
Information Security Policy

Authors: Susan Hall, Information Governance Manager; Stuart Cassidy, Service Manager, Systems & Network Services
Owner: Sue Rushbrook, Director of S&NS
Publisher: Compliance Unit
Date of first issue: November 1996
Version: 5.0
Date of version issue: June 2014
Approved by: Information Governance Group
Date approved: June 2014
Review date: June 2016
Target audience: All Staff
Relevant Regulations and Standards: Data Protection Act 1998; DoH Information Security Policy

Executive Summary
This policy sets out the technical and organisational measures required to protect the Trust's information assets, including systems and networks, patient records and other corporate information, from all threats to their security, integrity and availability.

This is a controlled document. Whilst this document may be printed, the electronic version is maintained on the Q-Pulse system under version and configuration control. Please consider the resource and environmental implications before printing this document.
Version History Log
This area should detail the version history for this document. It should detail the key elements of the changes to the versions.

Version: 4.0
Date approved: Jan 2010
Author: SH/SC
Version location: Horizon
Status & details of significant changes:
- No longer joint policy with Selby & York PCT, NEYNL SHA
- Conformed to YHFT Policy Template
- Incorporated new NHS Code of Practice
- Introduced roles of SIRO, IAO, IAA's
- Updated external references and appendices

Version: 5.0
Date approved: Reviewed Jan 2014
Author: SH
Version location: Draft on IG X drive
Status & details of significant changes:
- Conformed to new Policy Template, included flowchart
- Updated job titles
- Updated references to IG guidance documents
- Replaced NHS Connecting for Health with NHS Health and Social Care Information Centre/Information Standards Board, updated links
- Replaced Information Governance Committee with Information Governance Group
- Replaced Risk and Assurance Committee with Corporate Risk Management Group
- Para 3.2.4 Internal and external incident reporting requirements
- Para 3.2.8 Information security training mandated for all staff
- Removed references to IT Strategy Group
- Added roles of IG Lead/Privacy Officer, Chief Clinical Information Officer
- Para 5.8 Clarify responsibilities of Auditors
- Appendix D Updated key legislation

[INFORMATION SECURITY POLICY] Version 5 Page 2 of 35
Contents
Number  Heading  Page
Process flowchart  6
1  Introduction & Scope  7
2  Definitions / Terms used in policy  8
3  Policy Statement  9
4  Equality analysis  11
5  Accountability  11
6  Consultation, Assurance and Approval Process  14
7  Review and Revision Arrangements  15
8  Dissemination and Implementation  16
9  Document Control including Archiving  17
10  Monitoring Compliance and Effectiveness  18
10.1  Process for Monitoring Compliance and Effectiveness  18
10.2  Standards/Key Performance Indicators  19
11  Training  19
12  Trust Associated Documentation  20
13  External References  20
14  Appendices  20

Process flowchart
(Source: Information Security Management: NHS Code of Practice, DoH, April 2007)

Core elements of an effective Information Security Management System (ISMS) can be summarised as follows:

PLAN - Establish the Need
- Define the business needs for information security and set these out within a corporate information security policy.
- Identify and assess the risks to information security.
- Decide how the risks are to be managed/reduced/transferred, or accepted.

DO - Implement the plan
- Develop and implement action plans to manage the identified information security risks.
- Implement training and awareness for all relevant staff.

CHECK - Monitor and review the measures in place
- Establish processes to identify actual and potential information security incidents or systems weaknesses.
- Monitor and update information security risk assessments as required.
- Monitor the effectiveness of the ISMS in managing information risks through internal reviews and independent audit.

ACT - Maintain performance
- Review and update the ISMS as required.

1 Introduction & Scope
Information, whether in paper or electronic format, is of critical
importance to NHS patient care and supporting business
processes.
NHS organisations need to have robust information security management arrangements:
- for the protection of their patient records and key information services
- to meet the statutory requirements set out in the Data Protection Act 1998 and other legislation
- to satisfy their obligations under the NHS Information Governance framework.
Additionally, clinicians are under a duty to meet information
security management standards set by their professional
regulatory bodies.
The purpose of this Policy is to protect, to a consistently high
standard, all information assets, including patient records and
other NHS corporate information, from all potentially damaging
threats, whether internal or external, deliberate or accidental.
Correctly applied and adhered to, the Policy will achieve a
comprehensive and consistent approach to the management of
information risk across the Foundation Trust.
The Policy forms part of the Foundation Trust's overall Information Governance Programme. It will be supported by specific security policies, technical standards and guidance, which will ensure that its requirements are understood and met across the organisation.
Scope
This Policy applies to all information which is owned, held, or used,
jointly with other organisations or independently by York Teaching
Hospital NHS Foundation Trust. It embraces information in its
many forms, whether spoken, written, printed or stored on
computer.
The Policy also applies to all media and equipment used in
creating, storing, processing, using or transmitting that information.

