Shared by: fgb33083
posted: 2/22/2011
pages: 14
SECURITY POLICY FOR GENERAL PRACTICE
Practice Name:

Practice Code:

With reference to the NHSnet & Acceptable Use Policy
                                                   General Practice Security Policy



Purpose (page 3)
Scope (page 3)
Introduction (page 3)
Staff Responsibilities (page 4)
   Partners (page 4)
   Practice Manager (page 4)
   IT Specialist (page 4)
   Practice Staff (page 4)
The Aims of an Information Security Policy (page 5)
   Confidentiality (page 5)
   Integrity (page 5)
   Availability (page 5)
Risk Assessment (page 6)
Incident Reporting (page 6)
Caldicott Report (page 7)
   Caldicott Principles (page 7)
Data Protection Act 1998 (DPA1998) (page 8)
Human Rights Act 1998 (HRA1998) (page 9)
Patient Information (page 9)
Access to Health Records Act 1990 (AHRA1990) (page 10)
Request for Copies of Information (page 10)
Clean Desk Policy (page 10)
Computer Misuse Act 1990 (CMA1990) (page 10)
Computer Systems (page 11)
Transmitting Patient Data (page 11)
Computer viruses (page 12)
Disposal of Information & Equipment (page 12)
Property Control (page 13)
Physical Safety & Security (page 13)
Training (page 13)
Document Change History (page 14)
Notes (page 14)
References (page 14)




Version No: 1                                                Page 2 of 14                                                   (May 2001)


Purpose

This security policy document provides a framework of controls for the
security of the information and systems used within general practice.

It is intended as a practical tool to inform and guide the practice through
its responsibilities.

This document relates to the recommendations of the Caldicott Report [1] (see
page 7), current legislation and the British Standard for information
security, BS7799 [2].

Where the practice is connected to the NHSnet, this document is in addition
to the policies within the 'Code and Practice for Connection' [3], referred to
as the Acceptable Use Policy (AUP).

Scope

This Security Policy applies to all main and branch surgery premises under
the responsibility of the Partners, and to the information systems and data
that flow into or out of them.

Introduction

Information systems are central to the efficient running of a modern general
practice. Adequate security procedures are critical in ensuring the
Confidentiality, Integrity and Availability of these systems.

Connection and access to the NHSnet is conditional on there being a Security
Policy in place.

Wherever personal information is held, on paper or on computer, it is subject
to the Principles of the Data Protection Act 1998 [4] (see page 8).

Individuals and the practice may be prosecuted or subject to a claim for
damages for any instance where the Data Protection Principles are breached or
where a person suffers loss, damage or harm from misuse of information.

Applying this policy to normal working within the practice will greatly reduce
the risk of loss, damage or misuse of information.





Staff Responsibilities

Partners

The Partners at this practice endorse the requirements of this Security Policy
and encourage all staff to follow the guidance to the best of their ability.

Practice Manager

The Practice Manager should ensure that every member of staff understands the
principles within this Policy. This must include those staff who may only
visit on a casual basis but require access to information or computer systems
to carry out their role.

The Practice Manager will co-ordinate the training and development of staff to
use the information systems in accordance with the guidance and relevant
legislation.

The Practice Manager should ensure that any notification required under the
Data Protection Act 1998 is maintained and is current and up-to-date.

IT Specialist

If appointed, the Practice IT Specialist is responsible for ensuring the correct
function and security of the computing systems, and granting access to
approved users.

Practice Staff

Security is everybody's business!

All members of staff are committed to preserving the security of the
practice's assets and information, and will bring any concerns that threaten
this security to the attention of their manager.

Everyone must be aware of his or her responsibilities when using personal
information, which may only be used in accordance with the Data Protection
Act 1998.

Additionally clinical information within a General Practice is governed by the
common law duty of confidentiality and the recommendations contained within
the Caldicott Report.




The Aims of an Information Security Policy

Confidentiality

Everyone involved should maintain the Confidentiality of all data within the
practice by:

- Ensuring that only authorised people can gain access to the information and
  systems;

- Not disclosing information to anyone who has no right to know or see it.


Integrity

Maintain the Integrity of all the data within the practice by:

- Taking care over input;

- Checking that the correct record is on the screen before updating;

- Learning how the systems should be used and keeping up-to-date with
  changes which may affect how they work;

- Reporting apparent errors.


Availability

Maintain the Availability of all the data by:

- Ensuring that the equipment is protected from security risks;

- Ensuring that backups of the data are taken at regular intervals;

- Ensuring that appropriate contingency is provided for equipment failure or
  theft, and that these contingency plans are tested and kept up-to-date.






Risk Assessment

Effective security measures reduce either the likelihood of a damaging event
occurring or the impact of such an event. Such events may be deliberate acts
of sabotage or accidental.

Security measures are chosen by considering:

- the Threat of something damaging the confidentiality, integrity or
  availability of information held on systems or manual records;

- the Impact that such a threat would have if it occurred;

- the Chance of such a threat occurring.

Practice staff are encouraged to consider the risks associated with the way
that they work, the computer systems they use and the information held on
them.


Incident Reporting

Any incident that may or has led to a breach of security of the practice or
information held within it must be reported.

The responsible member of staff in this practice is detailed here:


      Practice Security
      Contact - Name:


       Contact Details:






Caldicott Report

Issued in December 1997 the Caldicott Report on Protecting and Using Patient
Information has been adopted by the NHS.

A set of principles was developed, against which every flow of patient-
identifiable information should be regularly justified and tested.

Caldicott Principles

1. Justify the purpose(s) for using confidential information.

2. Only use it when absolutely necessary.

3. Use the minimum required.

4. Access should be on a strict need-to-know basis.

5. Everyone must understand his or her responsibilities.

6. Understand and comply with the law.

A key part of the recommendations contained within the report was the
establishment of a network of Caldicott Guardians of patient information; your
Primary Care Group (or Trust) will have a nominated Guardian.

Caldicott Guardians have a responsibility to develop a framework of policies to
safeguard and govern the uses made of patient information within NHS
organisations.

Any concerns relating to the Caldicott Report should be made through the
Practice Manager.


   Caldicott Guardian
               Name:


       Contact Details:






Data Protection Act 1998 (DPA1998)

This Act came into force on 1st March 2000 and applies to information which
relates to living individuals, whether processed by computer or held manually
in hard copy, for example as part of a 'relevant filing system'. Health
records are specifically mentioned in the Act.

The practice will discharge its responsibilities under the Act by compliance
with the following Data Protection Principles:

1. Personal data shall be processed fairly and lawfully and subject to conditions

2. Personal data shall be obtained for specified and lawful purposes and not
   further processed in any manner incompatible with that purpose

3. Personal data shall be adequate, relevant and not excessive for the purpose

4. Personal data shall be accurate and where necessary, kept up to date

5. Personal data shall not be kept for longer than necessary for the purpose

6. Personal data shall be processed in accordance with the rights of the data
   subjects

7. Appropriate technical and organisational measures shall be taken against
   unauthorised or unlawful processing of personal data and against
   accidental loss or destruction of, or damage to, personal data

8. Personal data shall not be transferred outside the European Economic Area
   unless an adequate level of protection is ensured

(NB. The Data Protection Act 1984 required registration every three years;
under the 1998 Act this has become an annual notification. The Practice
Manager is required to ensure that notification is adequate and up-to-date.)

 Data Protection Act –
 Notification Number:


           Expiry Date:






Human Rights Act 1998 (HRA1998)

The Human Rights Act 1998 [5], which incorporates the European Convention on
Human Rights (ECHR) into UK law, came into force on 2nd October 2000.

It does not confer any new rights. The main difference is that individuals
are now able to enforce the Convention in the UK courts if they think a public
authority* has breached, or is likely to breach, a Convention right or freedom
affecting them. This may result in more challenges, well founded or otherwise.

*A GP surgery carrying out work within the NHS is a public authority for the
purposes of the Human Rights Act.

The key Articles that relate to work within this practice and the NHS include:

Article 2:      Right to life
Article 3:      Right not to be subjected to inhuman or degrading treatment
Article 5:      Right to liberty
Article 8:      Right to respect for private and family life
Article 12:     Right to marry & found a family

This practice will not act in any way that is incompatible with the HRA1998.

Patient Information

Patients have a right to expect that information about them is kept confidential!

This practice will use patient-identifiable information only for the individual
patient’s health care, for internal audit arrangements and to justify certain
payments to the practice. Under certain circumstances, it may be possible for
visiting computer engineers to view patient-identifiable information. Such
engineers are bound by strict contractual and legal confidentiality requirements.

All other uses of information require the patient's consent, or a
justification for the disclosure.

The General Medical Council (GMC) gives additional guidance on when
disclosures may be justified.

Data that has been anonymised such that patients cannot be identified may be
used by the practice and others for research purposes without seeking further
consent.



Access to Health Records Act 1990 (AHRA1990)

Except in the case of records of the deceased, the Access to Health Records
Act 1990 [6] has been repealed.

Access to all health records now comes under the Data Protection Act 1998,
without any date limits.

Request for Copies of Information

Under the DPA1998 any person has the right to request a copy of any
information held about them; this is known as a 'Subject Access Request'.

Under the AHRA1990 a close relative or someone with a claim resulting from
the patient’s death can request the relevant health records of the deceased.

This practice will deal promptly and sensitively with any request under these
pieces of legislation.

Generally the practice has 40 days in which to comply with the request.

Advise the Practice Manager and follow the relevant procedure if any such
request is received.

Clean Desk Policy

It is the policy of this practice to ensure that where practical all documents and
information are removed from desktops and correctly filed when not in use.


Computer Misuse Act 1990 [7] (CMA1990)

This legislation created three criminal offences related to computer systems:

- Unauthorised access.

- Unauthorised access with the intent to commit or facilitate the commission
  of further offences.

- Unauthorised modification.

If you suspect that any of these offences are, or may be being committed, notify
the Practice Manager or a Partner for advice.




Computer Systems

Practice systems will only be used for approved purposes authorised by the
Partners and managed by the Practice Manager or if applicable the IT specialist.

Only approved software may be installed, and it may only be used in
accordance with its software licence agreement.

Practice systems are regularly ‘backed-up’ for protecting and recovering the
systems and data in an emergency.

If the internal network is connected to other services outside the practice then
additional care must be taken when using these services.

One such service is the NHSnet. This is a private network for the NHS offering
information and e-mail communications. If connected, it will also be possible
through this service to reach the World Wide Web (WWW), commonly known as the
Internet, enabling practice users to view (or browse) a whole range of 'Web
Sites' and send e-mail communications around the world.

The NHSnet managed service provider (BT or Cable & Wireless) monitors the
use of this network. Connection to inappropriate sites on the Internet,
downloading or sending offensive material may lead to investigation,
disconnection and possibly prosecution.

Any incident that may or has led to a breach of security of the practice or
information held within it must be reported.

Transmitting Patient Data

Some physical areas may be restricted and provide a ‘safe haven’ for the use
and control of patient information.

It cannot be assumed that other premises have the same level of security.

Fax machines must be used with care; if in doubt check with the recipient first.

The NHSnet and Internet are not secure for the transmission of personal or
patient information without further protection such as encryption. This area is
subject to a wider policy from the NHS Executive and the British Medical
Association.





Computer viruses

Unless completely isolated, computer systems are continually at risk from virus
infection. This risk is greater as the volume of data transferred between systems
and networks increases.

Even viruses that carry no destructive payload can cause serious disruption
to both the user and the wider network. Prevention is much more effective
than the cure!

Viruses may be received as:

- an attachment to an e-mail or message;

- a macro within a word processor or spreadsheet document;

- an infected program that has been downloaded;

- an addition to diskettes or CDs.

Care must be taken before sending or receiving data from the NHSnet or wider
Internet.

Anti-virus software is installed and will be scanning the practice systems; this
must not be disabled.

Computer diskettes or CDs must be scanned for viruses, using the approved
anti-virus product, before use.

If a virus is suspected, immediate action is essential, inform the Practice
Manager.

Disposal of Information & Equipment

Information containing personal details that is no longer required must be
disposed of in accordance with the practice local procedure to prevent
inadvertent disclosure.

Computer disks and equipment that contain personal data must have that
information permanently erased or the media physically destroyed. Deleting
files or re-formatting a disk or a computer 'hard-drive' does not guarantee
that the information is gone: a format typically clears only the directory
or allocation tables, and the data itself remains on the disk and is
recoverable until every sector has been overwritten.

If in doubt ask the Practice Manager for advice.
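The following Python example is added here to illustrate the point above; it is not part of the policy and uses an invented on-disk layout (a single directory block of "name,start,length" lines followed by data blocks) and hypothetical helper names (new_disk, write_file, quick_format, carve, overwrite). A quick format wipes only the directory, so a byte search still finds the record; only overwriting every block removes it. The sample record is constructed and is not real patient data.

```python
"""Toy disk image showing why a 'format' does not delete data.

Added example, not part of the practice policy. The layout is invented:
block 0 is a directory (allocation table) of "name,start_block,length"
lines; the remaining blocks hold file data.
"""
import os
import re

BLOCK_SIZE = 64
DIR_BLOCKS = 1                      # block 0 holds the directory
DATA_BLOCKS = 7
DISK_BLOCKS = DIR_BLOCKS + DATA_BLOCKS

# Constructed sample record; not real patient data.
SAMPLE_RECORD = b"NHS-NO:0000000000;NAME:SAMPLE PATIENT;DOB:01/01/1900;"

# Pattern a carving tool might use to find records in raw bytes.
RECORD_PATTERN = re.compile(rb"NHS-NO:\d{10}")


def new_disk() -> bytearray:
    return bytearray(DISK_BLOCKS * BLOCK_SIZE)


def read_directory(disk: bytearray) -> dict:
    """Parse the directory block into {name: (start_block, length)}."""
    raw = bytes(disk[:DIR_BLOCKS * BLOCK_SIZE]).rstrip(b"\x00")
    entries = {}
    for line in raw.split(b"\n"):
        if line:
            name, start, length = line.split(b",")
            entries[name.decode()] = (int(start), int(length))
    return entries


def write_directory(disk: bytearray, entries: dict) -> None:
    raw = b"".join(f"{n},{s},{l}\n".encode() for n, (s, l) in entries.items())
    if len(raw) > DIR_BLOCKS * BLOCK_SIZE:
        raise ValueError("directory full")
    disk[:DIR_BLOCKS * BLOCK_SIZE] = raw.ljust(DIR_BLOCKS * BLOCK_SIZE, b"\x00")


def blocks_needed(length: int) -> int:
    return -(-length // BLOCK_SIZE)   # ceiling division


def write_file(disk: bytearray, name: str, data: bytes) -> None:
    """Store data in the first free data blocks and record it in the directory."""
    entries = read_directory(disk)
    next_free = max((s + blocks_needed(l) for s, l in entries.values()),
                    default=DIR_BLOCKS)
    if next_free + blocks_needed(len(data)) > DISK_BLOCKS:
        raise ValueError("disk full")
    offset = next_free * BLOCK_SIZE
    disk[offset:offset + len(data)] = data
    entries[name] = (next_free, len(data))
    write_directory(disk, entries)


def read_file(disk: bytearray, name: str) -> bytes:
    """Normal access path: locate the file through the directory."""
    start, length = read_directory(disk)[name]
    offset = start * BLOCK_SIZE
    return bytes(disk[offset:offset + length])


def quick_format(disk: bytearray) -> None:
    """What a typical 'format' does: zero the directory, leave data blocks alone."""
    disk[:DIR_BLOCKS * BLOCK_SIZE] = bytes(DIR_BLOCKS * BLOCK_SIZE)


def carve(disk: bytearray) -> list:
    """Forensic-style recovery: ignore the directory and search every byte.
    Returns the byte offsets at which a record was found."""
    return [m.start() for m in RECORD_PATTERN.finditer(bytes(disk))]


def overwrite(disk: bytearray, passes: int = 1) -> None:
    """Sanitise: overwrite every block (directory included) with random data,
    then zeros. This, not formatting, is what removes the information."""
    for _ in range(passes):
        disk[:] = os.urandom(len(disk))
    disk[:] = bytes(len(disk))


def demo() -> tuple:
    """Returns (offsets found after quick format, offsets found after overwrite)."""
    disk = new_disk()
    write_file(disk, "record.txt", SAMPLE_RECORD)
    assert read_file(disk, "record.txt") == SAMPLE_RECORD
    quick_format(disk)
    assert read_directory(disk) == {}      # the file is "gone" as far as the OS is concerned
    after_format = carve(disk)
    overwrite(disk)
    after_overwrite = carve(disk)
    return after_format, after_overwrite


if __name__ == "__main__":
    found, gone = demo()
    print("after quick format, record found at byte offsets:", found)
    print("after overwrite, record found at byte offsets:", gone)
```

Running the block prints the record's offset after the quick format (block 1, i.e. byte 64) and an empty list after the overwrite. Real file systems are more complex than this toy, but the principle is the same: a format rewrites metadata, and only overwriting or physical destruction of the media satisfies the disposal requirement.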


Property Control

Practice assets and equipment will not be removed from the premises or lent to
anyone without the permission of a Partner or Practice Manager.

Details will be entered in a logbook by the Practice Manager, as required, to
control the movement of property from the premises.

Physical Safety & Security

This practice will work within the requirements of the relevant Health & Safety
at Work Act to maintain a safe and secure environment for the benefit of its
employees, visitors and patients.

Safety and security systems installed on the premises must be operated in
accordance with their instructions and should not be tampered with or repaired
other than by suitably competent or qualified persons.

Electrical equipment will be used in accordance with the Electricity at Work
Regulations.

Suspected defects must be reported as soon as possible.

Training

Practice staff will receive adequate training to fulfil their role and understand
their responsibilities within the practice.

Induction information and completion of the Safety & Security Checklist will
initiate this training.

Further training requirements are reviewed regularly to ensure continued
awareness and compliance with system developments, legislation and good
security practice.






Document Change History

Version        Date            Comments
Draft 1        February 2001   Draft document circulated to Project Connect Security group for discussion and comment.
Draft 2        April 2001      Document updated from comments and additional sections added. Handbook section removed for separate document.
Version No 1   May 2001        Document issued to practices.




Notes:




References:
[1] The Caldicott Committee: Report on the review of patient-identifiable information, December 1997
[2] BS7799 Part 1 (ISO/IEC 17799:2000) Code of Practice for Information Security Management, British Standards Institution
[3] Code and Practice for Connection of General Practices to NHSnet (Interim) Version 1.2, 21/12/2000
[4] Data Protection Act 1998 (Ch29), Act of the UK Parliament
[5] Human Rights Act 1998 (Ch42), Act of the UK Parliament
[6] Access to Health Records Act 1990 (Ch23), Act of the UK Parliament
[7] Computer Misuse Act 1990 (Ch18), Act of the UK Parliament




						