Safe Haven and Information Sharing Policy


Reference No: P_IG_17
Version: 3
Ratified by: LCHS Trust Board
Date ratified: 9th January 2018
Name of originator/author: Kaz Scott, Information Governance Lead / DPO
Name of approving committee/responsible individual: Information Governance Management Assurance Group
Date issued: January 2018
Review date: November 2019
Target audience: All staff
Distributed via: Website

Lincolnshire Community Health Services NHS Trust
Safe Haven and Information Sharing Policy

Version Control Sheet

Columns: Version; Section/Para/Appendix; Version/Description of Amendments; Date; Author/Amended by

Version and description of amendments:
- 1 New Policy (Mar 13, Kaz Scott)
- To reflect organisational change. EIA and NHSLA monitoring added.
- 1.1 Updated footers and 3 month extension agreed
- month extension agreed
- 1.3 Further extension agreed
- 2 Full review, updated information and removal of Safe Haven Fax Sheet
- 3 Full review. Updated information, logo and EIA

Date: Feb 15, April 15, Sept 15, Feb 16, Oct 17

Author/Amended by: IGSC, IGSC, IGSC, Kaz Scott, Kaz Scott

Copyright 2018 Lincolnshire Community Health Services NHS Trust, All Rights Reserved. Not to be reproduced in whole or in part without the permission of the copyright owner.

Contents

ii. Version Control Sheet
iii. Policy Statement
Introduction
Scope
Definitions
- Safe Haven
- Personal Confidential Data
- Sensitive Information
- Portable Electronic or Removable Media
- Information / Data Flow / Information Flow Mapping
- Anonymised Information
- Inter-Agency Information Sharing Protocol
- Information Sharing / Confidentiality Agreement
Roles and Responsibilities
- Chief Executive
- Caldicott Guardian
- Information Governance Sub Committee
- Managers
- All Staff
Safe Havens - Location/Security Arrangements
Fax Machines
Communication by Post
Computers
NHSmail
Other Transportation Arrangements
Displaying Personal Information
Sharing Information with other Organisations
Monitoring
NHSLA Monitoring
Appendix 1 Equality Analysis

Policy Statement

Background: This policy is a safeguard for personal confidential data (PCD) which enters and leaves the Trust whether this is by facsimile (fax), post, or other means. All members of staff handling PCD, which is either paper based or electronic, must adhere to the safe haven principles and comply with the legal requirements placed upon the Trust.

This policy conforms to current legislation and other Trust associated policies:
- Information Governance Management Framework Policy and Procedure
- Inter-Agency Information Sharing Protocol
- Confidentiality and Data Protection Policy
- Information Security Policy

Statement: This document sets out the Trust approach to Safe Haven Procedures to ensure:
- The Trust complies with the Data Protection Act (DPA) and confidentiality requirements
- Confidential information which is sent outside the Trust is done so securely
- Data sharing agreements are in place to ensure that information sharing complies with the law and meets individuals' expectations

Responsibilities: This document applies to: All staff employed by the Trust

Training: Facilitated via Trust Induction and Mandatory Annual Training updates

Dissemination: This policy will be published on the Trust's website.

Introduction

All NHS organisations require safe haven procedures to maintain the privacy and confidentiality of the personal information held. The implementation of these procedures facilitates compliance with the legal requirements placed upon the organisation. Where departments within the Trust, other NHS Trusts or other agencies want to send personal information to a Trust department, they should be confident that it is being sent to a location which ensures the security of the data.

A number of Acts and pieces of guidance dictate the need for safe haven arrangements to be put in place. They include:

- DPA 1998 (Principle 7): Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Confidentiality: NHS Code of Practice: Annex A1 Protect Patient Information: Care must be taken, particularly with confidential clinical information, to ensure that the means of transferring from one location to another are as secure as they can be

Scope

This policy provides:
- The legislation and guidance which dictates the need for a safe haven
- A definition of the term safe haven
- When a safe haven is required
- The necessary procedures and requirements that are needed to implement a safe haven
- Rules for different kinds of safe haven

The processes described in this policy must be followed by all Trust staff, unless exceptional circumstances arise, which may have an impact on direct patient care.

This policy applies to all those working in the Trust, in whatever capacity. A failure to follow the requirements of the policy may result in investigation and management action being taken as considered appropriate. This may include formal action in line with the Trust's Disciplinary process for Trust employees; and other action in relation to other workers, which may result in the termination of an assignment, placement, secondment or honorary arrangement. Non-compliance may also lead to criminal action being taken.

