ICT Portable Devices and Portable Media Security


Who Should Read This Policy

Target Audience:
- All Trust Staff, contractors, and other agents, who utilise trust equipment and access the organisation's data and networks
- All ICT Staff

Version 1.0 October 2016

Contents

1.0 Introduction
Purpose
Objectives
Process
Laptops
Data Storage Devices
Secure Storage, Removal or Disposal of Data
Procedures connected to this Policy
Links to Relevant Legislation
Links to Relevant National Standards
Links to other Key Policies
Roles and Responsibilities for this Policy
Training
Equality Impact Assessment
Data Protection and Freedom of Information
Monitoring this Policy is Working in Practice

Explanation of terms used in this policy

CDR: Compact Disc Recordable (can record data onto it)
CfH: Connecting for Health
DVD: Digital Versatile Disc (can record data onto it)
Encrypted F: drive: Individuals allocated space on Trust servers.
N3: NHS New National Network (connects all NHS sites)
NHSmail: System provided for all NHS staff
PDAs: Personal Digital Assistant
PID: Person Identifiable Data (Staff or Client)
Resource Drive(s): Allocated space on servers for ALL teams work.
RWS: Remote Working Solution (home working)
USB: Universal Serial Bus
VPN: Virtual Private Network (encrypted private network)

1.0 Introduction

This document defines the Portable Data Security Policy for The Black Country Partnership NHS Foundation Trust. The Portable Devices and Portable Media Security policy applies to all business functions and information contained on portable devices such as, but not limited to: Laptop Computers, PDAs (including Windows, Apple, Android and Blackberry Smart Phones and tablets), Dictaphones, MFDs and Pen Drive devices (USB memory sticks), CD/DVDs, tape drives, hard disks and other data storage equipment. The organisation has a responsibility to ensure that all information and data is secure on all types of media.

Policy Statement

Personal data must not be held on portable media unless this has been approved by the Senior Information Risk Officer (SIRO) or the Head of IT.

2.0 Purpose

The aim of this policy is to ensure the security of the Black Country Partnership NHS Foundation Trust portable data devices.

3.0 Objectives

- Inform all Trust staff of the policy for the protection of the confidentiality, integrity and security of portable data devices
- Establish the security responsibilities for data security on portable devices used inside and outside of the organisation
- Establish the roles and responsibilities for all staff employed by the Trust

4.0 Process

All personnel or agents acting for the Black Trust have the following duties of care:

- Always safeguard hardware, software and information in their care
- Ensure all devices carrying personal identifiable information are encrypted to the latest NHS standards
- Prevent the introduction of malicious software on the organisation's ICT systems by never installing any unauthorised software or allowing Antivirus software to become out of date
- Report any suspected or actual breaches of security to the Head of ICT or Line Manager
- Ensure that any data or devices carried in vehicles are not left in plain sight, i.e. where possible, place laptops etc. into the boot of the vehicle even when travelling
- Never leave portable data devices in vehicles overnight
- Never leave portable data devices unlocked
- Never download or save any data to any local drive of ANY PC/laptop/Tablet or non-encrypted device
- Ensure that data is not taken off site for any purpose other than the treatment of patients, or where a meeting requiring access to specific data is taking place off site where remote connectivity is unavailable
- Ensure that all reasonable steps are taken to secure data being viewed from being seen by third parties

Department Directors and managers have a duty to ensure that department managers are aware of their responsibilities, and that staff who carry portable data and/or devices are aware of and comply with this policy.

Personal identifiable data held on portable devices cannot be transferred without the express permission of the SIRO or the Head of ICT.

