Information Governance Policy
Author(s) Beryl Woodall – Healthcare Operations Manager
John Hunt – Service Development Manager
Bob Medway – Corporate Informatics Manager
Pauline Curran – Information Governance / Access Manager
Lisa Beck – Information Governance Co-ordinator
Date March 2008
Policy Number IT02
Version number Version 2
Approving Committee Information Governance Board
Date March 2008
Review Date March 2011
Responsible for review Information Governance Board Managers
IT02 Information Governance Policy
Information Governance Board
March 2008
WRIGHTINGTON, WIGAN & LEIGH NHS TRUST
INFORMATION GOVERNANCE
INFORMATION GOVERNANCE POLICY
TABLE OF CONTENTS
1. POLICY STATEMENT .............................................................................. 7
2. SCOPE ...................................................................................................... 8
2.1 Policy Coverage..................................................................................... 8
2.2 Related Policy & codes of conduct:...................................................... 8
2.3 Legal & Regulation framework .............................................................. 9
2.3.1 Legal Acts..........................................................................................................9
2.3.2 NHS Regulatory framework.............................................................................10
2.4 Information Governance Management System.................................. 10
3. GOVERNANCE........................................................................................ 11
3.1 Information Governance Policy............................................................ 11
3.2 Review & Evaluation ............................................................................ 11
4. ORGANISATIONAL ARRANGEMENTS.............................................. 12
4.1 Information Governance Infrastructure .............................................. 12
4.1.1 Information Governance Board .......................................................................12
4.1.2 Information Governance Co-ordination ...........................................................12
4.1.3 Allocation of information governance responsibilities......................................12
4.1.4 Authorisation process for information processing facilities..............................14
4.1.5 Specialist Information Governance Advice......................................................14
4.1.6 Co-operation between organisations...............................................................15
4.1.7 Independent Review of information governance .............................................15
4.2 Security of third party access .............................................................. 15
4.2.1 Identification of risks from third party access ..................................................15
4.2.2 Governance requirements in third party contracts. ........................................16
4.3 Outsourcing ........................................................................................... 16
4.3.1 Governance requirements in outsourcing contracts........................................17
5. ASSET CLASSIFICATION & CONTROL .................................................. 17
5.1 Accountability for assets ........................................................................ 17
5.1.1 Inventory of Assets..........................................................................................17
5.2 Information classification ..................................................................... 17
5.2.1 Classification guidelines ..................................................................................17
5.2.2 Information labelling and handling...................................................................18
6. HUMAN RESOURCES SECURITY ........................................................ 18
6.1 Information governance in job definition & resourcing .................... 18
6.1.1 Including information governance in job descriptions......................................19
6.1.2 HR screening and policy ................................................................................19
6.1.3 Confidentiality Agreements in employment contracts .....................................19
6.1.4 Terms and conditions of employment .............................................................19
6.2 User training ........................................................................................... 19
6.2.1 Information Governance education and training .............................................20
6.3 Responding to incidents and malfunctions ..................................... 20
6.3.1 Reporting incidents & ‘near misses’ (including confidentiality breach, poor quality information & lack of information) ....20
6.3.2 Reporting weaknesses ....................................................................................21
6.3.3 Learning from incidents ..................................................................................21
6.3.4 Disciplinary process & removal of access rights .............................................21
6.4 Controlled / Secure Areas...................................................................... 21
6.4.1 Physical Security Perimeter ............................................................................22
6.4.2 Physical entry controls ....................................................................................22
6.4.3 Securing offices, rooms and facilities ..............................................................22
6.4.4 Working in controlled/secure areas .................................................................23
6.5 Equipment security ............................................................................... 23
6.5.1 Equipment siting and protection ......................................................................23
6.5.2 Power supply...................................................................................................23
6.5.3 Cabling security...............................................................................................24
6.5.4 Equipment maintenance..................................................................................24
6.5.5 Secure disposal or re-use of equipment..........................................................25
6.6 General Controls ................................................................................... 25
6.6.1 Clear desk/area and clear screen policy .........................................................25
6.6.2 Removal of property ........................................................................................25
7. COMMUNICATIONS AND OPERATIONS MANAGEMENT................... 26
7.1 Operational procedures and responsibilities..................................... 26
7.1.1 Documented operating procedures .................................................................26
7.1.2 Operational change control .............................................................................26
7.1.3 Incident management procedures...................................................................27
7.1.4 Segregation of duties ......................................................................................27
7.1.6 External facilities management .......................................................................28
7.2 System planning and acceptance ........................................................ 29
7.2.1 Capacity planning............................................................................................29
7.2.2 System acceptance .........................................................................................29
7.3 Protection against ‘malicious’ software .............................................. 29
7.3.1 Controls against malicious software................................................................30
7.4 Housekeeping ........................................................................................ 30
7.4.1 Information back-up.........................................................................................30
7.4.2 Operator logs...................................................................................................31
7.4.3 Fault logging (Helpdesk) .................................................................................32
7.4.4 Network controls..............................................................................................32
7.5 Handling & governance of ‘information’ media .................................. 32
7.5.1 Management of (re)movable ‘information’ media ...........................................32
7.5.2 Disposal of media............................................................................................33
7.5.3 Information handling procedures.....................................................................33
7.5.4 Security of system documentation ..................................................................33
7.6 Exchanges of information and software............................................. 33
7.6.1 Information exchange agreements..................................................................34
7.6.2 Security of media in transit ..............................................................................34
7.6.3 Electronic commerce security .........................................................................34
7.6.4 Security of electronic office systems ...............................................................35
7.6.5 Publicly available systems...............................................................................36
7.6.6 Other forms of Information Exchange (phone, fax, post) ................................36
8. ACCESS CONTROL ............................................................................... 37
8.1 Business requirement for access control ........................................... 37
8.1.1 Access control policy.......................................................................................37
8.2 User access management..................................................................... 38
8.2.1 User registration ..............................................................................................38
8.2.2 Privilege management.....................................................................................39
8.2.3 User password management ..........................................................................39
8.2.4 Review of user access rights...........................................................................39
8.3 User responsibilities ............................................................................ 39
8.3.1 Password use..................................................................................................39
8.3.2 Unattended user equipment ............................................................................40
8.4 Network access control ....................................................................... 40
8.4.1 Policy on use of network services ...................................................................40
8.4.2 Enforced Path..................................................................................................40
8.4.3 User authentication for external connections ..................................................41
8.4.4 Node authentication ........................................................................................41
8.4.5 Remote diagnostic port protection...................................................................41
8.4.6 Segregation in networks..................................................................................41
8.4.7 Network connection control .............................................................................41
8.4.8 Network routing control ...................................................................................41
8.4.9 (Documentation of) Security of network services .............................................41
8.5 Operating system access control ....................................................... 41
8.5.1 Automatic terminal identification......................................................................41
8.5.2 Terminal/PC log on procedures.......................................................................42
8.5.3 User identification and authentication .............................................................42
8.5.4 Password management system ......................................................................43
8.5.5 Use of system utilities......................................................................................43
8.5.6 Terminal/PC time-out ......................................................................................43
8.5.7 Limitation of connection time...........................................................................44
8.6 Application access control .................................................................. 44
8.6.1 Information access restriction..........................................................................44
8.6.2 Sensitive system isolation ...............................................................................44
8.6.3 Event logging/Audit trails.................................................................................44
8.6.4 Monitoring system use ....................................................................................45
8.6.5 Clock synchronisation .....................................................................................45
8.7 Mobile computing and teleworking..................................................... 45
8.7.1 Mobile information handling & computing .......................................................45
8.7.2 Teleworking (inc Homeworking) ......................................................................46
9. SYSTEMS DEVELOPMENT AND MAINTENANCE ............................... 46
9.1 Information Governance requirements of systems. .......................... 46
9.1.1 Governance requirements analysis and specification .....................................46
9.2 Governance in information systems, paper records and processes 47
9.2.1 Input data validation/paper record creation .....................................................47
9.2.2 Control of internal processing..........................................................................48
9.2.3 Data item (inc message) authentication ..........................................................48
9.2.4 Output data validation .....................................................................................48
9.3 Cryptographic controls (including encryption) on use of cryptographic controls ..... 49
9.3.1 Encryption .......................................................................................................49
9.4 Security of system files........................................................................ 49
9.4.1 Control of operational software .......................................................................49
9.4.2 Protection of system test data .........................................................................49
9.4.3 Access control to program source library ........................................................50
9.5 Information governance in development and support processes ... 50
9.5.1 Change control procedures .............................................................................50
9.5.2 Technical review of operating system changes...............................................51
9.5.3 Restrictions on changes to software ...............................................................51
9.5.4 Covert channels and Trojan code ...................................................................51
9.5.5 Outsourced software development..................................................................51
10. BUSINESS CONTINUITY ...................................................................... 51
10.1 Aspects of business continuity management................................... 51
10.1.1 Business continuity management process ....................................................52
10.1.2 Business continuity and impact analysis .......................................................52
10.1.3 Writing and implementing continuity plans ....................................................53
10.1.4 Business continuity planning framework .......................................................53
10.1.5 Continuity plan testing ...................................................................................53
11. COMPLIANCE ........................................................................................ 53
11.1 Compliance with legal requirements & regulation framework .......... 53
11.1.1 Identification of applicable legislation/regulations .........................................54
11.1.2 Intellectual property rights (IPR)....................................................................54
11.1.3 Safeguarding of organisational records.........................................................54
11.1.4 Data protection and privacy/confidentiality of personal information ..............54
11.1.5 Prevention of misuse of information processing facilities..............................58
11.1.6 Regulation of cryptographic controls .............................................................58
11.1.7 Collection of evidence ...................................................................................58
12. REVIEWS OF INFORMATION GOVERNANCE POLICY AND TECHNICAL COMPLIANCE ........ 59
12.1 Compliance with information governance policy .............................. 59
12.1.1 Technical compliance checking.....................................................................59
12.2 System audit considerations............................................................... 59
12.2.1 System audit controls ....................................................................................59
12.2.2 Access to system audit tools .........................................................................59
12.3 Review and monitoring ........................................................................ 59
13. ACCESSIBILITY ..................................................................................... 60
14. OTHER RELATED POLICIES ................................................................ 61
1. POLICY STATEMENT
Information is a vital asset, both in terms of the healthcare management of individual
patients and the efficient management of services and resources. It plays a key part in
healthcare governance, service planning and performance management.
It is therefore of paramount importance to ensure that information is effectively
managed and that appropriate policies, procedures, management accountability and
structures provide a robust governance framework for information management.
The Trust will establish and maintain policies and procedures to ensure compliance
with requirements contained within the NHS Connecting for Health Information
Governance Toolkit.
This document sets out policy standards and common policy directions within
Wrightington, Wigan and Leigh NHS Trust for the Information Governance programme.
The policy is intended to cover the overlapping areas of Data Protection (incorporating
Confidentiality and Caldicott), Information Security (ISO17799 standard), Freedom of
Information, Data Quality and Records Management.
The intention is to promote and build a level of consistency across the Trust on this
baseline template.
Information Governance – Statement of Principles:
• Personal identifiable information will be classified and kept confidential and secure
at all times. Caldicott principles must be adhered to when using personal and
sensitive information.
• Integrity of information will be developed, monitored and maintained, to ensure that
it is of sufficient quality for use within the purposes it was collected.
• Availability of information for operational purposes will be maintained within set
parameters relating to its importance, via appropriate procedures and computer
system resilience.
• Compliance with the legal and regulatory framework will be achieved, monitored and
maintained.
• Awareness & understanding of all staff, with regard to their responsibilities, will be
routinely assessed and appropriate education & awareness provided.
• Risk assessment, in conjunction with overall priority planning (of organisational
activity), will be undertaken to ensure that appropriate, effective and affordable
information governance controls are in place.
This policy has been assessed against the Equality Impact Assessment Form from the
Trust’s Equality Impact Assessment Guidance and, as far as we are aware, there is no
impact on any Equality Target Group.
In implementing this policy, managers must ensure that all staff are treated fairly and
within the provisions and spirit of the Trust’s Equality, Diversity and Inclusiveness
Policy.
For more details, please contact the Human Resources Department on 01942 773766
or Email: equalityanddiversity@wwl.nhs.uk.
2. SCOPE
2.1 Policy Coverage
This policy covers all aspects of information within the organisation, including (but not
limited to):
o Patient/Client/Service User information
o Staff related information
o Organisational information
This policy covers all aspects of handling information, including (but not limited to):
o Structured record systems (paper & electronic)
o Transmission of information (fax, email, post, intranet / internet, text messaging &
telephone)
The policy covers all information systems purchased, developed and managed by the
organisation and any individual (directly employed or otherwise by the organisation)
accessing information owned by the organisation.
The Trust believes that accurate, timely and relevant information is essential to deliver
the highest quality care. It is the responsibility of all staff to ensure that the quality of
information they obtain, record and actively use is in accordance with the requirements,
standards and legislation concerning Information Governance.
2.2 Related Policy & codes of conduct:
• Human Resource Policies – In setting out standards relating to Information
Governance a number of controls are specified relating to job responsibilities,
screening, terms and conditions of employment and disciplinary action. These
controls are a feature of HR Policy, Code of Conduct and Agenda for Change
Contracts of Employment.
• Physical Security Policies – A number of controls are specified relating to the
physical environments in which information is handled. As with links to HR
policy, these control areas are aligned with Estates/Facilities policy and
procedures.
• Medical records policies – such as the Health Records Management Strategy
• Professional codes of conduct from the BMA, GMC and NMC and others (inc
Allied Health Professionals, Finance Professionals and NHS Managers)
• Research & ethics policies, including Research Governance initiatives and policy
2.3 Legal & Regulation framework
The policy is set out to comply with the following list of legal acts and the NHS
regulation framework.
2.3.1 Legal Acts
The organisation is bound by the provisions of a number of items of legislation
affecting the stewardship and control of information. The main relevant legislation is:
• Data Protection Act 1998
• Freedom of Information Act 2000
• Human Rights Act 1998
• Access to Health Records Act 1990 – regarding deceased patients’ records
• Computer Misuse Act 1990
• Crime & Disorder Act 1998
• Electronic Communications Act 2000
• Regulation of Investigatory Powers Act 2000 (& Lawful Business Practice
Regulations 2000)
Other relevant legislation regarding information governance practices and procedures
can be located in the Department of Health publication titled “NHS Information
Governance – Guidance on Legal and Professional Obligations.”
This policy describes the way in which information should be managed, in particular,
the way in which personal or sensitive information should be protected. In addition to
the above, other legislation can impact upon the way in which we should use
information. This includes:
• The Access to Medical Records Act 1990
• Blood Safety and Quality Legislation
• The Census (Confidentiality) Act 1991
• The Children Act 2004
• The Civil Contingencies Act 2004
• The Copyright, Designs and Patents Act 1988
• The Electronic Communications Act 2000
• The Environmental Information Regulations 2004
• The Gender Recognition Act 2004
• The Privacy and Electronic Communications Regulations 2003
• The Public Records Act 1958
• The Re-use of Public Sector Information Regulations 2005
• The Regulation of Investigatory Powers Act 2000
2.3.2 NHS Regulatory framework
In relation to many of the above requirements the NHS has set out and mandated a
number of elements of regulation that constitute ‘Information Governance’. The main
guidelines are as follows:
• ISO 17799 – Code of practice for the management of information security
• Confidentiality: NHS Code of Practice
• Information Governance Toolkit (delivered by NHS Connecting for Health)
• Records Management: NHS Code of Practice
• Information Security: NHS Code of Practice
There are also professional Codes of Conduct containing confidentiality procedures
which must be adhered to at all times.
2.4 Information Governance Management System
There are a number of activities required in developing the overall Information
Governance Management System:
• Policy definition
• Determine Information Assets and document in register
• Risk assessment, identifying threats, vulnerabilities and impacts
• Select appropriate controls & implement, developing procedure and process
related documentation
• Produce a statement of applicability and combine documentation for formal
accreditation to the standard (ISO17799)
This document sets out the policy. As part of the implementation the organisation will
implement an Information Asset register (see section 5.1.1). Risk assessment will be
undertaken via the Trust Risk Reporting Procedures.
Supporting all this will be appropriate integration with other policy areas (see 2.2) and
compilation of Information Governance procedures (linking to Information Governance
elements such as Data Quality Accreditation). This documentation set will be
maintained as the overall Information Governance Management System.
3. GOVERNANCE
3.1 Information Governance Policy
Objective: To provide clear direction and support and commitment to information
governance, through the issue and maintenance of an information governance policy
across the organisation.
Sections 1 and 2.1 set out the principles and coverage of this policy, which defines
Information Governance. The organisational management is committed to applying
the controls defined within this policy to ensure compliance with legal and regulatory
requirements. The policy sets out minimum levels of required activity across the
community in areas such as education, business continuity and access control.
3.2 Review & Evaluation
The organisation’s Caldicott Guardian, who is responsible for maintenance and review,
owns the policy. The Wrightington, Wigan and Leigh Information Governance Board
will facilitate a 3 year review.
Review may also take place due to the following occurrences:
• Major policy breach within the Trust
• Identification of new threats or vulnerabilities
• Significant organisational restructuring
• Significant change in technical infrastructure
Evaluation will be carried out via a number of means:
• Information Governance Toolkit Assessment (annual exercise and submitted on
the 31st March to NHS Connecting for Health)
• Internal/External audit programmes
Evaluation will be set on a number of criteria including (not limited to):
• Number of reported policy breaches
• External assessment of organisational policy compliance
• Staff awareness
• Evidence of organisational commitment
The Information Governance Co-ordinator will also provide support as well as ‘friendly-
audit’ via a programme of spot checks in areas of the policy on an ongoing basis.
4. ORGANISATIONAL ARRANGEMENTS
4.1 Information Governance Infrastructure
Objective: A management framework within the organisation is established to initiate
and control the implementation of information governance and information assets.
This will include assigning roles, co-ordinating activity and liaising with specialist
support (Consortium team & external agencies).
4.1.1 Information Governance Board
Within the organisation there is a need to review and approve policy, allocate overall
responsibilities, monitor significant changes in risk assessment and approve major
initiatives to enhance information governance. By undertaking such responsibilities a
default commitment and visible support is given to the Information Governance
agenda.
Senior Management of the organisation are members of the Information Governance
Board, to show the commitment of the organisation. The relevant Boards and Committees
(including the Trust Board and Executive Management Board of the organisation) will
receive and approve the annual Information Governance audit report and improvement
plan. They will also be informed of (and if necessary involved in) any reports of serious
threats, vulnerabilities or incidents and the resolving action.
4.1.2 Information Governance Co-ordination
Detailed co-ordination of Information Governance activity will be handled by specific
Information Governance sub-groups. These groups will:
• Agree roles and responsibilities across the organisation.
• Plan and resource organisation-wide information governance initiatives (such as
training)
• Identify and implement methodologies for areas such as risk assessment, quality
measurement
• Review security incidents and initiate resolution and learning.
• Assess and implement governance controls for information.
• Lead and facilitate development of information governance as part of the
infrastructure of the organisation.
4.1.3 Allocation of information governance responsibilities
Ownership of information assets – Each identified asset will have an appointed owner
who is ultimately responsible for the governance of the information asset. In the case
of systems this will be a senior figure within the organisation. Where there is no
obvious ‘owner’ the role will default to the Caldicott Guardian of the organisation.
Ownership of a system may be vested in a management forum where the strategic
development of that system or organisational facility is decided. System owners will
be responsible for determining the access policy for the system or area, in conjunction
with advice from the system management and information governance roles.
System management – Each system will have an identified manager. The governance
role of the manager is to implement the system related processes that govern:
• management of access to the system
• audit of user activity
• system data validation processes (input, internal & output)
• supplier support (where applicable)
Caldicott Guardian role – This role is responsible for establishing and maintaining
procedures governing access to, and the use of, person-identifiable data held or
processed within systems or networks which are the responsibility of the organisation
and the secure transfer of such data from the organisation to other bodies. The
guardian also agrees local procedures and protocols to ensure consistency with any
relevant central requirements and guidance.
Information Governance Co-ordinator role – The main features of this role are to
facilitate advice and support to the organisation, whilst leading on audit and
improvement plans relating to information governance. The role is responsible for co-
ordinating activity across the organisation to ensure that policy and process around the
information assets promote the required level of security and compliance with legal
and NHS Frameworks such as the Information Governance Toolkit.
Corporate Informatics Manager – The main feature of this role is to support, co-
ordinate and report on the Information Management Programme ensuring that all data
are maintained in accordance with the Data Protection Act. This role acts as the
nominated Data Protection Officer for the Trust and updates the registration to the
Information Commissioner annually.
Information Security Officer – The IT Services Manager is the nominated Information
Security Officer for the Trust and the Systems Development Manager manages this on
behalf of the IT Services Manager.
Physical security – Responsibility for the physical security of information assets will lie
with the Estates/Facilities function and/or other relevant departments.
Line Management/Executive Personnel governance elements – Responsibility will lie
with the Human Resource function, co-ordinated through the Information Governance
Board. Organisational line managers will be responsible for ensuring that appropriate
activities (training/user management) are facilitated for their staff and that compliance
with the Information Governance Policy and relevant system/acceptable use
policies/procedures are promoted.
Clinical & Corporate Governance – Executive responsibility is exercised through
communication co-ordinated via the Information Governance role; these functions are
responsible for determining the overall requirement and reporting arrangements for
information governance.
4.1.4 Authorisation process for information processing facilities
A process for authorising new information processing facilities will be used.
Information is an extremely valuable asset for which loss or lack of control can cause
operational difficulties. The organisation needs to know what information is collected,
used & shared, so the organisational responsibilities with regard to that information
can be carried out.
New systems – Any requirement for a new system, regardless of size and cost, will be put
through the process for authorisation. Authorisation will be formally sought via the
IM&T Strategy Board and, if required (e.g. for a major procurement), the Trust Board.
Significant new function (of existing system) – It is important to draw a distinction
between new function and change to existing function. Both will have an impact on
information; however, changes to existing functions are covered by the policy controls
and processes associated with change control (see 8.1.2, 10.5.1). Significant new
functionality will be initiated by:
• User forum/Senior management requirement
• National strategic requirement
Following this initiation the request will be put through the same authorisation process.
The authorisation process will include:
• Identification of new sources of information & data items
• Identification of new purposes
• Identification of new disclosures
• Identification of threats/weaknesses & countermeasures to the confidentiality,
integrity and availability of information (to include technical specification for
resilience and hardware/software compatibility)
• User representation sign-off (group, or senior user)
• Caldicott Guardian sign-off
• IM&T Strategy Board sign-off / Change Management Board sign off (and if
required Board approval)
Post ‘authorisation’ activity will see new assets included in appropriate registers.
4.1.5 Specialist Information Governance Advice
The organisation requires specialist advice in order to carry out its duties. Ideally any
role for co-ordinating information governance activity will be a full time role that will by
default have a degree of specialisation. Failing that the organisation must determine
the required level of advice and develop appropriate relationships to secure that
advice.
The Information Governance Co-ordinator has the responsibilities (defined as
‘Information Governance responsibilities’ in 4.1.3) within their job description and will
maintain training and professional development activities in order to be adequately
trained to carry them out.
4.1.6 Co-operation between organisations
Incident management - The information governance infrastructure will develop
appropriate contacts in partner organisations. These will include:
• Primary Care Trusts (PCTs)
• Department of Health
• NHS Connecting for Health
• Police
• Social Care Agencies
• Voluntary Organisations
Collaboration – Organisational staff involved in the governance of information will
actively participate in collaborative developments within the Health Economy.
Information Sharing – The organisation will, where there is a defined purpose (or set
of purposes) that is beneficial and justifiable, sign up to information sharing agreements
with partner organisations, provided these agreements are set out within the boundaries
of applicable legislation and regulation and do not compromise the organisation or the
confidentiality of the personal/sensitive data that it holds.
4.1.7 Independent Review of information governance
The organisation will submit this policy and associated implementation elements to
regular review via, at minimum, internal audit.
Whilst the policy itself will be reviewed according to changes in legislation and
guidance, the minimum period between independent reviews will be three years.
4.2 Security of third party access
Objective: To maintain the security of organisational information processing facilities
and information assets, when accessed by third parties.
4.2.1 Identification of risks from third party access
Risks vary depending on the type of access required. Physical on-site access has
different risks from off-site networked access. Risks from third party access are in
effect the same as the risks for any user, however the nature of third parties removes
the direct control over individuals that is present in a formal first party employment
arrangement. Following identification of risks, controls will be applied via contractual
arrangement as below.
4.2.2 Governance requirements in third party contracts
Contractual arrangements with third parties will include agreement on the classification
of information, the need for confidentiality control and how this will be applied. Where
confidential information is to be (or could be) accessed, the organisation will require
any supplier to have formal contractual confidentiality clauses with all employees
accessing such data.
Two standard areas for inclusion are:
On-site access - Third parties with ‘on-site’ access will be required to wear ‘visitor’
identification badges (in addition to any organisational ID they may carry). Where
there is more of a partnership relation (such as with a University), then a joint ID badge
may suffice.
System access authorisation will be via the same process as any other user, but will
identify the individual as a third party.
Off-site access – ‘Network’ access for suppliers or partner organisations will be via an
approved NHSnet connection (adhering to NHSnet connection codes/policy). It is
permissible for access to a system to be provided at a third party's premises by extension
of the organisation's network, provided the extended network and the recipient's own
network are kept separate. For more information, contact the IT Services department.
Other items that will be considered for inclusion:
• Methods for assessing whether assets have been compromised
• Controls over return/destruction of information
• Agreement on acceptable levels of data integrity and availability
• Liabilities of the parties to the agreement
• Legal responsibilities (Data Protection, Intellectual Property etc)
• The right to revoke agreement or access by any party in particular circumstances
• Protection against malicious software
• Arrangements for reporting and investigating potential breaches
• Involvement with additional subcontractors
• Authorisation and authentication processes for users
4.3 Outsourcing
Objective: To maintain the security of information when the responsibility for
information processing has been outsourced to another organisation. Arrangements
must address the risks and required security controls in the contract between the
parties.
4.3.1 Governance requirements in outsourcing contracts
It is important to draw a distinction between third party supplied/supported software and
outsourcing arrangements. Outsourcing is when a third party is paid to deliver a
complete service (or element of larger service). The elements that will be included in
any arrangement are:
• Identification, awareness and understanding of responsibilities (inc legal
compliance requirements)
• Service level agreements on availability of service (accessibility of information),
integrity (quality checks) and confidentiality
• The right of audit
5. Asset classification & control
5.1 Accountability for assets
Objective: To maintain appropriate protection for organisational assets. All major
assets to have identified owners and maintenance responsibilities assigned.
Responsibility can be delegated but accountability remains with the asset owner.
5.1.1 Inventory of Assets
It is impossible to implement required controls completely across the organisation
without an inventory of assets.
Information & software assets – Systems, databases, files, associated documentation
(training manuals, procedures etc). Each owner (see 4.1.3) is accountable for
implementation and maintenance of information assets relating to their system or area.
This may be delegated to system management staff.
Physical assets – Computer equipment, communications equipment etc. Where
ownership of an item resides with the organisation, then the IT department will be
responsible for implementing and maintaining an asset register. If a department
purchases physical assets separately then they are responsible for keeping a local
asset register up to date. Ideally, as part of IT operational policy, purchase and supply
of equipment should be handled via a single function (within the IT section).
The Security Officer role is responsible for facilitating the development of asset
registers and compilation of subset inventories into an organisational view.
5.2 Information classification
Objective: To ensure that information assets receive an appropriate level of protection,
each significant asset will be classified in order to produce clarity in the need for
controls when handling the asset.
5.2.1 Classification guidelines
Information will be classified in one of three categories:
Personally identifiable – Structured filing systems (electronic or paper) containing
identifiable information are subject to the terms of the Data Protection Act 1998 and
are afforded a degree of legal protection in their handling.
Organisationally sensitive – This classification includes any information relating to
activity that does not identify an individual, but may cause operational difficulties if the
information became unavailable or was disclosed in the wrong environment. This
classification should not in any way be seen as a level of secrecy from the public. It is
envisaged it will only be used for documentation that if disclosed would be prejudicial
to developments (such as draft service development plans).
Public information – Information that neither contains data on individuals nor has any
degree of service sensitivity will be considered in the public domain. In line with
developments under the ‘Freedom of Information Act’, this information will be actively
included in publication schemes and made freely available. It is envisaged that the
majority of documentation afforded ‘organisationally sensitive’ status will at the
appropriate time be made publicly available.
Responsibility for definition of an information asset into these categories remains with
the originator or owner. By default any information identifying an individual falls into
the ‘Personally identifiable’ category.
5.2.2 Information labelling and handling
In line with the above classification guidelines, processes for the appropriate labelling
and handling of information will be drawn up. At this stage it is not envisaged that
information will be routinely labelled, although this may form policy in time.
Development of the response to the Freedom of Information Act may well see information
labelled as ‘organisationally sensitive’, with a default that anything not labelled as
such, which does not contain personally identifiable information (subject to Data
Protection legislation), is ‘public’.
Whilst such organisational change/development takes place, reliance must be placed
on staff judgement. Guidelines for handling information will be drawn up and
publicised (see 8.6.3). These will be integrated into training (see 6.2) and cover the
copying, storage, transmission (in any form) and destruction of information.
All retention and disposal of information will be within the good practice guidelines of
the Records Management: NHS Codes of Practice (April 2006).
6. Human Resources Security
6.1 Information governance in job definition & resourcing
Objective: To reduce the risks of human error, theft, fraud or misuse of facilities.
Responsibilities will be addressed during recruitment, included in contracts and
monitored during an individual’s employment.
6.1.1 Including information governance in job descriptions
All staff handling information (of any sort) within the organisation, will have their
responsibilities laid out within their job descriptions.
In section 4.1.3 (Allocation of information governance responsibilities), more detailed,
specific responsibilities/roles are defined. Staff undertaking any of these more
specific roles will have the relevant responsibilities laid out in their job description and
contract, over and above the basic statements in all employees’ documentation.
6.1.2 HR screening and policy
As part of separate, but linked, Human Resources policy, the organisation will have
implemented some or all of the following:
• Availability of references for new employees
• Confirmation of claimed academic and professional qualifications
• Independent identity check (passport or similar document)
As reliance on information is key to the efficient and safe running of an organisation,
there is a need to be as sure as possible about the identity, character and
qualifications of employees, particularly as we move to electronic systems with a much
wider capacity to share data.
6.1.3 Confidentiality Agreements in employment contracts
As part of the employee’s terms and conditions of employment (contract), there will be
an agreement to maintain confidentiality of information, in line with section 5.2
(Information classification).
Casual staff and third parties (including volunteers associated with the League of Friends,
Patient Participation Groups etc.), not covered by an employment contract, are required
to sign a confidentiality agreement/honorary contract prior to being given access to
information processing facilities. All such staff will be informed about the need and
method for maintaining confidentiality, regardless of what access their role gives them
to information.
6.1.4 Terms and conditions of employment
Staff contracts should reflect the employee’s responsibility for information governance.
They should note that these responsibilities continue in perpetuity and not only for the
length of the staff member’s employment. Terms and conditions will also state that the
responsibilities extend to all places and all times, including outside the work
environment and working hours.
6.2 User training
Objective: To ensure users are aware of threats to confidentiality, quality and security
of information. Users will be trained in the use of systems and appropriate procedures
to ensure the quality and appropriate handling of information, in order to minimise
risks to the organisation from poor information governance.
6.2.1 Information Governance education and training
Training is always a difficult task in organisations with limited resource and competing
priorities. This element of policy has been set in two levels, firstly what should be in
place now and secondly what developments are envisaged.
Current provision:
Induction – The organisation will ensure that all newly employed staff receive basic
guidance in organisational policy in relation to information governance as part of an
overall organisational induction. There is an Information Governance Market Place
event held on Induction days which staff must visit to learn and ask questions about
the varying aspects of Information Governance.
System training – All user training on systems will include details and education on
appropriate policy and procedure elements for that system. These will focus on both
security and data quality elements. In line with requirements for Information Quality
Assurance (reflected in the IG Toolkit standards), processes for system-based tasks,
such as search and registration of patients, will be detailed in procedure manuals that
provide both the ‘how to’ elements and the ‘why’ element to promote consistency and
common understanding among users.
Mandatory training – all staff are required to complete the mandated Information
Governance e-learning programme on a yearly basis which consists of tests to check
compliance.
‘Drop-in’ education sessions – The organisation will provide a regular programme of
training available to staff, on an ‘as-needs’ basis. This may be delivered in conjunction
with the Information Governance Co-ordinator as part of a regular education
programme incorporating seminars on information sharing and other items.
6.3 Responding to incidents and malfunctions
Objective: To minimise the damage from incidents and malfunctions and to monitor
and learn from incidents. Appropriate procedures will be in place to communicate
incidents to appropriate areas of the organisation. As part of training, employees and
third party contractors will also be made aware of definitions of incidents/weaknesses
and the process for dealing with them.
6.3.1 Reporting incidents & ‘near misses’ (including confidentiality breach, poor
quality information & lack of information)
The organisation will ensure that there is a robust procedure for reporting of incidents
that is combined with other appropriate reporting procedures within the organisation.
The Trust risk reporting procedures should be followed and also Information
Governance incidents including breaches of confidentiality and information security
should be reported to the Information Governance Co-ordinator to be reported on the
Information Governance Risk Log which is regularly tabled at the Information
Governance Board. Information Security incidents regarding IT equipment and
software, such as stolen laptops, should be reported to the IT Services team. If an
issue is considered a serious breach of confidentiality or information security (for
example, a batch of personal data relating to more than 50 patients going missing), it
should then also be reported to the Regional NHS Agency (previously the SHA).
Incidents relating to clinical use of data - Where an information incident relates to the
clinical care of a patient, the reporting procedure will be integrated with the clinical
incident reporting procedure.
Incidents relating to non-clinical use of data – Where an information incident relates to
non-clinical use of information (including administration data) the reporting procedure
will be integrated with Risk Management incident reporting procedure as stated in the
paragraph above.
Near misses – Near misses will also be reported as valuable learning can be gathered
from them as to why an incident itself did not occur.
Integration of procedure with existing organisational procedures will reduce the training
and awareness requirements in the long term.
6.3.2 Reporting weaknesses
Within user training awareness of ‘weaknesses’ will be raised and users will be
instructed to report these to either line managers or ‘owners’ of the system.
6.3.3 Learning from incidents
The organisation will set up some or all of the following processes for learning from
incidents, near misses or weaknesses:
User forums – As part of the development and management of systems, the
organisation will consider the input of users in a user group. Within such forum any
incidents or weaknesses will be discussed.
Training integration – Incidents will be highlighted in training to educate staff.
Organisational newsletters – Specific incidents and responses should routinely be
considered for publication in organisational communications, such as Trust internal
newsletters.
All learning from incidents should only be instigated once the incident has been
satisfactorily resolved. Future risk reduction will in part be based on effective learning.
6.3.4 Disciplinary process & removal of access rights
Any incident where organisational policy and procedure has been violated by staff
(either maliciously or accidentally) will be subject to formal disciplinary policy under the
organisation's Human Resource policy framework and, where appropriate, the
‘Professional Regulatory framework’. Such policy will form the basis of any
investigation and outcome. The organisation reserves the right to remove access for
staff under investigation or disciplined, either temporarily or permanently.
6.4 Controlled / Secure Areas
Objective: To prevent unauthorised access, damage and interference to business
premises and information. Areas should be protected by a defined security perimeter.
Protection provided should be commensurate with the identified risks. A clear desk
and clear screen policy is required to reduce risk of unauthorised access or damage to
papers, media and information processing facilities.
The healthcare environment is by nature ‘public facing’: there is a high risk to
equipment and of breaches of confidentiality, whilst there is perhaps little risk to the
quality of information from the public. This policy section needs to be viewed and read
in conjunction with the Trust’s general security policy where applicable.
6.4.1 Physical Security Perimeter
Elements of perimeters are defined as: Walls, card controlled entry gates, manned
reception desks etc. The elements other than walls require a degree of agreed and
implemented process, covered later in this policy. Physical security perimeter within a
‘public area’ is difficult to achieve, so three levels of area are defined and the
perimeters should be set around these:
Open Public area – Areas where the public are allowed to move freely, such as
corridors, waiting areas, some ward environments etc. Security based on general
security arrangements, such as staff vigilance, security patrols and CCTV.
Controlled Public area – Areas in which the public can be present, but only following
authorised access by staff (through controlled entry systems). This covers areas such
as maternity units. Once within these areas, control over the public is again via staff
vigilance and perhaps CCTV.
Staff only areas – No member of the general public is allowed access, except on
special controlled occasions, when they are accompanied at all times by a member of
staff. Staff only areas may also be subject to restriction to only certain staff members
and others when accompanied.
6.4.2 Physical entry controls
Entry to either ‘controlled public areas’ or ‘staff only areas’ requires physical entry
controls. Care and thought should be taken to place these controls in the most
appropriate position. Physical entry controls must be operated within defined
processes that deal with situations such as staff without their cards (forgotten or not yet
issued) and short term issue of access devices to visitors/temporary staff.
Staff access rights to controlled areas will be regularly reviewed and updated.
6.4.3 Securing offices, rooms and facilities
Within any area there should be the facility to protect information and information
processing facilities. Such facilities may be lockable offices or filing cabinets. Staff
should be educated in the operation and use of these facilities and their use within a
department determined and implemented. This should be subject to regular review to
ensure adequate protection for the information, but appropriate availability to those
that need it, when they need it.
Guidance for departmental evaluation:
Signage for buildings, offices and other areas should only give minimum indication of
purpose.
Doors and windows should be locked when unattended, with external protection
considered for windows, particularly at ground level.
6.4.4 Working in controlled/secure areas
All members of staff should wear ID badges at all times, in all areas, but especially in
controlled/secure areas.
Third party support services should only be granted restricted access to
controlled/secure areas, which should be authorised and monitored.
6.5 Equipment security
Objective: To prevent loss, damage or compromise of assets and interruption to
business activities, equipment should be physically protected from security threats or
environmental hazards. This will also consider equipment siting and disposal.
6.5.1 Equipment siting and protection
All of the following guidance points should be considered when siting equipment and
used if possible:
• Computer screens and paper records should be positioned to reduce the risk of
overlooking during their use. Screen shields and folders should be routinely
considered for ‘open public’ areas.
• Equipment should be sited away from overlooked windows (unless additional
window protection is in place). Use of ‘cages’ and security cables should be
routinely considered for equipment in ‘open public’ and ‘controlled public’ areas.
• Equipment should be sited away from fire risks, explosives, water, dust, chemicals,
and electromagnetic radiation.
• ‘Critical’ equipment such as servers, network infrastructure should be sited in an
appropriately controlled environment, in terms of temperature, humidity and
physical access etc.
• Eating & drinking must not be allowed near ‘critical’ equipment and must be
actively discouraged near other equipment. Staff causing damage to equipment
due to spillage or other associated issue may be responsible for the cost of repair
or replacement.
6.5.2 Power supply
Power supply to equipment should be routinely considered in all new installations (of
equipment or systems). Existing power supply should be regularly reviewed. Both
should be undertaken in line with areas detailed below.
Critical systems & infrastructure – Any system that is used for ‘Diagnostic support’
(e.g. Pathology, Radiology) or ‘Direct Provision of Patient Care’ (e.g. Pharmacy,
General Practice systems) must be provided with power supply protection.
As a minimum this must be UPS (Uninterruptible Power Supply) for the Server and a
number of access terminals/PCs. This is to enable access in the event of a power
failure, so the system can be shut down in an orderly manner, whilst continuity activity
(fallback plans) are invoked. UPS equipment must be regularly checked to ensure it
has adequate capacity and tested in accordance with the manufacturers
recommendations. If the organisation has a ‘protected circuit’ available, there should
be a formal procedure for evaluating which system infrastructure and access points
should be attached to it.
6.5.3 Cabling security
Due to the nature of many healthcare premises, full implementation of cabling security
is not currently possible. The following defines minimum requirements for all
installations, and additional minimum requirements for new builds (not new
installations into old premises).
Existing premises:
• Power and telecommunication lines should be protected by ducting from source to
socket(s)
• System sweeps for unauthorised devices should be undertaken.
New build premises:
• Power and telecommunications lines should be underground/underfloor and not
routed through public areas.
6.5.4 Equipment maintenance
Equipment should be maintained in accordance with supplier recommendations by
authorised personnel.
Maintenance records of preventative and corrective action should be kept identifying
the inventory of the affected equipment.
Equipment being sent off-site should be subject to appropriate controls.
Security of equipment off-premises
Authorisation processes to remove equipment, either as a one-off or regular
occurrence will be implemented. The following guidelines should be considered:
• Equipment and media taken off premises should not be left unattended in public
places. Portable computers should be disguised where possible when travelling
(and carried as hand luggage).
• Manufacturers' instructions for protection of equipment should be followed.
• Home-working controls should be determined by a risk assessment and suitable
controls applied as appropriate.
• Adequate insurance cover should be in place to protect equipment off-site.
6.5.5 Secure disposal or re-use of equipment
A procedure for the identification and processing of equipment that is no longer
required for its current function is in place. Where equipment is to be re-used within
another location in the organisation, any data will be erased, using tools that overwrite
the data. The previous owner is responsible for ensuring that any data they wish to
keep is copied to an appropriate storage facility prior to the overwrite.
Equipment that is to be ‘donated’ to other organisations will also have all data erased
via overwriting by IT Services.
Equipment that is being disposed of will also be subject to erasure via overwriting
before the media elements are removed and destroyed by IT Services.
Non-media elements (i.e. not hard discs) can be considered for recycling schemes.
Due to the nature of healthcare data, and despite erasure via overwriting, it is policy that
hard discs are not included in recycling schemes. IT Services will be involved in this
process.
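The policy requires erasure by overwriting before re-use, donation or disposal, but does not say how an overwrite is confirmed before the media is signed off. The script below is an added illustration, not part of the Trust's procedure or the IT Services tooling: it overwrites a scratch file standing in for a drive and then verifies that the original content is gone. It assumes a POSIX shell with dd, head, grep and tr available, and that the target is a regular file; on a real device the same functions would be pointed at the block device (e.g. /dev/sdX), and for SSDs the drive's own secure-erase command is preferable, because wear-levelling can leave copies of blocks that a software overwrite never touches. The dummy record written into the file is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Trust policy): overwrite-erasure of a scratch
# disk image with a verification pass, so that media is only released once the
# overwrite is proven rather than assumed.
# Assumptions: POSIX sh; dd, head, grep -a, tr and wc present; target is a
# regular file standing in for a hard disc (on real hardware: the block device).

# marker_present FILE STRING
# Returns 0 if STRING still appears anywhere in FILE (grep -a treats it as text).
marker_present() {
    grep -a -q -- "$2" "$1"
}

# overwrite_file FILE PASSES
# Overwrites FILE in place, preserving its exact length: random data on every
# pass but the last, zeroes on the final pass so the result is easy to check.
overwrite_file() {
    file="$1"
    passes="$2"
    size=$(wc -c < "$file" | tr -d ' ')
    i=1
    while [ "$i" -le "$passes" ]; do
        if [ "$i" -eq "$passes" ]; then src=/dev/zero; else src=/dev/urandom; fi
        # head -c bounds the write to the original length; conv=notrunc keeps
        # dd from shortening the file, so every original byte is covered.
        head -c "$size" "$src" | dd of="$file" conv=notrunc 2>/dev/null
        i=$((i + 1))
    done
}

# verify_wiped FILE STRING EXPECTED_SIZE
# Returns 0 only if FILE is still EXPECTED_SIZE bytes, STRING is absent and
# every byte is now zero (the final pass wrote zeroes). Anything else is a
# failed erasure and the media must not be signed off.
verify_wiped() {
    file="$1"; marker="$2"; expected="$3"
    [ "$(wc -c < "$file" | tr -d ' ')" -eq "$expected" ] || return 1
    marker_present "$file" "$marker" && return 1
    nonzero=$(tr -d '\000' < "$file" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Constructed demonstration: a scratch file plays the part of a drive.
image=$(mktemp)
printf 'Constructed dummy record: NHS number 000 000 0000, SENSITIVE-RECORD' > "$image"
original_size=$(wc -c < "$image" | tr -d ' ')
marker_present "$image" SENSITIVE-RECORD && echo "before: marker present"
overwrite_file "$image" 3
if verify_wiped "$image" SENSITIVE-RECORD "$original_size"; then
    echo "after: erasure verified ($original_size bytes, all zero)"
else
    echo "after: ERASURE FAILED, do not release this media" >&2
fi
rm -f "$image"
```

The verification step is the point: a disposal register entry should record that verify_wiped (or the equivalent check in whatever tool IT Services uses) passed, not merely that an overwrite was started. A size mismatch or a surviving marker means the overwrite did not cover the whole extent and the disc must be re-processed.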
6.6 General Controls
Objective: To prevent compromise or theft of information and information processing
facilities. Information and information processing facilities should be protected from
disclosure to, modification of or theft by unauthorised persons, and controls should be
in place to minimise loss or damage.
6.6.1 Clear desk/area and clear screen policy
Given the public nature of the healthcare environment, these policy elements are
crucial to the appropriate handling of information. Failures of these policies in areas
open to the public will by their nature be public. Whilst damage or distress is unlikely,
the impact of a distressing occurrence may have serious implications for the
organisation and even the well-being of individuals. The following guidance points
should be included in procedures and education of staff for any item of information that
is either patient/staff identifiable or organisationally sensitive:
• Paper and computer media should be stored in suitable lockable cabinets when not
in use and kept out of public view.
• Patient information should be locked away when not required.
• Personal computers and computer terminals should not be left logged on when
unattended and should be protected by screensaver passwords (even though this
may mean having a single ‘screensaver’ password known by multiple staff).
• Information should not be left on printers or fax machines.
6.6.2 Removal of property
Equipment, information or software should not be taken off-site without authorisation.
Equipment will be subject to a process of logging out and back.
Formal records (e.g. medical records) will be subject to a tracking system that
incorporates logging out and back.
Spot checks will be undertaken to detect unauthorised removal of property. Staff will
be informed that these take place, although not when and how.
7. Communications and operations management
7.1 Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of information processing
facilities, responsibilities and procedures for the management and operation of all
information processing facilities should be established. This links to Data Accreditation
developments, medical records procedures and security/IT operational procedures.
7.1.1 Documented operating procedures
As part of the system/area specific application of the Information Governance policy a
set of documented operating procedures will be drawn up. This high level policy
cannot list them in detail, but sets out the framework in which they will be created.
Responsibility for co-ordination and monitoring will reside with the System Managers
Information Group and the Information Security Officer.
Procedures will be documented as follows:
Training materials – For procedures carried out by general users of the systems,
documentation within detailed training materials and user manuals will suffice.
System operations – Each system/area will draw up detailed information on
procedures required to ensure the smooth running of the system. These will typically
be both regular operational tasks and irregular system maintenance/change elements.
Technical operations – Areas to be considered include: routine maintenance, start
up/shut down procedures, housekeeping, capacity monitoring etc.
Change control documents –
The following items should be included in documentation (where appropriate):
• Contact details (for support, queries etc)
• Instruction for handling errors, including known impacts
• Effective document management
All operating procedures will be subject to regular review.
7.1.2 Operational change control
Poor change control is one of the major factors relating to system failure. By default
the ‘system management’ role for each area/system is responsible for the application
of change control procedures for their system/area.
The following elements must be considered when developing change control
procedures:
• Identification and recording of significant changes
• Assessment of the potential impact of such changes
• Formal approval procedure for proposed changes
• Communication of changes to all relevant personnel
• Formal acceptance or revocation procedures for changes
Change control procedures must be applied in the following circumstances:
• Changes to datasets collected
• Changes to standard report provision
• Changes to user procedure (& documentation)
• Changes to operational system provision procedures (backups etc)
7.1.3 Incident management procedures
Each system/area will draw up procedures for managing incidents. User training will
highlight what an incident is and provide required information for dealing with them.
This element of the policy is concerned with management of reported incidents, not the
process for actual reporting.
Procedural elements that will be included in managing incidents:
• Analysis and identification of the cause
• Actions to prevent recurrence
• Collection of audit trail and/or similar evidence
• Communication with affected and involved staff
• Further reporting if necessary (NHSIA security board etc)
As with the reporting procedure the management procedures will be integrated with
other incident management procedures in the organisation.
7.1.4 Segregation of duties
Each system/area will consider the need to segregate duties to reduce the risk of
accidental or deliberate system misuse. It is, however, difficult to implement such
controls in an environment of limited resource; nevertheless the following areas require
segregation:
• Financial system – ordering & receipt of goods and services
• System access requests – Authoriser of request must not action creation of
account
Use of segregation of duties as a control will be formally evaluated in any new system
or development of existing functionality.
Appropriate links to other ‘double-check’ procedures will be drawn (such as
prescription issue & dispensing).
7.1.5 Separation of development and operational facilities
Development of supplied systems – Where the contracted supplier controls the
development environment, overall compliance with ISO17799 will be sought in
contractual arrangements. This will include controls over staff access to development
and live environments and development tools.
In-house developed systems – In line with supplied systems, the following elements
must be considered and applied if possible:
• Development environments should run on different processors, or in different
domains or directories
• Compilers, editors and system utilities should not be accessible from operational
systems when not required.
• Rules for transfer of software/code from development to operational status should
be defined, including reversal procedures & linkage to change control.
On-site ‘Test’ environments of supplied & in-house developed systems – Each
system will evaluate the feasibility of a ‘test’ environment. This will be used for
training, system update testing and functionality development testing. Access
request and control policy/procedures for each system where there is an ‘onsite
test’ environment will incorporate requirements for user access to that as well.
On-site test environments will:
• Contain ‘dummy’ data. This may be a ‘scrambled’ copy of ‘live’ data, but in such
a way that individuals cannot be identified. Whilst the ‘test’ environment should
have full audit facilities, it is unlikely resource will allow these to be monitored;
hence to avoid breach of confidentiality etc, data must be scrambled.
• Clearly identify at the ‘log-in’ and during usage that the user is in the ‘test’
environment as opposed to the ‘live’, to prevent data being entered to the wrong
system.
7.1.6 External facilities management
Risks to information assets from External Facilities management arrangements should
be identified and reviewed regularly. Appropriate controls and procedures from other
sections of this policy should be discussed and their implementation by the provider
identified. These should include identification of responsibilities to monitor information
governance elements and procedures for reporting and handling information
governance issues.
7.2 System planning and acceptance
Objective: To reduce the likelihood and impact of system failure.
Projections of future capacity requirements should be made, to reduce the risk of
system overload. Operational requirements of new systems should be established,
documented and tested prior to their acceptance and use.
7.2.1 Capacity planning
The IT department (and any other responsible for system capacity) should monitor
system capacity. This should include network bandwidth, storage capacity and system
response times.
The department(s) responsible for the provision of capacity elements will lead on a
co-ordinated plan for the organisation’s infrastructure. They will be supported by the
departmental/area ‘system owners’ who will provide details of their requirements of the
systems, in terms of total number of users, expected volumes of concurrent usage,
peak usage timings and system development requirements.
The department(s) responsible for providing capacity elements will advise and guide
on the required resources, lead times and costs of the co-ordinated development plan.
A system for agreeing priorities to capacity developments will be agreed across the
organisation and implemented by the IM&T Strategy Board.
7.2.2 System acceptance
New systems, existing system upgrades/new versions will only be installed following
the definition of formal acceptance criteria. System Owners are responsible for
co-ordinating the acceptance criteria and involving the required areas of the organisation.
The following are controls that should be considered:
• Performance and capacity requirements.
• Preparation and testing of routine operating procedures (such as standard reports
etc)
• Testing of security controls (passwords, usernames, information access controls)
• Business continuity arrangements & tests
• Training provision to all appropriate staff, including education/communication of
upgrades
System owners should document the acceptance criteria, both prior to and post
installation.
7.3 Protection against ‘malicious’ software
Objective: To protect the integrity of software and information from viruses, ‘worms’
and other malicious software. Linking to training, communication, incident reporting
and development of appropriate preventative procedures.
7.3.1 Controls against malicious software
The organisation sets the following controls as policy to address the risk of reduced
integrity and availability of its information assets:
• All software installed on organisational assets to be appropriately licensed
• Use of unauthorised software is prohibited
• Installation and regular update of anti-virus software (for detection and repair) on
all appropriate machines (servers and clients)
• Routine checking of all email attachments and internet downloads
• Procedures for reporting and handling virus attacks & recovering from them.
• Awareness of malicious ‘hoax’ attacks and procedure for handling them, including
reporting to IT helpdesk.
• Staff awareness of above controls and their responsibilities.
The last bullet is perhaps the most important, as it is staff vigilance that will ensure
only licensed software is used and that email attachments are dealt with appropriately.
For more detail regarding email & Internet, see specific system policies.
7.4 Housekeeping
Objective: To maintain the integrity and availability of information processing and
communication services. Routine procedures should be established for carrying out
the agreed back-up strategy, taking backup copies of data and rehearsing their timely
restoration.
7.4.1 Information back-up
Information back-up is one part of Business Continuity. All systems should have some
sort of backup facility. For large specific applications this will typically be a tape or CD
writing backup facility as well as arrangements such as mirrored discs and backup
servers to provide additional resilience in the event of component or power failure.
For smaller applications (such as Access databases) and data folders, the regular
backup of shared network storage drives should suffice.
Users who keep large amounts of information on local hard discs should consider
shared storage facilities or other backup facilities such as CD writers.
Sidebar (cost of failure example): A 3 day loss of email to a non-clinical organisation
employing 100 staff at an average hourly rate of £20, where 5 minutes of productivity
are lost per working hour, equates to a cost of £4000. Three times a year = £12,000.
NB this is just the loss of efficiency, not the additional costs of telephone calls or loss
of information.
Each system/area will determine the appropriate backup procedure using the following
guides, with advice from the IT department and Information Security Officer:
• Regularity of backup – it makes sense to backup a system
every time a change (or set of changes) is made. For multi-user systems (such as
PAS), there should be as a minimum, the provision of ‘mirrored discs/raid arrays’
for continual backup and a removable media backup on a daily basis.
• Timing of routine backup – where a system is required on a continual basis at all
hours, appropriate timeslots for backups should be determined between the users
and the system management/technical staff
• Size of backup – In conjunction with ‘regularity’, the amount of data backed up
should be determined. It is not always possible to backup the entirety of data on a
system due to time & capacity constraints. Therefore procedures that take
backups of ‘data entered on that day’, which combined with less regular ‘full
backups’ can be implemented, so that complete recovery can be achieved (up to
the last ‘daily backup’) via a combination of backup tapes/CDs.
• Storage and protection of backup media – Storage should be in a location remote
from the main system, but subject to at least the same environmental and physical
protection as the main system.
• As part of backup procedures, regular testing and full restoration of backups to a
separate system (see the sidebar example above) should be implemented.
• Retention periods for backup information should be determined, with ideally at
least 3 complete backup cycles in place prior to disposal
• Backup media should be appropriately disposed of following decommissioning.
• Backup media should be regularly replaced to avoid wear and tear
• A journal file should not be stored on the same disk as the file it is journalling.
When determining the backup requirements of a system, the organisation will calculate
the cost of system failure to the organisation, in terms of reduced efficiency (loss of
staff productivity), damage and distress.
This combined with the likelihood of failure if sufficient backup is not implemented can
give a rough cost of failure to the organisation in a given period. This can then be
used in determining the prioritisation of resource allocated to information backup.
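The backup regime set out above (periodic full backups, daily backups of ‘data entered on that day’, recovery to the last daily backup from a combination of media, and at least three complete cycles retained before disposal) can be checked mechanically. The following is an added example, not code from the policy or any Trust system; the media labels, the weekly full-backup schedule and all dates are constructed sample data.

```python
"""Backup chain resolution and retention check (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass(frozen=True)
class Backup:
    media_id: str   # label on the tape/CD (constructed)
    taken: date
    kind: str       # "full" or "daily" (a daily holds only that day's changes)


def build_sample_media() -> List[Backup]:
    """Constructed media set: a full backup every Sunday from 2 March 2008,
    then a daily backup on each following day, through 31 March 2008."""
    media = []
    for week in range(5):
        full_day = date(2008, 3, 2) + timedelta(weeks=week)
        media.append(Backup(f"TAPE-F{week + 1}", full_day, "full"))
        for offset in range(1, 7):
            day = full_day + timedelta(days=offset)
            if day > date(2008, 3, 31):
                break
            media.append(Backup(f"TAPE-D{day.day:02d}", day, "daily"))
    return media


SAMPLE_MEDIA = build_sample_media()


def restore_chain(media: List[Backup], target: date) -> List[Backup]:
    """Media needed to recover the system to the end of `target`: the latest
    full backup on or before that date, then every daily backup after it up to
    and including `target`. Because each daily holds only that day's changes,
    the dailies must be contiguous; a gap makes complete recovery impossible
    and is reported rather than silently skipped."""
    fulls = [b for b in media if b.kind == "full" and b.taken <= target]
    if not fulls:
        raise ValueError(f"no full backup on or before {target}")
    base = max(fulls, key=lambda b: b.taken)
    dailies = sorted(
        (b for b in media if b.kind == "daily" and base.taken < b.taken <= target),
        key=lambda b: b.taken,
    )
    expected = base.taken + timedelta(days=1)
    for daily in dailies:
        if daily.taken != expected:
            raise ValueError(f"daily backup for {expected} is missing; "
                             f"recovery to {target} is incomplete")
        expected += timedelta(days=1)
    if expected != target + timedelta(days=1):
        raise ValueError(f"daily backup for {expected} is missing; "
                         f"recovery to {target} is incomplete")
    return [base] + dailies


def disposable_media(media: List[Backup], min_cycles: int = 3) -> List[Backup]:
    """Media that may be disposed of while keeping the retention rule: a cycle
    runs from one full backup up to the next, the most recent cycle is still
    open, and the open cycle plus the `min_cycles` most recent complete cycles
    are kept. Anything older is returned for secure disposal."""
    fulls = sorted((b for b in media if b.kind == "full"), key=lambda b: b.taken)
    complete_cycles = len(fulls) - 1
    if complete_cycles <= min_cycles:
        return []
    cutoff = fulls[complete_cycles - min_cycles].taken  # oldest full we must keep
    return sorted((b for b in media if b.taken < cutoff), key=lambda b: b.taken)


if __name__ == "__main__":
    chain = restore_chain(SAMPLE_MEDIA, date(2008, 3, 26))
    print("restore to 2008-03-26 needs:", [b.media_id for b in chain])
    print("may be disposed of:", [b.media_id for b in disposable_media(SAMPLE_MEDIA)])
```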
7.4.2 Operator logs
System operational staff (in IT departments typically) will maintain an activity log for
each system they are responsible for. This will include:
• System start/finish times, for planned downtime, unplanned downtime and system
maintenance routines
• System error reports & corrective action taken
• Operator identification for each log entry
7.4.3 Fault logging (Helpdesk)
As part of IT helpdesk operations, all reported or encountered faults with systems
should be logged. Procedures should be in place to review fault/helpdesk logs for
resolution.
Network management
Objective: To ensure the safeguarding of information in networks and the protection of
the supporting infrastructure.
7.4.4 Network controls
Where possible, responsibility for the organisation’s network should be segregated
from responsibility for computer operations. Responsibility for control over the
organisation’s network should be formally allocated to the appropriate person within the
IT department (the Network Manager). Liaison with appropriate staff within the NHS
Information Authority Security team should be established.
The ‘network manager’ is responsible for implementation of appropriate controls.
7.5 Handling & governance of ‘information’ media
Objective: To prevent damage to assets and interruptions to business activities, media
should be controlled and physically protected (see section 7 as well). Appropriate
procedures will be established to protect paper documents and computer media from
damage, theft, unauthorised access and misinterpretation. (Also refer to specific
Medical Record procedures)
7.5.1 Management of (re)movable ‘information’ media
The media on which information is stored is a key element to the appropriate handling
and use of information. The following controls will be applied to the management of
media.
• Procedures for the tracking of paper-based information will be used. Due to the
nature of ‘original’ paper information being in one place at one time, it is important
that critical records are tracked. This will apply to paper Medical Records and any
other paper record that by its nature requires formal control.
• Re-usable media used for transit (such as floppy discs) will have contents erased
when no longer required, provided original source information is still available.
• Staff who are required to remove information via any media will be made aware of
the detailed ‘Mobile information handling and computing policy’. This will include a
one-off Authorisation process agreed with line management.
7.5.2 Disposal of media
Careless disposal of media could result in breaches of confidentiality or risk to the
integrity of the organisation; therefore the following controls form the policy for disposal
of media:
• Paper media (including carbon copies, computer printouts) containing information
that is classified as ‘Personally Identifiable’ or ‘Organisationally sensitive’ (see
5.2.1 classification guidelines) will be disposed of via secure methods such as
shredding. Collection of media for controlled disposal will be via ‘confidential’
waste sacks or bins. Where these are used in areas open to the public, they will
not be labelled as such, and will be identified to staff via colour or other non-
obvious identification method. Contracts with external waste contractors will
contain confidentiality clauses and indemnities. Confidential paper waste may be
recycled by appropriate external contractors, via appropriate agreements with
required security controls in place.
• Portable media (CDs, DVDs, floppy discs) will be erased prior to disposal via
secure means, such as incineration by an external contractor working to appropriate
security controls (confidentiality clauses, indemnities).
7.5.3 Information handling procedures
Where required, systems/areas will design and implement procedures for handling
information. As a default, the policy for handling information, in line with its
classification, is as follows:
Personal sensitive information & Organisational sensitive information:
• Accessed only by staff with a ‘need to know’ and a ‘justified purpose’
• Only minimum information accessed, used and shared
• Only distributed to named individuals where possible (in conjunction with first bullet
point) via an honorary contract or detailed information sharing agreement
• Stored and filed appropriately in a timely manner
Specific policy elements around handling information communication via email, fax and
phone are covered under 8.7.7
7.5.4 Security of system documentation
Documentation for systems, both paper and electronic will, as a default, be considered
‘organisational sensitive’ information. It will therefore be stored securely and only
available to those that have a justified need to access it. System documentation
includes data structures, network structures, authorisation processes etc.
7.6 Exchanges of information and software
Objective: To prevent loss, modification or misuse of information exchanged between
organisations. To exchange information in compliance with relevant legislation (See
section 12). To set agreed standards and procedures to protect information and media
in transit and storage
7.6.1 Information exchange agreements
Information exchange operates on two levels. There is routine sharing of information
between organisations for general operational activity and also strategic sharing of
data for planning and development purposes, which may be both regular and ad-hoc.
Routine sharing – The organisation will participate in common, high-level principle
agreements set out across the community(ies) of which it is part. It is recognised that
the boundaries change periodically and it is part of the Information Governance role to
maintain the organisation’s participation.
General procedures/controls for routine sharing of information are covered in the
remainder of this section (8.7)
Strategic/development sharing - New or existing strategic partnerships (such as Crime
reduction, Child/Vulnerable People protection) require information from across
organisations to develop. Where such an arrangement exists or is proposed, the
organisation will ensure that it evaluates and agrees to appropriate formal procedures
for extracting and sharing information, that are compliant with relevant legislation (see
section 12). Such procedures should refer to relevant sections of this policy and be
based on high-level principle documents.
7.6.2 Security of media in transit
The following controls should be considered when developing procedures for
information exchange using physical media (paper or electronic storage)
• Use of reliable or in-house couriers agreed between the organisations
• Appropriate packaging to prevent physical damage
• Use of lockable containers, tamper evident packaging
• Personal delivery
• Any records or equipment ‘in transit’ must be locked and out of sight when a
member of staff is not present, i.e. locked in a car boot. Remember no health
records are to go off site.
7.6.3 Electronic commerce security
In healthcare terms, the use of electronic commerce is gradually developing, so this
policy section will at this stage feature basic control, but itself will develop further over
time. The use of e-commerce for financial transactions is subject to organisational
‘Standing Financial Instructions’ and not covered further by this policy.
Healthcare e-commerce may include:
• Electronic referrals & appointment bookings
• Electronic discharge notification
• Test requesting and results reporting
The key issues that must be addressed by specific policy/procedure for an ‘electronic’
system are:
• Authentication – proof the user or data source is who they claim to be
• Authorisation – proof the user or data source is authorised to undertake what they
are attempting or have done.
• Liability – who is responsible for reducing risk/failure within the system(s)
The development of such systems is really the replacement of existing paper based
arrangements, so any formal agreement documentation between organisations must
be amended at the appropriate time to reflect any change.
Detailed policy and procedural application of information governance controls will be
set out in a policy framework related to the specific applications
Security of electronic mail
Electronic mail is the subject of a specific ‘system security policy’, which seeks to
reduce risk from misuse, viruses and system failure. The policy also details the criteria
by which email should be monitored, which includes, as a key component, informing
users of the monitoring that takes place and that consent will be gathered for
investigations unless it would prejudice such activity.
Permitted Use:
• Use email for business purposes, including sending patient data (following
assessment of risk and application of controls, see section 4.4 prior to sending any
patient data)
• Limited personal use is permitted
Non-permitted use:
• Excessive personal use (or private gain)
• Using email accounts other than your own, ‘generic/team’ email accounts (such as
Helpdesk@….) or accounts to which the ‘owner’ has given you access (usually
termed ‘delegate access’)
• Sending offensive or defamatory material, or breaching confidentiality, via email
• Misrepresenting the organisation or entering into contractual agreements
For more details see the ‘E-mail policy’.
7.6.4 Security of electronic office systems
For the purpose of the policy, electronic office systems include: Calendar systems
(such as Outlook), Word processing, spreadsheets, databases and underlying
electronic infrastructure required to operate such systems. The following policy
controls will be applied:
• An individual user is responsible (along with line manager) for controlling delegate
access to their calendar (and other similar functions). Delegate access should be
provided on a ‘need to know’ basis
• Users of database tools are required to adhere to the ‘authorisation for new
information processing’ control (see 4.1.4)
• The organisation will provide (or develop) an infrastructure allowing staff to save
files/documents to shared network drives that are regularly backed up.
• Department heads/line managers will be responsible for defining who is allowed
access to appropriate areas of shared network drives/folders. The principle of ‘all
doors closed, unless specifically authorised’ will be applied to shared network
drives/folders.
• Users are responsible for deleting files when no longer required and will regularly
purge their folders. Occasionally IT support will request this and each user must
endeavour to comply.
7.6.5 Publicly available systems
Access for staff to publish information to organisational websites (Internet/NHSnet) or
organisational Intranets, shall be controlled by a request and authorisation process.
Content shall be routinely monitored and removed when out of date.
7.6.6 Other forms of Information Exchange (phone, fax, post)
As there are many varied situations, specific policy is difficult to set for these
areas; however, the following minimum standards will be applied:
Phone conversations (including answerphones):
• No personal information shall be given out over the phone without best endeavours
by the member of staff to confirm the identity of the other party and the wishes of
the individual concerned.
• Phone calls that may feature personal or sensitive information about any individual
will be made in private areas if at all possible.
• Answerphone messages will only be left in ‘urgent’ situations
• If an answerphone message is left, minimal information will be provided
Fax:
• Faxes will be sent to named individuals
• Faxes containing personal and/or sensitive data will be preceded by a cover sheet
including a confidentiality statement and will only be sent in urgent circumstances.
Each sheet will be marked ‘confidential’
• Fax machines will be sited away from public areas
• Minimal information will be transmitted
• The intended recipient will be notified prior to sending and contacted afterwards to
confirm receipt.
• The organisation will designate at least one fax machine (ideally one per significant
department), installed in a secure environment, as a ‘Safe Haven’ to which patient
and sensitive data can be sent.
Post:
• Will be sent to a named individual
• Will be marked ‘Private and confidential’ if it contains personal and/or sensitive
information and will not be sent in re-sealable envelopes. The envelope must be
securely sealed to prevent anyone from tampering with the contents.
8. Access control
8.1 Business requirement for access control
Objective: To control access to information. Access should be controlled on the basis
of business and security requirements and the user’s role in the operation of the
organisation.
8.1.1 Access control policy
Controlling access to information is one of the key elements of organisational
compliance with legislation such as the Data Protection Act. Access control works on
two levels, the physical control and the system control. Physical access control
(access to buildings and facilities) is not limited to governance (security) of information
and should be covered by other organisational policy, with which the Information
Governance policy should integrate (see section 7). System control is very much the
remit of the Information Governance policy.
System access control policy statements:
The following statements are the rules that will be applied to controlling access to any
information system within the organisation, by employed staff and third parties.
• ‘System Owners’ are responsible for determining the controls applied to access
information in their system in line with rules set in this policy section
• Access to systems and information will be on a need to know and need to use
basis.
• Setup and regular maintenance of access controls in systems will take account of
all relevant legislation and regulations. Advice must be sought from the IT Security
Officer, who will in turn seek more specialist advice if required.
• Access controls will be based on user roles, clinical specialty, geographical
location and connection time requirements
• Access control will be reviewed regularly
• Systems will be developed to include ‘sealed envelopes’ where patients and
clinicians can request information is stored that they do not wish to appear in
normal usage of the system. Access control rules about who can open a sealed
envelope will also be developed
• Given the complexity of health data and the likelihood of clinical incident that may
result from unavailability of (seemingly unrelated) data, the rule of ‘everything is
generally permitted unless expressly forbidden’ should be applied. The reverse of,
‘everything is forbidden unless expressly permitted’ may result in severe clinical
incident. This position is acceptable in the short term and should over time move
to controls where data not typically accessed by a role is only available via
‘emergency’ access procedures, which are fully auditable and identify to the user
that they are accessing data they do not have general permission for.
• As a general rule, administration staff should see little or no clinical data, accepting
there are some admin roles that need clinical information and that some clinical
information can be inferred by administration data (clinic purpose etc)
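The position set out above (normal role permissions, with data outside a role’s normal permissions available only via an ‘emergency’ route that is fully auditable and identifies to the user that they are outside their general permission) can be modelled as follows. This is an added example, not code from the policy or any NHS system; the roles, data categories and audit record layout are constructed for illustration.

```python
"""Role-based access with an auditable 'emergency' route (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed role matrix: the data categories each role sees in normal use.
# Administration roles see little or no clinical data.
NORMAL_ACCESS: Dict[str, Set[str]] = {
    "clinician": {"demographics", "clinical_notes", "clinic_schedule"},
    "pharmacist": {"demographics", "prescriptions"},
    "admin": {"demographics", "clinic_schedule"},
}


@dataclass(frozen=True)
class AuditEntry:
    user: str
    role: str
    patient_id: str
    category: str
    route: str       # "normal" or "emergency"
    reason: str      # mandatory for emergency access, empty otherwise
    at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    route: str       # "normal", "emergency" or "denied"
    message: str = ""


class AccessController:
    def __init__(self, roles: Dict[str, Set[str]] = NORMAL_ACCESS):
        self.roles = roles
        self.audit: List[AuditEntry] = []   # a write-once audit log in practice

    def request(self, user: str, role: str, patient_id: str, category: str,
                emergency: bool = False, reason: str = "",
                now: Optional[datetime] = None) -> Decision:
        """Decide one access attempt and record every granted access."""
        now = now or datetime.now()
        if role not in self.roles:
            return Decision(False, "denied", f"unknown role '{role}'")
        if category in self.roles[role]:
            # Within the role's general permission: granted and logged as normal.
            self.audit.append(AuditEntry(user, role, patient_id, category,
                                         "normal", "", now))
            return Decision(True, "normal")
        if not emergency:
            return Decision(False, "denied",
                            f"'{category}' is not available to role '{role}'; "
                            "use the emergency access procedure if clinically required")
        if not reason.strip():
            # An emergency access without a reason gives the auditor nothing to review.
            return Decision(False, "denied",
                            "emergency access requires a recorded reason")
        self.audit.append(AuditEntry(user, role, patient_id, category,
                                     "emergency", reason, now))
        return Decision(True, "emergency",
                        f"WARNING: you are accessing '{category}' outside the normal "
                        f"permissions of role '{role}'. This access has been recorded "
                        "for audit.")

    def emergency_accesses(self) -> List[AuditEntry]:
        """The entries a periodic audit review of emergency access would examine."""
        return [e for e in self.audit if e.route == "emergency"]


if __name__ == "__main__":
    ctl = AccessController()
    print(ctl.request("clerk1", "admin", "P001", "clinical_notes"))
    print(ctl.request("clerk1", "admin", "P001", "clinical_notes",
                      emergency=True, reason="ward query from on-call doctor"))
    print(len(ctl.emergency_accesses()), "emergency access(es) recorded")
```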
8.2 User access management
Objective: To prevent unauthorised access to information systems, formal procedures
should be in place to control the allocation of access rights to information systems and
services, which cover all stages in the life-cycle of system access.
8.2.1 User registration
All multi-user systems will have a formal process for requesting and removing access.
Formal records of all users, past and present, will be kept. The registration process for
a system can be combined with that of others or kept separate. It is envisaged that
core systems managed within the organisation would be subject to one process and
management, whereas other systems may require separate registration processes.
User registration processes will include:
• Allocation of a unique User ID. The use of a generic User ID is permitted only in
limited circumstances and must be agreed by the Caldicott Guardian, who will
control the circumstances under which these are used. Generic IDs are now very
rarely used in the national NHS systems being adopted.
• Authorisation of the access request from line manager or ‘System Owner’, who is
responsible for confirming the provisional user has a ‘need to use’ and ‘need to
know’ the information contained within the system that is accessible via their user
role.
• Notification to the user of their responsibilities under this and associated policy,
and their acceptance of those responsibilities via the employee’s signature on the form
• Confirmation to the staff who create the access that the requirements of the
process are complete before the access is created and issued.
• Access change request procedure, authorised by line management or System
owner, usually on the basis of changed role or enhanced responsibilities
• Access revocation procedure, authorised by line management or system owner,
initiated by user leaving or other request for revocation (changed role – no longer
needed)
• Periodic review and removal of redundant User IDs and accounts. This will be done
by system management at least every 6 months, ideally more frequently for core
systems. Liaison is required with the Human Resources Department to provide a
regular list of leavers so that their access rights and passwords are removed
from key patient systems to prevent unauthorised information disclosure.
8.2.2 Privilege management
Allocation and use of privileges (features that allow a user to override normal controls)
will be restricted and controlled. They will be allocated on a ‘need to use’ basis and on
an ‘event-by-event’ basis. A record of allocations will be kept.
8.2.3 User password management
Password allocation will be managed via formal processes, potentially as part of the
processes related to 8.2.1 (User registration). The processes will:
• Require users to sign a statement that they will not share passwords
• Ensure users are aware of the need to change passwords
• Issue initial passwords by means of face to face contact (ideally at initial system
training) where identity can be checked, or posted to the user in sealed packaging
with their name clearly displayed and marked ‘for addressee only’. Issuing of
passwords via electronic means (e.g. email to user) is expressly forbidden as many
email accounts can ‘legitimately’ be read by other users.
• Promote ‘quality’ passwords that are not easy to guess
• Re-issue forgotten passwords following positive identification of the user
System password rules are defined in 8.5.4.
8.2.4 Review of user access rights
System Owners and System Managers will review access rights at regular intervals (at
least annually).
8.3 User responsibilities
Objective: To prevent unauthorised access. Users will be made aware of their
responsibilities for maintaining effective access controls, particularly with regard to the
use of passwords and the security of equipment.
8.3.1 Password use
All users will be advised to:
• Keep passwords confidential
• Avoid keeping paper records of passwords
• Change passwords if they believe they have been compromised (informing the IT
helpdesk) and when requested by a system
• Select passwords that are easy to remember but not based on anything easy to
guess, and without runs of identical characters.
• Change temporary passwords at first log on.
8.3.2 Unattended user equipment
All users will be advised to:
• Log out of PCs/Terminals when finished or leaving the desk or activate a password
protected screensaver
• Ensure installed equipment is not moved to a vulnerable location, such as near a
window etc.
8.4 Network access control
Objective: Protection of networked services to ensure that users who have access to
networks and network services do not compromise the security of those services.
8.4.1 Policy on use of network services
Users will only be provided with direct access to the services that they have been
specifically authorised to use. Access to services will, by default, be covered by the
user registration controls for access to systems (8.2.1). Management controls and
procedures to protect the network are defined in the following sections.
8.4.2 Enforced Path
The principle that will be applied is to limit routing options at each point in the network
through pre-defined choices. This will be achieved, where possible by:
• Allocating dedicated lines or telephone numbers
• Automatically connecting ports to specified applications systems
• Limiting menu and submenu options for users
• Enforcing the use of specified security gateways for external network users
(remote access servers & facilities)
• Restricting network access by setting up separate logical domains, for groups
within the organisation
Currently, firewalls are used to control cross-organisational access between
organisations. Firewall control is, however, typically an all-or-nothing approach:
allowing one user from an organisation through allows all of its users through, with
reliance placed on internal security and other measures. The policy will be to regularly
review the need for and use of this technology within the community for community
communications. Development and implementation of other control areas in this policy
may well lead to an appropriate level of trust for some of these organisational barriers
to be removed.
8.4.3 User authentication for external connections
In line with NHS Connecting for Health NHSNet security policy, authentication for
external connections will be via the same approved methods and standards as remote
access to NHSnet.
8.4.4 Node authentication
Where groups of remote users are connected to a secure, shared computer facility
further connection can be made via node authentication as an accepted method.
8.4.5 Remote diagnostic port protection
IT & other departments managing hardware infrastructure will ensure that any remote
diagnostic port on hardware they manage is protected and there are robust procedures
for allowing authenticated access by others such as system suppliers.
8.4.6 Segregation in networks
Segregation of networks into separate logical domains will be promoted by the IT
department in the development of organisational (and wider) infrastructure.
8.4.7 Network connection control
Routing controls based on positive source and destination address checking should be
implemented where possible.
8.4.8 Network routing control
Covered by 8.4.7 (Network connection control) above.
8.4.9 (Documentation of) Security of network services
Network service security in the organisation will be fully documented, reviewed and
updated.
8.5 Operating system access control
Objective: To prevent unauthorised computer access. Security facilities at the
operating system level should be used to restrict access to computer resources,
including terminal identification, access records, authentication mechanisms and
access time restrictions.
8.5.1 Automatic terminal identification
System management and owners will identify the requirement for automatic terminal
identification where there is potential and need to limit access to a system or system
function to particular locations. For example, there may be a need to limit access to
certain functions on a Theatre system to terminals within operating theatre locations.
If access restrictions by location can be applied in operational terms and the system
can support them, they will be applied.
8.5.2 Terminal/PC log on procedures
Log on procedures within systems will disclose the minimum information about the
system, to prevent unauthorised users being provided with log on details. The following
are minimum standards for systems to meet. Not all systems will currently meet these,
and the discrepancies should be identified in a system specific security policy (the
application of the Information Governance Policy to an individual system). Systems that
do not meet these criteria will be developed to do so. If development is too costly,
these criteria will be set as a minimum for eventual replacement systems:
• A general warning notice that access should only be by authorised users will be
shown at the commencement of log on procedures
• When an error occurs with a log on attempt, systems will not detail what is
incorrect (i.e. they will not display a message such as ‘incorrect password’ but will
simply report a phrase such as ‘log-on details incorrect’), so that someone making
an unauthorised attempt does not learn which element was wrong.
• Systems will not provide help messages during the log-on procedure that would aid
an unauthorised user.
• Systems will only allow three incorrect log on attempts and will record all details
connected with these log on attempts
• Following three unsuccessful log on attempts systems will freeze accounts for a
minimum of 4 hours or if possible until specific authorisation to unfreeze the
account is given by system management
• Following successful log-on, systems will display date and time of last successful
log on and details of any unsuccessful log on attempts, to prompt authorised users
to notice failed log-on attempts, which may be unauthorised. (This control does not
currently apply to operating systems such as Windows NT and 2000)
• Log on procedures will have a maximum time length for completion of the
procedure, recommended as no more than 2 minutes. If log on details are not
completed successfully in that time the log on should terminate.
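The log-on rules above can be expressed directly in code. The Python below is an added illustration and is not part of this policy or of any Trust system: the account store, the way the start and submission times of a log-on are obtained, and the audit line format are all assumptions. It shows the single generic failure message (unknown user and wrong password are indistinguishable to the caller), the three-strike freeze with a system-management unfreeze, the two-minute completion limit, and the last-log-on banner that tells an authorised user how many failed attempts have been made against their account since they last got in.

```python
"""Log-on procedure illustrating the 8.5.2 rules: generic failure message,
three-strike freeze, last-log-on banner and per-attempt audit records.
Added example only; the account store, clock handling and audit line
format are assumptions, not any Trust system's implementation."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MAX_ATTEMPTS = 3                          # three incorrect attempts permitted
FREEZE = timedelta(hours=4)               # freeze for a minimum of 4 hours
LOGON_TIME_LIMIT = timedelta(minutes=2)   # abandon log-ons not completed in 2 min
GENERIC_FAILURE = "log-on details incorrect"   # never say which element was wrong


def hash_password(password: str, salt: bytes) -> bytes:
    # One-way, salted derivation (see 8.5.4); PBKDF2-HMAC-SHA256 from the standard library.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0            # consecutive failures since last freeze/success
    frozen_until: Optional[datetime] = None
    last_success: Optional[datetime] = None
    failures_since_success: int = 0     # reported to the user on next success


def make_account(user_id: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(user_id, salt, hash_password(password, salt))


@dataclass
class LogonService:
    accounts: dict[str, Account]
    audit: list[str] = field(default_factory=list)

    def _record(self, when: datetime, user_id: str, outcome: str) -> None:
        # 8.6.3 minimum: User ID, date/time and success/failure of every attempt.
        self.audit.append(f"{when.isoformat()} user={user_id} logon={outcome}")

    def unfreeze(self, user_id: str) -> None:
        # Specific authorisation by system management to lift a freeze early.
        self.accounts[user_id].frozen_until = None
        self.accounts[user_id].failed_attempts = 0

    def logon(self, user_id: str, password: str,
              started: datetime, now: datetime) -> tuple[bool, str]:
        """Return (success, message). 'started' is when the log-on screen was
        presented and 'now' when the details were submitted."""
        if now - started > LOGON_TIME_LIMIT:
            self._record(now, user_id, "timeout")
            return False, GENERIC_FAILURE
        acct = self.accounts.get(user_id)
        if acct is None:
            # An unknown user gets exactly the same message as a wrong password.
            self._record(now, user_id, "failure")
            return False, GENERIC_FAILURE
        if acct.frozen_until is not None and now < acct.frozen_until:
            acct.failures_since_success += 1
            self._record(now, user_id, "failure-frozen")
            return False, GENERIC_FAILURE
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            acct.failures_since_success += 1
            if acct.failed_attempts >= MAX_ATTEMPTS:
                acct.frozen_until = now + FREEZE
                acct.failed_attempts = 0
                self._record(now, user_id, "failure-account-frozen")
            else:
                self._record(now, user_id, "failure")
            return False, GENERIC_FAILURE
        # Success: show the last successful log-on and the failures since, then reset.
        previous = acct.last_success.isoformat() if acct.last_success else "none"
        banner = (f"Last successful log-on: {previous}; "
                  f"failed attempts since then: {acct.failures_since_success}")
        acct.last_success = now
        acct.failures_since_success = 0
        acct.failed_attempts = 0
        acct.frozen_until = None
        self._record(now, user_id, "success")
        return True, banner
```

Note that attempts made while the account is frozen are still counted and reported in the banner: the point of the banner is that the legitimate user sees evidence of guessing against their account, so refused attempts are exactly what they need to be told about.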
8.5.3 User identification and authentication
All users will have a unique identifier for each system that they use in order that user
activity can be traced to an individual member of staff. User Ids should not give any
indication of the access privileges for that user. For example the name of a member of
staff should not be combined with their job role details.
Exceptional circumstances may require the use of a ‘generic’ user ID. Approval of the
Caldicott Guardian and IT Security Officer is required before these are set up. The
authorisation process will have to determine why the unique User ID of an individual
cannot be used. For example, in an operating theatre the need for different staff to log
in and out of a system to enter data, in a pressured but reasonably secure area, is an
additional encumbrance on their work. In such situations it may be permissible for the
lead clinician to be issued with an additional unique User ID allowing access to the
required functions for that operational situation. This additional ID could be used to
record all activity in that session, as the lead clinician is ultimately responsible.
8.5.4 Password management system
All information systems will feature password control. As with 8.5.2 (Log on
procedures), the following policy elements will be applied to all systems, unless
evaluation finds that cost or system architecture does not support them. In such
circumstances the statements will be applied to replacement systems.
• Initial passwords will be issued to users during training or other face to face contact,
or by secure post (see 8.2.3). These will be flagged as initial passwords requiring
immediate change by the user on first log-on
• User selection of passwords will include a confirmation procedure to check for user
error when inputting the new password
• Passwords will be a minimum of 6 characters in length and should not allow the
same character to be entered consecutively more than twice.
• Password change will be enforced every 3 months as a minimum.
• Each password change will be a minimum of 3 characters different from all
passwords used by that user in the last 12 months.
• Passwords will not be displayed in readable format on screen at log on or change
• Passwords will be stored in an encrypted form using a one-way algorithm
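The password rules above interact in one way worth making explicit. Because passwords are held only as one-way hashes, the ‘3 characters different’ rule can be checked only against the password the user has just proved they know (the current one, supplied at change time); passwords from the previous 12 months can be checked only for exact reuse by hashing the candidate with each retired salt. The Python below is an added example, not part of this policy or of any Trust system; the storage layout, the reading of ‘3 characters different’ as an edit distance of at least 3, and the 90-day expiry are assumptions.

```python
"""Password management rules from 8.5.4 as code: minimum length, no run of
the same character longer than two, enforced change every 3 months, at least
3 characters different from the current password, no reuse within 12 months,
one-way storage, confirmation entry and a flag on initial passwords.
Added example only; storage layout and the edit-distance reading of
'3 characters different' are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import itertools
import os
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 6
MAX_RUN = 2                       # same character at most twice in a row
MIN_DIFFERENCE = 3                # new password at least 3 edits from the old one
MAX_AGE = timedelta(days=90)      # enforced change at least every 3 months (assumed as 90 days)
HISTORY_WINDOW = timedelta(days=365)


def hash_password(password: str, salt: bytes) -> bytes:
    # One-way, salted derivation; PBKDF2-HMAC-SHA256 from the standard library.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password_rules(new: str, current: str) -> list[str]:
    """Return the rules the candidate breaks (an empty list means acceptable)."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if any(len(list(run)) > MAX_RUN for _, run in itertools.groupby(new)):
        reasons.append(f"same character more than {MAX_RUN} times consecutively")
    if levenshtein(new, current) < MIN_DIFFERENCE:
        reasons.append(f"fewer than {MIN_DIFFERENCE} characters different from current password")
    return reasons


@dataclass
class PasswordRecord:
    salt: bytes
    pw_hash: bytes
    set_on: date
    must_change: bool = True          # initial passwords are flagged for immediate change
    history: list[tuple[bytes, bytes, date]] = field(default_factory=list)  # (salt, hash, retired on)


def new_record(initial_password: str, issued_on: date) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord(salt, hash_password(initial_password, salt), issued_on)


def verify(record: PasswordRecord, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, record.salt), record.pw_hash)


def change_required(record: PasswordRecord, today: date) -> bool:
    return record.must_change or today - record.set_on > MAX_AGE


def change_password(record: PasswordRecord, old: str, new: str, confirm: str,
                    today: date) -> list[str]:
    """Apply the change if acceptable; otherwise return the reasons it was refused."""
    if not verify(record, old):
        return ["current password incorrect"]
    if new != confirm:
        return ["new password and confirmation do not match"]
    reasons = check_password_rules(new, old)
    # History holds only one-way hashes, so exact reuse within 12 months can be
    # detected, but the 3-character rule can only be applied against 'old'.
    recent = [(s, h) for s, h, retired in record.history if today - retired <= HISTORY_WINDOW]
    if any(hmac.compare_digest(hash_password(new, s), h) for s, h in recent):
        reasons.append("reuses a password from the last 12 months")
    if reasons:
        return reasons
    record.history.append((record.salt, record.pw_hash, today))
    record.salt = os.urandom(16)
    record.pw_hash = hash_password(new, record.salt)
    record.set_on = today
    record.must_change = False
    return []
```

The reuse check re-derives the candidate with every retired salt, so its cost grows with the history kept; trimming the history to the 12-month window, as above, keeps that bounded.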
8.5.5 Use of system utilities
Some of the organisation’s systems will have system utilities that may be capable of
overriding system and application security measures. Use of these functions/utilities
will therefore be restricted to the minimum practical number of authorised personnel,
and their usage will be logged.
8.5.6 Terminal/PC time-out
Multi-user information systems within the organisation will have an inactivity time-out.
This will be set to a default minimum of ten minutes. Systems that are only used in
secure operating environments may have timeout extended following authorisation of
the system owners, Caldicott Guardian and IT Security Officer. This may be
necessary for systems such as ‘Theatres’.
PC Screensavers, with or without password protection are covered in clear desk/clear
screen policy statements (see 7.3.1)
8.5.7 Limitation of connection time
Due to the ‘open all hours’ nature of many healthcare information systems, application
of this control will be limited.
Systems that require overnight batch processing for reports or other calculation
exercises may by default limit connection time of general users.
8.6 Application access control
Objective: To prevent unauthorised access to information held in information systems.
Security facilities should be used to restrict access within application systems
8.6.1 Information access restriction
The system element of the access control policy (see 8.1.1) requires that the following
controls should be considered for all information systems within the organisation, and
applied via system specific security policy:
• Security groups based on user role and specialty (specifically in clinical systems)
will be set up that have access to data via a matrix of access rules developed by
the system owners.
• Access to system functions will be restricted via menu and interface structure
design for each user role.
• Add, Amend, Create, Delete and view access permissions will also be a facet of
user role tables
8.6.2 Sensitive system isolation
With regard to information on systems, any system containing patient identifiable
information (including Patient Administration Systems) is considered sensitive and
should operate in a separate controlled computing environment on separate servers
from organisational ‘operational’ systems, such as E-mail and Microsoft office tools.
8.6.3 Event logging/Audit trails
Systems will be capable of logging events that have a relevance to potential breaches
of security. These logs will be kept for a minimum of two years (or longer where
required by a specific system policy). The logs will cover the following events as a
minimum standard:
• Log on attempts – recording User Ids, dates and times and success/failure of
attempt.
• Creation, amendment and deletion of data – recording User Ids, dates and times.
Where systems offer ‘restricted, but not prohibited access’ to some data items/records,
the use of these ‘emergency’ facilities (such as the proposed ‘Sealed envelope’ idea)
will be subject to audit records.
All systems containing patient information procured following the ratification of this
policy will also feature audit records of access to individual records. This will be set at
the level of retrieval of an individual record. Lists of records retrieved via a search will
not be recorded in an audit (due to volume of data), however each committed search
will have the search criteria and the user details recorded so the search can be
recreated. Recreation of a search will be via a restricted system utility that is capable
of producing results based on the date and time of the initial run of the search, so that
the same results are produced for an investigation.
8.6.4 Monitoring system use
Each system management role will develop procedures for monitoring the use of each
system. Regular standard processes to examine failed access attempts, data
manipulation spot checks and any other logged system event will be a part of
management of each system.
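The regular examination of failed access attempts described above is a review over the minimum audit events required by 8.6.3 (User ID, date and time, success or failure). The Python below is an added example of such a review and is not part of this policy or any Trust system; the sample audit lines are constructed, and their format (timestamp, User ID, outcome, terminal) is an assumption. It flags two patterns a reviewer would want to see: a burst of failures against one User ID within a short window, and a successful log-on immediately following such a run, which merits a conversation with the account holder because a freeze under 8.5.2 should have prevented it unless system management lifted it.

```python
"""Routine review of failed log-on attempts (8.6.4) over the minimum audit
events of 8.6.3. Added example only; the sample lines are constructed and
their format (timestamp, User ID, outcome, terminal) is an assumption."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records, not from any real system.
SAMPLE_LOG = """\
2008-03-03T08:55:10 mrs.jones LOGON_OK ward4-pc2
2008-03-03T08:57:01 dr.patel LOGON_FAIL theatre1-pc1
2008-03-03T08:57:20 dr.patel LOGON_FAIL theatre1-pc1
2008-03-03T08:57:44 dr.patel LOGON_FAIL theatre1-pc1
2008-03-03T08:58:05 dr.patel LOGON_OK theatre1-pc1
2008-03-03T09:10:00 a.clerk LOGON_FAIL reception-pc3
2008-03-03T12:30:00 a.clerk LOGON_FAIL reception-pc3
2008-03-03T16:45:00 a.clerk LOGON_OK reception-pc3
2008-03-03T17:02:13 b.nurse LOGON_FAIL ward2-pc1
2008-03-03T17:02:30 b.nurse LOGON_FAIL ward2-pc1
2008-03-03T17:02:51 b.nurse LOGON_FAIL ward2-pc1
2008-03-03T17:03:10 b.nurse LOGON_FAIL ward2-pc1
"""


def parse_log(text: str) -> list[tuple[datetime, str, bool, str]]:
    """Turn audit lines into (when, user_id, success, terminal) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, outcome, terminal = line.split()
        events.append((datetime.fromisoformat(stamp), user, outcome == "LOGON_OK", terminal))
    return events


def review_failed_logons(events, threshold: int = 3,
                         window: timedelta = timedelta(minutes=10)) -> dict[str, list[str]]:
    """Return {user_id: [finding, ...]} for User IDs whose failures merit a look."""
    findings: dict[str, list[str]] = defaultdict(list)
    recent_failures: dict[str, list[datetime]] = defaultdict(list)  # failures inside the window
    consecutive: dict[str, int] = defaultdict(int)                  # failures since last success
    for when, user, success, terminal in sorted(events):
        if success:
            if consecutive[user] >= threshold:
                findings[user].append(
                    f"{when.isoformat()} successful log-on after {consecutive[user]} "
                    f"consecutive failures from {terminal}")
            consecutive[user] = 0
            continue
        consecutive[user] += 1
        recent = [t for t in recent_failures[user] if when - t <= window] + [when]
        recent_failures[user] = recent
        if len(recent) == threshold:   # report once, when the threshold is first reached
            findings[user].append(
                f"{when.isoformat()} {threshold} failed log-ons within {window} from {terminal}")
    return dict(findings)
```

Two isolated failures hours apart (a.clerk in the sample) are the normal mistyping a reviewer should not be asked to chase; the window is what separates that from guessing.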
Users will be informed of monitoring activity during training on each system.
All monitoring of systems will be within the Telecommunications (Lawful Business
Practice) (Interception of Communications) Regulations 2000 and the Regulation of
Investigatory Powers Act 2000, and any developments of them.
Spot checks of ‘view’ audit trails will be implemented, potentially via the organisational
Information Governance role, when systems with this capability are procured and
implemented.
Use of ‘restricted’ access facilities (such as sealed envelopes – NHSIA consultation
Winter 02/03) will trigger ‘privacy alarms’ that will be checked by the Information
Governance role and senior management.
8.6.5 Clock synchronisation
All system clocks will be set to Greenwich Mean Time in the winter and British
Summer Time in the summer. Accuracy will be checked at least twice a year if the
system does not perform any other form of synchronisation
8.7 Mobile computing and teleworking
Objective: To ensure information security when using mobile computing and
teleworking facilities. This policy sets high level controls, which are detailed further in
the ‘Mobile Computing, Home & Off-site working (with Information) Policy’
8.7.1 Mobile information handling & computing
Mobile computing devices covered are laptop computers and handheld devices (also
known as palmtops, BlackBerrys, PDAs or pocket PCs). Many of the controls for
computing devices also apply to the use of paper based information.
Physical protection – Devices and paper information need to be used in public
environments, so users need to ensure that they are physically protected. Devices
and information will be transported out of sight of the public at all times. Devices owned
by the organisation will be security marked. The use of security chains for laptops will
be encouraged where possible. Users will make every endeavour to ensure their activity
is not overlooked and that equipment and records remain within their sight at all times
possible.
Access controls – All devices will feature username and password access control to
reduce the chance of unauthorised access to information. The IT department will
ensure all latest security patches are applied to a device’s operating system.
Connection to other networks – No organisational device will be connected to another
organisation’s network without express permission (the procedure is documented in the
full ‘Mobile Computing, Home & Off-site working (with Information) Policy’).
8.7.2 Teleworking (inc Homeworking)
Teleworking is the use of communication technology to enable staff to work remotely
from a fixed location (including their home). Homeworking with either IT equipment or
paper records will only be permitted for staff who have been through the authorisation
process. The following elements of policy are included:
• Physical security standards of the off-site facility (inc Home). Sensitive information
must be able to be locked away when not in use, with access only by the member
of staff.
• Classifications of information to be accessed and/or retained off-site. Identifiable
patient information and organisationally sensitive information must not be held on
IT equipment not owned and managed by the organisation
• Agreement by staff members to prevent unauthorised access to information by
relatives/friends/visitors and others.
• Backup and continuity procedures must be in place to ensure that information is
not lost.
9. Systems development and maintenance
9.1 Information Governance requirements of systems.
Objective: To ensure that information governance controls are built into information
systems and information processes. Governance requirements will be specified prior
to and implemented in development projects. Existing governance elements will be
regularly reviewed.
9.1.1 Governance requirements analysis and specification
The IM&T Board and Information Governance Board will be involved in the
development of new information system functionality (inc new systems and
development to existing systems) and processes to ensure that all governance
requirements are included:
Security – Security controls required will reflect the business value of the information
assets based on risk assessment of failure of a system or absence of the information
to the organisation.
Confidentiality – The Corporate Informatics Lead will ensure that compliance with the
Data Protection Act (1998) and Common Law duty of confidentiality are paramount
concerns of system and process developments, in conjunction with organisation wide
compliance endeavours (see section 12). It should be noted that any advice given and
implemented will not absolutely guarantee legal compliance.
Integrity/Quality – In line with compliance with the fourth data protection principle, data
quality will be a specific element of system/process analysis and specification.
Specific policy elements are detailed in 9.2.1 to 9.2.4.
9.2 Governance in information systems, paper records and processes
Objective: To prevent loss, modification or misuse of data in information systems and
paper records. Controls on input, processing and output of data will be built in to
information systems. Paper clinical record policy elements are included, but are also
the subject of specific policy on paper record creation.
9.2.1 Input data validation/paper record creation
Data collection processes (electronic and paper) will have rule based data input
designed into them along the following guidelines:
• Value ranges – Acceptable ranges will be indicated on paper forms and built into
systems so that only values within the determined range will be accepted.
• Invalid characters – Paper collection forms will indicate where the required
collection is either numeric or character based. Electronic systems will ensure that
data collection fields will only accept characters relevant to the data item being
collected (e.g. numeric characters will not be allowed in ‘name’ fields)
• Missing or incomplete data – Paper forms will indicate where items of data must be
completed in relation to the collection purpose of the form. Electronic systems will
feature rules (that may allow local configuration) that indicate to users when
required data items have not been completed before data collection screens can
be committed (saved to the database).
• Identifiers – The NHS Number will be used as the common identifier on all patient
records and correspondence. The organisation will ensure processes around data
collection and transfer, capture and use the NHS number. Local identifiers
(hospital numbers) are permitted.
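The four input rules above (value ranges, permitted characters, mandatory items and the NHS Number as identifier) can be enforced by one rule-based validator at the point a data collection screen is committed. The Python below is an added example and is not part of this policy or any Trust system; the record layout and the schema are assumptions. The NHS Number check-digit test it includes (Modulus 11 over the first nine digits with weights 10 down to 2) is the published standard for that identifier, not something this policy describes, and it catches transposed or mistyped digits that a plain ‘ten digits’ format check would accept.

```python
"""Rule-based input validation from 9.2.1: value ranges, permitted characters,
mandatory items and the NHS Number as identifier. Added example only; the
record layout and SCHEMA are assumptions. The NHS Number check digit
(Modulus 11) is the published standard for that identifier, not policy text."""
from __future__ import annotations

import re
from typing import Any


def nhs_number_valid(value: str) -> bool:
    """Ten digits; the last is a Modulus 11 check over the first nine (weights 10..2)."""
    digits = re.sub(r"\s+", "", value)
    if not re.fullmatch(r"\d{10}", digits):
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - total % 11
    if check == 11:
        check = 0
    if check == 10:
        return False            # numbers whose check digit would be 10 are never issued
    return check == int(digits[9])


# Assumed schema for a constructed admission record: whether each item is mandatory,
# which characters it may contain and, for numbers, the acceptable range.
SCHEMA: dict[str, dict[str, Any]] = {
    "nhs_number":      {"required": True,  "kind": "nhs_number"},
    "surname":         {"required": True,  "kind": "alpha"},
    "age":             {"required": True,  "kind": "int", "min": 0, "max": 130},
    "hospital_number": {"required": False, "kind": "alnum"},   # local identifier, permitted
}


def validate_record(record: dict[str, Any], schema: dict[str, dict[str, Any]] = SCHEMA) -> list[str]:
    """Return the reasons the record may not be committed (an empty list means acceptable)."""
    errors = []
    for name, rule in schema.items():
        value = record.get(name)
        if value is None or str(value).strip() == "":
            if rule["required"]:
                errors.append(f"{name}: mandatory item not completed")
            continue
        text = str(value).strip()
        kind = rule["kind"]
        if kind == "alpha" and not re.fullmatch(r"[A-Za-z' -]+", text):
            errors.append(f"{name}: only letters, spaces, hyphens and apostrophes permitted")
        elif kind == "alnum" and not re.fullmatch(r"[A-Za-z0-9]+", text):
            errors.append(f"{name}: only letters and digits permitted")
        elif kind == "int":
            if not re.fullmatch(r"-?\d+", text):
                errors.append(f"{name}: must be a whole number")
            elif not rule["min"] <= int(text) <= rule["max"]:
                errors.append(f"{name}: outside acceptable range {rule['min']}-{rule['max']}")
        elif kind == "nhs_number" and not nhs_number_valid(text):
            errors.append(f"{name}: not a valid NHS Number (format or check digit)")
    return errors
```

Returning every failing rule at once, rather than stopping at the first, is what lets a data collection screen show the user all the items needing attention before the record is committed.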
The Information Governance role will support the use of the above guidelines; however,
they will only be successfully applied with input from the user and clinical communities
within the organisation, so ‘System owners’ and ‘system management’ have a
responsibility to be involved in input/collection data validation processes.
Responsibility for review and development of input/collection validation will by default
lie with ‘system management’.
Line managers of staff will have default responsibility to ensure their staff are aware of
processes and procedures relating to the quality of inputted data.
Validation routines within data collection will be part of operational processes required
for the Information Quality Assurance Requirements on the IG Toolkit.
The Data Standards Officer receives and implements ‘Data Set Change Notices’ from
the Department of Health.
9.2.2 Control of internal processing
This control only applies to electronic systems and relates to any ‘automated’ process
that takes inputted data and processes it into another form, such as creating a result
from a calculation run on two data fields.
Elements of an information system that run an internal process on data will be
specified in developments and tested before system acceptance. Regular testing will
then be run as a series of validation checks. Frequency of such checks will be based
on the importance of the information asset. Checks will be run as part of change
control and system acceptance procedures (see 8.1.2, 8.2.2 and 9.5.1) when system
developments affect any of the internal processing.
Standard system reports or processes will be checked so that if they have a running
order this is maintained.
9.2.3 Data item (inc message) authentication
Data items in paper format will be subject to rules and guidelines detailed in medical
record policies and procedures for authentication of the author. Typically reliance is on
signature of staff completing forms or records
Data items in electronic format will be attributable to the User ID recorded in any audit
trail relating to the creation, amendment or deletion of data.
9.2.4 Output data validation
Despite implementation of controls on both data collection/input and internal system
processing, data cannot be entirely relied on without further checks on ‘output’. For
the purpose of this policy output is defined as follows:
• Regular or ad-hoc reports compiled from summary of information on multiple
records. These may be run by users or specific ‘Information Analysis staff’
• Viewing and use of individual records (both paper and electronic) for delivery and
management of care.
Information analysis staff will be responsible for running regular validation checks on
reports. Confirmation of the validity will require input from the system owners.
Typically reports can be validated by comparison with other data/reports
Use of individual records (paper and electronic) within the delivery and management of
care will be checked as part of a regular programme by clinical audit departments.
Staff line managers will have a default responsibility to ensure their employees are
familiar with processes/procedures around handling data output, especially with regard
to interpretation.
9.3 Cryptographic controls (policy on the use of cryptographic controls, including encryption)
Whilst the policy accepts the benefits of cryptography, it recognises this is very much a
development area within healthcare. Development and use of these facilities is
expected on both a national and local basis. Subsequent review of this policy will
ensure developments planned are appropriately controlled.
Until such time the following policy statements will apply:
9.3.1 Encryption
• Use of encryption solutions for email will be actively encouraged; at the moment
IT Services are looking at guidance to adopt for Trust systems and processes in
line with NHS Connecting for Health guidance. Current guidance is to password
protect Excel or Word files containing personal or sensitive information if, as a last
resort, these have to be emailed. Staff are advised not to send any person-identifiable
information via email.
• ‘Web-based’ applications which require the transfer of sensitive data (such as e-
referrals) will use 128-bit Secure Sockets Layer (SSL) encryption
• Encryption of databases will be encouraged.
9.4 Security of system files
Objective: To ensure that IT projects and support activities are conducted in a secure
manner, access to system files should be controlled.
9.4.1 Control of operational software
Where operational software is vendor supplied, the following controls will be
considered and implemented in contractual agreements. If software is developed ‘in-
house’ the same controls will be applied where possible.
• Updates of operational software will only be performed by authorised staff (supplier
side), following authorisation from the organisation (see also 8.1.2, 8.2.2 and
9.5.1, change control)
• Updates should not be implemented on an operational system until successful
testing and user acceptance is obtained. (See 8.2.2)
• Audit logs of all updates to test facilities and operational software will be
maintained
• Previous software versions will be retained as a contingency measure.
9.4.2 Protection of system test data
Many operational systems will have test environments to check updates before they
are implemented in live systems. These will be subject to the same security
procedures and access controls as operational systems; in addition the following will
also be considered:
• Test systems should indicate via a continuous display to the user that they are in a
test environment
• Test systems that are ‘populated’ with a copy of ‘live’ operational data should have
identifying information in the database scrambled via a system routine. This is
required because the resource to audit access to data on a test system is unlikely to
be available, and without scrambling, identifiable data could be accessed by users
who do not need to know it.
9.4.3 Access control to program source library
To reduce likelihood of corruption (accidental or malicious), program source library
access will be strictly controlled. In the case of vendor supplied software this will
be in contract with the supplier, however controls are also applicable to ‘in-house’
developed software:
• Access to source libraries will be only set up for authorised staff
• Program listings will be held in secure environments (see 8.6.4)
• Audit log of accesses to source libraries will be kept
• Old source programs will be archived with a note of the operational period (times
and dates) of the software.
9.5 Information governance in development and support processes
Objective: To maintain the security and integrity of application system software and
information. All proposed changes to systems and processes should be evaluated to
check they do not compromise the security and integrity of the system or operating
environment.
9.5.1 Change control procedures
All changes to existing systems will be subject to change control procedures that will
evaluate the potential impact of change on system security, data quality and
availability elements. Two forms of changes are covered:
• In built system functions, such as switches for mandatory fields or user definable
code lists.
• Vendor controlled changes, where alteration to software code is required for the
addition of new data collection, processing or functionality (see also 9.5.3)
Change requests will be made via an authorisation process controlled by system
management and system owners. Following receipt of request, analysis of the impact
of changes will be undertaken by system management. Significant change proposals
that have not originated from the userbase will be tested with users prior to
commitment to change.
System management and the userbase will create a set of formal acceptance criteria
for each change. System management of systems subject to regular change will
compile a set of common acceptance criteria
Where a system has a test environment all changes will be carried out there first and
evaluated against the acceptance criteria prior to being installed in live systems.
Changes will be scheduled with the userbase to ensure minimum disruption to
operational business.
System management will ensure any changes to system documentation resulting from
change will be put in place.
9.5.2 Technical review of operating system changes
When it is necessary to change or update an underlying operating system, applications
will be reviewed and tested to ensure that integrity has not been compromised. The IT
department (and suppliers) will lead changes to operating systems ensuring the
relevant other departments are brought in and that sufficient time is allowed for testing.
9.5.3 Restrictions on changes to software
Both in-house and vendor supplied software will be controlled by restricting
responsibility to authorise changes to system management and system owners.
Changes to vendor supplied software will be governed by contractual agreement with
the supplier.
9.5.4 Covert channels and Trojan code
The organisation will protect itself from covert channels and Trojan code that allow
unauthorised access to information by applying the following controls.
In-house developed software – Application developers will be bound by contract terms
of employment and job description responsibilities from inserting covert channels and
Trojan code.
Vendor supplied software – Contractual arrangements will ensure that the vendor does
not insert covert access channels or Trojan code. Should these be found to be
present in any vendor supplied software, contracts will contain appropriate penalty or
termination clauses agreed by legal departments.
9.5.5 Outsourced software development
(Organisations to insert controls required if they have any outsourced software
development).
10. Business Continuity
10.1 Aspects of business continuity management
Objective: To counteract interruptions to business activities and to protect critical
business processes from the effects of major failures or disaster to an acceptable level
through a combination of preventative and recovery controls. Continuity plans will be
developed, implemented and tested.
10.1.1 Business continuity management process
The organisation will develop a process for management of continuity across the
organisation comprising:
• Risk assessment and management, to identify critical business processes and
systems, threats, vulnerabilities and probability of failure
• System resilience requirements to reduce probability of failure
• Communication responsibilities to initiate, manage and restore from continuity
plans
• Plan management, development and testing responsibilities
Departmental co-ordination and collaboration will be key to the development of
effective and efficient continuity planning. Senior management of the organisation will
actively encourage participation of all required parties by including the responsibility in
job descriptions and performance reviews.
Senior management will set the high level priorities for continuity of systems based on
the business objectives and priorities of the organisation. This will aid prioritisation of
the resource available to build system resilience and effective disaster recovery for
systems identified as ‘mission critical’. This will aid the continuity planning for these
systems; however, policy is that all systems will be covered by continuity plans.
10.1.2 Business continuity and impact analysis
Continuity requirements will be determined by identifying events that can cause
disruption to business processes. These will include, but are not limited to:
• Fire, flood, impact damage
• Equipment & component failure, severe capacity restriction
• Power supply withdrawal
• Malicious attack including physical and network/system intrusion
• Theft of information and media (including paper) resulting in unavailability of
information.
Where information systems (including procedures for paper based information usage)
are shared between organisational departments (such as a Patient Administration
System), the ‘system management’ role will co-ordinate analysis of the impact of
disruptions to systems by involving representatives from each potentially affected area.
This will identify both impact and required recovery periods. Where a system is
specific to a department then the department will be responsible for allocating
responsibility for co-ordinating analysis within the department, which may well still lie
with the ‘system management’ role.
10.1.3 Writing and implementing continuity plans
The following will be included in all business continuity plans:
• Identification and agreement of all key responsible staff (including alternatives) and
procedures, including key elements of initiation, communication (to all required to
take remedial action and those affected who require to continue operating),
recovery and restoration to normal activity
• Education programmes for staff in agreed continuity procedures
• Follow up action to learn from incident and ensure further risk is reduced if possible
(see 6.3.4)
• Maintenance schedule specifying how and when the plan will be tested and the
process for maintaining the plan
Where required the following will also be included:
• Identification of restoration priorities, if there is a requirement to restore operations
to specific key areas in an ordered manner, or partial restoration can be achieved
effectively prior to full restoration.
10.1.4 Business continuity planning framework
System focussed business continuity planning will be incorporated with wider
organisational continuity plans where available, so that should there be a requirement
for the organisation to move essential business operations to alternative (temporary)
locations, essential information for operation at temporary locations is available.
10.1.5 Continuity plan testing
Each individual plan will be tested on a regular basis. This will be a minimum of
annually. The following testing elements will be performed as a minimum standard for
each critical information system:
• Technical recovery testing at alternative site or to test system.
• Table top simulation to ensure all staff with specific responsibilities and a sample of
the userbase are aware of procedures and crisis management roles.
Formal records of tests and outcomes will be made for analysis and incorporation in
review and development of plans.
There are other testing methods that can be applied to business continuity plans;
these will be incorporated in later developments of this policy.
11. Compliance
11.1 Compliance with legal requirements & regulation framework
Objective: To avoid breaches of any criminal or civil law, statutory, regulatory or
contractual obligations and of any security requirements.
11.1.1 Identification of applicable legislation/regulations
For the (current) list of legal and regulatory requirements see 2.4.1. Each
system specific application of the Information Governance policy will list all applicable
legislation/regulation including any specifically related to the system.
11.1.2 Intellectual property rights (IPR)
The organisation will comply with legal restrictions on the use of material subject to
intellectual property rights such as copyright, design rights and trademarks. The
following controls will be used:
• Staff members will not be allowed to load software onto the organisation's network
and computers without authorisation (including downloading software from the
internet), which will include a check on the intellectual property rights (licensing)
applicable to the software.
• Capacity requirements in terms of licences for multi-user systems will be monitored
to ensure that licences are not used inappropriately. Contractual arrangements will
ensure easy expansion of licence requirements.
• The organisation will actively participate in NHS wide application licensing.
• Copies of software will only be made under the authorisation of the IT department
who will check on licensing requirements.
11.1.3 Safeguarding of organisational records
The following forms of organisational record need to be securely retained for statutory
or regulatory requirements, including defence against potential civil or criminal action.
• Patient records
• Staff records (employment contracts, staff reviews etc)
• Financial records (orders, receipts invoices etc)
• Public accountability records (board minutes, papers etc)
The full list of organisational records requiring safeguarding can be found in ‘Health
Service Circular 99/053 – For the record.’
Many records will be required to be kept for a number of years; therefore the
organisation will ensure that technology change does not make important records
inaccessible. This will be either by maintaining relevant technical standards, or by the
transfer of data at the relevant time to new technology and media.
11.1.4 Data protection and privacy/confidentiality of personal information
This policy section will summarise the organisation's method of compliance with UK
Data Protection legislation by reference to relevant sections of this policy and
additional statements where required. Additionally, minimum standards around
managing confidentiality are detailed:
First principle: ‘Personal data shall be processed fairly and lawfully and, in particular,
shall not be processed unless – at least one condition in schedule 2 is met, and in the
case of sensitive personal data at least one of the conditions in schedule 3 is met’
• The organisation will provide and promote materials for patients (data subjects)
that identify how their information is processed and protected.
• This (and other developing activities) will form the basis of ‘informed implied
consent’ for general uses of information. This will, to a reasonable extent, meet the
condition of consent for processing of personal data.
• For the processing of sensitive data (including physical or mental health or
condition), most activity will be compliant under schedule three, condition eight –
‘processing is necessary for medical purposes and is undertaken by a health
professional or person who in the circumstances owes a duty of confidentiality
which is equivalent to that which would arise if that person were a health
professional.’ (‘Medical purposes’ includes the purposes of preventative medicine,
medical diagnosis, medical research, the provision of care and treatment and the
management of health services.)
• The organisation will actively develop, in line with national policy direction, systems
to record the wishes of patients that are expressed in response to information
presented to them.
• The organisation will maintain an accurate, up to date notification with the
Information Commissioner on the purposes, sources, subjects and disclosures of
data it uses.
Second principle: ‘Personal data shall be obtained only for one or more specified and
lawful purposes, and shall not be further processed in any manner incompatible with
that purpose or purposes’
• The organisation's notification will detail the specified and lawful purposes for which
data shall be obtained and processed.
• The organisation will actively participate in protocols for Information Sharing
between organisations to ensure that further processing and sharing is carried out
in a manner compatible with notified purposes. (see 8.7.1)
Third principle: ‘Personal data shall be adequate, relevant and not excessive in relation
to the purpose or purposes for which they are processed’
• The organisation will conduct routine audits/reviews as part of good data
management practice to ensure that information collection is adequate, relevant
and not excessive.
• Professional guidelines on taking and making of records will be adhered to.
Fourth principle: ‘Personal data shall be accurate and where necessary kept up to
date’
• Validation processes and routines will be developed, utilised and maintained as per
section 10.2.
• The organisation in signing up to Information Sharing agreements or specific
subject policies (such as vulnerable adults) will ensure that the accuracy of data
shared between organisations is covered in the agreement.
Fifth principle: ‘Personal data held for any purpose or purposes shall not be kept for
longer than is necessary for that purpose or those purposes.’
• The organisation will instigate retention and disposal procedures in line with central
NHS guidance – currently HSC 1999/053 ‘For the record’ – see 12.1.3.
Sixth principle: ‘Personal data shall be processed in accordance with the rights of data
subjects under this act’
• Right of subject access to records. The organisation ensures that a formal process
for patients to request access to their records is in place and that response will be
achieved within 40 days (following receipt of all data necessary to process
request). Such requests will be formally required in writing (or email) and contain
enough information for the organisation to identify and provide the relevant
information to the patient. The organisation will provide either sight of the
information or a copy on request. For charges, please refer to the Access to
Health Records Policy and Procedure. The senior clinician involved with the
patient may choose to remove information that could cause undue harm or distress
to the subject. The consent of third parties identified must be sought before their
information is released, unless there are significant practical reasons why it cannot
be sought. Consent is required from the last treating clinician before any records
are disclosed.
• Right of preventing processing likely to cause damage or distress. The
organisation operates a culture of confidentiality; however, patients may make
specific requests, which if possible should be acted upon. Any request
that makes treatment or management of a patient dangerous or impossible may
be refused. Requests not to share information will be adhered to unless specific
extreme circumstances or legal requirements override them (see override section
below).
• Right to take action to rectify inaccurate data. Factual information in patient
records that is inaccurate will be corrected but not deleted. Subjective information
(i.e. that which is not solid fact) that is highlighted as inaccurate, in the belief of the
patient, will not be corrected, as it may alter evidence required in any future action.
The patient’s view will however be added to the notes to indicate there is
discrepancy between the recorded information and the patient’s viewpoint.
Seventh principle: ‘Appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of personal data and against
accidental destruction of, or damage to, personal data’
• In essence, application of the ‘Information Governance Policy’ and appropriate
controls, moving to compliance with ISO17799, is seen as a reasonable degree of
compliance with this principle.
Eighth principle: ‘Personal data should not be transferred to a country or territory
outside the economic area unless that country or territory ensures an adequate
level of protection for the rights and freedoms of data subjects in relation to the
processing of personal data’
• Anyone requiring to transfer data should take advice from Information Governance
staff prior to doing so. There are conditions where the eighth principle does not
apply, but these have to be considered individually.
Override of confidentiality or patient’s express wishes:
• Responsibility for withholding/disclosing patient information without the patient’s
consent lies with the senior clinician in charge of the patient’s care. Occasionally
time and situations will not allow this person to make a decision; if the decision
cannot be delayed, it must be taken by the next most senior clinician. Information
withheld will be reviewed and the restriction withdrawn when appropriate. Please
refer to the Use, Consent and Disclosure of Information Policy located on the
Information Governance intranet pages.
• Actions taken to withhold or disclose information will be documented in the patient
record as soon as possible after the event, identifying all those involved.
Disclosure without consent may be permitted in the following scenarios or under the
following legislation (giving a power to disclose):
• Notification of new births
• Notification of communicable diseases
• Prevention/detection of a serious crime, e.g. terrorism, murder (under the Police
and Criminal Evidence Act or Crime & Disorder Act)
• Notification of medical condition affecting driving to DVLA (noting DVLA medical
officers make the final judgement)
• Prevention of harm to a patient or others (under certain conditions relating to Data
Protection, Human Rights, Police and Criminal Evidence Acts)
Disclosure without consent is required under the following legislation:
• Road Traffic Act 1988
• Prevention of Terrorism Act (89) & Terrorism Act (00)
• Children’s Act (section 47 enquiries)
• Where support of section 60 of the Health & Social Care Act has been provided,
either as a ‘class regulation’ or specific authorisation from the ‘Patient Information
Advisory Group’ or the Secretary of State for Health.
Other disclosure regulations are listed in the Department of Health Publication – “NHS
Information Governance – Guidance on Legal and Professional Obligations.”
The organisation will support any member of staff who, using careful consideration and
professional judgement, can satisfactorily justify any decision to disclose or withhold
information against a patient’s wishes, where documentary evidence can back up
claims of action taken or not taken. Advice on application of legal powers and duties is
available from the Trust Legal Department.
11.1.5 Prevention of misuse of information processing facilities
Previous controls detail the authorisation and access control policy statements (see
9.1 & 9.2).
The organisation will permit limited personal use of IT facilities and systems; this will
be detailed in specific policies relating to the functions themselves (see Email and
Internet policies for examples).
Monitoring of activity will take place, in line with the Lawful Business Practice regulations
(2000). Detailed policy statements on monitoring activity are covered in specific system
policy; however, in general, monitoring will only take place at a base level to ensure
system efficiency, unless there are grounds for further investigation, set out in the
regulations.
Staff will be made aware that basic monitoring may take place, and that specific
circumstances may lead to investigation. Where possible, an individual's consent will be
sought before their activity is monitored, unless there are serious situations where informing
them and seeking consent may be prejudicial to the investigation. Such situations will have to be fully
documented and relevant parties (including legal advice) engaged.
Any misuse of facilities will be dealt with under the disciplinary process of the
organisation. Separate legal proceedings may be necessary, including seeking
prosecution under the Computer Misuse Act 1990.
11.1.6 Regulation of cryptographic controls
Cryptographic controls, when implemented, will be put in place with appropriate
reference to the ‘Electronic Communications Act 2000’ and any subsequent legislation.
11.1.7 Collection of evidence
Where evidence is required for internal or external support of action against an
individual, processes for collection will incorporate the following minimum standards:
• Retrieval of paper information will note who withdrew it, when it was withdrawn and
incorporate procedure to ensure it is not tampered with. For example the use of a
medical record in investigation will record who requested and received the record,
any copies of the original that were made, and who witnessed this activity.
• Retrieval of electronic information will follow similar processes. Any copies of
information will be witnessed during the copying process. A second copy may be
taken and safely secured to ensure a copy taken at the time can be accessed to
verify any data presented has not been tampered with, as the operational system
may, by general use, contain additional/amended data from normal required
operations.
12. Reviews of information governance policy and technical compliance
Objective: To ensure compliance of systems with organisational information
governance policies and standards, regular review of implementation and applicability
of the standard should be carried out.
12.1 Compliance with information governance policy
All areas within the organisation will be considered for regular review to ensure
compliance with information governance policies and standards. This will be achieved
via a number of means:
• As part of internal/external annual audit cycle
• Via spot-check programme to be developed and co-ordinated by the Information
Governance team
• Information Governance Toolkit annual assessment
The first element is a local process, and the last a regulatory requirement. Therefore
the middle element will be developed with both the first and last elements in mind, to
ensure there is no repetition of activity.
12.1.1 Technical compliance checking
As part of the organisational audit cycle, the organisation will include regular checks on
technical elements of the IT infrastructure, many of which are related to security.
These will be required to meet appropriate E-GIF and NHSIA (NHSnet)
security/operational standards as a minimum.
12.2 System audit considerations
Objective: To maximise the effectiveness of and to minimise interference to/from the
system audit process.
12.2.1 System audit controls
Any required/planned audit will take account of risk to business operations and be
planned around required timing. Factors to be included are the removal of key staff to
meet with auditors, the scope of checks and the requirement for production of audit
reports from the system.
12.2.2 Access to system audit tools
Access to any software tools or reports that form part of the audit of a system will be
restricted.
12.3 Review and monitoring
All managers are responsible for regularly monitoring adherence to this policy.
Managers should periodically undertake quality control checks to ensure that the
standards as detailed in this policy are maintained.
The policy will be reviewed every 3 years (or sooner if new legislation, codes of
practice or national standards are to be introduced).
13. Accessibility
Further guidance regarding Information Governance encompassing data protection,
freedom of information, information security, information quality assurance, records
management and the Information Governance programme can be located on the
following web pages:
• Trust Information Governance pages
http://intranet/Departments/information_gov/default.asp
• Trust IT Services pages
http://intranet/IT_Support/default.asp
• Trust Health Records Pages
http://intranet/Departments/Healthcare_Operations/Health_Records_Service/default.asp
• NHS Connecting for Health Information Governance website
http://www.connectingforhealth.nhs.uk/
• Department of Health
http://www.dh.gov.uk/en/AdvanceSearchResult/index.htm?searchTerms=information+governance
• ISO 17799
http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/information_security.htm
For any further information, please contact the Information Governance Co-ordinator
for the Trust.
This document can be made available in a range of alternative formats e.g. large print,
Braille and audiocassette.
Equality and Diversity
This policy has been assessed against the Equality Impact Assessment Form from
the Trust's Equality Impact Assessment Guidance. Should you believe there to be
any positive or negative impacts as a result of the implementation of this Policy, not
already identified, please contact the policy author.
In implementing this policy, managers must ensure that all staff are treated fairly and
within the provisions and spirit of the Trust's Equality, Diversity and Inclusiveness
Policy.
For more details, please contact the Human Resources Department on 01942
773766 or Email: equalityanddiversity@wwl.nhs.uk
14. Other related policies
Please find below other policies related and associated with this overarching
Information Governance Policy:
• Access to Health Records Policy
• Data Protection Policy
• Fax Policy with associated Fax Header Template
• FOI Policy and Procedure
• Health Records Retention and Destruction Policy
• Health Records Management Policy
• Corporate Records Management Strategy and Policy
• Use, Consent and Disclosure of Information Policy
• Fairness and Transparency Policy, Leaflet and Poster
• Data Protection Guide for Researchers
• Keep IT Safe Booklet
• Protecting Your Data Leaflet
All the above are located on the Information Governance intranet pages, as well as the
following Department of Health good practice guidelines:
• Confidentiality: NHS Code of Practice
• Records Management: NHS Code of Practice
• Information Security: NHS Code of Practice
• Safe Haven guidance posters for phone, fax, post and transporting data
All IT Policies are located on the IT Services intranet pages which are as follows:
• Technical Support Service Charter
• Electronic Mail Policy
• IM&T Security Policy
• Ensuring Security and Confidentiality in NHS Organisations
• Small Systems Policy
• Portable IT Equipment Policy
• Internet User Policy
• Removable Computer Media Policy
• PC Disposal Procedure
• New User Account Request Form
• Security Incident Reporting Form
• Remote Access Procedure
• Request for Change Form
• Change Management Process