IGPOL53
Information Security Policy


Version: V12
Ratified By: Finance & Risk Committee
Date ratified: 01/03/2021
Job Title of Author: Information Governance and IT Projects Manager
Reviewed by Sub Group or Expert Group: Technology Programme Board
Equality Impact Assessed by: Information Governance and IT Projects Manager
Related Procedural Documents:
  IGPOL62 – Information Governance Policy
  IGPOL88 – Internet, Email, Instant Messaging and Social Media Policy
  IGPOL65 – Transferring Personal Information Policy
  IGPOL67 – Mobile Computing Devices Policy
Review Date: 01/03/2024

It is the responsibility of users to ensure that they are using the most up-to-date document by accessing the copy available on MyCompliance.

In developing/reviewing this policy Provide has had regard to the principles of the NHS Constitution.



Version Control Sheet

Version | Date | Author | Status | Comment

MEIM&T 01 Information Security Policy | As of July 2010 IGPOL53 replaces MEIM&T 01

V5 IGPOL53 | March ‘11 | Information Governance Co-ordinator | Reviewed | Reviewed in line with transition to CECS CIC

V6 | March 2013 | Information Governance Manager | Reviewed

V6.1 | August 2013 | Information Governance Manager | Updated in line with Organisation and Policy Changes. Approved Sept 13 | Inclusion of statement within Information Security Compliance Statement re Personal Mobile Devices Policy, Email and Internet Policies. Update details of SIRO Role.

V7 | Feb 2015 | Information Governance Manager

V7.1 | May 2016 | Information Governance Manager | Annual Review in compliance with Cyber Essentials Accreditation. | Inclusion of statement re Intellectual Property Rights. Minor amendments. Reviewed and Approved by Technology Programme Board June 2016

V8 | February 2017 | Information Governance and IT Projects Manager | Yearly Review | Minor changes. Change to a formal 1 year review from V8.

V8.1 | November 2017 | IG and IT Projects Coordinator

V9 | June 2018 | IG and Projects Manager

V10 | February 2019 | IG and IT Projects Manager

V11 | December 2019 | IG and Projects Manager

V12 | January 2021 | IG and Projects Manager | Appendix 3 Added. Security Policy Compliance Statement added for 3rd parties.

Status and comment entries for the remaining versions, in the order recorded:

• 2 Year Review. Review in line with ICO Risk Review Recommendations
• IT Annual Review Mid Term Review. No change to current final review date of February 2020
• Section 8 – Inclusion of prohibition of transporting printed patient visit lists.
• IT Yearly Review
• IT Yearly Review in line with requirements of ISO27001
• Section 10 – removal of the requirement for mobile equipment to be security marked as per action from 2018/19 ISO27001 Internal Audit Action Plan. Changes to Backups documented, responsibilities around password management and DPO details.



Contents

1. Introduction ... 8
2. Aim of Information Security ... 8
3. Purpose ... 8
4. Scope ... 8
5. Policy Compliance ... 9
6. Responsibilities ... 9
7. Personnel Security ... 10
8. Security of Information on Paper ... 11
9. Security of Electronic Information Systems and Electronic Records ... 12
10. Physical Security Measures ... 15
11. Administration of Computer Systems ... 16
12. Information Security Risk Management ... 18
13. Monitoring and Review ... 19
Appendix 1: Information Security Roles and Responsibilities ... 20
Appendix 2: Information Security Policy Compliance Statement ... 22
Appendix 3: Information Security Policy Compliance Statement ... 23
EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’ ... 24
EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2 ... 26



1. Introduction

Provide is dependent on reliable, secure information systems to support the delivery of healthcare. All healthcare organisations have a responsibility for the safe operation and management of their information systems to ensure they are appropriately protected from security breaches. Whilst security is an integral part of risk management and is continually assessed, it is vital that staff are fully aware of all aspects of information security and are supported by appropriate guidelines and policies. Applying this policy to working practice will greatly reduce the risk of loss, damage or misuse of information. The underlying principles of this policy have been written in accordance with national guidance, local policy and UK law surrounding Information Security.

2. Aim of Information Security

The fundamental aim of Information Security is to protect:

• Confidentiality of information – protecting information from unauthorised disclosure or interception;
• Integrity of information – safeguarding the accuracy and completeness of information; and
• Availability of information – ensuring that information is available to authorised users.