This policy applies to all devices provided by the Trust or the used for:

- The storage, sharing and transmission of non-clinical data and images.
- The storage, sharing and transmission of clinical data and images.
- Remote connections to NHS network (N3).
- Remote connections to the Black Trust network i.e. home working

The overall Data Security Policy for The Black Country Partnership NHS Foundation Trust is described below:

- Security should be applied to equipment going off-site taking into account the different risks of working outside the organisation's premises
- Regardless of ownership, the use of any information processing equipment outside the organisation's premises should be authorised by department managers/directors
- Security risks, e.g. of damage, theft or eavesdropping, may vary considerably between locations and should be taken into account in determining the most appropriate controls

To satisfy this, the Trust will undertake the following:

- Protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well-balanced technical and non-technical measures
- Provide both effective and cost-effective protection that is commensurate with the risks to its assets
- Implement the Data Security Policy in a consistent, timely and cost effective manner
- Provide users of laptops with appropriate training and instruction in the use of the laptop and its security functionality and lockdown procedures. This will include their responsibility for safeguarding the laptop and their obligation to comply with relevant information governance security procedures of the organisation

If there is evidence that members of staff are not adhering to the guidelines set out in this policy, the Trust reserves the right to examine the portable devices usage/content and to take disciplinary action, which may lead to a termination of contract and/or legal action.

4.1 Laptops

Regardless of a laptop's ownership, the use of any equipment outside an NHS organisation's business premises for the processing of NHS information must be authorised by the relevant Director or Head of Department.

Where the processing of NHS patient information is proposed on laptop devices, additional authorisation must be obtained from the organisation's Caldicott Guardian and the device must use NHS standard encryption software.

Remote access from a laptop to NHS information systems must be achieved in accordance with the organisation's NHS IG Statement of Compliance, NHS IG guidance, and any defined requirements for the protection or use of the NHS information service(s) concerned.

Sensitive data, including that relating to patients, stored on an NHS laptop should be kept to the minimum required for its effective business use in order to minimise the risks and impacts should a breach occur.

Loss of Laptops must be reported immediately to the department manager who will inform the Head of ICT.

4.2 Data Storage Devices

Data storage devices, which include but are not exclusive to Hard Drives, Memory Sticks, CDs, DVDs, PDAs (including Windows, Apple, Android and Blackberry Smart Phones and tablets), MFDs and Dictaphones, must use or be protected by NHS approved standard encryption software.

Sensitive data, including that relating to patients, stored on a data storage device should be kept to the minimum required for its effective business use in order to minimise the risks and impacts should a breach occur.

Personal Identifiable Information kept on such devices must be encrypted to NHS standards using NHS standard encryption software as a minimum.

Loss of data storage devices must be reported immediately to the department manager who will inform the Head of IT.

Mobile phones/PDAs must be protected by a PIN code / Password and set to time out after a maximum of 15 minutes' use.

Dictaphones (Digital Dictation Devices) must be capable of being protected by either PIN access or biometrics (fingerprint readers) and of encryption.

4.3 Secure Storage, Removal or Disposal of Data

All Trust staff must ensure that all data on equipment (e.g. on hard disks, CDs, DVDs or tapes) is securely overwritten. Where this is not possible, the Black Country Partnership NHS Foundation Trust ICT department will ensure the physical destruction of the disk or tape.

Where disks are to be removed from the premises for repair, where possible, the data is securely overwritten or the equipment de-gaussed by the ICT Department.

Data that is to be stored for audit purposes on removable media such as DVDs must be kept in a secure, locked environment, i.e. a data safe. Where this is not possible, advice must be sought from the Caldicott Guardian or the ICT Department.

MFDs (Multi-Function Devices) such as print/fax scanners can contain internal hard drives which must be treated like a normal hard drive for disposal.

5.0 Procedures connected to this Policy

There are no standard operating procedures currently linked to this policy.

6.0 Links to Relevant Legislation

Where relevant, the Trust will comply with:

- Copyright, Designs & Patents Act 1988
- Access to Health Records Act 1990
- Computer Misuse Act 1990
- The Data Protection Act 1998
- The Human Rights Act 1998
- Electronic Communications Act 2000

- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
- Health & Social Care Act

Links to Relevant National Standards

There are no links to relevant national standards.

6.2 Links to other Key Policies

ICT Change Control Policy
The purpose of this policy is to mitigate any risks associated with implementation of changes to the Trust ehealth systems.