Definitions

Safe Haven

The term safe haven refers to a location situated on Trust premises where arrangements and procedures are in place to ensure person-identifiable information can be held, received and communicated securely. In a Trust they are the point from where PCD is controlled. However, any department sending, receiving, holding or communicating PCD, concerning either patients or staff, should provide safe haven conditions by following the guidelines set out within this policy.

Personal Confidential Data (PCD)

This relates to information about a person which would enable that person's identity to be established by one means or another. This might be fairly explicit such as an unusual surname or isolated postcode or bits of different information which if taken together could allow the person to be identified. All information that relates to an attribute of an individual should be considered as potentially capable of identifying them to a greater or lesser extent. This includes the nationally recognised NHS number.

Sensitive Information

This is information where loss, misdirection or loss of integrity could impact adversely on individuals, the organisation or on the wider community. This is wider than, but includes, data defined as sensitive under the DPA. In addition to personal and clinical information, financial and security information is also likely to be deemed sensitive. Examples of sensitive information include information in relation to a person's:
- Health or physical condition
- Ethnic origin
- Political views
- Sexual life
- Religious beliefs
- Criminal convictions
- Or Trade Union Membership

For this type of information even more stringent measures should be employed to ensure that the data remains secure.

Portable Electronic or Removable Media

This includes tapes, floppy discs, laptops and handheld computers, optical discs (DVD and CD-ROM), solid state memory cards, cameras, Dictaphones, USB memory sticks and portable hard drives.

Information / Data Flow / Information Flow Mapping

This is the process of documenting the flow of information from one physical location to another and the method by which it flows. Data flows may be by: email, fax, post/courier, text or portable electronic or removable media.

Anonymised Information

This is information which does not identify an individual directly, and which cannot reasonably be used to determine identity. Anonymisation requires the removal of name, address, full postcode and any other detail or combination of details that might support identification.

Inter-Agency Information Sharing Protocol

The protocol is the high level document setting out the general reasons and principles for sharing data. The protocol will show that all signatory agencies are committed to maintaining agreed standards on handling information and will publish a list of senior signatories. It should be underpinned by information sharing agreements between the organisations who are actually sharing the information.

Information Sharing / Confidentiality Agreement

The agreement is a more detailed document, the intention of which is to spell out how the organisations involved will operate the approach to information sharing.

Roles and Responsibilities

Chief Executive

The Chief Executive has ultimate responsibility for security and patient confidentiality at Trust level.

Caldicott Guardian

The Caldicott Guardian has responsibility for safeguarding the confidentiality of patient information.

Information Governance Management Assurance Group (IGMAG)

The IGMAG are responsible for coordinating improvements in data protection, confidentiality and information security.

Managers

Managers within the Trust are responsible for ensuring that the policy, and other associated policies and supporting standards and guidelines, are built into local processes and that there is on-going compliance. Managers are accountable for the communication about and compliance with Trust policies, and must ensure that staff are adequately trained and apply the appropriate guidelines.

All Staff

All staff, whether permanent, temporary or contracted, are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day to day basis. All staff are responsible for any records or data they create and what they do with information they use. Staff should ensure they attend information governance training and awareness sessions to maintain their knowledge and skills. All staff have a responsibility to adhere to information governance standards which are written into the terms and conditions of their contracts of employment.

Safe Havens - Location/Security Arrangements

- Any area sending/receiving PCD should consider the physical security arrangements i.e. a room that is locked or accessible via a coded key pad known only to authorised staff, or swipe card controlled. This should be the first step in the aim to create safe haven conditions
- The office or workspace should be sited so that only authorised staff can enter i.e. not an area which is readily accessible to any member of staff in the same building, or any visitors
- If sited on the ground floor, any windows should have locks on them
- The room should conform to health and safety requirements in terms of fire, safety from flood, theft or environmental damage
- Paper records containing PCD should be stored in locked cabinets / rooms, where possible
- Computerised information should not be left on view or accessible to unauthorised staff, and the screen should be locked (using Ctrl, Alt, and Delete keys simultaneously / Windows and L key) or logged/switched off when not in use
- Confidential information should not be removed from a safe haven unless absolutely necessary

Fax Machines

Fax machines must only be used to transfer personal information where it is absolutely necessary to do so and the use of NHSmail to communicate confidential information is recommended.