The Policy is to be implemented by all staff of the Foundation
Trust, its information services contractors and other business
partners who access or use information held by the Trust.

2 Definitions / Terms used in policy

2.1 Information Security
Information security is the protection of:
- Confidentiality, i.e. access to information is restricted to those with specified authority, and who need to know it
- Integrity, i.e. information is accurate, complete, and where necessary, kept up-to-date
- Availability, i.e. information is delivered to the right person in the appropriate form at the time when it is needed.
2.2 Information Security Management System
An Information Security Management System (ISMS) is a documented model for implementing, monitoring and improving the effectiveness of information security management within an organisation. NHS organisations are required to develop an ISMS in order to demonstrate their compliance with NHS information security standards.

2.3 Information Risk
Information Risk is essentially the chance of an event occurring which could compromise the security of Trust information, information systems or processes. Poorly controlled information risks could lead to loss, destruction or unauthorised disclosure of vital information assets. Information risk should be identified and treated within the organisation's overall business risk management framework.

3 Policy Statement
3.1 Principles

3.1.1 The Foundation Trust accepts willingly all legal and ethical obligations in respect of information security. Key legislation is set out in Appendix D.

3.1.2 The Foundation Trust will address the management of information security in accordance with the NHS Code of Practice for Information Security Management. Appendix E gives a summary of the activities covered by the Code.

3.1.3 The Foundation Trust will comply with all nationally mandated requirements in respect of Information Governance.

3.1.4 The Foundation Trust will develop, maintain and use its information resources in the interests of high quality, seamless patient care. To this end, it will actively promote the appropriate sharing of information between providers, whilst ensuring the proper protection of that information.

3.1.5 The Foundation Trust is committed to the principles of patient privacy and choice which underpin the NHS Care Records Guarantee. As such the Trust will seek to ensure that information is used with due regard for the rights and preferences of individual patients.

3.1.6 In order to achieve compliance and to satisfy its obligations to patients, staff and the wider NHS, the Foundation Trust is committed to achieving recognised best practice at acceptable cost.

3.2 Practice
3.2.1 The Foundation Trust will establish and maintain a
comprehensive Information Security Management System
(ISMS). This will be based on the NHS Information
Governance Toolkit, underpinned by British and
International Standards for information security (BS
ISO/IEC 27001/2:2005, BS 7799-1/2:2005 etc). The ISMS
will be developed in accordance with successive versions
of the Toolkit.

3.2.2 Threats to Trust data shall be appropriately identified using formal risk assessment methods. Identified risks shall be regularly reviewed and managed to ensure information is of high quality, held and used with proper regard to confidentiality, and available to authorised users as and when they need it.

3.2.3 Appropriate technical and procedural contingency plans shall be identified and implemented for Trust information systems. Where dependence on systems is assessed as critical, the affected Directorates/Departments shall ensure that appropriate business continuity plans are put in place.

3.2.4 Any breaches of information security, actual or near misses, shall be recorded and notified as required by local and national incident management and reporting policies. Any resulting investigation will be supported by an appropriately skilled and experienced Information Security Officer. Incidents appearing to arise from staff misconduct will be investigated under the Trust's Disciplinary Policy.

3.2.5 Appropriate measures shall be adopted to ensure the integrity of data held on Trust systems. These measures are set out fully in the Trust's Data Quality Policy and will include incorporation of standard definitions and values in Trust systems along with a robust programme of user training, data validation and audit.

3.2.6 Compliance with this information security policy will be enforced using a range of appropriate preventative security tools.

3.2.7 Compliance will be monitored using a variety of technical and procedural measures, including departmental Information Governance compliance reviews and implementation of audit trails to record access to and modification of data.

3.2.8 Relevant information security training and awareness will be mandatory for all staff.

3.2.9 This top-level policy will be supported by specific security policies, technical standards and operational procedures, which will ensure that information security requirements are understood and met across the Trust.

4 Equality Analysis
The Trust aims to design and implement services, policies
and measures that meet the diverse needs of our service,
population and workforce, ensuring that none are placed at
an unreasonable or unfair disadvantage over others.
In the development of this policy, the Trust has considered
its impact with regard to equalities legislation. The outcome
of the Equality Analysis is reported at Appendix A.

