control

Virus protection software will be installed on all network servers and all PCs. The virus protection software will be updated frequently to ensure adequate protection against the latest viruses. Network servers will be updated at least daily. Standalone PCs must be updated at least weekly.

The users of portable computers are responsible for ensuring virus protection is kept up-to-date. Portable computers receive updates every time they are connected to the network and must be so connected at least once a month.

Connection (beyond the need to download updates) may be refused if any PC or laptop does not have up-to-date anti-virus software.

The ICT Department will make every effort using the technology available to protect against virus attacks. Users are also responsible for ensuring virus infections do not occur or are spread by their actions.

Any suspected or actual virus infection must be reported to the ICT Department Service Desk by phone immediately. Any user suspecting virus activity on their PC or laptop should disconnect it from the network if they are able to do so safely.

7 Electronic Mail and Internet Access

7.1 Purpose and Ownership

E-mail and internet services are provided for the conduct of the organisation’s and NHS business. These systems, including the hardware, software and all data that are stored within the system - including all messages, attachments and file downloads - are the property of the organisation.

7.2 Use of Email and Internet Services

All staff must comply with the organisation’s E-Mail and Internet Policy.

7.3 Access and Disclosure of Electronic Communications

7.3.1 Monitoring Usage

All electronic communications - including email and Internet - will be monitored to ensure compliance with policies, license use rights, procedures and with the organisation’s statutory obligations.

The organisation may at any time, and without notice, block any incoming or outgoing communication that is considered to be not relevant to the conduct of the organisation’s or NHS business or which could damage any of the organisation’s systems or information.

7.3.2 Inspection and Disclosure of Communications

All electronic communication may be inspected and disclosed under the provisions of the Data Protection Act (1998) and GDPR from 2018 and the Freedom of Information Act (2000), subject to the safeguards contained in the legislation. This may be done without informing the sender or recipient.

Inspection and disclosure may also be done:

To discharge legal obligations and legal processes and any other obligations to staff, clients, patients, customers or any other persons;


To locate information required for the organisation’s or NHS business that is not readily available by other means;

To safeguard assets and to ensure they are used in an appropriate manner;

In the course of an investigation into alleged criminal offences, misconduct or misuse.

7.3.3 Monitoring and Disclosure Procedures

Prior approval must be obtained from the ICT Department’s Director or Associate Director to gain access to the contents of electronic communications or data stores, and disclose information gained from such access.

8 Security Incident Management

The ICT Department will detect, investigate and resolve any suspected or actual breaches in computer security. The processes for managing security incidents will be linked with the organisation’s incident reporting policies and procedures.

8.1 Personal Data Breach

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

All suspected breaches must be reported at once to the organisation’s DPO. The organisation will notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it.

8.2 Security Incidents

A security incident is an event that may result in:

the integrity of any system being jeopardised;

the availability of any system being jeopardised;

unauthorised disclosure of information or disruption of activity;

unauthorised or inappropriate use of assets and resources;

financial loss or loss of resources;

legal action.

All suspected security incidents must be reported at once to the ICT Department’s Service Desk.

8.2.1 Logging Security Incidents

All ICT related incidents should be reported to the ICT Department via the Service Desk. All actual or suspected security incidents will be formally logged, categorised by severity and action/resolution recorded by the ICT Department’s Service Desk.

In addition, the organisation’s incident recording system may be used to log untoward events. This process will record what happened, what was done, by whom, when and the final resolution. Refer to the Incident Policy for details.

Disaster Recovery procedures will be invoked in response to serious problems, e.g. inability to recover critical live systems.

9 Disciplinary Action

Members of staff who breach any aspect of this policy will be subject to disciplinary action in line with the current disciplinary policy. Serious breaches will be regarded as gross misconduct and may result in dismissal and potential referral to the Local Counter Fraud Service (LCFS) for further investigation.

Appendix A. Organisational SIROs

Organisation: SIRO Role

BCCG: Director of Finance

ENHCCG: Director of Finance

HCT: Director of Finance

HPFT: Executive Director Quality and Medical Leadership

HVCCG: Director of Finance

LCCG: Director of Finance

Appendix B. Comment Form

As part of the HBL ICT Services Department continuous improvement regime, would you please complete this form. Any comments or feedback on this document should be addressed to the Owner. Please provide your name and contact details in case clarification is required.

Name

Address

Phone

Email

Please return to:

HBL ICT Services

Charter House

Welwyn Garden City

Hertfordshire, AL8 6JL

Please confirm the document you want to give response …

Please rate the document using the topics and criteria indicated below (rating scale: Very Good, Good, Average, Fair, Poor):

Format and Layout

Accuracy

Clarity

Illustrations (tables, figures etc.)

When using the document, what were you looking for?

How could the document be improved?

How often do you use the document?

If you have additional comments, please include them below:

Thank you for your time