- Faxing should be limited where possible
- Fax is sent to a safe location where only staff that have a legitimate right to view
- Use a Fax Header Sheet with confidentiality clause / disclaimer
- Ensure Fax number is correct, use Pre-programmed numbers
- Maintain an up-to-date list
- Telephone recipient before & after
- Confidential faxes are not left lying around for unauthorised staff to see

All Corporate Templates are available on the Trust network or through the Communications Team.

Communication by Post

This section applies to internal post, external post such as the Royal Mail and any other postal or courier / delivery service.

Records relating to confidential or commercially sensitive information must be appropriately addressed in a secure, sealed envelope, using the new government markings and clearly marked OFFICIAL SENSITIVE: COMMERCIAL or OFFICIAL SENSITIVE: PERSONAL, and sent securely by the most appropriate method pertaining to the content. The envelope must be robust and sealed to withstand transit through the postal system. Special Delivery is a tracked service which goes separately and recorded delivery is signed for.

All clinical records relating to vulnerable children, children in need, children subject to a child protection plan and looked after children must be sent via the Child Health Department. The records must be seen by the Designated or Named Nurse for Child Protection before leaving the Trust and must contain a transfer out summary, and be sent by special delivery with a return address clearly given on the outside of the envelope or transferred by secure email to the Child Health Department of a receiving NHS organisation.

It is advised that the use of Transit Envelopes is reduced, as often the contents are not sealed. Internal post can be sent safely on the Internal Courier as the vehicle is emptied each day, therefore mitigating the loss of any post.

- All sensitive records must be placed face down in public areas and not left unsupervised
- In-coming mail should be opened away from public areas
- Outgoing mail (both internal and external) should be sealed securely in robust envelopes and marked to be opened by addressee only (if the information is particularly sensitive or intended for a particular individual). Where possible use tamper-evident envelopes or tape/seals.
- Confirm the name, department and full address of the recipient before sending any information out, and ask the recipient to confirm receipt
- Paper Records can be tracked within SystmOne using Local Options to allow auditing and movement of them

Computers

- Access to any PC / Laptop must be password protected; passwords must not be shared, written down or disclosed in any way
- The Trust operates a Clear Desk Procedure so the computer screen should be locked (using Ctrl, Alt, and Delete keys simultaneously / Windows and L key) or logged/switched off when not in use
- Information should be held on the Trust's network e.g. J Drive, J Secure or home drives (H Drive) and not stored on local computer hard drives i.e. C drive (usually "My Documents"), because a hard drive may fail and the information is then rarely recoverable.
- Confidential Information should be stored on J Secure and should be restricted as appropriate. ICT services can assist in establishing folder access rights
- Ensure regular house-keeping of files, ensuring only the minimum amount of data is retained, in accordance with the Records Management Code of Practice for Health and Social Care 2016
- Any new database/system applications created / introduced that contain PCD should be registered as an Information Asset
- Any database containing personal information should comply with the DPA and Caldicott Principles

NHSmail

NHSmail is the national email and directory service developed specifically to meet British Medical Association requirements for clinical electronic messaging between NHS organisations and is the only NHS approved email system for transmitting PCD.

To be set up with an NHSmail account staff should first contact the ICT Support Desk or their Local Organisation Administrator (LOA) so they can pre-register for this service. Log a call by emailing it.supportdesk@ardengemcsu.nhs.uk or telephoning

All NHSmail addresses end

If the contents are to remain secure in transit both the sender and recipient must use NHS.net to NHS.net.

Information sent by NHSmail is only secure when in transit. NHSmail cannot protect information before it has been sent or after it has been received, especially if this has subsequently been saved on to a computer hard disk drive. There is no message recall functionality within NHSmail and staff are advised to check the National NHSmail Directory to ensure they have the correct recipient before sending an email.

Sending (or receiving) from NHSmail to another NHS.net address is deemed secure.

- *.gsi.gov.uk
- *.gsx.gov.uk
- *.gcsx.gov.uk
- *.gse.gov.uk
- *.pnn.police.uk
- *.scn.gov.uk
- *.cjsm.net
- *.mod.uk
- *.hmps.gsi.gov.uk

The domains in the above table are all within the government secure network and have a secure link between that network and NHSmail, but [secure] must be added to the subject line when sending from NHS.net, which operates a filtering system. This is following updated guidance.