5 Accountability
5.1 Chief Executive
The Chief Executive of the Foundation Trust is ultimately accountable for the quality and security of the information resources under its control, and for ensuring compliance with the law and guidance. The CEO has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level.

5.2 Senior Information Risk Owner
The Finance Director fulfils the role of Senior Information Risk Owner (SIRO). The SIRO has lead responsibility for coordinating the development and maintenance of information risk management policies, procedures and standards for the Trust. The SIRO will:
- Take ownership of information risk policy across the Trust
- Act as advocate for information risk on the Board of Directors
- Provide written advice to the Accounting Officer (Chief Executive) on the content of the Trust's Annual Governance Statement in respect of information risk

5.3 Caldicott Guardian
The Trust's Medical Director acts as Caldicott Guardian, overseeing the protection of patient confidentiality. The Caldicott Guardian is an advisory role, providing a focal point for all patient confidentiality and information sharing issues and ensuring legal and ethical best practice in the management of patient information and records.

5.4 Director, Systems and Network Services
Accountable to the Chief Executive, the Director of Systems and Network Services has lead operational responsibility for the security of the network infrastructure and information technology provided for the Scarborough and York Health Community. The Director of Systems and Network Services is the Information Security Officer for the purposes of information security incident reporting and investigation.

5.5 Chief Clinical Information Officer
Working as part of the Systems & Networks Services team, the Chief Clinical Information Officer supports the safe and efficient design, implementation and use of IT to deliver improvements in the quality and outcomes of patient care. In particular, the postholder will provide clinical overview and expertise to the design and development of clinical information systems, ensuring they are safe, effective, and evidence-based.

5.6 Deputy Director of Healthcare Governance
Accountable to the Senior Information Risk Owner and Caldicott Guardian, the Deputy Director of Healthcare Governance is the Trust's senior management lead for risk, incorporating Information Governance, and chairs the IG steering group. The post holder is Data Protection lead for the organisation.

5.7 Information Governance Lead
Accountable to the Deputy Director of Healthcare Governance, the IG Lead manager will take operational lead for the Information Governance programme, working with clinicians and managers across the Trust to deliver good performance against a background of rapid technical and organisational change. The IG Lead takes operational responsibility for Data Protection compliance and acts as Privacy Officer for the organisation, ensuring appropriate monitoring of users' Summary Care Record viewing activity.

5.8 Management Arrangements

The Director of Systems and Network Services is accountable to the Executive Board for implementation of this Policy in respect of IT developments, including the National Programme.

The Information Governance Group (IGG) bears responsibility for Information Security as the Trust's IG Steering Group. The IGG:
- ensures that the Trust undertakes annual assessments of its Information Governance policies and arrangements.
- maintains an annual Information Governance Improvement Plan and monitors the implementation of that plan.
- oversees collation of the Trust's Information Governance Central Return, and ensures timely approval by the Trust's Board of Directors.

The implementation of information security standards is closely linked to the Foundation Trust's Risk Management programme, and regular reports shall be made to the relevant Steering Groups. The IGG reports to the Corporate Risk Management Group, and the Director of Systems & Networks directly to the Executive Board.

5.9 Auditors
Information Governance issues are mandated for inclusion in the Internal Audit Annual Plan, and findings are reported in the Head of Internal Audit's Opinion. For monitoring and audit responsibilities, see section 10 below.

5.10 Information Asset Owners
Information Asset Owners (IAOs) are senior individuals involved in running a business function, who have specific responsibility for the protection of the associated information assets (computer systems, networks, paper based records). They will understand and address risks to the information assets they own and provide assurance to the SIRO on the protection of those assets.

IAOs are also responsible for putting plans in place to ensure that essential business functions can continue in the event of any critical system failure.

5.11 Information Asset Administrators
IAOs are supported by designated Information Asset Administrators (IAAs), who have operational responsibility for managing the protected asset. IAAs ensure that policies and procedures are followed, recognise actual or potential security incidents, consult their IAO on incident management, and ensure that information asset registers are accurate and up to date.

5.12 Responsibility of All Managers
All line managers, directors and heads of department have a delegated responsibility for ensuring that legal and best practice is observed in their operational area.

They will be supported by the Director of Systems and Network Services, by the Information Governance lead and by members of their teams with special responsibility for data quality and security, including Information Asset Owners and Information Asset Administrators.

