Information Governance Policy (incorporating IM&T Security)


ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY

Target Audience: All staff employed or working on behalf of the Trust and third parties supplying goods and services to the Trust
Version: 5.1
Approved by: Caldicott & IG Committee
Date approved: 14th June 2016
Ratified by: Executive Management Committee
Date ratified: 22nd July 2016
Author: Information Governance Manager
Lead Director: Director of Finance
Name of Responsible individual/committee: Caldicott & IG Committee
Consultation: Caldicott & IG Committee, TPSG
BHT Document Reference: BHT Pol 051
Department Document Reference: IG0005
Date Issued: May 2016
Review Date: May 2019
Location: Swan Live Intranet, Policies & Guidelines/Policies & Strategies/Information Governance
Equality Impact Assessment: June 2016

Approval and Authorisation

Completion of the following detail signifies the review and approval of this document, as minuted in the senior management group meeting shown.

Version / Authorising Group / Date
- 2.0: Caldicott & Information Governance Committee, Dec; Ratified by Trust Management Committee, April
- Ratified by Trust Management Committee
- Caldicott & Information Governance Committee, Dec; Ratified by Trust Management Committee, March
- Ratified by Executive Management Committee

Change History (Version / Status / Reason for change / Author / Date)
- 2.6, Draft: Minor amendments following consultation. A Chilcott, Dec
- Draft: Circulated to Joint Management & Staff Committee. A Chilcott, Jan
- Approved: Caldicott & Information Governance Chairman's action. A Chilcott, April 10
- 3.0, Ratified: Ratified by Trust Management Committee. A Chilcott, May 10
- Informal annual review, no changes. A Chilcott, July
- Draft: Formal review, minor changes only. Circulated to Caldicott & IG Committee. A Chilcott, Feb 13
- 4.0, Approved: Caldicott Committee Chairman's action noted at the TNC meeting. A Chilcott, Apr 13
- Minor change to section 4 re removal of SIRO job title. A Chilcott, Jan 14
- 4.2, Update: Annual informal review. Updated section 3.3 Information Security regarding the new logging and reporting requirements of SIRI to the IG Incident Reporting Tool in the IG Toolkit. Section 5: updated 5.3 Caldicott Review 2 and added new section 5.5 HSCIC. L Pask / S Abraham, Nov 2014
- 4.3, Draft: Circulated to Caldicott and IG Committee. L Pask / S Abraham, Nov 2014
- 4.3, Approved: Caldicott and IG meeting. L Pask / S Abraham, Mar
- Draft: Formal review. Added new section 5.6 NHS Constitution for England. Revised section 6 Monitoring this policy. L Pask / S Abraham, May 2016
- Approved: Approved by Caldicott and IG Committee, TPSG. June
- Approved: Ratified by EMC. July
- Added new section 5.7 following consultation: Accessible Information Standard. L Pask, Aug 2016

Related Documents (Ref # / Document title / Document Reference / Document location)
1. Confidentiality Code of Practice, IG0008, Intranet

2. IT Access to Secure Areas Procedure, IG0047, Intranet
3. Confidentiality and Data Protection Code of Conduct & Agreement for Third Parties Supplying Goods, Services or Consultancy to the Trust, IG0012, Intranet
4. Freedom of Information Policy, BHT Pol 042, Intranet
5. IT Network Remote Access Policy, IG0056, Intranet
6. IT Asset Management Procedure, IG0054, Intranet
7. Safe Haven Procedure, IG0048, Intranet
8. Computer User Access Management Policy, IG0031, Intranet
9. IT Computer Usage Policy, IG0009, Intranet
10. Trust Incident Reporting Policy & Procedure, Intranet
11. Handling Reported Information Security Incidents Procedure, IG0043, Intranet
12. IT Virus Control Procedure, IG0044, Intranet
13. IT Network Security Policy, IG0042, Intranet
14. IT Internet Access Policy, IG0034, Intranet
15. IT User Account and Usage Policy, IG0035, Intranet
16. Procedure for Implementing New Databases and Information Flows, IG0025, Intranet
17. IT Server Security Procedure, IG0055, Intranet
18. Information Governance Strategy, IG0041, Intranet
19. Risk Management Policy, BHT Pol 079, Intranet
20. Risk Management Strategy, BHT S019, Intranet
21. Waste Management Policy, BHT Pol 095, Intranet
22. Records Management Policy, BHT Pol 125, Intranet
23. Records Management Strategy, BHT S018, Intranet
24. Information Risk Policy, IG0088, Intranet