3. Purpose

The purpose of this policy is to provide a framework of control to ensure that the Confidentiality, Integrity and Availability of information and IT systems used within Provide is maintained by:

• Striving to ensure that all Provide personnel are aware of, and are fully compliant with, the relevant legislation as described in this and other policies;
• Introducing a consistent approach to information security, and ensuring that all members of staff fully understand their own responsibilities in relation to this; and
• Identifying and introducing controls to protect assets under the control of the organisation.

This policy forms part of the organisation’s ISO27001 Information Security Management System (ISMS).

4. Scope

This policy applies to all information, information systems, networks, applications, locations and users within Provide, and will overarch specific policy and procedure related to these assets. Whilst directed at Provide staff, it is also relevant to anyone working in and around the organisation, including contractors, agency staff, students and volunteers.

5. Policy Compliance

Contravention of this policy and associated procedures by staff will be considered a serious matter and will be dealt with through Provide’s formal disciplinary process. Breaches of information security by third parties/contractors will be dealt with under the terms of their contract with the organisation and/or criminal prosecution if applicable.

6. Responsibilities

Chief Executive
The Chief Executive of the Organisation has ultimate accountability for the security of information in the organisation.

Senior Information Risk Owner (SIRO)
Through designation from the Chief Executive, the Senior Information Risk Owner (SIRO), responsible for enforcement of the Policy, is the Executive Director of Finance.

Head of Technology and Data
The Head of Technology and Data is responsible for the ‘day to day’ IT Security element of information security systems, i.e.:

• Ensuring that efficient and effective IT services are available at all times, and that Technology staff are provided with the appropriate skills, knowledge and tools to maintain the efficiency of the service;
• Developing protocols for disaster recovery / contingency plans, and for implementing programmes of security improvements; and
• Ensuring that, where required, training is provided to users of information systems either through in-house courses or via third party agreements.

The Head of Technology and Data is also responsible (either directly or via any outsourced Provider) for:

• Providing effective and efficient IT and information services, and for ensuring necessary controls are in place for the protection of IT systems;
• Granting appropriate access to approved users as authorised by the appropriate organisation line managers;
• Maintaining a register of all computers, other hardware and network assets;
• Regular audits of computers to ensure that antivirus software is installed and is up to date, to ensure that unauthorised software is not installed and, in the case of mobile computers, that they are encrypted to the required level;
• Regular back-up procedures and maintaining efficient storage of information; and
• Responding to potential security risks, e.g. virus threats, and notifying and advising staff as appropriate.

Technology Operations Manager
The Technology Operations Manager is responsible for:

• Following appropriate procedures for the specification of equipment and subsequent installation of any IT equipment; and
• Maintaining a log of internet access and producing reports on this for the organisation.

Information Governance and IT Projects Manager
The organisation’s Information Governance and IT Projects Manager will have a sound knowledge of Information Security and Data Protection Legislation requirements and will also be responsible for communicating security requirements to the organisation, and for providing advice in respect of the protection of patient, personal and confidential information.

Provide Managers
Provide Managers are individually responsible for the security of their own physical environments. They are responsible for ensuring that all of their staff (including temporary workers, third parties and contractors) understand the principles set out within this policy. Managers will ensure that their staff attend appropriate training courses on the use of information systems. Provide managers must also be aware of the procedures for reporting breaches of information security, and must act appropriately and quickly on any suspected or actual security breaches.

All Staff
All staff (including third parties and contractors) must be aware of their responsibilities when using information, and must ensure that the confidentiality, integrity and availability of the information they use is maintained to the highest standard.

7. Personnel Security

Employed Staff
Security requirements are addressed at the recruitment stage, and are included in job descriptions and in contracts of employment. Terms and conditions of employment include the employees’ responsibility for information security. Staff are expected to formally agree to this policy through the use of MetaEngage. Those staff who do not have regular access to a computer must complete the compliance statement in Appendix 1.

