Information Governance Incidents Cyber Security Incidents and Near Misses Reporting Procedure
Procedure Number: IG05
Version: 2.3
Approved by: Information Governance Working Group
Date approved: January 2018
Ratified by: Audit and Risk Committee
Date ratified: February 2018
Name of originator/author: Louise Chatwyn, Information Manager
Name of responsible individual: Clare Hodgson, Deputy Director of Corporate Affairs
Review date: May 2018
Target audience: All Staff
Version Control Sheet

Version / Date / Who / Change
- 1.0, G Lawrence
- /13, M Griffiths: Review for CCG ownership
- /13, M Griffiths: Changes made re feedback from Audit & Risk
- August /16, L Chatwyn: Review and update to current
- /16, L Chatwyn: Incorporation of Audit feedback
- /16, L Chatwyn: Incorporation of Consultation minor amendment
- /17, L Chatwyn: Minor revisions to reflect current legislation and practice and changes under the General Data Protection Regulations (GDPR)
Contents

1. Introduction
2. Purpose
3. Scope
4. Key Roles and Responsibilities
5. What is an incident?
6. Process
7. Grading of information incidents
8. Grading of Cyber Incidents
9. Reporting Timescales for Information Incidents
10. Monitoring and Review
11. Training
12. Distribution and Implementation
13. Associated Legislation and Documents
14. References
Appendices
Appendix 1 Reporting Form
Appendix 2 Process Flowchart
Appendix 3 Grading of incident
Appendix 4 Grading of Cyber incident
1. Introduction

Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. The Health and Social Care Information Centre (HSCIC) mandates that all Information Governance Serious Incidents Requiring Investigation (IG SIRIs) which occur in Health, Public Health and Adult Social Care services are reported appropriately and handled effectively.

This document details what constitutes an Information Governance Information Incident, Near Miss and Cyber Security Incident. It sets out Nene CCG's procedure for the effective management of such incidents to ensure compliance with all appropriate legislation and standards.

2. Purpose

From June 2013 all organisations processing health and adult social care personal data are required to use the IG Toolkit Incident Reporting Tool to report Level 2 IG SIRIs to the Department of Health (DH), the Information Commissioner's Office (ICO) and other regulators.

Note: The European Union General Data Protection Regulation (GDPR), which was adopted by the European Union in 2016, will automatically come into force in all EU Member States from 25 May. GDPR will replace the current Data Protection Act. The Government is introducing a UK Data Protection Bill which incorporates and supplements the GDPR to create a UK data protection regime pre and post Brexit. This policy will be fully updated in accordance with the new legislation in May.

Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to result in a risk for the rights and freedoms of individuals. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, without undue delay after first becoming aware of a data breach.[1]

This document is a statement of the approach and intentions for Nene CCG to fulfil its statutory and organisational responsibilities. It will enable management and staff to make correct decisions, work effectively and comply with relevant legislation and the organisation's aims and objectives.

[1] Source: Article 34.
3. Scope

This document applies to all staff, whether permanent, temporary or contracted. They are responsible for ensuring that they are aware of all relevant requirements and that they comply with them on a day to day basis. Furthermore, the principles of this document apply to all third parties and others authorised to undertake work on behalf of Nene CCG.

This document covers all aspects of information, in both paper and electronic format.

The CSU provides a managed security service to Nene CCG for Information Management & Technology (IM&T). This includes support to the Senior Information Risk Officer on security and asset and risk management. The CSU will manage security along current best practice guidelines as provided by DH and in accordance with applicable legislation.

Information security risks relating to Cyber Security will be referred to the CSU IM&T Team.

Where information security incidents of fraud are identified, they may be referred to the Local Counter Fraud Specialist.

4. Key Roles and Responsibilities

Accountable Officer: The Accountable Officer and the Board have ultimate accountability for actions and inactions in relation to this document.

Senior Information Risk Officer (SIRO): The CCG's SIRO has overall accountability for Information Governance; this includes the Data Protection and Confidentiality function. The role includes briefing the Board and providing assurance through the Audit and Risk Committee that the IG approach is effective in terms of resource, commitment and execution. The SIRO for Nene CCG is the Chief Finance Officer.

Caldicott Guardian: The Caldicott Guardian has responsibility for ensuring that there are adequate standards for protecting patient information and that all data transfers are undertaken in accordance with Safe Haven guidelines and the Caldicott principles. The Caldicott Guardian for Nene CCG is the GP Chair.

Data Protection Officer: The DPO has responsibility for Data Protection compliance. The DPO role for Nene CCG is fulfilled by NEL CSU.

Deputy Director of Corporate Affairs: Has overall day to day responsibility for Information Governance in the CCG. The role includes briefing the Board, including the SIRO and Caldicott Guardian, on information risks and information incidents.

Information Manager: Has day to day responsibility for implementing and monitoring procedures to ensure compliance with relevant information legislation. The Information Manager is responsible for co-ordinating analysis, investigation and upward reporting of events and recommendations for remedial action to prevent recurrence and ensure compliance and continuing improvement.

Managers: Managers and supervisors are responsible for ensuring that staff who report to them have suitable access to this document and its supporting policies and procedures and that they are implemented in their area of authority. Managers are also responsible for ensuring the initial training compliance of all staff reporting to them.

All staff: Have a responsibility to:
- Be aware of the Information Governance requirements
- Support the CCG to achieve Toolkit Compliance
- Complete annual IG training
- Report information incidents appropriately

5. What is an incident?

There is no simple definition of a serious information incident. What may at first appear to be of minor importance may, on further investigation, be found to be serious, and vice versa. As a guide, the scope of an Information Governance Serious Incident Requiring Investigation (IG SIRI)[4] could include the following. This type of incident will typically breach one of the principles of the Data Protection Regulations and/or the Common Law Duty of Confidentiality.

[4] As defined by HSCIC SIRI Reporting and Checklist Guidance V5.1, May 2015.
- Unlawful disclosure or misuse of confidential data, recording or sharing of inaccurate data, information security breaches and inappropriate invasion of people's privacy.
- Personal data breaches which could lead to identity fraud or have other significant impact on individuals.
- This applies irrespective of the media involved and includes both electronic media and paper records relating to staff and service users.

When lost data is protected, e.g. by appropriate encryption, so that no individual's data can be accessed, then there is no data breach (though there may be clinical safety implications that require the incident to be reported down a different route). When the data is protected but there is a risk of individuals being identified, then this remains an incident and should be reported. The sensitivity factors within the IG Incident Reporting Tool will reflect that the risk is low.

What is an IG Cyber SIRI?

There are many possible definitions of what a Cyber incident is; for the purposes of reporting, a Cyber incident is defined as:

"A Cyber-related incident is anything that could (or has) compromised information assets within Cyberspace. Cyberspace is an interactive domain made up of digital networks that is used to store, modify and communicate information. It includes the internet, but also the other information systems that support our businesses, infrastructure and services."[5]

It is expected that the type of incidents reported would be of a serious enough nature to require investigation by the organisation. These types of incidents could include:
- Denial of Service attacks
- Phishing emails
- Hacking
- Social Media Disclosures
- Web site defacement
- Malicious internal damage
- Spoof website
- Cyber Bullying

[5] Source: UK Cyber Security Strategy, 2011.

6. Process

Initial information is often sparse and it may be uncertain whether a SIRI has actually taken place. Suspected incidents and near misses should still be reported and can be recorded on the IG Toolkit Incident Reporting Tool, as lessons can often be learnt from them and they can be closed or withdrawn when the full facts are known.

Where it is suspected that an IG SIRI has taken place, it is good practice to informally notify key staff (the Information Team, SIRO, Caldicott Guardian) as an early warning to ensure that they are in a position to respond to enquiries from third parties and to avoid surprises.

For cyber incidents the Information Team will liaise with the person(s) responsible for Information Technology (IT) and Information Security (IS).

Where fraud is identified it will be referred to the Local Counter Fraud Specialist.

Under the GDPR, data processors will also be required to notify their customers, without undue delay, after first becoming aware of a data breach. Article 34 of the GDPR states:

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

The incident reporting form can be found at Appendix 1. The flow chart at Appendix 2 details the process to be followed.

7. Grading of information incidents

There are 2 factors which influence the severity of an IG SIRI: Scale and Sensitivity. Scale and Sensitivity tables can be found in Appendices 3 and 4.

Scale Factors

Whilst any IG SIRI is potentially a very serious matter, the number of individuals that might potentially suffer distress, harm or other detriment is clearly an important factor. The scale (noted below) provides the base categorisation level of an incident, which will be modified by a range of sensitivity factors.

Sensitivity Factors

Sensitivity in this context may cover a wide range of different considerations, and each incident may have a range of characteristics, some of which may raise the categorisation of an incident and some of which may lower it. The same incident may have characteristics that do both, potentially cancelling each other out. For the purpose of IG SIRIs, sensitivity factors may be:
i. Low: reduces the base categorisation
ii. High: increases the base categorisation

The IG SIRI category is determined by the context, scale and sensitivity. Every incident can be categorised as level:
0. Near miss/non-event
1. Level 0 or 1: confirmed IG SIRI but no need to report to ICO, DH and other central bodies/regulators.
2. Level 2: confirmed IG SIRI that must be reported to ICO, DH and other central bodies/regulators.

Where an IG SIRI is found not to have occurred, or its severity is reduced due to fortunate events which were not part of pre-planned controls, this should be recorded as a near miss to enable lessons learned activities to take place and appropriate recording of the event.

8. Grading of Cyber Incidents

The primary factors for assessing the severity level are the criticality and scale of the incident, for example the potential for impact on confidentiality, integrity or availability. If more information becomes available post incident investigation, the Cyber SIRI level should be re-assessed.

Please note: conversely, when targeted systems are protected, e.g. by an Intrusion Prevention System, so that no services are affected, the sensitivity factors will reflect that the risk is low.

All Cyber SIRIs entered onto the IG Toolkit Incident Reporting Tool and confirmed as severity level 2 will trigger an automated notification to the DH and HSCIC.

The IG Incident Reporting Tool works on the following basis when calculating the severity of an incident. There are 2 factors which influence the severity of a Cyber SIRI: Scale and Sensitivity.

Scale Factors

Whilst any Cyber SIRI is potentially a very serious matter, the scale is clearly an important factor. The scale provides the base categorisation level of an incident, which will be modified by a range of sensitivity factors.

Sensitivity Factors

Sensitivity in this context may cover a wide range of different considerations, and each incident may have a range of characteristics, some of which may raise the categorisation of an incident and some of which may lower it.
The same incident may have characteristics that do both, potentially cancelling each other out. For the purpose of Cyber SIRIs, sensitivity factors may be:
iii. Low: reduces the base categorisation
iv. High: increases the base categorisation

The Cyber SIRI category is determined by the context, scale and sensitivity. Every incident can be categorised as level:
1. Level 0 or 1: confirmed Cyber SIRI but no alerting to HSCIC & DH.
2. Level 2: confirmed Cyber SIRI, alerting to HSCIC & DH.

9. Reporting Timescales for Information Incidents

The expectation is for Level 2 serious information incidents to be reported as soon as possible (usually within 24 hours of a breach being notified/identified locally) and with as much information as can be ascertained at the time. It is understood that further information will become available once the organisation conducts an investigation, and the IG Incident Reporting Tool should be kept up to date with regards to any developments or further detail about the incident. A full record of the information incident should be complete within 5 working days from when the incident was initially reported.

The reporting of Cyber SIRI Incidents within the tool does not replace local and national service desk reporting. Reported Cyber Incidents will not trigger an operational response.

Local clinical and corporate incident management and reporting tools (including the Strategic Executive Information System, STEIS) can continue to be used for local purposes, but notifications of IG SIRIs for the attention of DH, NHS England and the ICO must be communicated using the IG Incident Reporting Tool.

10. Monitoring and Review

Performance against key performance indicators will be reviewed on an annual basis through the IG Toolkit submission and used to inform the development of future documents. Unless there is a major change in legislation or policy, this document will be reviewed annually.

11. Training

Appropriate Information Governance training will be provided to all staff annually. Training is available through ESR, which can be found here:
12. Distribution and Implementation

All policy and procedural documents in respect of Information Governance will be made available via the Nene CCG staff intranet. Staff will be made aware of procedural updates as they occur via team briefs, management communications and notification via the CCG staff intranet.

13. Associated Legislation and Documents

To include but not limited to:
- Information Governance Policy and Management Framework
- Nene & Corby Serious Incident Policy
- Confidentiality Data Protection Policy
- Information Security Policy
- Information Asset Management Procedure
- Information Disclosure and Sharing Policy and Procedure
- Data Protection Impact Assessment Procedure
- Anti-Fraud and Bribery Policy

The following references and areas of legislation should be adhered to:
- Confidentiality: NHS Code of Practice
- Data Protection Act 1998
- Caldicott Guardian principles
- Freedom of Information Act 2000
- Environmental Information Regulations 2004
- Access to Health Records Act 1990
- Records Management: NHS Code of Practice
- General Data Protection Regulation (GDPR)

14. References

- The IG Toolkit
- The EU General Data Protection Regulation
- Data Protection Act
- Freedom of Information Act
- Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation (link truncated: d%20checklist%20guidance.pdf)
- The NHS Constitution for England
- NHS Code of Confidentiality
- NHS Care Record Guarantee
- NHS Information Risk Management
- The Caldicott Review: Information Governance in the Health and Social Care System (link truncated: /192572/ _InfoGovernance_accv2.pdf)
- Access to Health Records Act

Appendices

Appendix 1 Reporting Form

A Word copy of the reporting form is available from the Information Team.
Information Security Incident Reporting Form

Email completed forms as soon as possible to [recipient address missing from this copy]. Provide as much information as you can, but do not delay sending in the form. Please note that data breaches must be reported to the supervisory authority within 72 hours.

GENERAL DETAILS
- Incident number: (to be added by Information Governance)
- Department/Section:
- Reporting officer:
- Investigated by:
- Contact number:
- Date form completed:
- Date of incident:
- Location of incident:

ABOUT THE INCIDENT
- Incident description. What has happened? How was the incident identified?
- What information does it relate to? e.g. a file containing details of 100 service users: name, address, direct debit details.
- What medium was the information held on? (paper, USB stick, laptop, etc.)
- If electronic, was the data encrypted?
- Dealing with the current incident. Please list initial actions: Who has been informed? What has been done?
- Are further actions planned? If so, what?
- Have the staff involved in the security incident completed Data Security Awareness Training? If so, what and when? (Please list)
- Preventing a recurrence: Has any action been taken to prevent recurrence? Are further actions planned? If so, what?

IMPACT ASSESSMENT QUESTIONS
1. Was any data lost or compromised in the incident? e.g. loss of an encrypted laptop will not actually have compromised any information, unless e.g. the user was logged in when they lost it.
2. Was personal data lost or compromised? This is data about living individuals such as service users or employees. This could be a breach of the General Data Protection Regulations.
3. If yes, was sensitive personal data compromised? This is data relating to health, ethnicity, sexual life, trade union membership, political or religious beliefs, potential or actual criminal offences, genetic or biometric data. This could be a serious breach of the General Data Protection Regulations.
4. Was adult social care, health or public health data involved?
5. What is the number of people whose data was affected by the incident?
6. Is the data breach unlikely to result in a risk to the individual/individuals, physically, materially or morally? Examples: physical harm, fraud, reputation, financial loss.
7. Did people affected by the incident give the information to the CCG in confidence (i.e. with an expectation that it would be kept confidential)? Yes/No
8. Is there a risk that the incident could lead to damage to individuals, e.g. via identity theft/fraud? e.g. loss of bank details, NI numbers etc.
9. Could the incident damage an individual's reputation, or cause hurt, distress or humiliation, e.g. loss of medical records, disciplinary records etc.?
10. Can the incident have a serious impact on the reputation of the CCG?
11. Has any similar incident happened before in the section?
12. Please confirm you have contacted HR for advice regarding this incident, if applicable.
13. If this incident involves the loss or theft of IT equipment, please confirm you have logged a call to the IT Help Desk.
FURTHER ACTION (to be completed by Information Governance)
- Completed by:
- Is further action required?
- Have data subjects been informed?
- Have key stakeholders been informed?
- Have control weaknesses been highlighted and recommendations made?
- Has sufficient and appropriate action been taken?
- Does the incident need reporting to Caldicott Guardian/SIRO?
- Does the incident need reporting to the ICO?
- Does the incident need reporting on the IG Toolkit?
- Does the incident need reporting to the CSU Information Security Manager?
- Has the Incident Log been updated?
- Further investigation undertaken by:
- Date incident closed:

You can also contact the following for advice: Information Team and Corporate Services, ext. 1436/1202.

Appendix 2 Process Flowchart

- Make initial assessment, complete report and refer to IG Team within 72 hours.
- IG SIRI level 0 or 1? Manage in accordance with local procedures and report to IG Working Group.
- Consider requirement to notify Data Subject.
- IG SIRI level 2? Report externally to ICO and DH via IG Reporting Tool, and report internally to IG Working Group.
- Review grading in light of findings.
- Investigation.
- Recommendations and actions. Liaise with Quality Team if incident overlaps with NHSE SIRI specification.
- Incident closure: note lessons learned and implement action plan.

Appendix 3 Grading of incident

Source: [link truncated]

Baseline Scale
0  Information about fewer than 11 individuals
1  Information about [range lost] individuals
1  Information about [range lost] individuals
2  Information about [range lost] individuals
2  Information about [range lost] individuals
2  Information about 501 to 1,000 individuals
3  Information about 1,001 to 5,000 individuals
3  Information about 5,001 to 10,000 individuals
3  Information about 10,001 to 100,000 individuals
3  Information about 100,001 or more individuals

Low: for each of the following factors REDUCE the baseline score by 1 (-1 for each)
(A) No sensitive personal data (as defined by the Data Protection Act 1998) at risk, nor data to which a duty of confidence is owed
(B) Information readily accessible or already in the public domain, or would be made available under access to information legislation, e.g. Freedom of Information Act 2000
(C) Information unlikely to identify individual(s)

High: the following factors INCREASE the baseline score by 1 (+1 for each)
(D) Detailed information at risk, e.g. clinical/care case notes, social care notes
(E) High risk confidential information
(F) One or more previous incidents of a similar type in the past 12 months
(G) Failure to implement, enforce or follow appropriate organisational or technical safeguards to protect information
(H) Likely to attract media interest and/or a complaint has been made directly to the ICO by a member of the public, another organisation or an individual
(I) Individuals affected are likely to suffer substantial damage or distress, including significant embarrassment or detriment
(J) Individuals affected are likely to have been placed at risk of or incurred physical harm or a clinical untoward incident

Appendix 4 Grading of Cyber incident

Cyber Baseline Scale
0  No impact: attack(s) blocked
0  False alarm
1  Individual, internal group(s), team or department affected
2  Multiple departments or entire organisation affected

Low: for each of the following factors REDUCE the baseline score by 1 (-1 for each)
(1) A tertiary system affected which is hosted on infrastructure outside health and social care networks

High: the following factors INCREASE the baseline score by 1 (+1 for each)
(2) Repeat incident (previous incident within last 3 months)
(3) Critical business system unavailable for over 4 hours
(4) Likely to attract media interest
(5) Confidential information release (non-personal)
(6) Require advice on additional controls to put in place to reduce reoccurrence
(7) Aware that other organisations have been affected
(8) Multiple attacks detected and blocked over a period of 1 month
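The following Python is a worked example added to this page, not code from the IG Toolkit or Nene CCG; it applies the baseline scale and the -1/+1 sensitivity factors of Appendices 3 and 4 and maps the result onto the levels named in sections 7 and 8. It assumes a split of 11-100 and 101-500 for the baseline bands whose bounds are missing from the table above, and assumes that a final score of 0 or less is Level 0, 1 is Level 1 and 2 or more is Level 2, since the page does not state the score-to-level mapping.

```python
"""Severity grading for IG SIRIs (Appendix 3) and Cyber SIRIs (Appendix 4).

Worked example added to this page; it is not code from the IG Toolkit or
Nene CCG. Final score = baseline scale - (low factors) + (high factors).
"""
from dataclasses import dataclass
from typing import Iterable

# Appendix 3 baseline scale, keyed by the upper bound of each band.
# ASSUMPTION: the page's copy of the table lost the bounds of the four bands
# between 11 and 500 individuals; 11-100 -> 1 and 101-500 -> 2 is assumed.
IG_BASELINE_BANDS = [
    (10, 0),        # fewer than 11 individuals
    (100, 1),       # 11-100 (assumed split)
    (500, 2),       # 101-500 (assumed split)
    (1_000, 2),     # 501-1,000
    (5_000, 3),     # 1,001-5,000
    (10_000, 3),    # 5,001-10,000
    (100_000, 3),   # 10,001-100,000
]
IG_TOP_SCORE = 3    # 100,001 or more individuals

IG_LOW_FACTORS = frozenset("ABC")          # -1 each
IG_HIGH_FACTORS = frozenset("DEFGHIJ")     # +1 each

# Appendix 4 baseline scale.
CYBER_BASELINE = {
    "blocked": 0,          # no impact, attack(s) blocked
    "false_alarm": 0,
    "internal_group": 1,   # individual, internal group, team or department
    "organisation": 2,     # multiple departments or entire organisation
}
CYBER_LOW_FACTORS = frozenset({1})                      # -1 each
CYBER_HIGH_FACTORS = frozenset({2, 3, 4, 5, 6, 7, 8})   # +1 each


@dataclass(frozen=True)
class Grading:
    baseline: int
    score: int
    level: int            # 0 near miss, 1 confirmed but local, 2 report externally
    report_externally: bool


def ig_baseline(individuals: int) -> int:
    """Baseline scale from the number of individuals whose data is affected."""
    if individuals < 0:
        raise ValueError("individuals must be non-negative")
    for upper, score in IG_BASELINE_BANDS:
        if individuals <= upper:
            return score
    return IG_TOP_SCORE


def severity_level(score: int) -> int:
    """Map a final score onto the levels named in sections 7 and 8.

    ASSUMPTION: the page does not state the mapping; here a score of 0 or
    below is Level 0 (near miss), 1 is Level 1 and 2 or more is Level 2.
    """
    return max(0, min(2, score))


def _grade(baseline: int, factors: Iterable, low: frozenset, high: frozenset) -> Grading:
    chosen = set(factors)
    unknown = chosen - low - high
    if unknown:
        raise ValueError(f"unknown sensitivity factor(s): {sorted(map(str, unknown))}")
    score = baseline - len(chosen & low) + len(chosen & high)
    level = severity_level(score)
    return Grading(baseline, score, level, report_externally=(level == 2))


def grade_ig_incident(individuals: int, factors: Iterable[str] = ()) -> Grading:
    """Appendix 3: scale by head-count, then apply factors A-J."""
    return _grade(ig_baseline(individuals), (f.upper() for f in factors),
                  IG_LOW_FACTORS, IG_HIGH_FACTORS)


def grade_cyber_incident(impact: str, factors: Iterable[int] = ()) -> Grading:
    """Appendix 4: scale by impact category, then apply factors 1-8."""
    if impact not in CYBER_BASELINE:
        raise ValueError(f"unknown impact category: {impact!r}")
    return _grade(CYBER_BASELINE[impact], factors, CYBER_LOW_FACTORS, CYBER_HIGH_FACTORS)


if __name__ == "__main__":
    # Constructed scenarios, not incidents taken from the page.
    # Unencrypted laptop with case notes on 1,200 patients; safeguards not followed.
    print(grade_ig_incident(1200, ["D", "G"]))             # baseline 3, score 5 -> Level 2
    # Eight names on a list already published under FOI, nothing sensitive.
    print(grade_ig_incident(8, ["A", "B"]))                # baseline 0, score -2 -> Level 0
    # One team's critical system down for 5 hours, second outage within 3 months.
    print(grade_cyber_incident("internal_group", [2, 3]))  # baseline 1, score 3 -> Level 2
    # Externally hosted tertiary system affected, one team.
    print(grade_cyber_incident("internal_group", [1]))     # baseline 1, score 0 -> Level 0
```

A Level 2 result is the trigger for external reporting via the IG Incident Reporting Tool; the local record should still be kept for lower levels so that near misses feed lessons-learned activity.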
More informationGDPR Compliance. Clauses
1 Clauses GDPR The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a privacy and data protection regulation in the European Union (EU). It became enforceable from May 25 2018. The
More informationData Protection Policy
Data Protection Policy Addressing the General Data Protection Regulation (GDPR) 2018 [EU] and the Data Protection Act (DPA) 2018 [UK] For information on this Policy or to request Subject Access please
More informationInformation Security Strategy
Security Strategy Document Owner : Chief Officer Version : 1.1 Date : May 2011 We will on request produce this Strategy, or particular parts of it, in other languages and formats, in order that everyone
More informationA practical guide to IT security
Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or
More informationPrivacy Impact Assessment
Automatic Number Plate Recognition (ANPR) Deployments Review Of ANPR infrastructure February 2018 Contents 1. Overview.. 3 2. Identifying the need for a (PIA).. 3 3. Screening Questions.. 4 4. Provisions
More informationUSER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.
These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. I. OBJECTIVE ebay s goal is to apply uniform, adequate and global data protection
More informationSAFE USE OF MOBILE PHONES AT WORK POLICY
SAFE USE OF MOBILE PHONES AT WORK POLICY Links to Lone Working Policy, Personal Safety Guidance, Lone Working Guidance, Information Governance Policy Document Type General Policy Unique Identifier GP31
More informationFOUNDRY COLLEGE. General Data Protection Regulation (GDPR) Policy Incorporating Freedom of Information
FOUNDRY COLLEGE General Data Protection Regulation (GDPR) Policy Incorporating Freedom of Information Document Control Information Version DATE DESCRIPTION 1 01/02/2012 Adopted for Foundry College 2 27/01/2013
More informationDATA PROTECTION POLICY THE HOLST GROUP
DATA PROTECTION POLICY THE HOLST GROUP INTRODUCTION The purpose of this document is to provide a concise policy regarding the data protection obligations of The Holst Group. The Holst Group is a data controller
More informationAdkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts
Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts POLICY STATEMENT Adkin is committed to protecting and respecting the privacy of all of our clients. This Policy
More informationDATA PROTECTION POLICY
1 Your Data Protection Responsibilities DATA PROTECTION POLICY 1.1 Everyone has rights with regard to how their personal data is handled. Personal data is any information that a person can be identified
More informationInformation backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013
Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board Issued: September 2013 Document reference: 495A2013 Status of report This document has been prepared for the internal
More informationInformation Governance Policy (incorporating IM&T Security)
(incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Introduction The purpose of this document is to provide a concise policy regarding the data protection obligations of Youth Work Ireland. Youth Work Ireland is a data controller
More informationEco Web Hosting Security and Data Processing Agreement
1 of 7 24-May-18, 11:50 AM Eco Web Hosting Security and Data Processing Agreement Updated 19th May 2018 1. Introduction 1.1 The customer agreeing to these terms ( The Customer ), and Eco Web Hosting, have
More informationINFORMATION GOVERNANCE HANDBOOK
INFORMATION GOVERNANCE HANDBOOK 1 Version 2.0 Information Reader Box Document Name Author Information Governance Handbook Information Governance Team CSU Publication Date 09/12/2015 Review Date 09/12/2016
More informationACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION
ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION Document Control Owner: Distribution List: Data Protection Officer Relevant individuals who access, use, store or
More informationNetwork Account Management Security Standard
TRUST-WIDE NON-CLINICAL DOCUMENT Network Account Management Security Number: Scope of this Document: Recommending Committee: Approving Committee: SS06 All Staff/ Services Users Joint Information Governance
More informationData Security Standards
Data Security Standards Overall guide The bigger picture of where the standards fit in 2018 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a
More informationData Protection Policy
The Worshipful Company of Framework Knitters Data Protection Policy Addressing the General Data Protection Regulation (GDPR) 2018 [EU] and the Data Protection Act 1998 (DPA) [UK] For information on this
More informationIslam21c.com Data Protection and Privacy Policy
Islam21c.com Data Protection and Privacy Policy Purpose of this policy The purpose of this policy is to communicate to staff, volunteers, donors, non-donors, supporters and clients of Islam21c the approach
More informationFrequently Asked Questions
Frequently Asked Questions After having undertaken a period of research within recreational cricket, this document is aimed at addressing the frequently asked questions from cricket Clubs, Leagues, Boards
More informationDirective on security of network and information systems (NIS): State of Play
Directive on security of network and information systems (NIS): State of Play Svetlana Schuster Unit H1 Cybersecurity and Digital Privacy DG Communications Networks, Content and Technology, European Commission
More informationIntroductory guide to data sharing. lewissilkin.com
Introductory guide to data sharing lewissilkin.com Executive Summary Most organisations carry out some form of data sharing, whether it be data sharing between organisations within the group or with external
More informationPrivacy Policy GENERAL
Privacy Policy GENERAL This document sets out what information Springhill Care Group Ltd collects from visitors, how it uses the information, how it protects the information and your rights. Springhill
More informationADMA Briefing Summary March
ADMA Briefing Summary March 2013 www.adma.com.au Privacy issues are being reviewed globally. In most cases, technological changes are driving the demand for reforms and Australia is no exception. From
More informationBusiness Continuity Policy
Business Continuity Policy Version Number: 3.6 Page 1 of 14 Business Continuity Policy First published: 07-01-2014 Amendment record Version Date Reviewer Comment 1.0 07/01/2014 Debbie Campbell 2.0 11/07/2014
More informationCybersecurity Considerations for GDPR
Cybersecurity Considerations for GDPR What is the GDPR? The General Data Protection Regulation (GDPR) is a brand new legislation containing updated requirements for how personal data of European Union
More informationPOLICY. Version: 1.1 Quality and Performance Committee Date ratified: 12 th July 2017
EMAIL POLICY Version: 1.1 Ratified by: Quality and Performance Committee Date ratified: 12 th July 2017 Name & Title of originator/author: John Robinson, Senior Information Governance Specialist (embed
More informationClyst Vale Community College Data Breach Policy
Clyst Vale Community College Data Breach Policy Contents 1. Aim Page 2 2. Definition Page 2-3 3. Scope Page 3 4. Responsibilities Page 3 5. Reporting a data breach Page 3-4 6. Data breach plan Page 4 7.
More informationGuidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17
GUIDELINES ON SECURITY MEASURES FOR OPERATIONAL AND SECURITY RISKS UNDER EBA/GL/2017/17 12/01/2018 Guidelines on the security measures for operational and security risks of payment services under Directive
More informationSWBCCG Pol 18. Information Governance handbook
SWBCCG Pol 18 Information Governance handbook 1 SWBCCG Pol 18 Information Reader Box Directorate Purpose Document Purpose Document Name Author Sandwell and West Birmingham CCG Guidance Procedures Information
More information"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.
Rushcliff Ltd Data Processing Agreement This Data Processing Agreement ( DPA ) forms part of the main terms of use of PPS, PPS Express, PPS Online booking, any other Rushcliff products or services and
More informationLCU Privacy Breach Response Plan
LCU Privacy Breach Response Plan Sept 2018 Prevention Communication & Notification Evaluation of Risks Breach Containment & Preliminary Assessment Introduction The Credit Union makes every effort to safeguard
More informationThe GDPR and NIS Directive: Risk-based security measures and incident notification requirements
The GDPR and NIS Directive: Risk-based security measures and incident notification requirements Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 4 May 2017 Introduction Adrian Ross GRC consultant
More informationPTLGateway Data Breach Policy
1 PTLGateway Data Breach Policy Last Updated Date: 02 March 2018 Data Breach Policy This page informs you of our policy which is to establish the goals and the vision for the breach response process. This
More informationBring Your Own Device (BYOD) Policy
SH IG 58 Information Security Suite of Policies Bring Your Own Device (BYOD) Policy Version 1 Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: Next Review Date: This
More informationNEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?
NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:
More informationInformation Security Data Classification Procedure
Information Security Data Classification Procedure A. Procedure 1. Audience 1.1 All University staff, vendors, students, volunteers, and members of advisory and governing bodies, in all campuses and locations
More informationGeneral Data Protection Regulation (GDPR) Key Facts & FAQ s
General Data Protection Regulation (GDPR) Key Facts & FAQ s GDPR comes into force on 25 May 2018 GDPR replaces the Data Protection Act 1998. The main principles are much the same as those in the current
More informationData Protection Policy
Introduction In order to; provide education, training, assessment and qualifications to its customers and clients, promote its services, maintain its own accounts and records and support and manage its
More informationINNOVENT LEASING LIMITED. Privacy Notice
INNOVENT LEASING LIMITED Privacy Notice Table of Contents Topic Page number KEY SUMMARY 2 ABOUT US AND THIS NOTICE 3 USEFUL WORDS AND PHRASES 4 WHAT INFORMATION DO WE COLLECT? 4 WHY DO WE PROCESS YOUR
More informationDEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy
DEPARTMENT OF JUSTICE AND EQUALITY Data Protection Policy May 2018 Contents Page 1. Introduction 3 2. Scope 3 3. Data Protection Principles 4 4. GDPR - Rights of data subjects 6 5. Responsibilities of
More informationData Breach Notification: what EU law means for your information security strategy
Data Breach Notification: what EU law means for your information security strategy Olivier Proust December 8, 2011 Hunton & Williams LLP Key points 1. Introduction 2. Overview of data breach requirements
More informationData Protection Privacy Notice
PETA Limited Page 1 of 7 Data Protection Privacy Notice PETA Limited provides a range of services to both members of the public and to those employed within business. To enable us to provide a service,
More informationRegulating Cyber: the UK s plans for the NIS Directive
Regulating Cyber: the UK s plans for the NIS Directive September 2017 If you are a digital service provider or operate an essential service then new security and breach notification obligations may soon
More informationRemote Working & Mobile Devices Security Standard
TRUST-WIDE NON-CLINICAL DOCUMENT Remote Working & Mobile Devices Security Standard Standard Number: Scope of this Document: Recommending Committee: Approving Committee: SS02 All Staff Joint Information
More informationData Breach Incident Management Policy
Data Breach Incident Management Policy Policy Number FCP2.68 Version Number 1 Status Draft Approval Date: First Version Approved By: First Version Responsible for Policy Responsible for Implementation
More informationRVC DATA PROTECTION POLICY
RVC DATA PROTECTION POLICY POLICY and PROCEDURES Responsibility of Data Protection Officer Review Date July 2019 Approved by CEC Author D.Hardyman-Rice CONTENTS PAGE 1) Policy Statement 3 2) Key definitions
More informationma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018
ma recycle.com Rely and Comply... GDPR Privacy Policy Policy Date: 24 May 2018 Max Recycle Hawthorne House Blackthorn Way Sedgeletch Industrial Estate Fencehouses Tyne & Wear DH4 6JN T: 0845 026 0026 F:
More informationPolicy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.
London School of Economics & Political Science IT Services Policy Remote Access Policy Jethro Perkins Information Security Manager Summary This document outlines the controls from ISO27002 that relate
More information1.7 The Policy sets out the manner by which the University will respond to Subject Access Requests.
1 Introduction 1.1 Article 15 of the General Data Protection Regulations (GDPR) provides individuals (Data Subjects) with the right to access personal information so that they are fully informed of the
More informationMobile Computing Policy
Mobile Computing Policy Issue sheet Document reference NHSBSAIS004 Document location Title NHS Business Services Authority Mobile computing policy Author Head of Security and Information Assurance Issued
More informationRequirements for a Managed System
GDPR Essentials Requirements for a Managed System QG Publication 6 th July 17 Document No. QG 0201/4.3 Requirements for a Managed GDPR System The General Data Protection Regulation GDPR will apply in the
More informationHow the GDPR will impact your software delivery processes
How the GDPR will impact your software delivery processes About Redgate 230 17 202,000 2m Redgaters and counting years old customers SQL Server Central and Simple Talk users 91% of the Fortune 100 use
More informationAPF!submission!!draft!Mandatory!data!breach!notification! in!the!ehealth!record!system!guide.!
enquiries@privacy.org.au http://www.privacy.org.au/ 28September2012 APFsubmission draftmandatorydatabreachnotification intheehealthrecordsystemguide. The Australian Privacy Foundation (APF) is the country's
More informationTechnical Requirements of the GDPR
Technical Requirements of the GDPR Purpose The purpose of this white paper is to list in detail all the technological requirements mandated by the new General Data Protection Regulation (GDPR) laws with
More informationSupporting the NHS to Improve Cyber Security. Presented by Chris Flynn Security Operations Lead NHS Digital s Data Security Centre
Supporting the NHS to Improve Cyber Security Presented by Chris Flynn Security Operations Lead NHS Digital s Data Security Centre https://www.youtube.com/watch?v=3bqt7zkkq JA 2 Start with why And why it
More informationData Processing Agreement DPA
Data Processing Agreement DPA between Clinic Org. no. «Controller». and Calpro AS Org. nr. 966 291 281. «Processor» If the parties have executed a Data Management Agreement, the Date Management Agreement
More informationPolicy General Policy GP20
Email Policy General Policy GP20 Applies to All employees Committee for Approval Quality and Governance Committee Date of Approval September 2012 Review Date June 2014 Name of Lead Manager Head of Technology
More informationWye Valley NHS Trust. Data protection audit report. Executive summary June 2017
Wye Valley NHS Trust Data protection audit report Executive summary June 2017 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act
More informationHSCIC Audit of Data Sharing Activities:
Directorate / Programme Data Dissemination Services Project / Work Data Sharing Audits Status Final Acting Director Chris Roebuck Version 1.0 Owner Rob Shaw Version issue date 19-Jan-2015 HSCIC Audit of
More informationINFORMATION SECURITY POLICY
Open Open INFORMATION SECURITY POLICY OF THE UNIVERSITY OF BIRMINGHAM DOCUMENT CONTROL Date Description Authors 18/09/17 Approved by UEB D.Deighton 29/06/17 Approved by ISMG with minor changes D.Deighton
More informationBOARD OF DIRECTORS (OPEN) Meeting Date: 14 th November 2018
BORD OF DIRECTORS (OPEN) Meeting Date: 14 th November 2018 Open BoD 14.11.18 Item 14 TITLE OF PPER TO BE PRESENTED BY CTION REQUIRED Senior Information Risk Owner (SIRO) nnual Report Phillip Easthope,
More informationDATA PROTECTION IN RESEARCH
DATA PROTECTION IN RESEARCH Document control Applicable to: All employees and research students Date first approved February 2006 Date first amended May 2015 Date last amended May 2015 Approved by Approval
More informationData Protection and GDPR
Data Protection and GDPR At DPDgroup UK Ltd (DPD & DPD Local) we take data protection seriously and have updated all our relevant policies and documents to ensure we meet the requirements of GDPR. We have
More information