Reference Documents (Ref # / Document title / Document location)
1. NHS Code of Conduct & Accountability, Internet
2. Freedom of Information Act 2000 (a/2000/36/contents), Internet
3. Data Protection Act 1998 (a/1998/29/contents), Internet
4. Health & Social Care Act 2012 (a/2012/7/contents/enacted), Internet
5. NHS Care Records Guarantee (2011) V5 (asmartcards/documents/crg.pdf), Internet
6. Caldicott Review 2, Dept of Health: The Information Governance Review (2013) (ent/uploads/system/uploads/attachment_data/file/ / _InfoGovernance_accv2.pdf), Internet
7. HSCIC, Sept 2013: A Guide to Confidentiality in Health & Social Care - Treating confidential information with respect (ia/12822/guide-to-confidentiality-in-health-and-social-care/pdf/hscic-guide-to-confidentiality.pdf), Internet

Table of Contents
1. PURPOSE
2. SCOPE
3. POLICY PRINCIPLES
   3.1 Openness
   3.2 Legal Compliance
   3.3 Information Security
   3.4 Information Quality Assurance
4. MANAGEMENT STRUCTURE AND RESPONSIBILITY
5. LEGISLATION AND KEY REFERENCE DOCUMENTS
6. MONITORING THIS POLICY
7. REVIEW OF THIS POLICY
APPENDIX A - INFORMATION MANAGEMENT AND SECURITY FRAMEWORK

1. PURPOSE

Information is a vital and valuable asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in corporate governance, service planning and performance management. It is of paramount importance to ensure that the Trust's information and key information assets are efficiently managed, and to have a solid strategy in place to comply in full with the legal, regulatory and governance requirements and mandates.

The purpose of the Policy is to establish a robust governance framework for information management and for preserving the confidentiality, integrity, security and accessibility of data, processing systems and information in Buckinghamshire Healthcare NHS Trust. Appendix A provides a more detailed set of requirements in relation to information management and technology security controls.

The Trust monitors its Information Governance (IG) controls through the Health and Social Care Information Centre (HSCIC) IG Toolkit (supported by the Department of Health), which is a mandatory performance and management self-assessment tool ensuring compliance with the legal and regulatory requirements of handling information. It covers the areas of:
- Information Governance Management
- Confidentiality and Data Protection Assurance
- Information Security Assurance
- Clinical Information Assurance
- Secondary Use Assurance
- Corporate Information Assurance

All information security requirements in the NHS Information Governance Toolkit are based on the international standard BS ISO/IEC 27002.

2. SCOPE

This policy applies to all information, information systems, networks, applications and locations, to all staff employed or working on behalf of the Trust, and to third parties supplying goods and services to the Trust.

3. POLICY PRINCIPLES

The principles are to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by the Trust by:
- Ensuring that all members of staff are aware of their personal responsibilities and fully comply with the relevant legislation as described in this and other policies.
- Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibility and the need for an appropriate balance between openness and confidentiality in the management and use of information.
- Creating and maintaining within the organisation a level of awareness of the need for information security as an integral part of day to day business, and explaining how it should be implemented in the organisation.
- Supporting the principles of corporate governance and recognising its public accountability, while at the same time safeguarding the confidentiality and security of both personal information about patients and staff and commercially sensitive information.
- Recognising the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.
- Protecting information assets under the control of the Trust.

There are four key interlinked strands to the Information Governance Policy:
- Openness
- Legal compliance
- Information security
- Quality assurance

3.1 Openness
- Non-confidential information about the Trust and its services should be available to the public through a variety of media, in line with the NHS Code of Conduct & Accountability.
- The Trust will establish and maintain policies to ensure compliance with the Freedom of Information Act 2000.
- The Trust will undertake or commission regular assessments and audits of its policies and arrangements for openness.
- Patients should have ready access to information relating to their own health care, their options for treatment and their rights as patients.
- The Trust will have clear procedures and arrangements for liaison with the press and broadcasting media.
- The Trust will have clear procedures and arrangements for handling queries from patients and the public.