Specific measures will include:
- Ensuring that standards and procedures are documented and actively implemented in every location where information is collected and used
- Ensuring that staff are properly trained and equipped to fulfil their responsibilities
- Making available adequate resources for reviewing, monitoring and continually improving security and data quality
- Taking appropriate, positive action where standards are not met, including the prompt reporting of any information security incident or near-miss.

5.13 Individual responsibility
Every member of staff should undertake Information Governance training as appropriate to their role. Requirements are identified in the Corporate Statutory and Mandatory training programme.

Every member of staff is responsible for ensuring that no breach of information security occurs as a result of their actions.

Breaches of information security may result in appropriate disciplinary action being taken against the member(s) of staff concerned.

In the case of a criminal offence, staff may be personally liable and may face prosecution.

Staff are actively encouraged, and have an obligation, to report immediately any perceived risks to information security, or suspected breaches of the Policy.

The additional responsibilities of staff who use computers are set out in Appendix F.

6 Consultation, Assurance and Approval Process
The Trust will involve stakeholders and service users in the development of its policies.

6.1 Consultation Process
The Senior Information Risk Owner, Caldicott Guardian and Deputy Director of Healthcare Governance have all been formally consulted in the process of reviewing this Policy. The Policy was also circulated, for information and comment, to the Systems & Networks IG Standards Group and Information Governance Group.
6.2 Quality Assurance Process
Following consultation with stakeholders and relevant consultative committees, this policy has been through quality assurance checks prior to being reviewed by the authorising committee to ensure it meets the NHSLA standards for the production of policy and equalities legislation and is compliant with the Development and Management of Policies policy.
6.3 Approval Process
The approval process for this policy complies with that
detailed in section 6.3 of the Development and Management
of Policies Policy. The approving body for this policy is the
Executive Board.
The Checklist for Review and Approval has been completed
and is included as Appendix B1 and the completed Virtual
Policy Review Group Checklist is included as Appendix B2.
7 Review and Revision Arrangements
On reviewing this policy, all stakeholders identified in section 6.1 will be consulted. The persons responsible for review are the owner and authors of the policy.

Subsequent changes to this policy will be detailed on the version control sheet at the front of the policy and a new version number will be applied.

Subsequent reviews of this policy will continue to require the approval of the Information Governance Group and Executive Board.

Substantial changes to the policy will continue to require the approval of the appropriate committees and changes will be detailed on the version control sheet at the front of the policy. Subsequent reviews of this policy will continue to require the approval of the appropriate committee as determined by the Policy for Development and Management of Policies.

8 Dissemination and Implementation

8.1 Dissemination
Once approved, this policy will be brought to the attention of all relevant staff working at and for York Hospital NHS Foundation Trust following the completed Plan for dissemination of the policy (see Appendix C).

This policy is available in alternative formats, such as Braille
or large font, on request to the author of the policy.
8.2 Implementation of Policies
8.2.1 Together with members of the Systems & Network
Services team, and working with Departments and
Directorates as appropriate, the Director of Systems &
Network Services will lead on implementation of the
technical security measures required by this Policy.
8.2.2 Corporate and local induction procedures, along with
any IT training received, will introduce new starters to
the rules and procedures applicable to them. Existing
staff will be exposed to relevant guidance documents
through the Statutory and Mandatory training
programme, and further training as appropriate to their
job role, through the IT training and Learning and
Development programmes.
8.2.3 To support implementation of this Policy, the
Information Governance Team has published a series
of Staff Guides. The Staff Guides summarise
operational requirements by function (e.g. E-mail) or
topic area (e.g. Data Protection). The Guides will be
introduced to new starters attending introductory
Windows and CPD training, and will be made available
to all staff as described under Section 8.1
(Dissemination).

9 Document Control including Archiving

9.1 Register/Library of Policies
This policy will be stored on Staffroom, in the policies and procedures section, and will be stored both in an alphabetical list as well as being accessible through the portal's search facility and by group. The register of policies will be maintained by the Healthcare Governance Directorate.
If members of staff want to print off a copy of a policy they should always do this using the version obtainable from Staffroom but must be aware that these are only valid on the day of printing and they must refer to the intranet for the latest version. Hard copies must not be stored for local use as this undermines the effectiveness of an intranet based system.
9.2 Archiving Arrangements
On review of this policy, archived copies of previous versions
will be automatically held on the version history section of each
policy document on Q-Pulse. The Healthcare Governance
Directorate will retain archived copies of previous versions
made available to them. Policy Authors are requested to
ensure that the Policy Manager has copies of all previous
versions of the document.
It is the responsibility of the Healthcare Governance
Directorate to ensure that version history is maintained on
Staffroom and Q-Pulse.
9.3 Process for Retrieving Archived Policies
To retrieve a former version of this policy from Q-Pulse, the
Healthcare Governance Directorate should be contacted.