ICT and Internet Acceptable Use Policy
The purpose of this policy is to clearly define the acceptable usage and standards that apply to all Trust and NHS and internet Systems by employees and all other sponsored/authorised individuals.

ICT Remote Access Policy
The aim of this policy is to set out the security measures, practices and restrictions in place to minimise the risks for connecting to Black Country Partnership NHS Foundation Trust's internal network from external hosts via remote access technology, and/or for utilising the Internet for business purposes via third-party Internet service providers.

ICT Telecommunications Policy
The purpose of this policy is to set out the key principles regarding the use of Telecommunications equipment within the Trust.

ICT Priority 1 Incident Handling Policy
The purpose of this policy is to define the actions, communications and escalation steps that are to be used to manage a Priority 1 incident for all staff within ICT Services.

ICT Security Policy
The purpose of this policy is to provide management direction, support and outline how information security is managed throughout the Trust. The approach adopted conforms to ISO standard 27000, specifically relating to Information Security Management Systems (ISMS). The policy also aims to develop a positive culture of information security throughout the Trust.

7.0 Roles and Responsibilities for this Policy

Title: Third Party Organisations
Role: Access to any Trust system, network and data for a specified purpose
Key Responsibilities:
- abide by the controls detailed within this document
- sign and comply with the Non-Disclosure Agreement
- comply with the standards expected in respect of Information Security Systems and to ensure that a robust information security infrastructure is implemented and adhered to within their own organisation
- ensure that each access session is used solely for the agreed purpose for that connection

Title: All staff
Role: Adherence
Key Responsibilities:
- have a responsibility to familiarise themselves with this policy and adhere to its principles in order to keep the Trust's Networks secure
- ensure they understand their responsibilities and be accountable for their actions
- compliance with all Trust policies is a condition of employment and a breach of this policy may result in disciplinary action
- any breaches or incidents relating to this policy and area of practice are reported on DATIX, the Trust's electronic incident reporting system.
- if a member of staff has concerns about the way this policy is being implemented or about this area of practice in general, they should raise this with their line manager. If they feel unable to raise the matter with them, he/she may write to an Executive Director. If they feel unable to raise the matter with an Executive Director, he/she may write to the Chairman or a Non-Executive Director. If he/she is unsure about raising a concern or requires independent advice or support, they can contact:
  - their Trade Union representative
  - the relevant professional body
  - the NHS Whistleblowing Helpline

Title: Line Managers
Role: Implementation
Key Responsibilities:
- complete user account application form
- ensure that staff granted access have read and understood this policy

Title: ICT Manager
Role: Implementation Lead
Key Responsibilities:
- ensure a robust framework is in place so the Trust complies with national legislation and guidance relating to ICT security
- ensure that Groups are fully informed of their role in maintaining the required standards of practice relating to portable Devices and Portable Media Security
- lead on strategies and innovations to improve more secure and efficient methods of portable devices and media
- policy lead/author of this policy

Title: ICT Department
Role: Technical Support
Key Responsibilities:
- Implementing approved requests for portable storage and to provide secure methods to transfer media in a timely manner
- provide technical support and advice on the implementation of this policy as requested
- ensure that User access rights are correctly implemented

Title: Information Governance Steering Group
Role: Scrutiny and Performance
Key Responsibilities:
- oversee the governance of information management across the Trust
- receive incidents, breaches and specific issues in relation to the delivery, development and monitoring of ICT information management systems
- review all policies, guidelines and procedures relating to information and ICT security systems

Title: Executive Director of Nursing AHPs and Governance
Role: Senior Information Risk Owner (SIRO)
Key Responsibilities:
- implements and leads the information governance risk assessment and management processes within the Trust and advises the Board of Directors on the effectiveness of information risk management across the organisation
- act as a champion for information risk on the Board and provide written advice to the Chief Executive on the content of their annual governance statement in regard to information risk

Title: Director of Strategy, Estates and ICT
Role: Executive Lead
Key Responsibilities:
- lead responsibility for the implementation of this policy
- allocation of resources to support the implementation of this policy
- any serious concerns regarding the implementation of this policy are brought to the attention of the Board of Directors