Permanent and Temporary Contract Staff
Permanent and temporary contract staff are expected to formally agree to adhere to this policy and their responsibilities for information security by signing the Compliance Agreement (see Appendix 1). They must be given instructions on how to access advice on security matters through an appropriate line manager. Contracts with external contractors who access the organisation’s information systems will be formally agreed before access is allowed. Any agreement to exchange data with third parties / external contractors will contain a reference to the obligation to adhere to this policy. Where third party maintenance agreements are in force, the third parties are expected to comply with this policy and Provide’s Confidentiality Code of Conduct Policy, as well as any other local policies in place. Maintenance and repairs will only be made on approval by designated Technology staff. All contracts with third parties where data is to be hosted off site must include agreement to the terms of the Information Security Policy.

Information Security Awareness
The Head of Technology and Data will assist the Information Governance Manager in raising awareness of Information Security throughout Provide. The Learning and Development team, supported by the Information Governance and IT Projects Manager, will establish an on-going training programme to ensure that staff awareness is refreshed and updated as necessary. All new starters will attend Corporate Induction, which will include advice on the security and confidentiality of information. Temporary staff and contractors must also be made aware of security guidelines. All staff must complete Information Governance training appropriate to their role, as referenced in the Information Governance Policy and Strategy (IGPOL62); this training contains Information Security guidelines. All staff are required to complete the refresher module annually. The Technology team will provide additional training on computer systems where any specific needs or gaps are identified.

8. Security of Information on Paper

Most paper records will contain sensitive or confidential information. It is therefore essential that security and confidentiality be safeguarded at all times.

Storage of Paper Records
Staff located at the Provide Headquarters are expected to comply with the clear desk policy in place. Where practicable, other departments should adopt a clear desk policy for paper and any removable storage media. As a minimum, sensitive or business critical information must be locked away in an appropriate secure area when it is not in use, and should not be left on public view. Paper records should only be maintained in exceptional circumstances. They must be appropriately filed, in accordance with the Provide Records Management Policy.

Transportation of Paper Records
Staff are responsible for ensuring that paper records are kept confidential when in their possession or during transit. Staff must follow the procedures laid out in the organisation’s Transferring of Personal Information Policy (IGPOL65). The transportation of printed patient visit lists for use during a visit schedule is prohibited. The only exceptions to this are documents and/or plans of care that require inclusion in patient held notes, signatory responsibilities or other information required to aid the delivery of care. If such documents are to be transferred, staff must be fully aware of Provide Policy IGPOL65 – Transferring Confidential Information Policy and Procedures.

Disposal of Paper Records
All employees should be aware of how easy it is to breach confidentiality by incorrect disposal of records containing sensitive and confidential information. Staff must dispose of confidential waste by shredding it or putting it into confidential waste bins. This includes patient, staff and business sensitive information. All confidential information, regardless of the way in which it is held or stored, will be governed by procedures for the retention of records. Staff should refer to the Provide Records Retention Policy for further guidance.

9. Security of Electronic Information Systems and Electronic Records

Staff are advised that the intentional or unintentional act of disclosing user names and passwords to allow unauthorised access and processing of data may constitute a breach of the Computer Misuse Act (1990). The disclosure of user names and passwords will also be considered a breach of this policy, which may lead to disciplinary action. Computer system users must:

• Keep their passwords secret and never disclose them to colleagues;
• Not allow colleagues or third parties to access patient or staff record systems under their login details;
• Not attempt to circumvent computer security controls in order to gain unauthorised access to computer systems. This includes, but is not limited to, using someone else’s user name and password and modifying user access rights without appropriate authorisation;
• Ensure that Smartcards are locked away or kept on their person when not in use;
• Not share Smartcards or Smartcard PIN numbers;
• Not leave computers unattended without logging out of, or locking, the system to a level that requires a password to regain access (press Ctrl, Alt and Delete then click ‘Lock computer’, or press the Windows key and ‘L’ together);
• Ensure that computerised data is stored in appropriate network files and folders on the organisation’s computer network so that it can be securely backed up;
• Ensure that sensitive and confidential data of any kind is not saved on the computer’s internal hard drive (C drive). Such data is not backed up and will be lost in the event of a failure of the individual computer’s hard disk drive;
• Not relocate computing equipment, as this should always be carried out by appropriate Technology staff; and
• Not use USB sticks that have not been issued by Provide.