10 Monitoring Compliance and Effectiveness

10.1 Process for Monitoring Compliance and Effectiveness
In order to fully monitor compliance with this policy and to ensure that the minimum requirements of the NHSLA Risk Management Standards for Acute Trusts are met, the policy will be monitored as follows:

a. Minimum requirement to be monitored: Information Security Standards within Information Governance Toolkit

Process for monitoring 1: In-year reviews and evidence collection
Responsible individual/committee/group: Director of Systems & Network Services and SNS IG Standards Group
Frequency of monitoring: Ongoing via regular meetings
Responsible individual/committee/group for review of results: Information Governance Standards Group
Responsible individual/committee/group for developing an action plan: Director of Systems & Network Services and SNS IG Standards Group
Responsible individual/committee/group for monitoring of action plan: Information Governance Group; Corporate Risk Management Group; Executive Board; Trust Board

Process for monitoring 2: Internal Audit
Responsible individual/committee/group: Internal Audit
Frequency of monitoring: Annually
Responsible individual/committee/group for review of results: Corporate Risk Management Group
Responsible individual/committee/group for developing an action plan: Internal Audit working with IG Team, SNS, other Trust Depts and Directorates.
10.2 Standards/Key Performance Indicators
Information Governance Toolkit, new version released annually by
the Department of Health, hosted by the Health and Social Care
Information Centre.
Information Security Management: NHS Code of Practice
published by the DoH, April 2007.

11 Training
Training requirements should be identified during the development stage.
Any training requirements identified within this policy that are of a Corporate Statutory or Mandatory nature will be outlined in the Statutory/Mandatory Training Brochure. This can be accessed via the link on Staff Room (the Trust Intranet), on the network at Q:\York Hospital Trust\Mandatory Training or the Learning Hub (the organisation's online learning platform).
If this training is deemed to be Statutory or Mandatory and is not identified within the Statutory/Mandatory Training Brochure then application must be made by the Policy Author to the Corporate Learning and Development Team to have it added.
These training requirements are used to develop the customised profiles that can be viewed by learners when they access their personal online learning account. It is then the learner's responsibility to undertake this learning with the support of their line manager and the line manager's responsibility to review this at annual KSF appraisal.
The Corporate Statutory and Mandatory Training Identification Policy and Procedure document describes the processes relating to the identification, review, delivery and monitoring of statutory and mandatory training including non-attendance.
12 Trust Associated Documentation
- Information Governance Policy and Strategy
- Data Protection Policy
- Acceptable Use of Internet and E-Mail
- User Access Protocol
- Data Quality Policy
- Records Management Policy
- Risk Management Policy and Procedure
- AIRS Policy, Serious Incident Policy
- Information Governance Staff Guide Series

13 External References
- Health and Social Care Information Centre Information Security: http://systems.hscic.gov.uk/infogov/security
- Information Governance Toolkit: https://nww.igt.hscic.gov.uk/
- Information Commissioner: www.ico.gov.uk/

14 Appendices
Appendix A  Equality Analysis
Appendix B1  Checklist for Review and Approval
Appendix B2  Virtual Policy Review Group Checklist
Appendix C  Plan for dissemination of policy
Appendix D  Key Legislation relating to Information Security
Appendix E  Information Security Management: Scope
Appendix F  The Ten Essential Rules

Appendix A: Equality Analysis
To be completed when submitted to the appropriate committee for consideration and approval.

Name of Policy: Information Governance Policy

1. What are the intended outcomes of this work?
To promote the secure handling and storage of information whether in paper or electronic format.

2. Who will be affected?
Everyone who works for or on behalf of the Trust regardless of whether they are paid or unpaid.

3. What evidence have you considered?
Principal model is national policy as represented in the NHS Information Governance Toolkit. The Policy is designed to protect the information rights of all people, including protected groups.
a. Disability
In this and related policies, provision has been made for those who may lack capacity to consent in relation to information sharing and use.
b. Sex
This policy is inclusive and does not differentiate between people on the basis of this characteristic.
c. Race
This policy is inclusive and does not differentiate between people on the basis of this characteristic.
d. Age
This policy is inclusive and does not differentiate between people on the basis of this characteristic.

