Information Asset Management Procedure

Transcription

1 Procedure Number: IG02 Version: 2.0 Approved by: Information Governance Working Group Date approved: July 2016 Ratified by: Audit and Risk Committee Date ratified: September 2016 Name of originator/author: Name of responsible individual: Review date: April 2018 Target audience: All Staff Louise Chatwyn Information Governance Manager Stuart Dalton Deputy Director of Governance Page 1 of 16

2 Version Control Sheet Version Date Who Change /12 G Lawrence First Version /13 Minor amendments following IGSG review /13 Amendment to reflect changes in the NHS structure on April 1 st /13 M Griffiths Reviewed for CCG ownership /13 Changes made from feedback from Audit & Risk August /16 L Chatwyn Review and update to current Summary of changes in Version 2 The old policy was transferred onto a new template to ensure consistency across IG documents Purpose defined to outline the objectives of the document. Now incorporates Mobile Working/Devices previously (stand alone documents) Roles and Responsibilities have been standardised. Training and awareness updated links Distribution now includes reference to documents being on the intranet Legislation and Related documents updated to reflect updated policies and legislation Appendices forms updated to currently in use documents Page 2 of 16

3 Contents 1. Introduction Purpose Scope Key Roles and Responsibilities Information Assessment Management Processes New IT Asset requirements IT Asset Movements Disposal of Assets Information Asset Management When Working Remotely Information Asset Registers Business Continuity Planning Failure to Comply Monitoring and Review Training Distribution and Implementation Associated Legislation and Documents References Appendices Appendix 1 VPN Request Form Appendix 2 Asset types and processes Page 3 of 16

4 1. Introduction Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. Nene CCG is a public body, with information processing as a fundamental part of its purpose. It is important, therefore, that the organisation has clear and relevant Information Asset Management procedures and practices which are implemented throughout the CCG for the current and future management of information to ensure compliance with all appropriate legislation, and standards. Nene CCG is assessed against its Information Asset Management procedures and practices within the IG Toolkit Return. This document provides guidance about the appropriate actions required to ensure the safe management including the secure disposal of any CCG electronic data processing assets and all associated data held upon it 2. Purpose By its own nature IT equipment is constantly evolving and therefore the following list is not exhaustive however physical assets (some of which would be classified as mobile devices can be summarised as follows: Personal Computer (PC) or Workstation Laptop or Notebook Computer Local or Networked Data Server Backup Device and Tapes Local or Network Printer Local or Network Scanner USB Removable Device or Portable Hard Disk Still or Video Camera (used for work purposes) ipad Network Device (such as a switch, router or firewall) This document is a statement of the approach and intentions for Nene CCG to fulfil its statutory and organisational responsibilities. It will enable management and staff to make correct decisions, work effectively and comply with relevant legislation and the organisations aims and objectives. A commissioning Support Unit CSU provide a managed security service to Nene CCG for Information Management & Technology (IM&T). This includes support to the Senior Information Risk Officer on security and asset and risk management. The CSU will manage security along current best practice guidelines as provided by DH and in accordance with applicable legislation. Page 4 of 16

5 The CCG acknowledges that information is a valuable asset, therefore it is within its interest to ensure that the information processing systems, and electronic or paper based information held is suitably processed The CCG will ensure all information is dealt with legally, securely, efficiently and effectively in the best interests of its employees and all third parties with whom information is shared in order to support the delivery of high quality patient care, service planning and operational management. 3. Scope This document applies to all staff, whether permanent, temporary or contracted. They are responsible for ensuring that they are aware of all relevant requirements and that they comply with them on a day to day basis. Furthermore, the principles of this document apply to all third parties and others authorised to undertake work on behalf of Nene CCG. This document covers all aspects of handling information, in both paper and electronic format 4. Key Roles and Responsibilities Role Accountable Officer Senior Information Risk Officer Responsibility The Accountable Officer and the Board have ultimate accountability for actions and inactions in relation to this document The CCG s SIRO is responsible for having overall accountability for Information Governance; this includes the Data Protection and Confidentiality function. The role includes briefing the Board and providing assurance through the Audit and Risk Committee that the IG approach is effective in terms of resource, commitment and execution. Caldicott Guardian Deputy Director of Governance The SIRO for Nene CCG is the Chief Finance Officer The Caldicott Guardian has responsibility for ensuring that there are adequate standards for protecting patient information and that all data transfers are undertaken in accordance with Safe Haven guidelines and the Caldicott principles. The Caldicott Guardian for Nene CCG is the GP Chair The Deputy Director of Governance has overall day to day responsibility for the Information Governance in the CCG. The role includes briefing the Board, including the SIRO Page 5 of 16