3.2 Legal Compliance
- The Trust will comply with the Data Protection Act 1998 and will establish and maintain appropriate and adequate administrative arrangements for responding to data subject access requests within the timescales defined under the Act.
- The Trust regards all identifiable information relating to patients and staff as confidential except where exemptions can be applied.
- Trust staff will be made aware of all other relevant legislation and guidance relating to information security and confidentiality.
- Patients will be informed of the purpose for which information is being collected and who may access it.
- Direct consent will be sought from the patient where appropriate for the collection, processing and disclosure of data.
- Procedures and guidance will be provided to ensure appropriate disclosure of patient information, having regard to established professional ethics, patient consent, formal access controls for clinical records and statutory requirements.
- The Trust will undertake or commission regular assessments and audits of its compliance with legal requirements.

- The Trust will establish and maintain policies to ensure compliance with the common law duty of confidentiality and all relevant Acts of Parliament.
- Patient and/or staff information will be shared with other agencies in accordance with agreed protocols and relevant legislation (e.g. Health and Social Care Act, Crime and Disorder Act, Protection of Children Act).

3.3 Information Security
- Systems will be established to ensure that corporate records, including health records, are available and accessible at all times.
- The Trust will establish effective authorisation procedures for the use of and access to confidential information and records. Control over access to and disclosure of health records is overseen by the Caldicott Guardian.
- The Trust will establish and maintain policies for the effective and secure management of its information assets and resources.
- The Trust will undertake or commission regular assessments and audits of its information and IT security arrangements.
- The Trust will promote effective confidentiality and security practice to its staff through policies, procedures and training.
- The Trust will establish and maintain incident reporting procedures, which will include the monitoring and, where appropriate, investigation of reported instances of actual or potential breaches of confidentiality or information security.
- All IG Serious Incidents Requiring Investigation (SIRI) will be assessed and graded using the Health & Social Care Information Centre (HSCIC) checklist guidance. All level 2 or above IG serious incidents are logged onto the Incident Reporting Tool in the IG Toolkit, which then automatically notifies the Department of Health and the Information Commissioner's Office.

3.4 Information Quality Assurance
- The Trust will establish and maintain policies and procedures for information quality assurance and the effective management of records.
- The Trust will undertake or commission regular assessments and audits of its information quality and records management arrangements.
- Information Asset Owners and Line Managers are expected to take ownership of, and seek to improve, the quality of information within their services.
- Wherever possible, information quality should be assured at the point of collection.
- Data standards will be set through clear and consistent definition of data items, in accordance with national standards.

4. MANAGEMENT STRUCTURE AND RESPONSIBILITY

All Trust staff are required to maintain the security, confidentiality, integrity and availability of all Trust information, including that which relates to patients and staff. Information Governance responsibilities will be detailed in all job descriptions and staff contracts of employment, and in the contracts for all suppliers and other external users. Non-compliance with the policy can result in disciplinary action.

Trust Board
It is the role of the Trust Board to define the Trust's policy in respect of Information Governance and risk and to meet legal, statutory and NHS requirements. The Board is responsible for ensuring that sufficient resources are provided to support the requirements of the policy. Responsibility for this is delegated through the Chief Executive Officer to the Finance Director as Senior Information Risk Owner (SIRO).

Executive Management Committee
This committee is the forum for making major operational decisions and assists the Chief Executive in the performance of their duties, including:
- Development and implementation of strategy, operational plans, policies, procedures and budgets.
- Monitoring of operating and financial performance.
- The assessment and control of risk, and the prioritisation and allocation of resources.
- Receiving and acting on reports from the SIRO through the Caldicott & Information Governance Committee.