Title: The Trust
Role: Accountable
Key Responsibilities:
- ensure advice is always available from the ICT department and departmental managers
- ensure that all devices are secured to standards defined by governing organisations applicable to the NHS
- provide encryption tools and advice via the ICT department and departmental managers
- maintain a record of all portable devices in use (departmental managers are responsible for this)
- investigate reports of misuse
- prevent inappropriate use

8.0 Training

- What aspect(s) of this policy will require staff training? n/a
- Which staff groups require this training? n/a
- Is this training covered in the Trust's Mandatory and Risk Management Training Needs Analysis document? n/a
- If no, how will the training be delivered? n/a
- Who will deliver the training? n/a
- How often will staff require training? n/a
- Who will ensure and monitor that staff have this training? n/a

9.0 Equality Impact Assessment

Black Country Partnership NHS Foundation Trust is committed to ensuring that the way we provide services and the way we recruit and treat staff reflects individual needs, promotes equality and does not discriminate unfairly against any particular individual or group. The Equality Impact Assessment for this policy has been completed and is readily available on the Intranet. If you require this in a different format e.g. larger print, Braille, different languages or audio tape, please contact the Equality & Diversity Team on Ext or EqualityImpact.assessment@bcpft.nhs.uk

10.0 Data Protection and Freedom of Information

This statement reflects legal requirements incorporated within the Data Protection Act and Freedom of Information Act that apply to staff who work within the public sector. All staff have a responsibility to ensure that they do not disclose information about the Trust's activities in respect of service users in its care to unauthorised individuals. This responsibility applies whether you are currently employed or after your employment ends and in certain aspects of your personal life e.g. use of social networking sites etc. The Trust seeks to ensure a high level of transparency in all its business activities but reserves the right not to disclose information where relevant legislation applies.

11.0 Monitoring this Policy is Working in Practice

- What key elements will be monitored? (measurable policy objectives): All incidents relating to noncompliance and / or breaches in security
- Where described in policy?: Throughout all of the document
- How will they be monitored? (method + sample size): DATIX, the Trust's electronic incident reporting system
- Who will undertake this monitoring?: ICT Department
- How Frequently?: Annually
- Group/Committee that will receive and review results: Information Governance Steering Group
- Group/Committee to ensure actions are completed: Information Governance Steering Group
- Evidence this has happened: Reports and Minutes of Meetings

Policy Details

- Title of Policy: ICT Portable Devices and Portable Media Security
- Unique Identifier for this policy: BCPFT-ICT-POL-04
- State if policy is New or Revised: New
- Previous Policy Title where applicable: n/a
- Policy Category (Clinical, HR, H&S, Infection Control etc.): ICT
- Executive Director whose portfolio this policy comes under: Director of Strategy, Estates and ICT
- Policy Lead/Author (Job titles only): ICT Manager
- Committee/Group responsible for the approval of this policy: Information Governance Steering Group
- Month/year consultation process completed *: August 2015
- Month/year policy approved: February 2016
- Month/year policy ratified and issued: October 2016
- Next review date: October 2019
- Implementation Plan completed *: Yes
- Equality Impact Assessment completed *: Yes
- Previous version(s) archived *: Yes
- Disclosure status: B can be disclosed to patients and the public
- Key Words for this policy: ICT, Media, USB, Devices

* For more information on the consultation process, implementation plan, equality impact assessment, or archiving arrangements, please contact Corporate Governance

Review and Amendment History

- Version: 1.0
- Date: Oct 2016
- Details of Change: New policy for BCPFT


More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

PCA Staff guide: Information Security Code of Practice (ISCoP)

PCA Staff guide: Information Security Code of Practice (ISCoP) PCA Staff guide: Information Security Code of Practice (ISCoP) PCA Information Risk and Privacy Version 2015.1.0 December 2014 PCA Information Risk and Privacy Page 1 Introduction Prudential Corporation