Phone

- Information should not usually be provided over the telephone as the identity of the caller cannot always be verified
- Always confirm the name, job title, department, and organisation of the person requesting the information
- Confirm the reason for the information request
- Take a contact number i.e. main switchboard (never a direct line or mobile telephone number unless known to you)
- Call them back (always call the switchboard) to confirm the details, if necessary
- Check whether the information can be provided; if in doubt tell the enquirer that you will call them back
- Provide the information only to the person who requested it; do not leave messages

Other Transportation Arrangements

- PCD should only be taken off site when absolutely necessary
- Information must be transported in a sealed container (where possible)
- Never leave PCD unattended
- Ensure all information is returned back to site as soon as possible, and records are updated
- Personal data should not be sent outside of the UK without seeking advice from Information Governance.

Displaying Personal Information (for example on white-boards)

Boards containing PCD should ideally be sited in areas that are not generally accessible by the public, e.g. staff offices. These rooms should be clearly marked 'staff only' and windows obscured appropriately.

The boards should contain only sufficient detail to locate the patient and they must not contain confidential information, and in patient areas should only state the patient's first initial and surname (both initials preferably).

If it is absolutely necessary to put clinical information onto a whiteboard, the information should be abbreviated or symbolised so that only health professionals can understand the information, not other members of staff that may come into the department.

The use of personal information in patient areas should be carefully considered and a risk assessment undertaken by an appropriate manager.

Sharing Information with other Organisations

Information must only be shared if:
- You have patient consent or
- If a law says you have to or
- It's in the public interest
- Direct Care purposes

Employees of the Trust authorised to disclose information to other organisations outside the NHS must seek assurance that these organisations have a designated safe haven point for receiving personal information.

The Trust must be assured that these organisations are able to comply with the safe haven ethos and meet certain legislative and related guidance requirements:
- Data Protection Act 1998
- Common Law Duty of Confidentiality
- Confidentiality: NHS Code of Practice

Information sharing/confidentiality agreements must be put in place with organisations where personal information is to be shared. All flows of information coming in and going out of the department should be risk assessed as appropriate.

Monitoring

The Trust will monitor and audit its Safe Haven & Information Sharing practices for compliance with this policy. The audit will:
- Identify areas of operation that are covered by the Trust's policies and identify which procedures and/or guidance should comply with the policy;
- Set and maintain standards by implementing new procedures, including obtaining feedback where the procedures do not match the desired levels of performance; and
- Highlight where non-conformance to the policy is occurring and suggest a tightening of controls and adjustment to related procedures.

The results of audits will be reported to the IGMAG, Quality and Risk Committee and other Committees, as appropriate.

NHSLA Monitoring

- Minimum requirement to be monitored: IG Toolkit Standards
- Process for monitoring e.g. audit: Review / Audit / Reports
- Responsible individuals/group/committee: IG Lead
- Frequency of monitoring/audit: Annual
- Responsible individuals/group/committee (multidisciplinary) for review of results: IG Lead / IGMAG
- Responsible individuals/group/committee for development of action plan: IG Lead / IGMAG
- Responsible individuals/group/committee for monitoring of action plan: IG Lead / IGMAG

Appendix 1 Equality Analysis

A. Briefly give an outline of the key objectives of the policy; what its intended outcome is and who the intended beneficiaries are expected to be
To provide clear and effective management and accountability structures, governance processes, documented policies and procedures, a comprehensive IG training programme and adequate resources to manage and embed Information Governance throughout the Organisation.

B. Does the policy have an impact on patients, carers or staff, or the wider community that we have links with? Please give details
All Staff and Service Users

C. Is there any evidence that the policy\service relates to an area with known inequalities? Please give details
No

D. Will/Does the implementation of the policy\service result in different impacts for protected characteristics?
No

Protected characteristics (Yes/No): Disability, Sexual Orientation, Sex, Gender Reassignment, Race, Marriage/Civil Partnership, Maternity/Pregnancy, Age, Religion or Belief, Carers

If you have answered Yes to any of the questions then you are required to carry out a full Equality Analysis which should be approved by the Equality and Human Rights Lead. Please go to section 2.

The above named policy has been considered and does not require a full equality analysis.