Senior Information Risk Owner (SIRO)
- Is responsible for and takes ownership of the organisation's Information Governance/risk policy and acts as advocate for Information Governance risk on the Board.
- Authorises the Information Governance Toolkit self-assessment submissions.
- Ensures that an effective information assurance governance infrastructure is in place, including information asset ownership, reporting, and defined roles and responsibilities.
- Ensures that the Caldicott and Information Governance Committee has a suitably experienced chairman in place.

Information Asset Owner (IAO)
- Information Asset Owners are senior individuals involved in running the relevant business. Their responsibility is to identify, understand and address risk to the information assets they own.
- Responsible for the operational management of the Trust's records in accordance with Trust policy.
- Accountable to the SIRO for providing assurance on the security and use of their information assets.

Caldicott & Information Governance Committee
- This committee is responsible for overseeing day to day Information Governance issues.
- Develops, maintains and approves policies, standard procedures and guidance.
- Coordinates and raises awareness of Information Governance in the Trust.
- Reports on an exception basis to the Trust Management Committee on Information Governance issues and risk.
- Supports the Senior Information Risk Owner in the completion of their delegated duties.
- Directs and monitors compliance with the HSCIC Information Governance Toolkit.

Caldicott Guardian
The Caldicott Guardian acts in a strategic, advisory and facilitative capacity in the use and sharing of patient information, and is responsible for approving, monitoring and reviewing protocols governing access to person identifiable information by staff within the Trust and by other organisations, both NHS and non-NHS.

Information Governance Manager / Information Security Officer
- Provides expert technical advice and guidance to the Trust on matters relating to information governance.
- Acts as the Trust Information Security Manager.
- Develops and provides suitable Information Governance training for all staff.
- Monitors actual or potential reported information security incidents within the organisation. Refer to policy IG0043 Handling Reported Security Incidents (BHT Pol 221).
- Supports and assists the IT Security Officer with regard to IT/information security incidents.
- Responsible for the timely completion and submission of the end of financial year HSCIC IG Toolkit self-assessment.

Head of IT Operations / IT Security Officer
- Provides expert technical advice to the Trust on matters relating to IT security and ensures compliance and conformance.
- Acts as the Trust IT Security Manager.
- Supports and assists the Information Security Officer with regard to IT/information security incidents.

Managers
- Responsible for ensuring that the policy and its supporting standards and guidelines are built into local processes and that there is ongoing compliance.
- Responsible for ensuring that all staff job descriptions contain the relevant responsibility for information security, confidentiality and records management.
- Responsible for ensuring that staff undertake Information Governance mandatory training and that ongoing training needs are routinely assessed.
- Individually responsible for the security of their physical environment where information is processed and stored.
- Hold day to day responsibility for the management of Trust records within their respective area/department.

All staff
All staff, whether permanent, temporary or contracted, including students, contractors and volunteer staff, shall comply with information security policy and procedures, including the maintenance of data confidentiality and data integrity, and shall ensure that no breach of information security or confidentiality results from their actions. Failure to do so may result in disciplinary action. All staff must ensure they keep appropriate records of their work in the Trust and manage those records in keeping with this policy and with any other guidance subsequently produced. Each member of staff shall be responsible for the operational security of the information systems they use. All staff are required to undertake relevant Information Governance training covering confidentiality and information security.

Third party contractors / third parties
Appropriate contracts and confidentiality/information security agreements shall be in place with third party contractors and third parties where potential or actual access to information assets is identified.

5. LEGISLATION AND KEY REFERENCE DOCUMENTS

5.1 The Trust is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of the Trust, who may be held personally accountable for any breaches of information security for which they are responsible. The Trust shall comply with the following legislation and key documents, and with other legislation as appropriate:
- The Data Protection Act (1998)
- The Data Protection (Processing of Sensitive Personal Data) Order 2000
- The Copyright, Designs and Patents Act (1988)
- The Computer Misuse Act (1990)
- The Health and Safety at Work Act (1974)
- Human Rights Act (1998)
- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
- Health & Social Care Act 2008
- Confidentiality: NHS Code of Practice
- Records Management: NHS Code of Practice
- Information Security Management: NHS Code of Practice
- Caldicott Committee Report 1997 and Caldicott Review

5.2 The NHS Care Record Guarantee for England 2005 (revised 2011) sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this. It covers people's access to their own records, controls on others' access, how access will be monitored and policed, options people have to further limit access, access in an emergency, and what happens when someone cannot make decisions for themselves. Everyone who works for the NHS, or for organisations delivering services under contract to the NHS, has to comply with this guarantee.