User Access Controls
In accordance with Data Protection Legislation and the Computer Misuse Act (1990), access to the organisation’s computer network and associated patient and staff data is controlled and restricted to authorised users only. Formal procedures are to be followed by Provide staff and any outsourced IT service providers to ensure that access to systems is secure. Access to network utilities (including remote access, Internet and email) will only be granted to users with strict approval from line managers, and in line with the current access control procedures. The Provide Technology Service Desk must be informed of any new starters, leavers and movers, in order to ensure only authorised users have access. All computer systems and clinical information systems will, wherever possible, be secured by two-factor authentication via the use of a smartcard and associated PIN number. Other systems will be secured by unique user logins and passwords. Procedures will be followed for the distribution, disclosure, resetting and maintenance of passwords by the Technology Department. Password changes are enforced on systems to force users to change passwords at regular intervals. Users can also change their passwords themselves and are expected to do so if there is concern that login details may have become compromised. Staff using Provide systems must be properly trained and made aware of their responsibilities before being given access to a live system. For further details see ITPOL11 – Access Control Policy.

Laptops and Portable Devices
Staff should avoid storing confidential information on laptops and portable devices (including smart phones) due to the risk of theft or hardware failure. All laptops, tablets, mobile phones or any mobile computing device which holds person-identifiable data must be encrypted to Department of Health recommended standards. Laptops and tablet devices must have ‘full hard disk’ encryption software installed. This method of encryption encrypts the entire local hard disk drive, turning all the data on it into what appears to be meaningless code. In the event that the laptop is lost or stolen, no data on it can be recovered without the individual staff member’s ‘key’ or password. All new laptops are issued with the encryption software installed on them as standard, and regular audits will be undertaken to ensure that encryption is deployed and operational. Any contractors working with Provide must ensure that, where authorised to do so, any Provide data held on their own laptops or mobile computing equipment is encrypted to 256-bit AES level or an equivalent standard. Failure to comply with this section, and use by staff of unapproved and unencrypted laptops and portable devices, will be seen as a serious breach of this policy and may lead to disciplinary action or sanctions.

Mobile Devices and Removable Media
Provide complies with Department of Health policy, and specifically that ALL removable media must be encrypted to the AES 256-bit encryption standard or equivalent. To comply with this the organisation has implemented the following. Staff must:

• Only save/write data to encrypted USB sticks that have been issued by Provide. Staff must not use personal memory sticks.
• Not connect any other removable storage devices to the IT network without prior agreement and approval from the Provide Technology Team.

Where transferring information to removable media such as CD-ROM, DVD or USB memory stick, staff must ensure that:

• The media selected is suitable to carry the data, so no data can be lost due to media malfunction. If in doubt, staff should contact the Technology Service Desk for advice;
• Data which has not been previously saved to a networked drive is backed up to the network as soon as possible;
• Once data is no longer required on the device it is deleted (once having been copied to a network location if necessary); and
• Removable media containing sensitive or confidential data is disposed of securely when no longer required.

Staff must not use removable media devices as a way of backing up business critical data, including patient information. Requirements should be discussed with the Technology team in the first instance.

Emailing Patient Identifiable and Sensitive Information
Emails containing patient identifiable information must be encrypted to 256-bit AES or equivalent standards. For further information see IGPOL65 – Transferring Personal Information Policy and Procedures.

Instant Message Systems
Provide’s approved standard and supported Instant Messaging software for communicating confidential information is Skype for Business and SystmOne Instant Messaging. Users are prohibited from using any other Instant Messaging software not approved by the organisation to communicate confidential (patient, staff or business) information. Users must not circumvent, cause to circumvent, or use tools to circumvent established security and controls applied to Instant Messaging software. The organisation reserves the right to monitor staff’s use of approved instant messaging systems (including SystmOne Instant Messaging, MS Teams and Airmid) to ensure compliance with this policy.

10. Physical Security Measures

In order to minimise loss of, or damage to, Provide assets, equipment must, wherever possible and practical, be physically protected from security threats and environmental hazards. All IT equipment will be asset tagged.

Equipment Location and Protection
Computing equipment and information processing/storage facilities must be positioned to reduce risk from environmental threats and from unauthorised access. Where equipment must be positioned in public areas, it must be positioned to reduce the potential of unauthorised staff and patients seeing the display screen. This means that the screen must be positioned to avoid unauthorised viewing, or a screen privacy filter used where this is not possible. IT equipment must be physically secured in reception areas and vulnerable or open areas wherever possible. Laptops and tablets must not be left on docking stations or desks in plain sight where they can be easily removed/stolen, unless they have been secured by use of an approved security lock.