Equality Analysis carried out by: Kaz Scott, IG Lead / DPO
Date: 11th October 2017


More information

INFORMATION TECHNOLOGY SECURITY POLICY

INFORMATION TECHNOLOGY SECURITY POLICY INFORMATION TECHNOLOGY SECURITY POLICY Author Responsible Director Approved By Data Approved September 15 Date for Review November 17 Version 2.3 Replaces version 2.2 Mike Dench, IT Security Manager Robin

More information

Network Account Management Security Standard

Network Account Management Security Standard TRUST-WIDE NON-CLINICAL DOCUMENT Network Account Management Security Number: Scope of this Document: Recommending Committee: Approving Committee: SS06 All Staff/ Services Users Joint Information Governance

More information

Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice

Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice Document history Author(s) Date S Gamlin 23/05/2018 Revision / Number Date Amendment Name Approved by BI annual revision Date

More information

This Privacy Policy applies if you're a customer, employee or use any of our services, visit our website, , call or write to us.

This Privacy Policy applies if you're a customer, employee or use any of our services, visit our website,  , call or write to us. Privacy Policy Background This policy explains when and why we collect personal information about you; how we use it, the conditions under which we may disclose it to others and how we keep it secure.

More information

The General Data Protection Regulation

The General Data Protection Regulation PRIVACY NOTICE INFORMATION FOR (a) APPLICANTS TO AND USERS OF CHS COMMUNITY SUPPORT SERVICES; (b) OTHER STAKEHOLDERS CHS is committed to protecting your personal data. This privacy notice sets out how

More information

INFORMATION SYSTEMS SECURITY POLICY (ISSP)

INFORMATION SYSTEMS SECURITY POLICY (ISSP) INFORMATION SYSTEMS SECURITY POLICY (ISSP) Policy Number & Category IG 02 Information Governance Version Number & Date Version 3.7 February 2009 Ratifying Committee Date Approved March 2009 Next Review

More information

Element Finance Solutions Ltd Data Protection Policy

Element Finance Solutions Ltd Data Protection Policy Element Finance Solutions Ltd Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments

More information

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy DEPARTMENT OF JUSTICE AND EQUALITY Data Protection Policy May 2018 Contents Page 1. Introduction 3 2. Scope 3 3. Data Protection Principles 4 4. GDPR - Rights of data subjects 6 5. Responsibilities of

More information

RVC DATA PROTECTION POLICY

RVC DATA PROTECTION POLICY RVC DATA PROTECTION POLICY POLICY and PROCEDURES Responsibility of Data Protection Officer Review Date July 2019 Approved by CEC Author D.Hardyman-Rice CONTENTS PAGE 1) Policy Statement 3 2) Key definitions

More information

St Bernard s Primary School Data Protection Policy

St Bernard s Primary School Data Protection Policy St Bernard s Primary School Data Protection Policy St Bernard s RC Primary School, A Voluntary Academy Approved by Governors: 11.11.2015 Review date: Autumn 2016 St Bernard s Data Protection Policy General

More information

GDPR Data Protection Policy

GDPR Data Protection Policy GDPR Data Protection Policy Volleyball England 2018 VE Data Protection Policy May 2018 Page 1 GDPR Data Protection Policy 1. Introduction This Policy sets how the English Volleyball Association Limited

More information

GMSS Information Governance & Cyber Security Incident Reporting Procedure. February 2017

GMSS Information Governance & Cyber Security Incident Reporting Procedure. February 2017 GMSS Information Governance & Cyber Security Incident Reporting Procedure February 2017 Review Date; April 2018 1 Version Control: VERSION DATE DETAIL D1.0 20/04/2015 First Draft (SC) D 2.0 28/04/2015

More information

Information Technology Access Control Policy & Procedure

Information Technology Access Control Policy & Procedure Information Technology Access Control Policy & Procedure Version 1.0 Important: This document can only be considered valid when viewed on the PCT s intranet/u: Drive. If this document has been printed

More information

Guardian Electrical Compliance Ltd DATA PROTECTION GDPR REGULATIONS POLICY

Guardian Electrical Compliance Ltd DATA PROTECTION GDPR REGULATIONS POLICY 1. Statement of Policy (Guardian) needs to collect and use certain types of information about the Individuals or Service Users with whom they come into contact in order to carry on our work. This personal

More information

Pathways CIC Privacy Policy. Date Issued: May Date to be Reviewed: May Issued by Yvonne Clarke

Pathways CIC Privacy Policy. Date Issued: May Date to be Reviewed: May Issued by Yvonne Clarke Prepared by: M Franklin Issued: May 2018 Pathways Community Interest Company Review due: May 2020 Pathways CIC Privacy Policy Version 0.3 Approved by: Yvonne Clarke Approval date: 21.05.2018 Pathways CIC

More information

Acceptable Usage Policy (Student)

Acceptable Usage Policy (Student) Acceptable Usage Policy (Student) Author Arthur Bogacki Date 18/10/2017 Version 1.1 (content sourced and consolidated from existing Email and Electronic Communication, and User Code of Practice policies.)