5.3 The Department of Health Committee's Report on the Review of Patient Identifiable Information, published December 1997, made a number of recommendations, including the appointment of a Caldicott Guardian in all NHS organisations (Health Service Circular 1999/012), and also led to the establishment of a set of six clear principles reflecting best practice in the handling of confidential patient information. The Principles were revised in September 2013 by the Caldicott 2 Review Panel in their report "Information: To Share or Not to Share? The Information Governance Review". This review highlighted the need for an appropriate balance between the protection of patient information and the need to share patient information when sharing would be in the patient's best interests, which led to the introduction of a new seventh Caldicott Principle.

5.4 A Cabinet Office data handling review in December 2008 mandated a range of standards for managing information and for ensuring compliance with the Data Protection Act 1998. These are reflected within the NHS Information Governance Toolkit (the Department of Health mandated self-assessment against compliance with current legislation, standards and national guidance).

5.5 In September 2013, the Health and Social Care Information Centre (HSCIC) also published "A Guide to Confidentiality in Health & Social Care - Treating confidential information with respect". This guide summarises existing laws, principles and obligations when using or sharing confidential information, and describes the confidentiality rules that people are entitled to expect to be followed in care settings run by the NHS or by publicly funded adult social care services.

5.6 The NHS Constitution for England (revised 2013) sets out a series of patients' rights and NHS pledges. All NHS bodies, and private and third sector providers supplying NHS services, are required by law to take account of the Constitution in their decisions and actions. The relevant right for this requirement is: "You have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure."

5.7 Accessible Information Standard
The Accessible Information Standard applies to service providers across the NHS and directs and defines a specific, consistent approach to identifying, recording and sharing the information and communication needs of patients, service users and their carers where those needs relate to a disability or impairment. The aim of the Standard is to establish a framework for identifying, recording and sharing this information so that patients can access services appropriately and independently and remain involved in decisions around their care and treatment. Ref: SCCI1605 Accessible Information Specification.

Organisations must provide one or more communication or contact methods which are accessible to and usable by the patient, service user, carer or parent, and staff must use this method to contact the individual. Examples of accessible communication/contact methods include email, text message and telephone. When alternative contact methods are requested, it is important to remember that patient confidentiality and information security must not be compromised, and reference should be made to the appropriate policy, e.g. the IT User Account and Usage Policy (_it_user_account_and_ _usage_policy_v4.1_rvw_july_2018_1.pdf), to ensure that consent is appropriately documented and that the patient or service user is made aware of the risks involved.

6. MONITORING THIS POLICY

Elements to be monitored / Monitoring method / Lead / Frequency of monitoring / Reporting arrangements
- Key roles and responsibilities: review of job description and contract; Lead: line manager and HR; Frequency: annually; Reported to: SIRO.
- IG training compliance: report from the training programme to identify staff who are non-compliant; Lead: Information Governance; Frequency: regular; Reported to: Caldicott and IG Committee.
- Information security breaches: incident reporting system; Lead: Information Governance; Frequency: regular; Reported to: Caldicott and IG Committee, SIRO.
- Best practice across the Trust: confidentiality spot checks; Lead: Information Governance; Frequency: regular; Reported to: Caldicott and IG Committee.
- Conformance with Dept of Health and HSCIC requirements: IG Toolkit assessment; Lead: Information Governance; Frequency: three times a year; Reported to: Caldicott and IG Committee, SIRO.

7. REVIEW OF THIS POLICY

This document should be subject to review when any of the following conditions are met:
a. The adoption of the Code of Conduct highlights errors and omissions in its content.
b. Other standards or guidance issued by the Trust conflict with the information contained.
c. The knowledge base regarding interpretation of the legislation evolves to the extent that revision would bring about improvement.
d. 3 years from the ratification date.