Physical Entry Controls
In order to minimise the potential loss or theft of information, secure or sensitive areas must be protected by appropriate entry controls. All staff are required to wear identification at all times. Only authorised personnel are to be given access to restricted areas; these include wiring closets, data centres and server rooms. Visitors to secure areas must be escorted by authorised Provide personnel and must be supervised.

Security of Offsite Information and Equipment
All staff are advised that they are personally responsible for the security and confidentiality of information entrusted to their care. Sensitive information held offsite includes any patient, staff or corporate information held outside the organisation, office or department in which it is normally based, and refers to information in manual or electronic format. Information is considered held offsite in the following circumstances (this list is not exhaustive):

• Working at home;
• Information held in briefcases etc.;
• Information or documents needed for a meeting and being transported between different sites;
• Information held on a Provide owned PC/laptop/tablet etc.; and
• Information held on other types of electronic equipment (e.g. smart phone, USB memory sticks, CD-ROM etc.).

Please refer to the Mobile Computing Devices Policy (IGPOL67) for further information.

11. Administration of Computer Systems

The management of access to computers, networks and associated systems will be controlled by standards that are followed by the Head of IT and Data and any authorised outsourced IT service providers, in line with their Service Level Agreement. Changes to information systems, applications or networks must be reviewed and approved by the Head of IT and Data or designated staff. Systems will only be purchased, installed, repaired and operated by authorised, competent or qualified IT personnel. The Provide Technology Department will make every effort to ensure computer equipment is installed within safe and secure environments as provided by the organisation and as required under the Health & Safety at Work Act (1974).

Intellectual Property Rights
The organisation shall ensure that all information products are properly licensed and approved by authorised Technology staff. Users shall not install software on the organisation’s property without permission from the Technology Department. It is a disciplinary offence for staff to install unauthorised or unlicensed software.

Installing, Removing and Procurement of Software
Any requests for installation and removal of software must be directed to the Technology Service Desk in the first instance. Once installed, software must not be altered, copied or modified. All requests for procurement of software must be submitted to the Provide Technology Service Desk. This includes the procurement of physical software media, software licences and electronic software downloads. Departments must not procure any software independently. This is to ensure compatibility with other organisation systems, compliance with relevant licensing laws (such as the Copyright, Designs and Patents Act 1988) and so that the organisation receives value for money (VFM) with all software purchases.

Malicious Software
Computer systems are continually at risk from virus infection. A computer virus infection can cause serious disruption to services and loss of data, and can be difficult to remove. Viruses can be received via a number of sources, including email attachments, macros within documents, documents downloaded from the Internet, and external media such as USB memory sticks or CD/DVDs. The following preventative controls will be taken by the organisation’s Technology Department:

• Ensure the latest anti-virus software is installed on all computers and is regularly updated; and
• Carry out regular audits of computer systems and software.

All staff must be vigilant and inform the Technology Service Desk immediately of any suspicion that a computer has been ‘infected’ by a virus.

Information Data Backups and Retrieval
It is the responsibility of the Technology Department to ensure that regular backups are taken of server-based file systems, and that these backups are monitored, logged and tested for reliability at regular intervals. All backups taken will be replicated into a secure storage account within Provide CIC’s cloud infrastructure hosted in Microsoft’s Azure platform. The storage account will be hosted within the UK. Staff must adhere to the appropriate locally agreed procedures when carrying out backups. The Provide Technology Service Desk should be contacted where clarification is required. Requests to retrieve information from archived backup media should be made through the Provide Technology Service Desk.

Cabling Security
All business critical and major power, telecommunications and network cabling carrying data or supporting information services must be protected from interception or damage from theft, fire, water, electrical surges and power cuts. Underground telecommunications lines are to be used where possible. Where it is necessary for cables to terminate at a junction box or cabinet located in a public area, the junction box or cabinet must be treated as a sensitive area and must be kept locked at all times.