e. Gender Reassignment
This policy is inclusive and does not differentiate between people on the basis of this characteristic.
f. Sexual Orientation
This policy is inclusive and does not differentiate between people on the basis of this characteristic.
g. Religion or Belief
This policy is inclusive and does not differentiate between people on the basis of this characteristic.
h. Pregnancy and Maternity
This policy is inclusive and does not differentiate between people on the basis of this characteristic.
i. Carers
This policy is inclusive and does not differentiate between people on the basis of this characteristic.
j. Other Identified Groups
None
4. Engagement and Involvement
a. Was this work subject to consultation? Yes
b. How have you engaged stakeholders in constructing the policy? Via consultation with Information Governance Group
c. If so, how have you engaged stakeholders in constructing the policy? As above
d. For each engagement activity, please state who was involved, how they were engaged and key outputs
Medical Director / Caldicott Guardian, Senior Information Risk Owner and representatives of Departments and Directorates on the Information Governance Group
Outputs = review, approval, systems for training and compliance monitoring

5. Consultation Outcome
Now consider and detail below how the proposals impact on elimination of discrimination, harassment and victimisation, advance the equality of opportunity and promote good relations between groups
a. Eliminate discrimination, harassment and victimisation: Makes information rights available to all
b. Advance Equality of Opportunity: Makes information rights available to all
c. Promote Good Relations Between Groups: Encourages dialogue between Trust and service users
d. What is the overall impact? Information rights available to all

Name of the Person who carried out this assessment: Susan Hall, Information Governance Lead
Date Assessment Completed: 2nd December 2013
Name of responsible Director: Sue Holden

Appendix B Checklist for the Review and Approval
To be completed and attached to any document which guides practice when submitted to the appropriate committee for consideration and approval.

Title of document being reviewed  |  Yes/No/Unsure  |  Comments
1 Development and Management of Policies
Is the title clear and unambiguous? Yes
Is it clear whether the document is a guideline, policy, protocol or procedures? Yes
2 Rationale
Are reasons for development of the document stated? Yes
3 Development Process
Is the method described in brief? Yes
Are individuals involved in the development identified? Yes
Do you feel a reasonable attempt has been made to ensure relevant expertise has been used? Yes
Is there evidence of consultation with stakeholders and users? Yes
Has an operational, manpower and financial resource assessment been undertaken? Yes
4 Content
Is the document linked to a strategy? Yes
Is the objective of the document clear? Yes
Is the target population clear and unambiguous? Yes
Are the intended outcomes described? Yes

Are the statements clear and unambiguous? Yes
5 Evidence Base
Is the type of evidence to support the document identified explicitly? Yes
Are key references cited? Yes
Are the references cited in full? Yes
Are local/organisational supporting documents referenced? Yes
5a Quality Assurance
Has the standard the policy been written to address the issues identified? Yes
Has QA been completed and approved? Yes
6 Approval
Does the document identify which committee/group will approve it? Yes
If appropriate, have the staff side committee (or equivalent) approved the document? Yes
7 Dissemination and Implementation
Is there an outline/plan to identify how this will be done? Yes
Does the plan include the necessary training/support to ensure compliance? Yes
8 Document Control
Does the document identify where it will be held? Yes
Have archiving arrangements for superseded documents been addressed? Yes

9 Process for Monitoring Compliance
Are there measurable standards or KPIs to support monitoring compliance with the document? Yes
Is there a plan to review or audit compliance with the document? Yes
10 Review Date
Is the review date identified? Yes
Is the frequency of review identified? If so, is it acceptable? Yes
11 Overall Responsibility for the Document
Is it clear who will be responsible for coordinating the dissemination, implementation and review of the documentation? Yes

Individual Approval
If you are happy to approve this document, please sign and date it and forward to the chair of the committee/group where it will receive final approval.
Name: Sue Rushbrook    Date: May 2014
Signature: Sue Rushbrook

Committee Approval
If the committee is happy to approve this document, please sign and date it and forward copies to the person with responsibility for disseminating and implementing the document and the person who is responsible for maintaining the organisation's database of approved documents.
Name: Approved by the Chair of the Information Governance Group    Date: June 2014
Signature:

Appendix C Plan for dissemination of policy
To be completed and attached to any document which guides practice when submitted to the appropriate committee for consideration and approval.
Title of document: Information Security Policy
Date finalised:
Previous document in use? V 4.0
Dissemination lead: Susan Hall
Which Strategy does it relate to? Information Governance
If yes, in what format and where? Previous Policy available electronically on Intranet
Proposed action to retrieve out of date copies of the document: Policy Manager will hold archive

Dissemination Grid
To be disseminated to: Notice of update to all staff with summary of requirements
Method of dissemination: Induction; Mandatory Training Programme; Staff Room
Who will do it? Systems and Network Services Team; IG Team
And when? Next available
Format (i.e. paper or electronic): Electronic

Dissemination Record
Date put on register / library: On Approval
Review date: Unknown
Disseminated to: All staff via Staff Room
Format (i.e. paper or electronic): Electronic
Date Disseminated:
No. of Copies Sent: N/A
Contact Details / Comments: No substantial change to communicate. Supporting IG Staff Guides set out detailed requirements.