Information Governance Policy Appendix A - INFORMATION MANAGEMENT AND SECURITY FRAMEWORK

Information takes many forms and includes data stored on computers, transmitted across networks, printed copy, handwritten, sent by fax, stored on tapes, diskettes, CDs, DVDs, USB memory sticks and other mobile media, or spoken in conversation and over the telephone. Data represents an extremely valuable asset, and to ensure its integrity the Trust must safeguard accuracy and completeness by protecting against unauthorised use or disclosure, modification, or interruption.

The increasing reliance of the NHS on information technology for the processing of data and the delivery of healthcare makes it necessary to ensure that these systems are developed, operated, used and maintained in a safe and secure fashion, to protect against events, accidental or deliberate, that may jeopardise healthcare activities. This document is intended to reflect guidance and best practice contained in the Department of Health Information Security Management: NHS Code of Practice, April 2007.

The key issues addressed by this framework are:
- Confidentiality: data is secure and access is confined to those with specified authority to view the data.
- Integrity: all system assets are operating correctly according to specification and in the way the current user believes them to be operating.
- Availability: relevant information is delivered to the right person when it is needed.

1. Information Security Awareness Training
Information security awareness training shall be included in the staff induction process. An ongoing awareness programme shall be established and maintained in order to ensure that staff awareness is refreshed and updated annually.

2. Contracts of Employment
Staff security requirements shall be addressed at the recruitment stage and all contracts of employment shall contain a confidentiality clause. Information security expectations of staff shall be included within appropriate job definitions. All contract agreements with third party suppliers of goods, services or consultancy with access, or possible access, to Trust information assets shall contain a confidentiality clause and an undertaking that any information obtained during the course of performing the contract is confidential, shall only be used for the sole purpose of the execution of the contract, and that the supplier will take all necessary precautions to ensure that all such information is kept secure. They must also sign up to the Trust Third Party Confidentiality Code of Conduct & Non-Disclosure Agreement, IG

3. Security Control of Assets
Each information asset (hardware, software, IT application or data) shall have a named information asset owner who shall be responsible for the information security of that asset. A register of all computing assets and their owners will be established and maintained by the IT department.

4. Access Controls to IT Secure Areas
Only authorised personnel who have a justified and approved business need shall be given access to restricted areas containing information systems and data storage facilities. Records of access will be maintained.

5. User Access Controls and Monitoring
Access to information shall be restricted to authorised users who have a bona fide business need to access the information. An electronic audit trail shall be maintained, and reviewed as necessary, where the system is capable of providing one.

6. Computer Access Control
Access to computer facilities shall be restricted to authorised users who have a business need to use the facilities. Access to data, system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need, e.g. systems or database administrators.

7. Security of IT Systems
In order to minimise loss of or damage to assets, equipment shall be physically protected from threats and environmental hazards. The Trust will define certain locations as IT secure areas, and equipment will be installed and sited in accordance with the manufacturer's specification. All items of computer equipment must be recorded on the Trust register of IT assets. IT equipment should be kept out of view of the general public where possible; where this is not possible, computer screens should not normally be visible from public circulation areas. Wherever possible, screen savers should be applied. Areas housing computer equipment should keep doors and windows closed or locked when unattended.

8. IT System Management
Responsibilities will be appropriately assigned for the management of IT systems. These will include the management, monitoring and auditing of access to IT systems, and the timely management of new starters, leavers and those changing job role. In addition, the National Programme for IT (NPfIT) requires Trusts to have established appropriate confidentiality audit procedures.