Power Supplies
Critical computer and telecommunications equipment is protected by uninterruptible power supplies (UPS). Disaster Recovery and Business Continuity plans have been developed to cover the action to be taken on failure of the UPS. UPS equipment is to be regularly tested to ensure serviceability and capacity. Multiple redundant power supplies will be installed into critical computer equipment (e.g. servers) to avoid a single point of failure.

Secure Disposal or Re-use of Hardware
Hardware and computer equipment that is no longer required must be properly disposed of in accordance with local procedures and national guidance for the destruction of electronic equipment. The disposal and removal of computer hardware, and of data on removable media, can only be authorised by the Provide Technology Department. The organisation has a contract in place for the secure destruction of computer hardware and removable media. Other companies or contractors must not be used without prior authorisation from the Head of Technology and Data and without a written Data Processing Contract in place. IT personnel must ensure that transportable media is purged of sensitive data before disposal or re-use, or ensure that it is otherwise securely destroyed.

12. Information Security Risk Management Risk management involves identifying, selecting and adopting appropriate and costjustified security and contingency ‘countermeasures’, to reduce risks to an acceptable level. Risks may include loss, theft, damage or destruction of information and information systems, and may be deliberate acts of sabotage, or purely accidental. To ensure that effective security countermeasures are introduced to prevent and reduce risk, the following mechanisms have been put in place.

Monitoring and Audit Regular internal audit will be carried out on all information systems and assets, to ensure compliance with national legislation and requirements and the terms of this policy. External audit will be carried out as required. An audit trail of system access and use will be maintained and reviewed on a regular basis where possible with existing systems. Any new system introduced must be capable of audit.

Assets Inventory An up to date register of current information, software and hardware assets is maintained, to ensure that effective protection is applied to all Provide assets, and to guarantee there is effective asset management. Staff must comply with any audits that are undertaken from time to time and ensure that the equipment issued to them is made available to Technology Engineers during such time.

Business Continuity Planning and Disaster Recovery

Page 18 of 25


The Head of Technology and Data will ensure that disaster recovery plans are developed for all critical applications, systems and networks. Service leads must ensure that Business Continuity plans are in place for their business-critical processes. Further information can be found in the organisation’s Business Continuity and Service Recovery Policy (IGPOL13)

Reporting Incidents All staff are required to be aware of the potential threats to the security of information and information systems, and report any suspected/actual incidences of breaches in security to their line manager. Security incidents will be reported and managed in line with Provide Incident Reporting Policy and procedures.

13. Monitoring and Review

All staff are responsible for monitoring their compliance with the principles and procedures detailed within this procedure: line managers and supervisors should also monitor compliance on a regular basis. This policy will be reviewed every year by the Information Governance Manager. Earlier review may be required in response to exceptional circumstances, organisational change or relevant changes in legislation.



Appendix 1: Information Security Roles and Responsibilities

The purpose of this document is to describe the information security roles in the organisation and name the people who fulfil these roles.

Role: Senior Information Risk Owner (SIRO)
Responsibility: Has overall responsibility for the management of Information Security
Name: Philip Richards, Executive Finance and Corporate Governance Director
Contact details: 01206587305, Philip.Richards1@nhs.net

Role: Information Governance Manager
Responsibility: Is responsible for ensuring the organisation complies with the Data Protection Act Legislation and in particular with regards to Information Security. Responsible for communicating security requirements to the organisation, providing advice in respect of the protection of patient, personal and confidential information
Name: Stephen Woodford, Information Governance Manager
Contact details: 07796262418, Stephen.Woodford@nhs.net

Role: Head of Technology and Data
Responsibility: Responsible for the ‘day to day’ IT Security element of information security systems
Name: Chris Wright
Contact details: 07887874699, christopherwright1@nhs.net

Role: Caldicott Guardian
Responsibility: Is responsible for guarding the confidentiality of patient information.
Name: Dr Paul Spowage, Medical Director
Contact details: Paul.spowage@nhs.net

Role: Data Protection Officer
Responsibility: Oversight of data protection strategy and acting in an advisory capacity to ensure compliance with Data Protection requirements.
Name: John Adegoke
Contact details: John.Adegoke@nhs.net



Appendix 2: Information Security Policy Compliance Statement

Provide Staff, Agency Staff, Work Experience Students and Volunteers

I, …………………………………………………… (Please print name)