Appendix D Key Legislation Relating to Information Security
The following is an indicative summary only. Fuller information is available in the DoH publication NHS Information Governance Guidance on Legal and Professional Obligations (September 2007).

1 THE DATA PROTECTION ACT 1998


Data Protection law protects the privacy of individuals. It places
obligations on organisations that record and use personal
information, and gives rights to people about whom information
is held. The 1998 Act applies to information held in manual files
as well as computer-based records, and requires extra
precautions where information is of a sensitive nature, such as
health details.

a Responsibilities of Data Controllers

The Foundation Trust is a Data Controller under the terms of
the 1998 Act. As such we must be open about the uses we
intend to make of personal information, notifying our activities
on a public register. The register is posted on the Information
Commissioner's website.

Those staff who have lead responsibility for a collection of
personal information, whether paper-based or held on computer,
must be able to demonstrate that all processing is carried out
within the terms of the Trust's register entry.
In addition, we are required to abide by the eight Data
Protection Principles, which are enforceable in law. Broadly
these state that personal data must be:
1. Obtained fairly and lawfully, i.e. being open and honest
about what we are recording and why
2. Used and disclosed only for the declared purposes
3. Adequate, relevant and not excessive
4. Accurate and, where necessary, kept up-to-date
5. Held no longer than is necessary for the declared purpose
6. Processed in line with individuals' rights (see under b)
below)
7. Surrounded by proper security
8. Not transferred abroad without adequate safeguards.

It is a CRIMINAL OFFENCE for a person knowingly or
recklessly to obtain or disclose personal data without the
consent of the data controller. Staff should always follow
proper procedures when accessing and using personal
information.
b Individuals' Rights
People can expect to be told about the uses we intend to make
of the information held about them. We should routinely check
that they understand and agree to those uses. If anyone
objects to a proposed use, we should respect their wishes
unless there are overriding reasons to go ahead, such as a
legal duty or where someone's life could be put at risk by not
acting.
People have the right to view what information is held about
them, challenge any errors and claim compensation if they have
suffered loss or harm as a result of mishandling. This right of
subject access to records is subject to certain conditions, and
patients must make formal application to the appropriate
hospital's Subject Access Team.

2 THE DATA PROTECTION (PROCESSING OF SENSITIVE PERSONAL DATA) ORDER 2000

The Order amends the DPA 1998 by defining several circumstances under which
it would be lawful to disclose sensitive personal data without explicit consent.
However, there must be a substantial public interest in making the disclosure;
therefore, any decision must involve the Caldicott Guardian and may require
referral to the organisation's legal advisers.

3 COPYRIGHT, DESIGNS AND PATENT ACT 1988


Copyright law protects intellectual property. It means that
unauthorised copying of published material, including computer
software, is a criminal offence. Therefore, staff must not borrow
CDs and copy the programs on them for their own use. Staff
should work with Systems and Networks Services to ensure
that any new software is properly authorised and licensed for
the intended use. Software installations are subject to periodic
audit, and copies of licence documentation must be available for
review.
4 COMPUTER MISUSE ACT 1990
The Computer Misuse Act 1990 was introduced to discourage
hackers, virus writers and other people who interfered with
computers without authority. It is an offence to access or
modify systems and data without permission. So, staff should
know the limits of their authority to view and amend information
held on computer, and stick to them.
5 THE FREEDOM OF INFORMATION ACT 2000 (FOIA)
The purpose of the FOIA is to promote greater openness and
accountability in public life. Anyone can request information
from public authorities (including NHS Trusts). People can ask
for anything of interest to them, such as financial data,
performance reports, clinical standards, policies and procedures
etc. Every NHS organisation must have an agreed process for
handling FOI requests: in York Teaching Hospital Foundation
Trust, requests should be forwarded immediately to the
Information Governance Team. Normally, we must provide the
information within 20 days. There are exemptions for some
types of information, for example, we do not have to disclose
truly personal information about patients or staff, or any
information provided to us in confidence. FOI challenges us to
keep adequate, accurate records of our activities, to ensure the
tone is always professional and objective, and to make sure we
are able to locate information quickly on demand. Information
should only be kept for as long as it is needed. More than ever,
staff should be aware of their local Records Management
policies and procedures.