15 9. Computer and Network Procedures Management of computer and networks shall be controlled through standard documented procedures that have been authorised by the IT Department. Network risk assessments will be developed and undertaken routinely by the IT Department. A register of both internal and external users and systems will be maintained by the IT department who will be responsible for determining and controlling access rights. The Trusts network is protected from intrusion by a series of controls implemented on Trust firewalls and these are checked on a regular basis and updated as appropriate or as required. 10. Protection from Malicious Software The Trust shall use software countermeasures and management procedures to protect itself against the threat of malicious software. The Trust will maintain an IT Virus Control Procedure. 11. User media Removable media of all types that contain software or data from external sources, or that have been used on external equipment, require the approval of the IT Security Officer before they may be used on the Trust s systems. Such media must also be fully virus checked before being used on the organisation s equipment. Users breaching this requirement may be subject to disciplinary action. Staff and contractors who are permitted to use portable media to transfer person identifiable data in the performance of their duties must apply industry standard AES256 data encryption procedures. Only the Trust approved encrypted memory/usb sticks may be used where use of these are deemed necessary. The use of port control will restrict access only to Trust permitted devices. 12. Access to the Internet and The Trust will ensure adequate provision of user training to support access to Internet and . 
The Trust will maintain appropriate policies covering all areas regarding access to the Internet and use of email.

13. System Procurement and Acceptance

Trust policies on security and confidentiality must be reflected in any procurement for new or enhanced systems. All purchases of hardware, software and other related IT services (e.g. IT support, maintenance or consultancy) must be made through the Trust's approved purchasing arrangements using the standard NHS Terms and Conditions. Managers must ensure that the Trust policy Policy for the Procurement or Implementation of New IT Systems, Databases, Software and Information Flows (IG0025) is followed and that acceptance criteria are agreed with the supplier and with Trust IG & IT services. Acceptance testing must be thorough, adequately documented and must demonstrate conformance to the data security and confidentiality specifications.

The IG0025 and the Business Case for each procurement must be presented to the IT Capital Sub-Group and approved before the procurement can proceed. Failure to do so may result in a delay in system installation.

14. Accreditation of Information Systems

The Trust shall ensure that all new information systems, applications and networks include a security plan, are risk assessed, and are approved by the IT Security Officer and Information Security Officer before they commence operation.

15. System Change Control

Changes to information systems, applications or networks shall be reviewed and approved by the IT Service Support Manager.

16. Intellectual Property Rights

The Trust shall ensure that all information products are properly licensed and approved by the IT Department. Users shall not install software on the Trust's property without permission from the IT Department.

17. Information Risk Assessment and Management

All key/critical computer systems will be subject to periodic risk assessments carried out by system managers/administrators. In the case of manual information processes, line managers will carry out the risk assessments. The Trust will develop a procedure for carrying out IM&T systems risk assessments. The procedure will include:

- Roles and responsibilities
- Timescales
- Planned and unplanned assessments
- Assessment of the assets of the system
- Evaluation of potential threats/risks
- Assessment of the likelihood of threats/risks occurring
- Identification of practical, cost-effective treatment plans
- Implementation programme for treatment plans
- Reporting

Once identified, information security risks shall be managed on a formal basis. They shall be recorded within a baseline risk register, and action plans shall be put in place to manage those risks effectively. The risk register and all associated actions shall be reviewed at regular intervals.
Any implemented information security arrangements shall also be a regularly reviewed feature of the Trust's risk management programme.

18. Business Continuity and Disaster Recovery Plans

The Trust shall ensure that business impact assessments, business continuity plans and disaster recovery plans are produced for all mission-critical information, applications, systems and networks.

Information Asset Owners (IAOs) are responsible for ensuring that business continuity plans are in place and for identifying the need for early review due to, for example, system or environment changes. Each plan for coping with disastrous failure must be approved by the appropriate level of authority in the Trust and be adequately resourced.

19. Data Quality and Validation

Information Asset Owners will ensure that there is up-to-date, complete and accurate data within the information systems that support operational and clinical decision-making. Where possible, validation of data entry and data analysis at the input stage will be incorporated and maintained.

20. Information Security Incident Management

All information security events and suspected weaknesses must be reported through the Trust Incident Reporting Policy & Procedures. The Information Security Officer/Information Governance Manager will maintain an Information Governance procedure for Reported Information Security Incidents. Information security events shall be appropriately reviewed to establish their cause and impact, with a view to avoiding similar events.