More information

SAFE USE OF MOBILE PHONES AT WORK POLICY

SAFE USE OF MOBILE PHONES AT WORK POLICY SAFE USE OF MOBILE PHONES AT WORK POLICY Links to Lone Working Policy, Personal Safety Guidance, Lone Working Guidance, Information Governance Policy Document Type General Policy Unique Identifier GP31

More information

Enviro Technology Services Ltd Data Protection Policy

Enviro Technology Services Ltd Data Protection Policy Enviro Technology Services Ltd Data Protection Policy 1. CONTEXT AND OVERVIEW 1.1 Key details Rev 1.0 Policy prepared by: Duncan Mounsor. Approved by board on: 23/03/2016 Policy became operational on:

More information

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ). PRIVACY POLICY Data Protection Policy 1. Introduction This Data Protection Policy (this Policy ) sets out how Brital Foods Limited ( we, us, our ) handle the Personal Data we Process in the course of our

More information

Cognizant Careers Portal Terms of Use and Privacy Policy ( Policy )

Cognizant Careers Portal Terms of Use and Privacy Policy ( Policy ) Cognizant Careers Portal Terms of Use and Privacy Policy ( Policy ) Introduction This Policy applies to the Careers portal on the Cognizant website accessed via www.cognizant.com/careers ("Site"), which

More information

Cognizant Careers Portal Privacy Policy ( Policy )

Cognizant Careers Portal Privacy Policy ( Policy ) Cognizant Careers Portal Privacy Policy ( Policy ) Date: 22 March 2017 Introduction This Careers Portal Privacy Policy ("Policy") applies to the Careers portal on the Cognizant website accessed via www.cognizant.com/careers

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY 1 Your Data Protection Responsibilities DATA PROTECTION POLICY 1.1 Everyone has rights with regard to how their personal data is handled. Personal data is any information that a person can be identified

More information

Freedom of Information and Protection of Privacy (FOIPOP)

Freedom of Information and Protection of Privacy (FOIPOP) Freedom of Information and Protection of Privacy (FOIPOP) No.: 6700 PR1 Policy Reference: 6700 Category: FOIPOP Department Responsible: Records Management and Privacy Current Approved Date: 2008 Sep 30

More information

Procedure re-written. (i.e. All staff with responsibility for the creation, use and management of organisational responsibility)

Procedure re-written. (i.e. All staff with responsibility for the creation, use and management of organisational responsibility) Standard Operating Procedure Title of Standard Operation Procedure: Corporate Records Management Procedure Reference Number: ECT002863 Version No: 2.0 Supersedes Versions No: 0.1 Amendments Made: Procedure

More information

Data protection policy

Data protection policy Data protection policy Context and overview Introduction The ASHA Centre needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees

More information

Mobile Computing Policy

Mobile Computing Policy Mobile Computing Policy Overview and Scope 1. The purpose of this policy is to ensure that effective measures are in place to protect against the risks of using mobile computing and communication facilities..

More information

Data protection. 3 April 2018

Data protection. 3 April 2018 Data protection 3 April 2018 Policy prepared by: Ltd Approved by the Directors on: 3rd April 2018 Next review date: 31st March 2019 Data Protection Registration Number (ico.): Z2184271 Introduction Ltd

More information

The British Museum. Data Protection Code of Practise. 1 Introduction

The British Museum. Data Protection Code of Practise. 1 Introduction The Data Protection Code of Practice 1 Introduction 1.1 The 1998 Data Protection Act is aimed at ensuring a balance between individuals rights to privacy and the lawful processing of personal data undertaken

More information

1 Privacy Statement INDEX

1 Privacy Statement INDEX INDEX 1 Privacy Statement Mphasis is committed to protecting the personal information of its customers, employees, suppliers, contractors and business associates. Personal information includes data related

More information

DATA PROTECTION ISACA MALTA CHAPTER BIENNIAL CONFERENCE Saviour Cachia Commissioner for Information and Data Protection

