Information Security Policy
Director of Corporate Services
Date Approved: March 2011 Committee: Information Governance
NICE GUIDANCE Once NICE guidance is published, health professionals are expected to take it fully into account when exercising their clinical judgment. However, NICE guidance does not override the individual responsibility of health professionals to make appropriate decisions according to the circumstances of the individual patient in consultation with the patient and/or their guardian or carer.
Page 1 of 10
Version Control
Current versions of all policies can be found on the NHS Kirklees internet and intranet. If printing a document, please check the internet/intranet for the most up-to-date version.

Document Title: Information Security Policy
Document number:
Author: Senior Confidentiality IM & T Security Officer
Contributors: Information Governance Group
Version: 2.0
Date of Production: January 2011
Review date: April 2013
Postholder responsible for revision: Senior Confidentiality IM & T Security Officer
Primary Circulation List: All Staff
Web address:
Restrictions: None
Standard for Better Health Map
Domain: Governance
Core Standard Reference:
Performance Indicators:
Contents
1. Introduction (page 4)
2. Associated Policies and Procedures (page 4)
3. Aims of this Policy (page 4)
4. Scope of this Policy (page 4)
5. Accountabilities & Responsibilities (page 5)
6. Procedure (page 5)
7. Equality Impact Assessment (page 8)
8. Training Needs Analysis (page 8)
9. Monitoring compliance with this policy (page 8)
10. References