6 Information Governance Lead Information Security Lead and Caldicott Guardian of information risks and information incidents The Information Governance Manager has day to day responsibility for implementing and monitoring procedures to ensure compliance with relevant information legislation The Information Governance Manager is responsible for completion of the IG Toolkit, actions arising to ensure compliance and subsequent workplans for continuing improvement CSU provide a managed security service to Nene CCG for Information Management & Technology (IM&T) The Information Security Lead will work closely with the CCG Information Governance Team Business Manager Information Asset Owners Managers All staff IT Helpdesk The CCG Business Manager will be the initial contact for all IT asset movements, new amend or disposals Information Asset Owners (IAO) will act as nominated owner of CCG information assets. Their responsibilities will include: Identify Information Asset Administrators to assist them with their duties, where this is appropriate and necessary. Document, understand and monitor what information assets are held, and for what purpose, how information is created, amended or added to, who has access to the information and why Managers and supervisors are responsible for ensuring that staff who report to them have suitable access to this document and it s supporting policies and procedures and that they are implemented in their area of authority. Managers are also responsible for ensuring the initial training compliance of all staff reporting to them Have a responsibility to: Be aware of the Information Governance requirements Support the CCG to achieve Toolkit Compliance Complete annual IG training Report information Incidents appropriately Will provide support to CCG users 5. Information Assessment Management Processes Page 6 of 16

7 Management of computers and networks shall be controlled through CSU IM&T standard documented policies and procedures The CCG recognises that the aim of information risk management is not to eliminate risk, but rather to provide the structural means to identify prioritise and manage the risks involved in all the CCG s information activities. The CCG is not willing to accept information risks in most circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents(s) of regulatory noncompliance, potential risk of injury or harm to staff, service users and other relevant stakeholders. 5.1 New IT Asset requirements All new requirements for IT assets must be requested via the CCG Business Manager. Access to and Novell for new starters to the CCG must also be requested via the CCG Business Manager A flow chart of asset types and processes can be found at Appendix 2 When assets are not available from current CCG resources, new IT assets shall be procured from the CSU IM&T Team on behalf of the CCG All requests are to be made through the CCG Business Manager by to maintain an auditable approval and budget process 5.2 IT Asset Movements Prior to an IT asset being moved, the user and/or line manager responsible for the asset must contact the CCG Business Manager to advise of the move The CCG Business Manager will liaise with CSU IM&T Team Notice of at least five working days must be given to the CSU IM&T Team prior to the movement of any asset. Only the CSU IM&T Team staff are permitted to move IT assets. The CCG Business Manager will adjust the asset register once the asset has been moved 5.3 Disposal of Assets Great care must be exercised when disposing of any equipment which has been used in the processing of information if there is any possibility that some information may remain in/on it Page 7 of 16

8 At the termination of employment, employees shall return all data processing equipment, tokens, smartcards & data stored on devices supplied for that purpose All computers and electronic media must be disposed of through the CSU IM&T Team. This includes computer disks Authorisation for disposals can only be granted by the Chief Finance Officer and must be processed via the CCG Business Manager In cases where the information is held electronically, reference must be made to the CSU IM&T Team for the appropriate action to be taken (Note formatting a disk and/or overwriting a tape does not necessarily destroy the information held on it). The CSU IM&T Team will arrange for the physical destruction of the media. CSU IM&T Team will dispose of media containing personally identifiable or organisationally sensitive information on the CCG s behalf. They will dispose of the equipment in an authorised, appropriate, legal and environmentally sound manner adhering to the WEEE (The Waste Electrical and Electronic Equipment Directive) standard and provide the CCG with a certificate of disposal. Non sensitive information may be disposed of offsite Removable media may only be used to store and share NHS information that is required for a specific business purpose. When the business purpose has been satisfied, the contents of removable media must be removed from that media through a destruction method that makes recovery of the data impossible. Alternatively the removable media and its data should be destroyed and disposed of beyond its potential reuse. In all cases, a record of the action to remove data from or to destroy data will be recorded by the CSU IM&T Team In cases where confidential information is held on hard copy (paper, film, etc.), when no longer required the media must be disposed of via the Confidential Waste process. Shredding machines and Confidential Waste sacks are made available throughout the unit and there are regular collections whereby confidential data is disposed of appropriately 5.4 Information Asset Management When Working Remotely This section aims to support staff who use organisation supplied mobile data devices or paper records at any site other than their normal place of work or at home, by ensuring that they are aware of the information security issues. In order to protect staff and other people, organisational assets and systems, staff who work at home or other sites must take appropriate security measures Staff are responsible for ensuring that unauthorised individuals are not able to see information, access systems or remove equipment or information. If equipment is Page 8 of 16