More information

Data Loss Assessment and Reporting Procedure

Data Loss Assessment and Reporting Procedure Data Loss Assessment and Reporting Procedure Governance and Legal Services Strategy, Planning and Assurance Directorate Approved by: Data Governance & Strategy Group Approval Date: July 2016 Review Date:

More information

Information Security Incident

Information Security Incident Good Practice Guide Author: A Heathcote Date: 22/05/2017 Version: 1.0 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body

More information

MRC Information Security Policy (IT_pg_003)

MRC Information Security Policy (IT_pg_003) () Contents Policy statement... 3 1. Key principles... 3 2. Scope... 4 3. Purpose... 5 4. General considerations... 5 5. Accessing information and information assets... 5 6. Technical aspects... 6 7. Use

More information

UTAH VALLEY UNIVERSITY Policies and Procedures

UTAH VALLEY UNIVERSITY Policies and Procedures Page 1 of 5 POLICY TITLE Section Subsection Responsible Office Private Sensitive Information Facilities, Operations, and Information Technology Information Technology Office of the Vice President of Information

More information

Mobile Working Policy. Item 15.3

Mobile Working Policy. Item 15.3 Mobile Working Policy Item 15.3 Authorship: Committee Approved: Chris Wallace, Information Governance Manager, North Yorkshire & Humber Commissioning Support Unit Management Team Approved date: Review

More information

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Policy and Procedure: SDM Guidance for HIPAA Business Associates Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:

More information

Bring Your Own Device (BYOD) Policy

Bring Your Own Device (BYOD) Policy SH IG 58 Information Security Suite of Policies Bring Your Own Device (BYOD) Policy Version 1 Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: Next Review Date: This

More information

Apex Information Security Policy

Apex Information Security Policy Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8

More information

Employee Security Awareness Training Program

Employee Security Awareness Training Program Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,

More information

UWTSD Group Data Protection Policy

UWTSD Group Data Protection Policy UWTSD Group Data Protection Policy Contents Clause Page 1. Policy statement... 1 2. About this policy... 1 3. Definition of data protection terms... 1 4. Data protection principles..3 5. Fair and lawful

More information

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ). PRIVACY POLICY Data Protection Policy 1. Introduction This Data Protection Policy (this Policy ) sets out how Brital Foods Limited ( we, us, our ) handle the Personal Data we Process in the course of our

More information

Information Governance Incident Reporting Policy and Procedure

Information Governance Incident Reporting Policy and Procedure Information Governance Incident Reporting Policy and Procedure Policy Number Target Audience Approving Committee IG007 CCG/GMSS Staff CCG Chief Officer Date Approved February 2018 Last Review Date February

More information

Data protection. 3 April 2018

Data protection. 3 April 2018 Data protection 3 April 2018 Policy prepared by: Ltd Approved by the Directors on: 3rd April 2018 Next review date: 31st March 2019 Data Protection Registration Number (ico.): Z2184271 Introduction Ltd

More information

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision

More information

Policies Procedures & Guidelines. Mobile Device Policy. Version: 1.3. Date ratified: May Date issued: 21 June 2010 Review date: 15/01/2011

Policies Procedures & Guidelines. Mobile Device Policy. Version: 1.3. Date ratified: May Date issued: 21 June 2010 Review date: 15/01/2011 Policies Procedures & Guidelines Mobile Device Policy Version: 1.3 Ratified by: IM&T Steering Group Date ratified: May 2010 Name of originator/author: Urszula Niewiadomska Date issued: 21 June 2010 Review

More information

Information Security Incident Reporting Policy

Information Security Incident Reporting Policy Information Security Incident Reporting Policy Date Published June 2016 Version 3 Last Approved Date 23 rd May 2018 Review Cycle 1 Year Review Date May 2019 Learning together; to be the best we can be

More information

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018 1.0 Executive Summary Birmingham Community Healthcare NHS Foundation Trust 2017/17 Data Security and Protection Requirements March 2018 The Trust has received a request from NHS Improvement (NHSI) to self-assess