Appendices
A. Definitions
B. Key Stakeholders consulted/involved in the development of the policy/procedure
C. Equality Impact Assessment Tool
Policy Statement In line with the Data Protection Act 1998, NHS Kirklees will take all practicable steps to protect the confidentiality, integrity and availability of its information assets, including the hardware, software and information held on its networks and applications.
Introduction This document defines the Information Security Policy for NHS Kirklees (referred to hereafter as the PCT). This policy is adhered to and supported by The Health Informatics Service (THIS) who provide IT support for and are hosted by Calderdale and Huddersfield NHS Foundation Trust. The requirements of this policy are consistent with the equivalent policies for neighbouring organisations that share common networks or receive services from THIS. This Policy applies to all PCT business and covers the information, information systems, networks, physical environment and relevant people who support those business functions.
Associated policies & procedures This policy should be read in accordance with the following Trust policies, procedures and guidance:
- Confidentiality Policy
- Records Management Policy
- Email Policy
- Network Security Policy
- Disciplinary Policy
- Incident Reporting Policy
Aims and objectives The objective of this policy is to ensure the security of the PCT's information assets. To do this the PCT will:
a) Ensure Availability: ensure that assets are available for users;
b) Preserve Integrity: protect assets from unauthorised or accidental modification;
c) Preserve Confidentiality: protect assets against unauthorised disclosure.
Scope of this policy
This policy must be followed by all NHS Kirklees employees and applies to all information media, systems, networks, portable devices, applications and locations in use by the PCT, and to all staff and/or organisations hosted by the PCT and using the IT network and/or systems.
It must be followed by all staff who work for NHS Kirklees, including those on temporary or honorary contracts, bank staff and students. Breaches of this policy may lead to disciplinary action being taken against the individual. Independent Contractors are responsible for the development and management of their own procedural documents and for ensuring compliance with relevant legislation and best practice guidelines. Independent Contractors are encouraged to seek advice and support as required.
Accountabilities and Responsibilities
The Chief Executive The Chief Executive of NHS Kirklees and Managing Director of KCHS are ultimately responsible for ensuring that the necessary support and resources are available for the effective implementation of this Policy.
The Information Governance Group The Information Governance Group are responsible for the review and approval of this policy.
Director of Corporate Services The Director of Corporate Services is the Senior Information Risk Owner (SIRO) and has organisational responsibility for all aspects of Information Governance, including responsibility for ensuring that the PCT has appropriate systems and policies in place to support robust Information Governance procedures.
Procedure The overall Information Security procedure for the PCT is described below. PCT information systems, applications and networks must be available when needed, be accessible only by legitimate users and contain complete and accurate information. They must also be able to withstand or recover from threats to their availability, integrity and confidentiality. To satisfy this, the PCT will undertake the following:
a) Protect all hardware, software and information assets under its control. This will be achieved through the implementation of a set of well-balanced technical and non-technical measures;
b) Provide both effective and cost-effective protection that is commensurate with the risks to its assets;
c) Implement the Information Security Policy in a consistent, timely and cost-effective manner;
d) Where relevant, comply with:
- Copyright, Designs & Patents Act 1988
- Access to Health Records Act 1990
- Computer Misuse Act 1990
- The Data Protection Act 1998
- The Human Rights Act 1998
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
- The Environmental Information Regulations 2004
- Health & Social Care Act 2001
e) Comply with other laws and legislation as appropriate.
The PCT in conjunction with THIS will carry out security risk assessment(s) in relation to all the business processes covered by this policy. These risk assessments will cover all information systems, applications and networks that are used to support those business processes. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability.
Procedures relating to the operation of systems must be appropriately documented. The procedures should be developed on the basis of an analysis of risk.
All users of the system must be made aware of the contents and implications of relevant System Security Policies.
Project Managers and the Information Asset Owner (IAO) responsible for implementing systems must ensure that effective security countermeasures are produced and implemented as part of any new systems project, and that all relevant system documentation relating to operating procedures and contingency plans is in place as part of the project.
Accreditation of information systems
All information systems, applications and networks must be approved by the appropriate IAO and the Head of Professional Services (THIS) before they commence operation.
The Head of Professional Services is responsible for ensuring that the information systems do not pose an unacceptable security risk to the organisation.
Security audits
THIS will require checks on, or an audit of, actual implementations based on approved security policies.
THIS will ensure that measures are in place to detect and protect the network from viruses and other malicious software.
All software used on PCT equipment must have a valid licence agreement. Software may only be installed onto a computer by, and with the approval of, the Service Desk. Any person who installs or attempts to install unauthorised software onto a computer may be subject to the PCT's disciplinary process.
System change control
The relevant Portfolio Manager of THIS in conjunction with the appropriate IAO will review changes to the security of any information system, application or network. In addition, all such changes must be reviewed and approved by the Portfolio Manager Networks. The relevant Portfolio Manager is responsible for updating all relevant System Security Policies, design documentation and security operating procedures. For networks this is the Portfolio Manager Networks and for systems this is the Portfolio Manager Back Office.
THIS may require checks on or an assessment of the actual implementation based on changes implemented.
External network connections
All connections to external networks and systems will be documented and have approved System Security Policies.
The Portfolio Manager Networks must approve all connections to external networks and systems before they commence operation.
System configuration management
There will be an effective configuration management system for all information systems, applications and networks.
Technical compliance checking
Information systems are regularly checked for compliance with security implementation standards.
Business continuity and disaster recovery plans
Business continuity plans and disaster recovery plans are required for all critical applications, systems and networks.
The plans must be reviewed by the IAO and Head of Professional Services (THIS) and tested on a regular basis.
Equality Impact Assessment All public bodies have a statutory duty under the Race Relations (Amendment) Act 2000 to "set out arrangements to assess and consult on how their policies and functions impact on race equality." This obligation has been extended to include equality and human rights with regard to disability, age and gender. The Trust aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others. In order to meet these requirements, a single equality impact assessment is used to assess all its policies/guidelines and practices. This Policy was found to be compliant with this philosophy (see appendix C).
Training Needs Analysis Information Governance Training is mandated under the NHS Operating Framework 2010-11. Training is provided both through classroom sessions and via the Connecting for Health e-learning package, the Information Governance Training Tool (IGTT). Information Security is covered by both methods of training.
Monitoring Compliance with this policy Compliance with this policy will be measured by the number of information security incidents reported and by the annual submission of the Information Governance Toolkit.
References
- Copyright, Designs & Patents Act 1988
- Computer Misuse Act 1990
- The Data Protection Act 1998
- The Human Rights Act 1998
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
- The Environmental Information Regulations 2004
- Health & Social Care Act 2001
Appendices A. Definitions
B. Key stakeholders consulted/involved in the development of the policy/procedure

Stakeholder name and designation | Key Participant (Yes/No) | Feedback requested (Yes/No) | Feedback accepted (Yes/No)
Information Governance Group | Yes | Yes |
C. Equality Impact Assessment Tool To be completed and attached to any procedural document when submitted to the appropriate committee for consideration and approval. Name of Policy / Procedure: Information Security Policy
1. Does the policy/guidance affect one group less or more favourably than another on the basis of:
Race
Ethnic origins (including gypsies and travellers)
Religion or belief
Sexual orientation including lesbian, gay and bisexual people
Disability - learning disabilities, physical disability, sensory impairment and mental health problems
Is there any evidence that some groups are affected differently?
If you have identified potential discrimination, are any exceptions valid, legal and/or justifiable?
Is the impact of the policy/guidance likely to be negative?
If so can the impact be avoided?
What alternatives are there to achieving the policy/guidance without the impact?
Can we reduce the impact by taking different action?
If you have identified a potential discriminatory impact of this procedural document, please refer it to [insert name of appropriate person], together with any suggestions as to the action required to avoid/reduce this impact. For advice in respect of answering the above questions, please contact [insert name of appropriate person and contact details].