Protective Marking and Classification of PCT Information v1 0 by nfzW895

            This is a Tier 2 IG Documentation


Procedure for the Protective Marking and Asset Control of Information
Version:                                 1.0
Name of originator/author:               Ade Oduntan
Job title of originator/author:          Information Governance Manager
Contact details:                         Ade.Oduntan@wpct.nhs.uk /
                                         020881277713

Date written:                            February 2009
Name of responsible committee/individual: Information Governance Steering Group
Equality Impact Assessment carried out and outcomes published (date): None needed
Groups involved in consultation:
Date approved by committee:*
Date approved by PEC:*                   Not required
Date approved by Trust Board:*           Not required
Date procedure is valid:
Next Review date:
Target audience:                         All Staff
1. Introduction

   This Information Governance related procedure sets out the scheme of classification for
    PCT information. It is to be used to ensure that the PCT information is appropriately
    protectively marked when it is being handled.

   Please see also the Safe Haven Policy and the Procedure for handling of Internal Mail /
    the Use of Couriers for transporting Person Identifiable or Sensitive Data.

2. Context - Why Information needs to be Protectively Marked and Classified

   A Protective Marking System (often referred to as the Protective Marking
    System/Information Classification Scheme) is the UK Government's administrative
    system to ensure that access to information and other assets is correctly managed and
    safeguarded to an agreed and proportionate level throughout their lifecycle, including
    creation, storage, transmission and destruction. The system is designed to support and
    meet the requirements of relevant legislation, international standards and international
    agreements.

   Through the application of a protective marking and classification scheme, it is expected,
    as a result of national NHS Information Governance policy, that NHS organisations
    will be able to further demonstrate the effectiveness of their local IG practices.

   The protective marking scheme set out is similar to that used in central Government and
    other public sector organisations but takes account of important differences in the nature
    of NHS business activity and the kind of information used between the NHS and other
    public sector environments.

3. Application of Protective Markings on PCT Information

   Categories proposed for use are to be prefixed “NHS” to indicate their relevance to a
    particular NHS environment. Two types of protective marking categories should be
    utilised for PCT Information:

    1. NHS Confidential or
    2. NHS Unclassified

   The protective marking of PCT information is applicable to both information recorded on
    paper and that processed electronically including printouts, reports etc.



   When classifying PCT documents regard should be paid to the requirements of the
    Freedom of Information Act 2000 and the Data Protection Act 1998. If applied correctly,
    the Protective Markings will ensure that only genuinely sensitive material is safeguarded.
    The following points should be considered when applying a protective marking:

       Applying too high a protective marking can inhibit access, lead to unnecessary and
        expensive protective controls, and impair the efficiency of the PCT's business.

       Applying too low a protective marking may lead to damaging consequences and
        compromise of the asset.

       The compromise of aggregated or accumulated information of the same protective
        marking is likely to have a higher impact (particularly in relation to personal data).

       The sensitivity of an asset may change over time and it may be necessary to
        reclassify assets. If a document is being de-classified or the marking changed, the
        file should also be changed to reflect the highest marking within its contents.

       Protective markings should wherever possible be restricted to information that would
        be exempt from disclosure, including temporary exemption, such as that for drafts of
        documents that are intended for publication. A note of the exemptions that might be
        relevant to the protective markings is included in Table 2 (ANNEX). However,
        nothing in this guidance should be taken as authoritative advice on the operation of
        the Freedom of Information Act.

       The following general baseline controls must be applied to all protectively marked
        material:

              Access is granted on a genuine ‘need to know’ basis.

              Assets must be clearly and conspicuously marked. Where this is not practical
               (for example the asset is a building, computer etc) staff must still have the
               appropriate personnel security control and be made aware of the protection
               and controls required.

              Only the originator or designated owner can protectively mark an asset. Any
               change to the protective marking requires the originator or designated
               owner's permission. If they cannot be traced, a marking may be changed, but
               only by consensus with other key recipients.

              Any protectively marked material that is to be released under the Freedom of
               Information Act is de-classified first and is marked as such. The originator, or
               specified owner, must be consulted before protectively marked material can
               be de-classified.

              A file, or group of protectively marked documents or assets, must carry the
               protective marking of the highest marked document or asset contained within
               it (e.g. a file containing CONFIDENTIAL and RESTRICTED material must be
               marked CONFIDENTIAL).