DATA PROTECTION ISACA MALTA CHAPTER BIENNIAL CONFERENCE Saviour Cachia Commissioner for Information and Data Protection DATA PROTECTION ISACA MALTA CHAPTER BIENNIAL CONFERENCE 2016 Saviour Cachia Commissioner for Information and Data Protection Conception of DPA Council of Europe ETS 108 Convention on the protection of

More information

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ): Privacy Policy Introduction Ikano S.A. ( Ikano ) respects your privacy and is committed to protect your Personal Data by being compliant with this privacy policy ( Policy ). In addition to Ikano, this

More information

Information Security Incident

Information Security Incident Good Practice Guide Author: A Heathcote Date: 22/05/2017 Version: 1.0 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body

More information

Information Governance Policy

Information Governance Policy 2015 Information Governance Policy University of Wolverhampton Version 1.0 28 th October 2015 Policy Approval Procedure Information Governance Policy Policy Author: Stephen Hill Dept.: DAS Information

More information

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY 2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY Purpose: The purpose of this policy is to provide instruction and information to staff, auditors, consultants, contractors and tenants on

More information

Bring Your Own Device (BYOD) Policy

Bring Your Own Device (BYOD) Policy SH IG 58 Information Security Suite of Policies Bring Your Own Device (BYOD) Policy Version 1 Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: Next Review Date: This

More information

Data Protection Policy

Data Protection Policy Introduction In order to; provide education, training, assessment and qualifications to its customers and clients, promote its services, maintain its own accounts and records and support and manage its

More information

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017 Wye Valley NHS Trust Data protection audit report Executive summary June 2017 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act

More information

DATA PROTECTION IN RESEARCH

DATA PROTECTION IN RESEARCH DATA PROTECTION IN RESEARCH Document control Applicable to: All employees and research students Date first approved February 2006 Date first amended May 2015 Date last amended May 2015 Approved by Approval

More information

The Apple Store, Coombe Lodge, Blagdon BS40 7RG,

The Apple Store, Coombe Lodge, Blagdon BS40 7RG, 1 The General Data Protection Regulation ( GDPR ) is the new legal framework that will come into effect on the 25th of May 2018 in the European Union ( EU ) and will be directly applicable in all EU Member

More information

Data validation and database lock down for RFL sponsored studies Document Number: 037

Data validation and database lock down for RFL sponsored studies Document Number: 037 Data validation and database lock down for RFL sponsored studies Document Number: 037 Version: 1 Ratified by: Committee Date ratified: 30 September 2014 Name of originator/author: Directorate: Department:

More information

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer Data Sharing Agreement Between Integral Occupational Health Ltd and the Customer 1. Definitions a. Customer means any person, organisation, group or entity accepted as a customer of IOH to access OH services

More information

Information Security Policy for Associates and Contractors

Information Security Policy for Associates and Contractors Information Security Policy for Associates and Contractors Version: 1.13 Date: 11 October 2016 Reference: 67972761 Location: Livelink Contents Introduction... 3 Purpose... 3 Scope... 3 Responsibilities...

More information

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. I. OBJECTIVE ebay s goal is to apply uniform, adequate and global data protection

More information

Privacy Policy GENERAL

Privacy Policy GENERAL Privacy Policy GENERAL This document sets out what information Springhill Care Group Ltd collects from visitors, how it uses the information, how it protects the information and your rights. Springhill

More information

Islam21c.com Data Protection and Privacy Policy

Islam21c.com Data Protection and Privacy Policy Islam21c.com Data Protection and Privacy Policy Purpose of this policy The purpose of this policy is to communicate to staff, volunteers, donors, non-donors, supporters and clients of Islam21c the approach

More information

Corporate Information Security Policy

Corporate Information Security Policy Overview Sets out the high-level controls that the BBC will put in place to protect BBC staff, audiences and information. Audience Anyone who has access to BBC Information Systems however they are employed

More information

INFORMATION GOVERNANCE. Caldicott Approval Procedure

INFORMATION GOVERNANCE. Caldicott Approval Procedure NHS TAYSIDE INFORMATION GOVERNANCE Caldicott Approval Procedure Author: Peter McKenzie Review Group: Information Governance Group Review Date: September 2010 Last Update: September 2009 Document : NHST-ISC-CAP