21. Disposal of IT Equipment and/or Confidential/Sensitive Data

IT equipment disposal must only be authorised by the IT Department. The IT Department must ensure that, where possible, data storage devices are securely purged of sensitive data before disposal, and must organise secure destruction arrangements where purging is not possible. A procedure for disposal will be documented and retained by the IT Department. Unusable computer media (e.g. floppy disks, magnetic tapes, CD-ROMs) must be destroyed. Where this is performed by an approved third-party organisation, a certificate of disposal must be obtained. All data must be disposed of securely and in accordance with the relevant legislation and Trust policies.
Contracts with third-party suppliers must include clauses relating to the safe and secure disposal of media containing data processed on behalf of the Trust. Disposal of equipment must be in accordance with the Trust Standing Orders and Standing Financial Instructions.

22. Standards of Business Conduct/Declaration of Interests

All Trust staff and members of the Board must comply with the Trust Guidance on Standards of Business Conduct for Trust Staff, available on the Trust intranet.


INFORMATION SECURITY PRINCIPLES OF THE UNIVERSITY OF JYVÄSKYLÄ INFORMATION SECURITY PRINCIPLES OF THE UNIVERSITY OF JYVÄSKYLÄ JYVÄSKYLÄN YLIOPISTO Introduction With the principles described in this document, the management of the University of Jyväskylä further specifies

More information

Responsible Officer Approved by

Responsible Officer Approved by Responsible Officer Approved by Chief Information Officer Council Approved and commenced August, 2014 Review by August, 2017 Relevant Legislation, Ordinance, Rule and/or Governance Level Principle ICT

More information

Access Control Policy

Access Control Policy Access Control Policy Version Control Version Date Draft 0.1 25/09/2017 1.0 01/11/2017 Related Polices Information Services Acceptable Use Policy Associate Accounts Policy IT Security for 3 rd Parties,

More information

Remote Working & Mobile Devices Security Standard

Remote Working & Mobile Devices Security Standard TRUST-WIDE NON-CLINICAL DOCUMENT Remote Working & Mobile Devices Security Standard Standard Number: Scope of this Document: Recommending Committee: Approving Committee: SS02 All Staff Joint Information

More information

Bring Your Own Device (BYOD) Policy

Bring Your Own Device (BYOD) Policy SH IG 58 Information Security Suite of Policies Bring Your Own Device (BYOD) Policy Version 1 Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: Next Review Date: This

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Introduction The purpose of this document is to provide a concise policy regarding the data protection obligations of Youth Work Ireland. Youth Work Ireland is a data controller

More information

ISC10D026. Report Control Information

ISC10D026. Report Control Information ISC10D026 Report Control Information Title: General Information Security Date: 28 January 2011 Version: v3.08 Reference: ICT/GISP/DRAFT/3.08 Authors: Steve Mosley Quality Assurance: ISSC Revision Date

More information

Data Protection Privacy Notice

Data Protection Privacy Notice PETA Limited Page 1 of 7 Data Protection Privacy Notice PETA Limited provides a range of services to both members of the public and to those employed within business. To enable us to provide a service,

More information

CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION

CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION Introduction The IFFO RS Certification Programme is a third party, independent and accredited

More information

Blue Alligator Company Privacy Notice (Last updated 21 May 2018)

Blue Alligator Company Privacy Notice (Last updated 21 May 2018) Blue Alligator Company Privacy Notice (Last updated 21 May 2018) Who are we? Blue Alligator Company Limited (hereafter referred to as BAC ) is a company incorporated in England with company registration

More information

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected.

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected. I Use of computers This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information security policy. To

More information

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information Privacy Statement Introduction Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information about how IT Support (UK) Ltd handle personal information.

More information

What is cloud computing? The enterprise is liable as data controller. Various forms of cloud computing. Data controller

What is cloud computing? The enterprise is liable as data controller. Various forms of cloud computing. Data controller A guide to CLOUD COMPUTING 2014 Cloud computing Businesses that make use of cloud computing are legally liable, and must ensure that personal data is processed in accordance with the relevant legislation

More information

Information Governance Incident Reporting Policy and Procedure

Information Governance Incident Reporting Policy and Procedure Information Governance Incident Reporting Policy and Procedure Policy Number Target Audience Approving Committee IG007 CCG/GMSS Staff CCG Chief Officer Date Approved February 2018 Last Review Date February

More information