9 being used outside of its normal location and might be left unattended, the user must secure it by other means (such as security cable, locked cabinet or room) Equipment in use will not be left unattended at any time Any equipment supplied for remote access to NHS resources must be stored securely when not in use. Where a system requires a PIN number and a VPN security token these must be stored separately A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. A VPN enables users to send data between two computers across a shared or public internet work in a manner that emulates the properties of a point-to-point private link. The act of configuring and creating a virtual private network is known as virtual private networking A VPN request form can be found at Appendix 1 and a VPN guidance document is available from CSU IM&T Team CCG equipment must not be connected to any phone line, internet connection or network via a secure remote link (VPN) other than to access NHS resources Equipment, and paper files must be kept out of sight (in car boots) whilst in transit, locked away and ideally not be left unattended at any time. Equipment and paperwork must not be left in a vehicle overnight Any member of staff allowing access by an unauthorised person, deliberately or inadvertently may be subject to the CCGs disciplinary proceedings. The CSU IM&T Team is responsible for ensuring that access to supplied equipment requires a username and password and that anti-virus software is installed Portable device users must regularly connect to the network to ensure that the antivirus software remains updated. Failure to do so could result in unnecessary virus outbreaks Information Asset Registers The CCG will maintain an asset register of key Information Technology (IT) assets; this will include all IT hardware and software The CCG will maintain an asset register of information systems, use risk management procedures to estimate threat probability, including security risks, their vulnerability to damage, and impact of any damage caused. Each IT asset, (hardware, software, application or data) shall have a named custodian who shall be responsible for the information security of that asset 1 Source: Arden & GEM CSU Anti Virus Policy v1.11 DP-IT-PCM-4 Page 9 of 16

10 Measures will be taken to ensure that each system is secured to an appropriate and cost effective level and that data protection principles are implemented The Information Asset Register will be reviewed regularly to ensure it remains current and accurate and will be subject to internal audit and annual assessment in line with completion of the Information Governance Toolkit The Information Assurance Plan is detailed within the Information Security Policy 5.6 Data Flow Mapping Within the NHS, numerous urgent and routine transfers of patient and staff information take place each day for the purposes of healthcare and administration of healthcare services e.g. communications to patients, s to job candidates, patient notes made during a home visit, moving case notes. It has long been recognised that this information is more vulnerable to loss or compromise when outside the organisation i.e. being carried around or sent / copied from one location to another. Information mapping is essential as it will help to understand how data is transferred to and from the organisation, and give assurance that measures are in place to ensure data is secure in transit and that it reaches its destination promptly and safely. The requirement to map information flows has been included in organisational confidentiality audits since 2001 e.g. Version 6 of the Information Governance Toolkit (IGT) Information Governance Toolkit Requirement 350 To adequately protect personal information, organisations need to know how the information is transferred into and out of the organisation, risk assess the transfer methods and consider the sensitivity of the information being transferred. Transfers of all personal and sensitive information must comply with professional standards and relevant legislation (e.g. Principle 7 of the Data Protection Act 1998 which requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of, and accidental loss or destruction of, or damage, to personal data). Information Governance Toolkit Requirement 236 Organisations are responsible for the security and confidentiality of personal information they process. Processing may include the transfer of that information to countries outside of the UK, and where person identifiable information is transferred, organisations must comply with both the Data Protection Act 1998 and the Department of Health guidelines. Page 10 of 16

