Information Governance Incident Reporting Procedure
Version: 3.0
Ratified by: NHS Bury CCG Quality and Risk Committee
Date ratified: 15th February 2016
Name of originator / author(s): Information Governance Manager
Responsible Committee / individual: NHS Bury CCG Quality and Risk Committee
Date issued: 14th March 2016
Review date: March 2018
Target audience: NHS Bury Clinical Commissioning Group Members, staff, volunteers and contractors
Equality Analysis Assessed: Yes
Further information regarding this document

Document name: Information Governance Incident Reporting Procedure
Category of document in the Policy Schedule: CCG.GOV Governance
Author(s) / contact(s) for further information about this document: Information Governance Manager
This document should be read in conjunction with: All Information Governance Policies
This document has been developed in consultation with: NHS Bury CCG Information Governance Operational Group
Published by: NHS Bury Clinical Commissioning Group, 21 Silver Street, Bury BL9 0EN
Copies of this document are available from: CCG Corporate Office; CCG website

Control History
Number: 3.0 (= policy once reviewed)
Reviewing Committee / Officer: NHS Bury Clinical Commissioning Group, Quality and Risk Committee
Date: 15th February 2016
Table of Contents

1. Introduction
2. Purpose
3. Definitions
4. Roles and Responsibilities
5. The Process for Reporting Information Governance Incidents
6. Cyber Security Incident Reporting and Management Process
7. Reporting
8. Closure and Lessons Learned from the IG Incident
9. Training and Awareness
10. Accountability, Responsibilities and Training
11. Monitoring and review
12. Legislation and related documents
1. Introduction

1.1 NHS Bury Clinical Commissioning Group (hereafter referred to as the CCG) is committed to a programme of effective risk and incident management. This procedure explains the system staff must use for recording, reporting and reviewing Information Governance, Information Security and / or cyber security incidents. Reporting an incident or a near miss is an integral part of personal, clinical and corporate governance.

1.2 In response to the increase in Information Governance and cyber security incidents, the HSCIC has introduced the Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation, together with on-line reporting via the IG Toolkit. The guidance covers the reporting arrangements and the actions to be taken when an IG incident and / or IG SIRI occurs. It also explains how to score an incident, based on the number of individuals affected together with other sensitivity factors. This matters because the score defines when an incident becomes an IG SIRI: a reported IG incident becomes an IG SIRI when it scores at level 2 or above. The level then determines how the incident is reported, as the HSCIC checklist sets out, and the CCG must ensure the correct process is followed.

1.3 The CCG has a responsibility to monitor all Information Governance related incidents that may breach the security and / or confidentiality of personal information.

1.4 All incidents must be reported using the CCG's incident reporting system, Safeguard. When an IG incident occurs, however, there are additional reporting mechanisms the CCG must comply with; this procedure sets them out.

1.5 This procedure applies to all staff who work for or on behalf of the CCG. Third party contractors and others (e.g. business partners, including other public sector bodies, volunteers and commercial service providers) who may use the CCG's facilities must be aware of the importance of reporting perceived or actual events.

2. Purpose

2.1 This document sets out the directions across Bury Clinical Commissioning Group (the CCG) for the reporting and management of Information Governance / cyber security incidents.

2.2 This procedure applies to those members of staff who are directly employed by the CCG and for whom the CCG has legal responsibility.

2.3 For staff covered by a letter of authority / honorary contract or on work experience, the organisation's policies also apply whilst they undertake duties for or on behalf of the CCG.

3. Definitions

3.1 Information Governance Related Incident

An Information Governance or Information Security related incident is a breach of the security and / or confidentiality of personal information. It could be anything from users of computer systems sharing passwords to a piece of paper identifying a patient being found in the high street.
It could also be any event that has resulted or could result in:

- the integrity of an information system or data being put at risk;
- the availability of an information system or information being put at risk;
- an adverse impact, for example embarrassment to the NHS, a threat to personal safety or privacy, a legal obligation or penalty, financial loss and / or disruption of activities.

Some of the more common kinds of incident are listed below. The list is not exhaustive and should be used as guidance only. If there is any doubt as to whether what you have found is an incident, report it to the relevant personnel so that they can decide.

Breach of security
- Loss of computer equipment due to crime or an individual's carelessness
- Loss of computer media, for example CDs, memory sticks / USB sticks, due to crime or an individual's carelessness
- Accessing any part of a database using someone else's authorisation, either fraudulently or by accident

Breach of confidentiality
- Finding a computer printout with personal identifiable data on it in a public area
- Finding any paper records about a patient / member of staff or the business of the organisation in any location outside secured CCG premises
- Being able to view patient records in an employee's car
- Discussing patient and / or staff personal information with someone else in an open area where the conversation can be overheard
- A fax being received by the incorrect recipient

3.2 Information Governance Serious Incident Requiring Investigation (SIRI)

There is no simple definition of a serious Information Governance incident. What may at first appear to be of minor importance may, on further investigation, be found to be serious, or vice versa. As a guide, any incident involving the actual or potential loss of personal information that could lead to identity fraud or have another significant impact on individuals should be considered serious. This definition applies irrespective of the media involved and includes both loss of electronic media and loss of paper records. Categorising the incident helps to distinguish the severity level of the Information Governance related incident and whether or not it is a SIRI. This is explained in later sections of this procedure.

3.3 Information Governance Cyber Serious Incident Requiring Investigation

For reporting purposes, a cyber incident is anything that could compromise, or has compromised, information assets within cyberspace. Such incidents include denial of service attacks, phishing emails, social media disclosures, website defacement, malicious internal damage, spoof websites and cyber bullying.
4. Roles and Responsibilities

4.1 Chief Officer
Has ultimate responsibility for the implementation of the provisions of this procedure. As the Accountable Officer they are responsible for the management of the organisation and for ensuring that appropriate mechanisms are in place to support incident reporting for IG and cyber security incidents.

4.2 Caldicott Guardian
To review and provide feedback on an incident where it relates to patient data. This may involve deciding whether or not to inform patients about an incident, where doing so would be likely to cause them harm / distress.

4.3 Senior Information Risk Owner (SIRO)
To review Information Governance incidents, report Information Governance and information security issues to the Senior Management Team, and ensure that any external reporting of the incident, if required, is undertaken.

4.4 Information Governance Team
To co-ordinate and investigate reported IG incidents, maintain the IG Incident Logbook, make recommendations and act on lessons learnt. To liaise with the CCG Information Governance Lead, the CCG SIRO and Greater Manchester Shared Services (GMSS) IT Services / IT Security Manager as appropriate on cyber security incidents. To escalate incidents to the CCG Information Governance Lead in order to inform the SIRO and / or Caldicott Guardian as appropriate. To grade the incident and report it, where necessary, on the Information Governance Toolkit Incident Reporting Tool and the local IG Incident Logbook.

4.5 CCG IT Manager
To work with IT to investigate the cyber security incident, make recommendations and act on lessons learnt. To liaise with the IG Team as appropriate, especially regarding reporting. To inform the Senior Information Risk Owner and / or Caldicott Guardian as appropriate. To grade the incident and ensure that, where necessary, it is reported in the Cyber Security section of the IG Incident Reporting Tool (through the IG Team).

4.6 GMSS IT Services / IT Security Manager
To alert the CCG IT Manager and IG Team when a member of CCG staff reports a potential or actual cyber security incident via ServiceNow, so that it can be investigated, and to assist with the grading of the incident.

5. The Process for Reporting Information Governance Incidents
5.1 Staff must follow the CCG's Incident Reporting Procedure to report any incident. All Information Security / Information Governance incidents must be reported using this procedure and no other method.

5.2 Incidents must be logged on the CCG's Safeguard system by the member of staff reporting the incident.

5.3 Once the IG Team have been notified of an incident relating to Information Governance, the team will ensure it is entered in the IG Incident Logbook.

5.4 The IG Team will assess the incident and calculate its severity score according to the checklist contained within the Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Serious Incidents Requiring Investigation (SIRIs). Please see the link below (Annex A): 0Checklist%20Guidance.pdf

5.5 The IG Team based at the CCG where the incident has occurred must be notified of all Information Governance and Information Security incidents, in addition to the incident being logged following the CCG's incident reporting processes. The immediate response to the incident and the escalation process for reporting and investigating it will vary according to the severity level of the incident.

5.6 The flowchart (Figure 1) sets out the overall process for reporting, managing and investigating Information Governance incidents for the CCG, for incidents scored at level 1 and below and at level 2 and above (IG SIRIs).
Figure 1: Incident Process Flowchart

1. Potential or actual Information Governance / Information Security related incident identified.
2. Incident management: the staff member who identified the incident must log it using the CCG incident reporting tool (Safeguard) and inform the Lead IG / IG Officer in the CCG as soon as possible.
3. Incident report received by the IG Team and logged on the IG Incident Logbook.
4. Assessment of the severity level of the incident by the Lead IG / IG Officer and associated personnel (e.g. Information Security Officers, Caldicott Guardian, SIRO, the department that reported the incident) using the HSCIC grading tool.

Incident graded at Level 0-1 (Information Governance related incident):
- Manage locally.
- Investigation.
- Final report (to be fed back to all parties concerned) and update to the Logbook.
- Feed into training and awareness sessions.

Incident scored at Level 2 and above (Information Governance related Serious Incident Requiring Investigation, SIRI):
- Inform the CCG Caldicott Guardian and SIRO.
- Report on the IG Incident Reporting Tool within 24 hours (the score can be changed later if need be). This informs the ICO and DH.
- Hold an investigation meeting (IG / CG / SIRO and other relevant parties). Form and document an action plan / lessons learned.
- IG Team produce the IG Incident Report.
- Reply to ICO investigation questions (if sent) and keep the ICO updated.
- IG Team feed back the outcome and update Safeguard, the Logbook and the IG Toolkit Incident Reporting Tool (amending the score if necessary).
- Close the incident and, if an IG SIRI, close it on the IGTK Incident Reporting Tool.
6. Cyber Security Incident Reporting and Management Process

6.1 Figure 2 outlines the incident reporting process for cyber security incidents. In most cases staff will report such incidents via the IT helpdesk, because they tend to present as IT problems: a PC / laptop not working correctly, phishing emails, or denial of access to a system or webpage. For this reason the IG Team are linking with IT Services and the GMSS IT Security Manager to capture such recorded incidents. Candidate tickets are identified by key words and then confirmed as cyber security incidents or not. Confirmed incidents are notified to the IG Team, who liaise with IT Security staff to assess severity and sensitivity and grade the incident as per the HSCIC checklist. The incident is logged on the Cyber Security Incident Logbook and updated throughout the investigation process.

6.2 Incidents may also be captured via the CCG's incident procedure. In these cases the IG Team will liaise with the IT Security Manager to inform them and follow the same process as above.

6.3 For cyber security incidents it is vital that the person responsible for any operational response, typically the CCG IT Manager, is notified and that the SIRO is kept up to date.

6.4 Cyber security incidents scored at level 2 and above must be logged on the IG Toolkit Incident Reporting Tool. This triggers an automated notification to the Department of Health and the HSCIC. Please note that the ICO are not informed of cyber incidents scored at level 2 and above; a cyber incident that is also an IG SIRI follows the IG SIRI route in Figure 1.
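The key-word screen described in 6.1, as an added example (not the CCG's or GMSS's own tooling, and not part of the original procedure): helpdesk ticket text is matched against phrases for the cyber incident types listed in 3.3, and only the hits are passed on to the IG Team for confirmation and grading. The phrase lists, the Ticket fields and the sample tickets are constructed assumptions; ServiceNow is not queried and the tickets are embedded inline.

```python
"""Key-word screen for helpdesk tickets, illustrating section 6.1.

Added example, not the CCG's or GMSS's code. Category phrases and the
sample tickets are constructed assumptions, not taken from the procedure.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Cyber incident types named in section 3.3, each with hypothetical trigger
# phrases a ticket might contain. Word boundaries stop short tokens firing
# inside unrelated words (e.g. "dos" inside "windows").
CATEGORY_PATTERNS = {
    "phishing": [
        r"\bphish\w*",
        r"\bsuspicious (e-?mail|link|attachment)\b",
        r"\bclicked (on )?a link\b",
    ],
    "denial of service": [
        r"\bdenial[- ]of[- ]service\b",
        r"\bddos\b",
        r"\bdos attack\b",
        r"\bsite (is )?(down|unreachable)\b",
    ],
    "website defacement": [r"\bdefac\w*", r"\bhomepage (has been )?changed\b"],
    "spoof website": [r"\bspoof\w*", r"\bfake (web)?site\b", r"\blook-?alike (site|domain)\b"],
    "social media disclosure": [
        r"\b(twitter|facebook|social media)\b.*\b(patient|confidential|posted)\b",
    ],
    "malicious internal damage": [
        r"\bdeleted (the )?(shared|network) (drive|folder)\b",
        r"\bsabotag\w*",
    ],
    "cyber bullying": [r"\bbully\w*", r"\bharass\w*"],
}
COMPILED = {
    cat: [re.compile(p, re.IGNORECASE) for p in pats]
    for cat, pats in CATEGORY_PATTERNS.items()
}


@dataclass
class Ticket:
    """Minimal helpdesk ticket shape (hypothetical; not the ServiceNow schema)."""
    ticket_id: str
    short_description: str
    notes: str = ""


@dataclass
class ScreenResult:
    ticket_id: str
    categories: list[str] = field(default_factory=list)
    matched_terms: list[str] = field(default_factory=list)

    @property
    def candidate(self) -> bool:
        """True when the ticket needs a human decision on whether it is a cyber incident."""
        return bool(self.categories)


def screen_ticket(ticket: Ticket) -> ScreenResult:
    """Tag a ticket with every 3.3 category whose phrases appear in its text."""
    text = f"{ticket.short_description}\n{ticket.notes}"
    result = ScreenResult(ticket.ticket_id)
    for category, patterns in COMPILED.items():
        for pattern in patterns:
            match = pattern.search(text)
            if match:
                result.categories.append(category)
                result.matched_terms.append(match.group(0))
                break  # one hit per category is enough
    return result


def screen_tickets(tickets: list[Ticket]) -> list[ScreenResult]:
    """Return only the tickets the IG Team should confirm or reject as cyber incidents."""
    return [r for r in (screen_ticket(t) for t in tickets) if r.candidate]


# Constructed sample tickets (not real helpdesk data).
SAMPLE_TICKETS = [
    Ticket("INC0001", "Laptop will not boot", "Blue screen on start-up since this morning."),
    Ticket("INC0002", "Suspicious email", "User clicked on a link in a phishing email asking for NHSmail password."),
    Ticket("INC0003", "Cannot reach CCG website", "Public site is down; ISP reports a DDoS against the web host."),
    Ticket("INC0004", "Windows update stuck", "Update at 30% for two hours."),
    Ticket("INC0005", "Odd page on intranet", "Homepage has been changed to show a political message."),
]

if __name__ == "__main__":
    for r in screen_tickets(SAMPLE_TICKETS):
        print(r.ticket_id, r.categories, r.matched_terms)
```

A flagged ticket is only a candidate; the grading in 6.1 stays with the IG Team and IT Security. The failure mode to watch is the miss, a cyber incident described in words the phrase list does not contain, which is why the second route in 6.2 (capture via the CCG incident procedure) matters; review the unflagged tickets periodically and tune the phrases to local wording.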
Figure 2: Cyber Security Incident Reporting Process
Step One: Notification from IT Services / GMSS IT Security Manager

7. Reporting

7.1 Reporting in the Annual Governance Statement / Statement of Internal Control
Incidents classified at IG SIRI level 2 and above are those classed as a personal data breach or as carrying a high risk of reputational damage, and are reportable to the DoH and the ICO. These incidents must be detailed individually in the annual report / governance statement / Statement of Internal Control as per Table 1 below. Notes to assist in completing the table can be found in the HSCIC checklist: ist%20guidance.pdf
Table 1: Summary Table of IG SIRIs

SUMMARY OF SERIOUS UNTOWARD INCIDENTS INVOLVING PERSONAL DATA AS REPORTED TO THE INFORMATION COMMISSIONER'S OFFICE [from year to year]

Date of Incident (month) | Nature of Incident | Nature of data involved | Number of people potentially affected | Notification Steps
Jan | Loss of inadequately protected electronic storage device | Name, address, NHS number | 1,500 | Individuals notified by post

Further action on information risk: The CCG will continue to monitor and assess its information risks, in light of the events noted above, in order to identify and address any weaknesses and ensure continuous improvement of its systems. The member of staff responsible for this incident has been dismissed.

7.2 A summary of IG incidents must also be published in annual reports / governance statements using the summary table shown in Table 2.

Table 2: Annual Summary of IG reported incidents at Level 1 and below

SUMMARY OF OTHER PERSONAL DATA RELATED INCIDENTS IN [insert year to year]

Category | Nature of Incident | Total
A | Corruption or inability to recover electronic data |
B | Disclosed in Error |
C | Lost in Transit |
D | Lost or stolen hardware |
E | Lost or stolen paperwork |
F | Non-secure Disposal: hardware |
G | Non-secure Disposal: paperwork |
H | Uploaded to website in error |
I | Technical security failing (including hacking) |
J | Unauthorised access / disclosure |
K | Other |

Please note that incidents designated as pure cyber are not required to be included in the annual report and SIC at this time. However, cyber incidents that are also IG SIRIs should be included.

7.3 Reporting by the HSCIC
The document below explains how the HSCIC publish data on IG SIRIs: tatement.pdf
7.4 Reporting to the Information Governance Operational Group (IGOG)
IG incidents are reported routinely at the IGOG meeting via the IG Key Statistics Report. Lessons learned are discussed and actioned when necessary.

8. Closure and Lessons Learned from the IG Incident

- Set a target timescale for completing the investigation and finalising the report.
- The report is reviewed and signed off by the appropriate persons or appraisal group.
- Identify who is responsible for disseminating lessons learnt.
- An IG SIRI is closed only when all aspects, including any disciplinary action against staff, are settled.
- Update the IG Incident Reporting Tool. The record cannot be closed until all the data fields are populated, including Actions Taken and Lessons Learned.
- The HSCIC External IG Delivery Team will be notified by e-mail when an incident is closed and will monitor progress.
- The CCG Board must publish data breaches involving the processing of personal data without a legal basis, where one is required. Reports of IG SIRIs should be published on the CCG website and can be easily exported from the IG Incident Reporting Tool for publication.

9. Training and Awareness

This procedure will be available in the CCG's Policy Library on the intranet and on the Information Governance page of the staff intranet. Staff are also informed about the reporting of incidents during mandatory training. Lessons learned from incidents will be fed back into future training or, where appropriate, to the staff concerned, to encourage further participation and demonstrate the value of reporting to the CCG. The relevant CCG committees where IG is an agenda item are made aware of the information governance related incidents reported and the associated action plans to mitigate similar incidents occurring in the future. All staff will continue to be informed about the importance of reporting information governance related incidents via a variety of media such as handouts, leaflets, the intranet, the newsletter, e-mails and training sessions.

10. Accountability, Responsibilities and Training

Overall accountability for procedural documents across the organisation lies with the Chief Officer, who has overall responsibility for establishing and maintaining an effective document management system, for meeting all statutory requirements and for adhering to guidance issued in respect of procedural documents. Overall responsibility for the Incident Reporting Procedure lies with the Risk Manager, who has delegated responsibility for managing the development and implementation of Information Governance Incident Reporting procedural documents.

The Senior Information Risk Owner (SIRO), with support from the Information Asset Owners, is responsible for any issues of information risk that arise from incidents and for ensuring appropriate actions are in place to mitigate future risk.

The Caldicott Guardian is responsible for overseeing and advising on issues of service user confidentiality for the CCG.

Line managers are responsible for ensuring that all staff, particularly new staff, temporary staff, contractors and volunteers, know what is expected of them with respect to confidentiality and protecting information. They are also responsible for monitoring compliance with this guideline, e.g. undertaking ad hoc audits to check for inappropriate disclosures, records left out, abuse of passwords etc.

Staff are responsible for maintaining the confidentiality of all personal and corporate information gained during their employment with the CCG, and this duty continues after they have left the employ of the CCG. Individual staff members are personally responsible for any decision they make to pass on information. All staff are responsible for adhering to the Caldicott Principles, the Data Protection Act and the Confidentiality Code of Conduct.

Staff will receive instruction and direction regarding the policy from a number of sources: policy / strategy and procedure manuals; line manager; specific training courses; other communication methods (e.g. team brief / team meetings); the staff intranet.

All staff are mandated to undertake Information Governance training on an annual basis. This training should be provided within the first year of employment and then updated as appropriate in accordance with the Information Governance policy.

11. Monitoring and review

11.1 Performance against Key Performance Indicators will be reviewed on an annual basis and used to inform the development of future procedural documents. This procedure will be reviewed yearly, and additionally on an as-and-when-required basis in response to: legislative changes; good practice guidance; case law; significant incidents reported; new vulnerabilities; and changes to organisational infrastructure.

12. Legislation and related documents

12.1 A set of procedural document manuals will be available via the CCG staff intranet. Staff will be made aware of procedural document updates as they occur via team briefs, team meetings and notification via the CCG staff intranet. All documents in the CCG Policies and Procedures Register are relevant.
More informationCybersecurity for Health Care Providers
Cybersecurity for Health Care Providers Montgomery County Medical Society Provider Meeting February 28, 2017 T h e MARYLAND HEALTH CARE COMMISSION Overview Cybersecurity defined Cyber-Threats Today Impact
More informationIt applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).
Our Privacy Policy 1 Purpose Mission Australia is required by law to comply with the Privacy Act 1988 (Cth) (the Act), including the Australian Privacy Principles (APPs). We take our privacy obligations
More informationAccess Control Policy
Access Control Policy Version Control Version Date Draft 0.1 25/09/2017 1.0 01/11/2017 Related Polices Information Services Acceptable Use Policy Associate Accounts Policy IT Security for 3 rd Parties,
More informationLCU Privacy Breach Response Plan
LCU Privacy Breach Response Plan Sept 2018 Prevention Communication & Notification Evaluation of Risks Breach Containment & Preliminary Assessment Introduction The Credit Union makes every effort to safeguard
More informationDATA PROTECTION POLICY THE HOLST GROUP
DATA PROTECTION POLICY THE HOLST GROUP INTRODUCTION The purpose of this document is to provide a concise policy regarding the data protection obligations of The Holst Group. The Holst Group is a data controller
More informationData Privacy Breach Policy and Procedure
Data Privacy Breach Policy and Procedure Document Information Last revision date: April 16, 2018 Adopted date: Next review: January 1 Annually Overview A privacy breach is an action that results in an
More informationInformation Governance Policy
NHS Dorset Clinical Commissioning Group Information Governance Policy 16 December 2015 Supporting people in Dorset to lead healthier lives PREFACE This policy sets out best practice guidance for all staff
More informationCyber Risks in the Boardroom Conference
Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks
More informationINFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare
INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore
More informationINFORMATION SYSTEMS SECURITY POLICY (ISSP)
INFORMATION SYSTEMS SECURITY POLICY (ISSP) Policy Number & Category IG 02 Information Governance Version Number & Date Version 3.7 February 2009 Ratifying Committee Date Approved March 2009 Next Review
More informationPRIVACY NOTICE VOLUNTEER INFORMATION. Liverpool Women s NHS Foundation Trust
PRIVACY NOTICE VOLUNTEER INFORMATION Liverpool Women s NHS Foundation Trust Introduction This document summarises who we are, what information we hold about you, what we will do with the information we
More informationCompany Policy Documents. Information Security Incident Management Policy
Information Security Incident Management Policy Information Security Incident Management Policy Propeller Studios Ltd is responsible for the security and integrity of all data it holds. Propeller Studios
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationPTLGateway Data Breach Policy
1 PTLGateway Data Breach Policy Last Updated Date: 02 March 2018 Data Breach Policy This page informs you of our policy which is to establish the goals and the vision for the breach response process. This
More informationPrivacy Policy GENERAL
Privacy Policy GENERAL This document sets out what information Springhill Care Group Ltd collects from visitors, how it uses the information, how it protects the information and your rights. Springhill
More informationSWBCCG Pol 18. Information Governance handbook
SWBCCG Pol 18 Information Governance handbook 1 SWBCCG Pol 18 Information Reader Box Directorate Purpose Document Purpose Document Name Author Sandwell and West Birmingham CCG Guidance Procedures Information
More informationData Handling Security Policy
Data Handling Security Policy May 2018 Newark Orchard School Data Handling Security Policy May 2018 Page 1 Responsibilities for managing IT equipment, removable storage devices and papers, in the office,
More informationBOARD OF DIRECTORS (OPEN) Meeting Date: 14 th November 2018
BORD OF DIRECTORS (OPEN) Meeting Date: 14 th November 2018 Open BoD 14.11.18 Item 14 TITLE OF PPER TO BE PRESENTED BY CTION REQUIRED Senior Information Risk Owner (SIRO) nnual Report Phillip Easthope,
More informationVirginia State University Policies Manual. Title: Information Security Program Policy: 6110
Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including
More informationINFORMATION GOVERNANCE HANDBOOK
INFORMATION GOVERNANCE HANDBOOK 1 Version 2.0 Information Reader Box Document Name Author Information Governance Handbook Information Governance Team CSU Publication Date 09/12/2015 Review Date 09/12/2016
More informationUse of and Instant Messaging (IM) Policy
Use of Email and Instant Messaging (IM) Policy Name of Author and Job Title: Mike Cavaye, IT & Digital Consultant Name of Review/Development Body: IT Services Ratification Body: Quality and Safety Group
More informationInformation Security Controls Policy
Information Security Controls Policy Version 1 Version: 1 Dated: 21 May 2018 Document Owner: Head of IT Security and Compliance Document History and Reviews Version Date Revision Author Summary of Changes
More informationORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers
All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision
More informationStatutory Notifications
Registration under the Health and Social Care Act 2008 Statutory Notifications Guidance for registered providers and managers of NHS GP and other primary medical services May 2013 Statutory notifications
More informationData Protection Policy
Data Protection Policy Data Protection Policy Version 3.00 May 2018 For more information, please contact: Technical Team T: 01903 228100 / 01903 550242 E: info@24x.com Page 1 The Data Protection Law...
More informationData Protection Policy
Page 1 of 6 General Statement The Local Governing Bodies of the academies have overall responsibility for ensuring that records are maintained, including security and access arrangements, in accordance
More informationUWTSD Group Data Protection Policy
UWTSD Group Data Protection Policy Contents Clause Page 1. Policy statement... 1 2. About this policy... 1 3. Definition of data protection terms... 1 4. Data protection principles..3 5. Fair and lawful
More informationBring Your Own Device (BYOD) Policy
SH IG 58 Information Security Suite of Policies Bring Your Own Device (BYOD) Policy Version 1 Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: Next Review Date: This
More informationSubject: Kier Group plc Data Protection Policy
Kier Group plc Data Protection Policy Subject: Kier Group plc Data Protection Policy Author: Compliance Document type: Policy Authorised by: Kier General Counsel & Company Secretary Version 3 Effective
More informationEmployee Security Awareness Training Program
Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,
More informationPrivacy Impact Assessment
Automatic Number Plate Recognition (ANPR) Deployments Review Of ANPR infrastructure February 2018 Contents 1. Overview.. 3 2. Identifying the need for a (PIA).. 3 3. Screening Questions.. 4 4. Provisions
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationInformation backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013
Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board Issued: September 2013 Document reference: 495A2013 Status of report This document has been prepared for the internal
More informationEnviro Technology Services Ltd Data Protection Policy
Enviro Technology Services Ltd Data Protection Policy 1. CONTEXT AND OVERVIEW 1.1 Key details Rev 1.0 Policy prepared by: Duncan Mounsor. Approved by board on: 23/03/2016 Policy became operational on:
More informationMobile Working Policy. Item 15.3
Mobile Working Policy Item 15.3 Authorship: Committee Approved: Chris Wallace, Information Governance Manager, North Yorkshire & Humber Commissioning Support Unit Management Team Approved date: Review
More informationPolicy Title; Business Continuity Management Policy. Date Published/Reviewed; February 2018
Policy Title; Business Continuity Management Policy Date Published/Reviewed; February 2018 Business Lead; Head of Strategic Governance CCMT sponsor; Deputy Chief Constable Thames Valley Police ensures
More informationInformation Security Policy for Associates and Contractors
Information Security Policy for Associates and Contractors Version: 1.13 Date: 11 October 2016 Reference: 67972761 Location: Livelink Contents Introduction... 3 Purpose... 3 Scope... 3 Responsibilities...
More informationExternal Supplier Control Obligations. Cyber Security
External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place
More informationUpcoming PIPEDA Changes What is changing and what to do about it
Upcoming PIPEDA Changes What is changing and what to do about it Danny Pehar Global Television Cyber Security Expert 02 Danny Pehar Put Text Here This slide is 100% editable. Adapt it to your needs and
More informationThe University of British Columbia Board of Governors
The University of British Columbia Board of Governors Policy No.: 118 Approval Date: February 15, 2016 Responsible Executive: University Counsel Title: Safety and Security Cameras Background and Purposes:
More informationNEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?
NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:
More informationAccess to personal accounts and lawful business monitoring
Access to personal email accounts and lawful business monitoring Contents Policy statement... 2 Access to personal emails... 2 Manager suspects misuse... 3 Lawful business monitoring... 4 Additional information...
More informationCyber Security Program
Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by
More informationInformation Governance and Code of Conduct
This document is also available in other languages and formats upon request Information Governance and Code of Conduct For further information and guidance contact the Information Governance team: Tel:
More informationPolicy. Business Resilience MB2010.P.119
MB.P.119 Business Resilience Policy This policy been prepared by the Bi-Cameral Business Risk and Resilience Group and endorsed by the Management Boards of both Houses. It is effective from December to
More informationDATA BREACH POLICY [Enniskillen Presbyterian Church]
DATA BREACH POLICY [Enniskillen Presbyterian Church] Enniskillen Presbyterian Church is committed to complying with data protection legislation and will take appropriate technical and organisational measures
More informationData protection. 3 April 2018
Data protection 3 April 2018 Policy prepared by: Ltd Approved by the Directors on: 3rd April 2018 Next review date: 31st March 2019 Data Protection Registration Number (ico.): Z2184271 Introduction Ltd
More informationUWC International Data Protection Policy
UWC International Data Protection Policy 1. Introduction This policy sets out UWC International s organisational approach to data protection. UWC International is committed to protecting the privacy of
More informationPCA Staff guide: Information Security Code of Practice (ISCoP)
PCA Staff guide: Information Security Code of Practice (ISCoP) PCA Information Risk and Privacy Version 2015.1.0 December 2014 PCA Information Risk and Privacy Page 1 Introduction Prudential Corporation
More informationPolicy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.
London School of Economics & Political Science IT Services Policy Remote Access Policy Jethro Perkins Information Security Manager Summary This document outlines the controls from ISO27002 that relate
More informationCybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City
1 Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City The opinions expressed are those of the presenters and are not those of the Federal Reserve Banks, the
More informationAPF!submission!!draft!Mandatory!data!breach!notification! in!the!ehealth!record!system!guide.!
enquiries@privacy.org.au http://www.privacy.org.au/ 28September2012 APFsubmission draftmandatorydatabreachnotification intheehealthrecordsystemguide. The Australian Privacy Foundation (APF) is the country's
More informationGDPR Draft: Data Access Control and Password Policy
wea.org.uk GDPR Draft: Data Access Control and Password Policy Version Number Date of Issue Department Owner 1.2 21/01/2018 ICT Mark Latham-Hall Version 1.2 last updated 27/04/2018 Page 1 Contents GDPR
More informationCloud Security Standards
Cloud Security Standards Classification: Standard Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January 2018 Next
More information