More information

PRIVACY NOTICE VOLUNTEER INFORMATION. Liverpool Women s NHS Foundation Trust

PRIVACY NOTICE VOLUNTEER INFORMATION. Liverpool Women s NHS Foundation Trust PRIVACY NOTICE VOLUNTEER INFORMATION Liverpool Women s NHS Foundation Trust Introduction This document summarises who we are, what information we hold about you, what we will do with the information we

More information

Mobile Working Policy. Item 15.3

Mobile Working Policy. Item 15.3 Mobile Working Policy Item 15.3 Authorship: Committee Approved: Chris Wallace, Information Governance Manager, North Yorkshire & Humber Commissioning Support Unit Management Team Approved date: Review

More information

PCA Staff guide: Information Security Code of Practice (ISCoP)

PCA Staff guide: Information Security Code of Practice (ISCoP) PCA Staff guide: Information Security Code of Practice (ISCoP) PCA Information Risk and Privacy Version 2015.1.0 December 2014 PCA Information Risk and Privacy Page 1 Introduction Prudential Corporation

More information

A Homeopath Registered Homeopath

A Homeopath Registered Homeopath A Homeopath Registered Homeopath DATA PROTECTION POLICY Scope of the policy This policy applies to the work of homeopath A Homeopath (hereafter referred to as AH ). The policy sets out the requirements

More information

General Data Protection Regulation (GDPR) Key Facts & FAQ s

General Data Protection Regulation (GDPR) Key Facts & FAQ s General Data Protection Regulation (GDPR) Key Facts & FAQ s GDPR comes into force on 25 May 2018 GDPR replaces the Data Protection Act 1998. The main principles are much the same as those in the current

More information

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018 1.0 Executive Summary Birmingham Community Healthcare NHS Foundation Trust 2017/17 Data Security and Protection Requirements March 2018 The Trust has received a request from NHS Improvement (NHSI) to self-assess

More information

Information Governance Incident Reporting Policy and Procedure

Information Governance Incident Reporting Policy and Procedure Information Governance Incident Reporting Policy and Procedure Policy Number Target Audience Approving Committee IG007 CCG/GMSS Staff CCG Chief Officer Date Approved February 2018 Last Review Date February

More information

Information Classification and Handling Policy

Information Classification and Handling Policy Information Classification and Handling Policy Document Title: Author(s) (name, job title and Division): Version Number: Document Status: Date Approved: Approved By: Effective Date: Date of Next Review:

More information

INNOVENT LEASING LIMITED. Privacy Notice

INNOVENT LEASING LIMITED. Privacy Notice INNOVENT LEASING LIMITED Privacy Notice Table of Contents Topic Page number KEY SUMMARY 2 ABOUT US AND THIS NOTICE 3 USEFUL WORDS AND PHRASES 4 WHAT INFORMATION DO WE COLLECT? 4 WHY DO WE PROCESS YOUR

More information

ma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018

ma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018 ma recycle.com Rely and Comply... GDPR Privacy Policy Policy Date: 24 May 2018 Max Recycle Hawthorne House Blackthorn Way Sedgeletch Industrial Estate Fencehouses Tyne & Wear DH4 6JN T: 0845 026 0026 F:

More information

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012 HIPAA Privacy and Security Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012 Goals and Objectives Course Goal: Can serve as annual HIPAA training for physician practice

More information

WIT Diverse Campus Services Ltd. Data Protection Policy

WIT Diverse Campus Services Ltd. Data Protection Policy WIT Diverse Campus Services Ltd. Data Protection Policy Introduction WIT Diverse Campus Services Limited and/or its associated companies ( us or we ) have created this privacy statement to demonstrate

More information

POWER AND WATER CORPORATION POLICY MANAGEMENT OF EXTERNAL SERVICE PROVIDERS

POWER AND WATER CORPORATION POLICY MANAGEMENT OF EXTERNAL SERVICE PROVIDERS POWER AND WATER CORPORATION POLICY MANAGEMENT OF EXTERNAL SERVICE PROVIDERS Prepared by: Approved by: Chief Procurement Officer John Baskerville Chief Executive File number: D2015/65737 June 2015 MANAGEMENT

More information

Acceptable Use of Policy

Acceptable Use of  Policy Acceptable Use of email Policy Printed copies must not be considered the definitive version DOCUMENT CONTROL POLICY NO. 82 Policy Group: Author: Reviewer: Information Assurance and Security Andrew Turner

More information