11 The CCG will undertake a periodic data flow mapping exercise and from this exercise determine the information risks regarding its data flows within the CCG and/or with it delivery partners. 6. Business Continuity Planning The CCG shall ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks In the event of a major incident or disaster, the Organisation may recall all equipment on loan to provide core services 7. Failure to Comply Any failure to comply and/or breaches of this document and associated policies, procedures and guidelines will be investigated thoroughly in accordance with the organisation s disciplinary policies. 8. Monitoring and Review Performance against key performance indicators will be reviewed on an annual basis through the IG Toolkit submission (requirements 236 and 350) and used to inform the development of future documents. Unless there is major legislation or policy changes, this document will be reviewed every two years 9. Training Appropriate training will be provided to all Staff commensurate with their role profile as necessary. Training is available through the HSCIC Information Governance Training Tool which can be found here: Distribution and Implementation A full set of policy and procedural documents to support Information Governance will be made available via the Nene CCG staff intranet. Staff will be made aware of procedural updates as they occur via team briefs, management communications and notification via the CCG staff intranet. 11. Associated Legislation and Documents To include but not limited to: Information Governance Policy and Management Framework Page 11 of 16

12 Nene & Corby Serious Incident Policy Information Governance Incidents, Cyber Security Incidents and Near Misses Reporting Procedure Confidentiality Data Protection Policy Information Security Policy Information Sharing Procedure Information Disclosure Procedure The following references and areas of legislation should be adhered to. Confidentiality NHS Code of Practice Data Protection Act 1998 Caldicott Guardian principles Freedom of Information Act 2000 Environmental Information Regulations 2004 Access to Health Records 1990 Records Management NHS Code of Practice Computer Misuse Act 1990 Electronic Communications Act 2000 Regulation of Investigatory Powers Act References The IG Toolkit Data Protection Act Freedom of Information Act Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation 20Checklist%20Guidance.pdf The NHS Constitution for England NHS Code of Confidentiality NHS Care Record Guarantee Page 12 of 16

13 NHS Information Risk Management The Caldicott Review: Information Governance in the Health and Social Care System / _InfoGovernance_accv2.pdf Access to Health Records Act Appendices Appendix 1 VPN Request Form Page 13 of 16

14 REQUEST FOR NEW SOFTVPN TOKEN GEM Service Desk Tel: This form is to be used to request a new VPN token in order to access the Trust s network remotely. In order to connect remotely you must have an NHS laptop with either a Broadband or a 3G Connection. Should you require either a laptop and/or a 3G SIM card, these must be requested separately via your IM&T Purchasing Procedure Please accurately complete all sections using capital letters Name Department Contact Number Request Date (Use the format dd/mm/yy) Reason for Requesting a SOFTVPN to New User Details Title Location Mobile No: Request Details Laptop Asset Laptop Model Laptop Details Laptop Make Connection Details Do you have a 3G connection? (If you require a 3G SIM card and/or USB Dongle this must be requested separately via your IM&T Purchaseprocedure) Yes No Do you have a Broadband connection? Yes No Do you have access to the configuration of your modem/router? Yes No If No, who configured your modem/router? What is your mobile number Please note that you will not be able to print work information on your home network printer Please sign to confirm you have read the following Provide Services Security Policy: IM&T 21 Use of Mobile Computing Devices* Policy Agreement (New User s Signature) I confirm I have read the Policy Budget Approval (To be completed by the Budget Holder) Budget Holders Name Budget Code The form must be sent from the budget holders account or their delegated representative to confirm agreement to these on-going costs. Monthly Cost for texting will be based on usage at standard(budget Holder s Signature) tariff Approximately 4p per text (price accurate as at May 2011 but may vary) (IM&T are liaising with Vodafone to re-negotiate tariff for Soft VPN texts) Annual Cost (Budget Holder s Signature) Form to be completed fully and ed to the itservicedesk@gemcsu.nhs.uk Forms submitted with inaccurate details will be rejected; forms will then need to be resubmitted Page 14 of 16

15 Appendix 2 Asset types and processes Page 15 of 16

16 Employee requests laptop Employee requests VPN Employee requests mobile phone Employee may require remote working and needs access to Nene Server Employee has laptop Employee may be required to work remotely and needs a mobile phone to undertake their role effectively Employee is a lone worker and personal safety could be compromised YES NO YES NO Director and Budget holder to agree budget available Request not supported by Director and budget holder Request supported by Director and budget holder Request not supported by Director and budget holder Employee has a personal mobile phone Employee does not have a personal mobile phone Executive Management Team approve request Business Manager to procure equipment No equipment provided VPN procured via Service Desk VPN not provided No handset issued If band 8c or above eligible for ipad Director and Budget holder to agree budget available Request sent to Service Desk 16 P a g e