4. When NHS Confidential is to be used

   The marking NHS CONFIDENTIAL should be used for patients’ clinical records, patient
    identifiable clinical information, and information about NHS staff that passes between
    NHS staff, and between NHS staff and staff of other appropriate agencies. This will
    include patient demographic details that might identify people who have had a GP
    contact/hospital appointment within a particular timeframe or who may have a particular
    condition. (NOTE: In order to safeguard confidentiality, the term “NHS Confidential”
    should never be used on correspondence to a patient.)
   The endorsement NHS CONFIDENTIAL should also be used to mark all other sensitive
    information. That is, material the disclosure of which is likely to:
         adversely affect the reputation of the organisation or its officers or cause
           substantial distress to individuals;
         make it more difficult to maintain the operational effectiveness of the
           organisation;
         cause financial loss or loss of earning potential, or facilitate improper gain or
           disadvantage for individuals or organisations;
         prejudice the investigation, or facilitate the commission of crime or other illegal
           activity;
         breach proper undertakings to maintain the confidence of information provided by
           third parties or impede the effective development or operation of policies;
         breach statutory restrictions on disclosure of information;
         disadvantage the organisation in commercial or policy negotiations with others or
           undermine the proper management of the organisation and its operations.

5. How information marked NHS Confidential is to be applied and handled

   The endorsement NHS CONFIDENTIAL should be included at the top centre of every
    page of the document. A paper, printout or report etc marked NHS CONFIDENTIAL may
    also be endorsed with a suitable descriptor indicating the reason for the classification
    e.g. ‘NHS CONFIDENTIAL – PATIENT INFORMATION’ or ‘NHS CONFIDENTIAL –
    COMMERCIAL’. A list of the relevant descriptors is included in Table 1 (ANNEX).

   Documents so marked should be held securely at all times. That is, they should be
    stored in a locked room or equivalently within secured electronic systems to which only
    authorised persons have access.

   They should not be left unattended at any time in any place where unauthorised persons
    might gain access to them.

   They should be transported securely in sealed containers and not left unattended at any
    stage.

   Documents marked NHS CONFIDENTIAL not in a safe store or transport should be kept
    out of sight of visitors or others not authorised to view them.

   Information may be classified NHS CONFIDENTIAL in the light of the circumstances at a
    particular time. The classification should be kept under review and the information de-
    classified when the need for this protection no longer applies.

6. When NHS Unclassified is to be used
   NHS Unclassified is to be used for information that does not fall within the requirement to
    be marked as NHS Confidential.

7. How information marked NHS Unclassified is to be applied and handled
   No special precautions are necessary.

8. Risk Management


ANNEX

Protective marking and Classification of PCT Information - Marking
Information NHS CONFIDENTIAL - appropriate to paper and electronic documents and
files containing person-identifiable clinical or NHS staff information and other sensitive
information.


Table 1 – Descriptors that may be used with “NHS CONFIDENTIAL”

Category             Definition

Appointments         Concerning actual or potential appointments not yet announced.
Barred               Where there is a statutory (Act of Parliament or European Law)
                     prohibition on disclosure, or disclosure would constitute a contempt
                     of Court (information the subject of a court order).
Board                Documents for consideration by an organisation’s Board of Directors,
                     initially, in private.
                     (Note: This category is not appropriate to a document that could be
                     categorised in some other way.)
Commercial           Where disclosure would be likely to damage a (third party) commercial
                     undertaking's processes or affairs.
Contracts            Concerning tenders under consideration and the terms of tenders
                     accepted.
For Publication      Where it is planned that the information in the completed document will
                     be published at a future (even if not yet determined) date.
Management           Concerning policy and planning affecting the interests of groups of staff.
                     (Note: Likely to be exempt only in respect of some health and safety
                     issues.)
Patient Information  Concerning identifiable information about patients.
Personal             Concerning matters personal to the sender and/or recipient.
Policy               Issues of approach or direction on which the organisation needs to take
                     a decision (often information that will later be published).
Proceedings          The information is (or may become) the subject of, or concerned in a
                     legal action or investigation.
Staff                Concerning identifiable information about staff.




Table 2 - Freedom of Information Act Exemptions

Category         Possible Exemption [section(s) of the FOI Act]

Appointments     S 40    Personal information (may be subject to a public interest test)
Barred           S 44    Legal prohibitions on disclosure
Board
Commercial       S 43    Commercial interests (subject to a public interest test)
Contracts        S 43    Commercial interests (public interest test)
For Publication  S 22    For future publication (public interest test)
Management       S 38    Endanger health and safety (public interest test)
Personal         S 40    Personal Information (may be subject to public interest test)
Policy           S 22    For future publication (public interest test)
Proceedings      S 30    Investigations and proceedings
                 S 31    Law enforcement


