Introduction
This policy sets out the intentions of Penrose Health to manage all the information within its remit to the standards required by law and regulation. In doing so, it supports high quality healthcare, through accurate, accessible and appropriately governed information. The organisation has put this policy in place to ensure staff are fully aware of their information management responsibilities.
This document uses definitions provided by the Cabinet Office. The Cabinet Office defines data as "qualitative or quantitative statements or numbers that are assumed to be factual, and not the product of analysis or interpretation" and information as "output of some process that summarises, interprets or otherwise represents data to convey meaning". These definitions are used throughout this document. All references to information in this document encompass both information and data. This includes information which is personal, financial or falls within any other category. The organisation uses information to support healthcare for patients. Information is also used to support the administration of the NHS. In addition to these functions are the requirements of NHS England and NHS Digital (NHSD), which form the wider governance structure that Penrose Health operates within.
This policy sets out the objectives and framework for the management of information within Penrose Health to ensure its security, maintaining its confidentiality, integrity and availability. This includes meeting our obligations under Data Protection Legislation (the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 as referenced in that Act, identified in this documentation as the Data Protection Legislation) to those we hold information about, supporting the ongoing development of the organisation and ensuring that innovation supports our organisation's development without undermining the security of the information we hold. The NHS and the administration of the NHS depend on the appropriate use of Personal Data, the management of secondary use of this data, and business sensitive data.
Penrose Health recognises that effective information management is fundamental to good administration and operational effectiveness and is an enabler to the achievement of strategic goals.
This policy is part of the suite of Information Governance policies which sets out the expected standards and controls around the use of information. They are: Information Governance, Information Quality, Information Management and Information Security. The overarching document which sets out Penrose Health's approach to Information Governance is the Information Governance Framework. The concepts and standards are interrelated, so all our obligations and intentions across the suite of policies should be considered together.
This policy is intended to identify Penrose Health's intentions in relation to the organisational implications of information security. Policies related to the operational and technical implementation of Information Security requirements are documented in the suite of ICT policies for Penrose Health.
Scope
This policy is applicable to:
- All information held and processed by Penrose Health. All information must be managed and held within a controlled environment and to a standard of accuracy and completeness. This includes personal data of patients and staff, patient level data (non-identifiable) as well as corporate information. It applies to records, information and data regardless of format, in addition to legacy data held by the organisation.
- All information processed by ICT, the provider of Penrose Health support services, including ICT and IG services.
- All permanent, contract or temporary staff of Penrose Health and all third parties who have access to Penrose Health premises, systems or information. Any reference to staff within this document also refers to those working on behalf of the organisation on a temporary, contractual or voluntary basis.
- Information systems, data sets, computer systems, networks, software and information created, held or processed on these systems, together with printed output from these systems, and
- All means of communicating information, both within and outside the organisation and both paper and electronic, including data and voice transmissions, emails, post, voice and video conferencing. The organisation also believes that its internal management processes will be improved by the greater availability of information that will accrue by the recognition of information governance as a designated corporate function.
Purpose
This document defines the information security principles and objectives for Penrose Health. It outlines the systems that ensure current information security obligations are met and how changes, performance and incidents are governed. This document sets out the policy, stating the required standard.
Information is an asset that, like other important business assets, is essential to business and needs to be suitably protected. Its security must be maintained to the standards expected in law, regulations and contracts. The standard for the public sector is mandated by the Cabinet Office. It supports the confidentiality, integrity and availability of the information held, processed and the responsibility of the organisation. It is supported by an assurance process that demonstrates the ongoing management of the security of information, the associated risk and the process of change to ensure the correct controls are in place.
ISO/IEC 27002:2013 describes information security and information in the following terms, which set the remit and principles behind this policy and related controls:
"Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation. Whatever forms the information takes, or means by which it is shared or stored, it should always be appropriately protected.
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities."
Penrose Health will achieve information security by the implementation, monitoring and improvement of suitable controls.
Penrose Health is responsible for driving improvements in Information Governance from these services and monitoring their management of risks associated with information security and any failures to maintain standards of information security. This ensures an efficient, effective and accountable service supporting high quality healthcare and appropriate clinical decision making. In those instances where we appropriately share or publish information we must ensure that this is done in a lawful and secure manner.
Objectives
This policy sets out Penrose Health's objectives and principles for ensuring the security of information within its remit. It also identifies the risks, priorities and resources required to ensure information security management is carried out to the appropriate standard.
Penrose Health's key objectives in relation to information security are to maintain and improve:
- Confidentiality - Access to Information is confined to those with appropriate authority and a legitimate relationship to it.
- Integrity - Information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
- Availability - Information shall be available and delivered to the right person, at the time when it is needed.
- Accountability - Users are held responsible for their use of information.
To achieve this, the policy sets out:
- The organisation's information security obligations
- The key areas of control and management of risk for information security across the organisation
- How the organisation will assess where information security impacts on business processes and how assurance is provided
- The expectation on the management of Information Assets, ICT systems and information to deliver information security and assurance.
- The responsibilities of staff in maintaining Information Security
The primary aims of information security are to:
- Ensure the confidentiality, integrity and availability of information within Penrose Health
- To reduce the risk of a security breach, data loss or breach of confidentiality
- To understand where risks to information security originate, what issues arise and the management of those risks
- To protect information assets from threats, both internal and external
Equality Analysis
This document demonstrates the organisation's commitment to create a positive culture of respect for all individuals, including staff, patients, their families and carers as well as community partners. The intention is, as required by the Equality Act 2010, to identify, remove or minimise discriminatory practice in the nine named protected characteristics of age, disability, sex, gender reassignment, pregnancy and maternity, race, sexual orientation, religion or belief, marriage and civil partnership. It is also intended to use the Human Rights Act 1998 and to promote positive practice and value the diversity of all individuals and communities.
Definitions
See Appendix A below for definitions not defined at the point of use.
Responsibilities
The Information Governance Framework sets out the core roles and responsibilities of individuals within Penrose Health. The responsibilities outlined below are specifically in relation to Information Security.
ICT Security Manager
The ICT Security Manager is responsible for the implementation of information security, this role includes:
- Monitoring and reporting as to the effectiveness of information security.
- Ensuring compliance with legislation, including the review and update of this policy.
- Review and update of all ICT security policies, protocols and procedures.
- Ensuring that relevant staff are aware of their security responsibilities.
- Ensuring that a security incident log is maintained and reported to the Information Governance Group.
Information Security Assurance
6.1 Provision of Information Services
Several key Information Services provide a crucial part in maintaining information security for Penrose Health. This includes Information and Communications Technology ("ICT"), Business Intelligence (also referred to as Informatics), Information Governance as well as physical security requirements for equipment on our premises.
Penrose Health works within a framework of written controls, risk management and systems to monitor and provide assurance. Scrutiny of these functions will be undertaken by Penrose Health as detailed in the relevant service specific policies, procedures and contracts in line with the Accountability and Responsibility detailed within this policy. It is expected that routine reports and evidence of the controls in place will be provided by the ICT provider, in a timely and appropriate manner. This will need to be in line with relevant assurance processes such as audit, the requirements of the Data Protection and Security Toolkit (DSPT) and risk management.
Penrose Health uses several mechanisms to manage information security. These are detailed below and in the relevant written controls. The ICT service maintains a list of information security issues, risks and mitigations for routine discussion with the Information Governance Lead. Organisational controls are monitored via the Information Governance risk register linked to ICT risks. The ICT service also meets on a monthly basis to review trends in cyber security. It ensures appropriate counter measures are taken to protect the organisation's infrastructure and information. This includes information that is held on-site and with current networks, as well as that held off-site and off-line. ICT ensures appropriate disposal and destruction processes to the required standard.
6.2 Management of Information Risk
In order to appropriately manage Information Risk and prioritise the Information Security Assurance, it is important to identify and quantify risk through the routine work of the organisation and those providing key services, such as ICT. This risk needs to account for the value of the asset, the potential severity of any impact and the likelihood of an occurrence.
Risks are captured in the relevant Departmental Risk Register and will be reviewed on at least a monthly basis. Risk Registers will be maintained for each ICT Network and contribute to the overall Corporate Risk Register through escalation via Internal Assurance for inclusion on the corporate register. These are reviewed on a regular basis in accordance with the terms of reference for Internal Assurance.
6.3 Forensic readiness
The organisation's forensic readiness arrangements are intended to:
- Protect Penrose Health, staff and clinical systems through the availability of reliable digital evidence gathered from its systems and processes;
- Allow consistent, rapid investigation of major events or incidents with minimum disruption to the organisation's business;
- Enable the pro-active and comprehensive planning, gathering and storage of evidence in advance of that evidence actually being required;
- Demonstrate due diligence and good governance of the organisation's information assets.
6.4 System Level Security Policies
Each Key Information System is required to have a system level security policy that details, where appropriate:
- Access control requirement specifications (such as whether two-part authentication is required and is in place).
- Authorisation process for access to the system (user registration and deregistration).
- Assignment of responsibilities for the system (access, maintain and issue resolution).
- Details on system design and dependencies, including encryption.
- Provisions for reports generated by system utilities on use and audit logs.
- What system documentation is in place.
- Login controls - threshold of failed logins.
- Password controls:
  - Must not be based on your username
  - Must contain characters from three of the following four categories:
    - Uppercase alphabetic characters (A-Z)
    - Lowercase alphabetic characters (a-z)
    - Arabic numerals (0-9)
    - Non-alphanumeric characters, for example: ! $ # %
  - Must not repeat any of your last 4 passwords
  - Passwords must be changed once every 90 days
- Backup requirements.
- Back-up data testing arrangements.
- Business Continuity or back-up plans for system data and software applications.
- Details of UPS technologies or other system continuity support.
- Schedules of tests.
- Input data validation.
- Risk Assessment for the System on key areas.
- The policy must detail what security reports are available and who can provide them for the following issues, where appropriate:
  - Access log files generated by the system.
  - Current user overview.
  - Account monitoring (unused accounts etc.).
  - Forensic readiness assessment.
Each system level policy will be reviewed on at least an annual basis.
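The password controls listed above are the kind of rule a system level security policy states and a system then has to enforce. The following is an added illustration, not code from Penrose Health or its ICT provider, of how those four rules (not based on the username, three of four character categories, no reuse of the last 4 passwords, change at least every 90 days) can be checked at the point a password is set. It assumes that previous passwords are kept only as salted PBKDF2 hashes (so the history can be compared without storing plaintext) and, as a working interpretation of "based on your username", that the password must not contain the username or its reverse in any letter case. The function and variable names, and the sample accounts, are constructed for this example.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Policy constants taken from the system level security policy text above.
HISTORY_DEPTH = 4                      # "must not repeat any of your last 4 passwords"
MAX_PASSWORD_AGE = timedelta(days=90)  # "must be changed once every 90 days"
REQUIRED_CATEGORIES = 3                # "three of the following four categories"
PBKDF2_ROUNDS = 100_000                # example work factor (assumption, not from the policy)

# A history entry is (salt, digest); the plaintext is never stored.
HistoryEntry = Tuple[bytes, bytes]


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Derive a salted PBKDF2-HMAC-SHA256 digest for storing in the history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def category_count(password: str) -> int:
    """Count how many of the four policy character categories are present."""
    categories = [
        any(c in string.ascii_uppercase for c in password),   # A-Z
        any(c in string.ascii_lowercase for c in password),   # a-z
        any(c in string.digits for c in password),            # 0-9
        any(not c.isalnum() for c in password),               # e.g. ! $ # %
    ]
    return sum(categories)


def based_on_username(password: str, username: str) -> bool:
    """Assumed reading of 'based on your username': contains it or its reverse, any case."""
    p, u = password.lower(), username.lower()
    return bool(u) and (u in p or u[::-1] in p)


def repeats_recent_password(password: str, history: List[HistoryEntry]) -> bool:
    """True if the candidate matches any of the most recent HISTORY_DEPTH entries.

    history is ordered most recent first; older entries beyond the depth are ignored.
    """
    for salt, digest in history[:HISTORY_DEPTH]:
        _, candidate_digest = hash_password(password, salt)
        if hmac.compare_digest(candidate_digest, digest):
            return True
    return False


def check_new_password(password: str, username: str, history: List[HistoryEntry]) -> List[str]:
    """Return the list of policy rules the candidate breaks; empty list means compliant."""
    failures = []
    if based_on_username(password, username):
        failures.append("based on username")
    if category_count(password) < REQUIRED_CATEGORIES:
        failures.append("fewer than three character categories")
    if repeats_recent_password(password, history):
        failures.append("repeats one of the last 4 passwords")
    return failures


def password_expired(last_changed: date, today: date) -> bool:
    """True once a password is older than the 90-day maximum age."""
    return today - last_changed > MAX_PASSWORD_AGE


if __name__ == "__main__":
    # Constructed sample: a user whose last five passwords are on record.
    history = [hash_password(p) for p in
               ["Spring#2024", "Winter#2023", "Autumn#2023", "Summer#2023", "Spring#2023"]]
    for candidate in ["Spring#2024", "jsmith2024!", "correcthorse", "Bluebell$77"]:
        print(candidate, "->", check_new_password(candidate, "jsmith", history) or "OK")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 4, 1)))
```

The history comparison re-derives the hash with each stored entry's own salt, so the check works on the same stored form a real system would keep, and only the four most recent entries are consulted, matching the policy's "last 4" wording. Anything outside those four rules (minimum length, lockout thresholds) is deliberately left to the login controls line of the policy.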
6.5 Definition of a key Information System
Key Information Systems (Assets) are defined as:
- Systems which other business critical assets are dependent upon (e.g. Network).
6.6 Information Security Incidents
All information Security Incidents must be recorded and reported to the Information Governance lead and the ICT service-desk. Information Security Incidents or suspected Information Security Incidents must be reported immediately. The Information Governance lead will carry out an assessment of the severity of the incident using the Data Security and Protection Incident Reporting tool to determine whether the incident is reportable.
If the incident is reportable to the Information Commissioner's Office, it must be reported via the organisation's Data Security and Protection Toolkit within 72 hours. This is a requirement of Data Protection Legislation.
Prior to reporting, the Information Governance lead will escalate to the Data Protection Officer for advice.
The Information Governance lead will provide a report to senior management on a routine basis in line with the Incident and Risk Management Policy. The report will note which issues were resolved, which have been escalated as risks and the associated action plan for the management or mitigation of the risk.
6.7 Information Sharing and Transmission
Where information is shared or transmitted, maintaining the security, confidentiality and integrity of the data is a legal requirement, in addition to ensuring an appropriate lawful basis. No Personal Confidential Data should be shared, transmitted or published without the appropriate approval of the Information Governance lead or reference to the relevant process, such as legal disclosure or disclosure under Data Protection Legislation or Access to Health Care provisions.
Only encrypted USB memory devices, encrypted Laptops or other authorised mobile devices (e.g. Blackberry or other smart phone) owned by the organisation are permitted for the transportation of personal identifiable information and/or business sensitive information. Staff with an approved business need to use a mobile device should gain authorisation from their manager, before transferring any information to a mobile device. Such devices are encrypted following the ICT encryption protocol.
6.8 Performance of Information Systems
The performance of Information systems and dependencies will be provided to the Information Governance Lead and Director with responsibility for ICT, where applicable, on at least a quarterly basis. Any risks resulting from performance will be added to the relevant Risk Register in line with the Risk Management and Assurance Framework.
Information Systems consist of but are not limited to:
- Network
- Servers
- Key databases and datasets
- Email systems
- Portable devices (such as laptops, memory sticks)
- Cloud based platforms
Performance reports will provide details of, where appropriate (for the reporting period):
- The level of performance for different teams and services (for example Network, Voice and Mobile Working)
- Change Control management
- Information Security priorities and actions
- Network capacity, trends and management
- Server capacity, trends and management
- The number of helpdesk calls received, resolved and open
- Number of authorised User accounts
- Number of User accounts activated
- Number of User accounts deactivated
- Number of Information Security Incidents, Events or Near Misses
- Lessons Learnt from Information Security Incidents
- Compliance Monitoring
- Audit findings and reports
- Review Meetings
- Changes to Controls and system policies
- System intrusion reports
- Virus software effectiveness
- User Surveys
6.9 Change Management
The Information Governance Lead will authorise the Change Management process for each Network and Key Information Asset, either personally or via pre-arranged criteria that allow the Information Governance lead for internal assurance to give authorisation. The IG lead will be advised of any changes that impact on Information Security. A Data Protection Impact Assessment and Information Security Risk Assessment will be provided along with an outline of the proposed change. This will include details of the nominated Senior Responsible Officer for the change and the Project Board where possible, as well as the reporting line to the organisation.
It is expected that Information Security Assurance will be provided to the Information Governance Lead as part of the process of routine management and in good time to effect change.
All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and will comply with Information Management, Quality, Governance and Security accreditation. They will account for data quality, confidentiality and data protection requirements.
It is a legal requirement that the impact of any change is assessed and signed off before the change process is initiated. This change will include:
- A data protection impact assessment for changes impacting on data subject privacy, rights and freedoms.
- A security assessment for changes impacting on ICT security (network, telephony) or physical security.
- A risk assessment on the potential risks of the change incorporating any risks to the delivery of the change. This risk assessment must balance the benefits of undertaking the change against its risks, and against the risks of not undertaking the change.
- A procurement and contract review requirement for any use of third parties for the provision of services impacting on information management or security.
6.10 Change Management that requires Caldicott Guardian sign off
Where the following criteria apply, the sign-off of the Caldicott Guardian for the relevant organisation(s) will be required before any change can commence:
- Where patient records (regardless of format) are impacted.
- Where a data protection impact assessment has indicated a significant change or threat to privacy.
Information Security Principles
7.1 Access Control
Access Control is required for the management of appropriate access to all information assets. Access to sensitive, confidential or personal confidential data will be restricted. Access control requirements will be elaborated in more detail for information assets and within System Level Policies, as required.
Access Control will be routinely monitored, audited and removed promptly once a legitimate basis for access no longer exists for a member of staff. Access will be provided in line with the training and awareness provided to staff.
Appropriate authentication of users is required for both information and physical systems: the standards required will be outlined in the relevant system requirements.
7.2 Responsibility for Equipment
Any equipment issued to staff is for the purpose of conducting the business of the organisation and is required to be used in an appropriate and professional manner. Staff are responsible for the equipment issued to them and following the appropriate protocols and procedures for working off site, working remotely and for the return of any equipment no longer required by the staff member.
Information Security Incidents and Events
8.1 Identifying and managing Information Security Incidents
All information Security Incidents must be recorded and reported to the Information Governance lead and the ICT service-desk. Information Security Incidents or suspected Information Security Incidents must be reported immediately.
These will be highlighted to the nominated Information Security Officer via the ICT service-desk. Examples of incidents are on the intranet and in procedures for incident management.
The Information Governance lead will carry out an assessment of the severity of the incident using the Data Security and Protection Incident Reporting tool to determine whether the incident is reportable via the Data Security and Protection Toolkit.
If the incident is reportable to the Information Commissioner's Office, it must be reported via the organisation's Data Security and Protection Toolkit within 72 hours. This is a requirement of Data Protection Legislation. Prior to reporting, the Information Governance Lead will escalate to the Data Protection Officer for approval of the report.
The Information Governance lead will provide a report to the Senior Management Team on a routine basis in line with the Incident and Risk Management Policy. The report will note which issues were resolved, which have been escalated as risks and the associated action plan for the management or mitigation of the risk.
Training
All staff will be made aware of their responsibilities for information security through generic and specific training programmes and guidance. Training requirements will be publicised via the Communications team.
The ICT Security Manager is responsible for ensuring ICT security awareness and training for all staff.
Monitoring and compliance
This policy and the associated controls will be monitored through the Risk Management system for the organisation. The Risk Register will be reviewed on a monthly basis and additionally in response to any Information Security Incident or enforcement action by the Information Commissioner's Office. Information Risk Management is a key component of wider assurance and control in setting the priorities for the information governance work plan.
Information Risk Owners, assisted by Information Risk Administrators, will be required to routinely review the Risks and Information Flows associated with the Information Assets utilised to fulfil the business functions and activities within their remit.
Further monitoring will be undertaken through the change control process.
10.1 Non-Compliance
Failure to comply with the standards and appropriate governance of information as detailed in this policy, supporting protocols and procedures can result in disciplinary action. All staff are reminded that this policy covers several aspects of legal compliance that as individuals they are responsible for. Failure to maintain these standards can result in criminal proceedings against the individual. These include but are not limited to:
- Common law duty of confidentiality
- Computer Misuse Act 1990
- Data Protection Act 2018
- Freedom of Information Act 2000
- Human Rights Act 1998
- Public Records Act 1958
- Health and Social Care Act 2012
- Care Act 2014
- General Data Protection Regulation (EU) 2016/679
Review
This policy will be reviewed every three years, or earlier where legal or National Policy changes require it, until it is rescinded or superseded.
The audience of this document should be aware that a physical copy may not be the latest version. The latest version, which supersedes all previous versions, is available in the policy register for the organisation. Those to whom this policy applies are responsible for familiarising themselves periodically with the latest version and for complying with policy requirements at all times.
Statement of evidence/references
The following is a list of the key legislative and regulatory frameworks:
- Data Protection Act 2018
- Freedom of Information Act 2000
- Computer Misuse Act 1990
- Common law duty of confidentiality
- Human Rights Act 1998
- Health and Social Care Act 2012
- Care Act 2014
- NHS Constitution
- Information Commissioner's Office guidance, passim.
- Care Quality Commission Requirements (for commissioned healthcare services)
- General Data Protection Regulation (EU) 2016/679
Other relevant policies are:
- Information Governance
- Information Quality
- Information Management
- ICT security policies
Implementation and dissemination of document
The policy, once approved, will be shared with all staff through the all-staff email, updated on the Penrose Health intranet page, included in staff briefings and placed in the policy register. A team and management briefing will be provided to support this dissemination.
In addition to the monitoring detailed above, awareness of the policy will be checked through a staff survey and spot checks on at least an annual basis.