Based at ………………..……………

- Confirm that I have read and understand the Information Security Policy;
- Have read and understood the associated Email Policy and Procedures, Internet Policy, Mobile Computing Devices Policy and Transferring of Personal Information Policy;
- Understand that the use of Provide IT Systems is audited for the purposes of detecting inappropriate and/or unauthorised access to systems;
- Understand that mobile devices, e.g. memory sticks, laptops, tablets etc., are at high risk of loss or theft and that I must take all precautions to ensure their security;
- Will only use encrypted Provide approved memory sticks for Provide business and not use personally owned ones;
- Will ensure that appropriate approval has been given for the holding of any confidential, sensitive or person-identifiable data on any mobile computing device and that the device/data is encrypted to the latest Department of Health’s recommendations;
- Understand that any user name, password or PIN numbers issued to access Provide systems are for my use only and I will not disclose these details to others either deliberately or through careless behaviour;
- Will use any mobile computing devices in line with legislation, e.g. Data Protection Act 1998 and the Seven Caldicott Principles, ensuring that no information is kept for longer than is necessary;
- Agree to return any equipment to the organisation when it is no longer needed, or when I leave Provide;
- Agree to comply with the Information Security Policies as amended from time to time, and understand that it is my responsibility to appraise myself of any changes to the policies, when notified;
- Undertake when working within other partner organisations to comply with that organisation’s Information Security Policies;
- Understand that any failure to comply with this agreement (which I have signed) could result in disciplinary action which may ultimately lead to dismissal or criminal prosecution.

Signed: …………………………………….…….

Date:……………………….

A signed copy of this declaration should be forwarded to:

Information Governance
Provide
900 The Crescent
Colchester Business Park
Colchester CO4 9YQ

*Where staff have regular access to a Provide computer then this agreement will be signed electronically via Metacompliance.



Appendix 3: Information Security Policy Compliance Statement

For Third Parties accessing, handling/processing Provide’s Information or accessing Provide’s systems

I confirm that I have read and understood the Information Security Policy;
I confirm that I understand and agree to comply with Provide Information Security Policy;

Name: …………………………………………………………………
On behalf of: ………………………………………………………….
Signed: ………………………………………………………………..
Date: …………………………………………………………………..

A signed copy of this declaration should be forwarded to:

Information Governance
Provide
900 The Crescent
Colchester Business Park
Colchester CO4 9YQ

Or emailed to Provide.infogov@nhs.net



EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’

Name of project/policy/strategy (hereafter referred to as “initiative”):

Information Security Policy

Provide a brief summary (bullet points) of the aims of the initiative and main activities:

- Define organisation policy regarding Information Security
- Provide a framework of control to ensure the Confidentiality, Integrity and Availability of information and IT systems used within the organisation
- Encourage an effective and positive work ethic towards information security
- Reduce the risk of loss of, damage to or misuse of patient, staff or business data
- Reduce security threats by promoting awareness and good practice
- Protect the organisation and its staff against potential liability

Project/Policy Manager:

IG & IT Projects Manager

Date: 20/02/2019

This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. have no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.

Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.

Neutral

Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?

Neutral



Q3. Is the impact of the initiative – whether positive or negative – significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period of time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.

Neutral

Guidelines: Things to consider

- Equality impact assessments at Provide take account of relevant equality legislation and include age (i.e. young and old); race and ethnicity; gender; disability; religion and faith; and sexual orientation.
- The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.
- Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.
- Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan.
- Where there is a positive impact on particular groups, does this mean there could be an adverse impact on others, and if so can this be justified? E.g. are there other existing or planned initiatives which redress this?
- It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.
- It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or a monitoring/evaluation system set up to review a policy’s impact over time.



EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2 (To be used where the ‘screening’ phase has identified a substantial problem/concern)

This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.

Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?

N/A

Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?

N/A

Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?

N/A

Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.

N/A

Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?

N/A



Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/improving community relations? Where appropriate, identify any additional data that will be required.

N/A

Guidelines: Things to consider

- An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised.
- It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative.
- The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action.
- If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.

Further information: Useful Websites

www.equalityhumanrights.com – Website for new Equality agency
www.employers-forum.co.uk – Employers forum on disability
www.disabilitynow.org.uk – online disability related newspaper
www.efa.org.uk – Employers forum on age

© MDA 2007