6 THE POLICE AND CRIMINAL EVIDENCE ACT 1984 / THE CIVIL EVIDENCE ACT 1995

These Acts provide the legal basis for the use of documents
and records to be admissible as evidence in court proceedings.
Their scope includes electronic patient records.

7 THE PRIVACY AND ELECTRONIC COMMUNICATIONS (EC DIRECTIVE) REGULATIONS 2003

These Regulations are concerned with the processing of
personal information and the protection of privacy in the
electronic communications sector.

8 THE NATIONAL HEALTH SERVICE ACT 2006
Section 251 of the NHS Act 2006 (originally enacted under
Section 60 of the Health and Social Care Act 2001), allows the
common law duty of confidentiality to be set aside in specific
circumstances where anonymised information is not sufficient
and where patient consent is not practicable.

Since April 2013, the Health Research Authority advises the
Health Secretary which research proposals should be granted
S.251 approval.

Appendix E Information Security Management: Scope
The NHS Code of Practice lists a number of areas that should be
addressed by an effective information security management
system. The scope is summarised in the key international
standards, ISO17799 and ISO27001, as follows:
Security Policy
Management should define a policy to clarify their direction of, and
support for, information security, meaning a short, high-level
information security policy statement laying down the key
information security directives and mandates for the entire
organisation.
Organising information security
The principles of information security require that all reasonable
care is taken to prevent inappropriate access, modification or
manipulation of data from taking place. In the case of the NHS, the
most sensitive of our data is patient record information.

Information Governance is there to ensure these principles are
upheld by setting clear guidelines (policy) for all NHS users.
Asset management
Essential information about hardware and software (e.g. unique
identifiers, version numbers and physical locations) should be
recorded in inventories, and software licensing requirements met.
Human resources security
The organisation should manage system access rights etc. for
starters, movers and leavers, and should undertake suitable
security awareness, training and educational activities.
Physical and environmental security
The end user environment (and sensitive material stored or
disposed of within it) should be subject to a range of physical and
environmental controls.
Communications and Operations management
Security Controls for systems and network management should be
in place.

Access Control
Logical access to IT systems, networks and data must be suitably
controlled to prevent unauthorised use.

Information systems acquisition, development and management
Information security must be taken into account in the Systems
Development Lifecycle (SDLC) processes for specifying,
building/acquiring, testing, implementing and maintaining IT
systems.
Information security incident management
Information security incidents should be identified, responded to,
recovered from and followed up using an information security
management process.
Business continuity management
Business Continuity Management should be in place to counteract
interruptions to business activities and to protect critical business
processes from the effects of major failures or disasters.
Compliance
The organisation must comply with applicable legislation such as
copyright, data protection, protection of financial data and other
vital records, cryptography restrictions, rules of evidence etc.

Appendix F The Ten Essential Rules
Most employees now use computers as part of their job role and
therefore have specific responsibilities for information security.
Access to our computers and networks is conditional on your
agreement to abide by the ten essential security rules, which
represent a minimum standard of good practice:

1. Always work under your own user name and password.
2. Choose a password that is not obvious to anyone and change it
if you have any reason to suspect it has become known.
3. Never allow anyone else to work under your user name.
4. Always log out when you leave a PC, or disconnect your
session on a Windows Terminal.
5. Keep sensitive information out of sight: position screens
carefully and file confidential papers safely when not in use.
6. Understand how to save your work onto the network so that it is
secure, available to those who need it, and backed up
appropriately.
7. Do not attempt to access any information which you are not
authorised to see.
8. Do not use equipment, software or data belonging to your
organisation for any purpose other than official business. These
resources are not for personal use (limited exception for
Internet use: see Internet and E-mail Guidelines).
9. Do not introduce games or any software unless it is formally
authorised by Systems and Networks and licensed for use on
the premises.
10. If you suspect a security weakness, virus infection or breach
of any of these rules, report it immediately to your manager.

If you need help to understand or comply with these rules, contact
the Systems and Network Service Desk on (01904 72) 5000.
Compliance is monitored, and breaches will be formally
investigated and dealt with appropriately under the Trust's
Disciplinary Policy.