More information

Bring Your Own Device Policy

Bring Your Own Device Policy Bring Your Own Device Policy 2015 City of Glasgow College Charity Number: SCO 36198 Page 1 of 9 Table of Contents 1. Introduction... 3 2. Purpose and Aims... 4 3. Scope... 4 4. Policy Statement... 5 4.1

More information

UWC International Data Protection Policy

UWC International Data Protection Policy UWC International Data Protection Policy 1. Introduction This policy sets out UWC International s organisational approach to data protection. UWC International is committed to protecting the privacy of

More information

Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice

Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice Document history Author(s) Date S Gamlin 23/05/2018 Revision / Number Date Amendment Name Approved by BI annual revision Date

More information

Access Control Policy

Access Control Policy Access Control Policy Version Control Version Date Draft 0.1 25/09/2017 1.0 01/11/2017 Related Polices Information Services Acceptable Use Policy Associate Accounts Policy IT Security for 3 rd Parties,

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Introduction The purpose of this document is to provide a concise policy regarding the data protection obligations of Youth Work Ireland. Youth Work Ireland is a data controller

More information

NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy

NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy NHS Gloucestershire Clinical Commissioning Group 1 Document Control Title of Document Gloucestershire CCG Author A Ewens (Emergency Planning and Business Continuity Officer) Review Date February 2017 Classification

More information

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY 2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY Purpose: The purpose of this policy is to provide instruction and information to staff, auditors, consultants, contractors and tenants on

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Addressing the General Data Protection Regulation (GDPR) 2018 [EU] and the Data Protection Act (DPA) 2018 [UK] For information on this Policy or to request Subject Access please

More information

Network Security Policy

Network Security Policy Network Security Policy Date: January 2016 Policy Title Network Security Policy Policy Number: POL 030 Version 3.0 Policy Sponsor Policy Owner Committee Director of Business Support Head of ICU / ICT Business

More information

Information Security Controls Policy

Information Security Controls Policy Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January

More information

Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013

Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013 Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board Issued: September 2013 Document reference: 495A2013 Status of report This document has been prepared for the internal

More information

Information Handling and Classification Table

Information Handling and Classification Table Information Handling and Classification Table Title: Information Classification and Handling Table Reference: IS-07a Status: Approved Version: 1.2 Date: March 2018 Classification: Non-Sensitive/Open Author(s)

More information

Responsible Officer Approved by

Responsible Officer Approved by Responsible Officer Approved by Chief Information Officer Council Approved and commenced August, 2014 Review by August, 2017 Relevant Legislation, Ordinance, Rule and/or Governance Level Principle ICT

More information

Policy General Policy GP20

Policy General Policy GP20 Email Policy General Policy GP20 Applies to All employees Committee for Approval Quality and Governance Committee Date of Approval September 2012 Review Date June 2014 Name of Lead Manager Head of Technology

More information

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected.

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected. I Use of computers This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information security policy. To

More information

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:

More information

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION Document Control Owner: Distribution List: Data Protection Officer Relevant individuals who access, use, store or

More information

UKIP needs to gather and use certain information about individuals.

UKIP needs to gather and use certain information about individuals. UKIP Data Protection Policy Context and overview Key details Policy Update Prepared by: D. Dennemarck / S. Turner Update approved by Management on: November 6, 2015 Policy update became operational on:

More information

AUTHORITY FOR ELECTRICITY REGULATION

AUTHORITY FOR ELECTRICITY REGULATION SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...

More information

Information Security Data Classification Procedure

Information Security Data Classification Procedure Information Security Data Classification Procedure A. Procedure 1. Audience 1.1 All University staff, vendors, students, volunteers, and members of advisory and governing bodies, in all campuses and locations

More information

INFORMATION GOVERNANCE. Caldicott Approval Procedure

INFORMATION GOVERNANCE. Caldicott Approval Procedure NHS TAYSIDE INFORMATION GOVERNANCE Caldicott Approval Procedure Author: Peter McKenzie Review Group: Information Governance Group Review Date: September 2010 Last Update: September 2009 Document : NHST-ISC-CAP

More information

Stopsley Community Primary School. Data Breach Policy

Stopsley Community Primary School. Data Breach Policy Stopsley Community Primary School Data Breach Policy Contents Page 1 Introduction... 3 2 Aims and objectives... 3 3 Policy Statement... 4 4 Definitions... 4 5 Training... 5 6 Identification... 5 7 Risk

More information

INTERNATIONAL SOS. Information Security Policy. Version 2.00

INTERNATIONAL SOS. Information Security Policy. Version 2.00 INTERNATIONAL SOS Information Security Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: August 2009 Updated: April 2018 2018 All copyright in these materials are

More information

Network Account Management Security Standard

Network Account Management Security Standard TRUST-WIDE NON-CLINICAL DOCUMENT Network Account Management Security Number: Scope of this Document: Recommending Committee: Approving Committee: SS06 All Staff/ Services Users Joint Information Governance

More information

COMPUTER & INFORMATION TECHNOLOGY CENTER. Information Transfer Policy

COMPUTER & INFORMATION TECHNOLOGY CENTER. Information Transfer Policy COMPUTER & INFORMATION TECHNOLOGY CENTER Information Transfer Policy Document Controls This document is reviewed every six months Document Reference Document Title Document Owner ISO 27001:2013 reference

More information

GDPR Compliance. Clauses

GDPR Compliance. Clauses 1 Clauses GDPR The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a privacy and data protection regulation in the European Union (EU). It became enforceable from May 25 2018. The

More information

Putting It All Together:

Putting It All Together: Putting It All Together: The Interplay of Privacy & Security Regina Verde, MS, MBA, CHC Chief Corporate Compliance & Privacy Officer University of Virginia Health System 2017 ISPRO Conference October 24,

More information

BOARD OF DIRECTORS (OPEN) Meeting Date: 14 th November 2018

BOARD OF DIRECTORS (OPEN) Meeting Date: 14 th November 2018 BORD OF DIRECTORS (OPEN) Meeting Date: 14 th November 2018 Open BoD 14.11.18 Item 14 TITLE OF PPER TO BE PRESENTED BY CTION REQUIRED Senior Information Risk Owner (SIRO) nnual Report Phillip Easthope,

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

Data Privacy Breach Policy and Procedure

Data Privacy Breach Policy and Procedure Data Privacy Breach Policy and Procedure Document Information Last revision date: April 16, 2018 Adopted date: Next review: January 1 Annually Overview A privacy breach is an action that results in an

More information

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive IT Governance ISO/IEC 27001:2013 ISMS Implementation Service description Protect Comply Thrive 100% guaranteed ISO 27001 certification with the global experts With the IT Governance ISO 27001 Implementation

More information

Access to University Data Policy

Access to University Data Policy UNIVERSITY OF OKLAHOMA Health Sciences Center Information Technology Security Policy Access to University Data Policy 1. Purpose This policy defines roles and responsibilities for protecting OUHSC s non-public

More information

Data Breach Notification Policy

Data Breach Notification Policy Data Breach Notification Policy Policy Owner Department University College Secretary Professional Support Version Number Date drafted/date of review 1.0 25 May 2018 Date Equality Impact Assessed Has Prevent

More information

WORKSHARE SECURITY OVERVIEW

WORKSHARE SECURITY OVERVIEW WORKSHARE SECURITY OVERVIEW April 2016 COMPANY INFORMATION Workshare Security Overview Workshare Ltd. (UK) 20 Fashion Street London E1 6PX UK Workshare Website: www.workshare.com Workshare Inc. (USA) 625

More information

Statutory Notifications

Statutory Notifications Registration under the Health and Social Care Act 2008 Statutory Notifications Guidance for registered providers and managers of NHS GP and other primary medical services May 2013 Statutory notifications

More information

Information Security Management Criteria for Our Business Partners

Information Security Management Criteria for Our Business Partners Information Security Management Criteria for Our Business Partners Ver. 2.1 April 1, 2016 Global Procurement Company Information Security Enhancement Department Panasonic Corporation 1 Table of Contents

More information