Post on 25-May-2018
Information Risk and Security: Information Governance (“IG”) Policy
(This document should be read in conjunction with the Data Protection and Information Sharing Policy and the relevant Informatics policies)
FINAL 4.0, Feb 2018
Information Risk and Security
Document No: IG.P05
Version No: 4.0 (FINAL)
Author: Information Governance Officer
Policy Date: February 2018
Review Date: February 2021
SUMMARY
This Policy:
Ensures that all managers and staff are aware of and comply with the Trust’s
statutory obligations and responsibilities, including those under the Data Protection
Act (DPA), and the new General Data Protection Regulations (GDPR).
Encourages a consistent and proactive information risk management framework in
which data risks will be identified, considered and addressed, in order to provide
assistance and improve the quality of decision-making throughout the Trust, and
help to safeguard the Trust’s information assets.
Outlines the requirements of ‘privacy by design’ to ensure that this is a key
consideration in the early stages of any project and then throughout its lifecycle,
and also to ensure that processes for completing and reviewing Privacy Impact
Assessments are managed in a consistent and controlled way.
Sets out the requirements for information risk management, including the role
and responsibilities of the Senior Information Risk Owner (SIRO), Information Asset
Owners (IAOs) and Information Asset Administrators (IAAs), and the processes for
maintaining the Trust’s Information Asset Register (IAR).
DOCUMENT DETAILS
Author(s): Information Governance Officer
Date: February 2018 (FINAL 4.0)
Next Review Date: February 2021, or sooner if legislation requires
Ratifying Body/Committee: Information Governance Steering Group (IGSG)
Chair: Senior Information Risk Owner (SIRO)
Date Originally Ratified: 29 August 2014
Target Audience: All Staff
Date Equality Impact
Assessment Completed: February 2018 (also see issue dates below)
DOCUMENT HISTORY
Date of Issue | Version No. | Next Review Date | Date Approved | Director Responsible for Change | Nature of Change
Feb 2018 | Final 4.0 | Feb 2021 | 12 Mar 2018 | SIRO/Caldicott Guardian | Scheduled policy review. Implications of the GDPR.
Dec 2016 | Final 3.2 | Dec 2017 | 09 Feb 2017 | SIRO/Caldicott Guardian | Annual policy review
Oct 2015 | Final 3.0 | Aug 2017 | 30 Oct 2015 | SIRO/Caldicott Guardian | Updated IAR and PIA process
Apr 2015 | Final 2.0 | Aug 2017 | 29 May 2015 | SIRO/Caldicott Guardian | Addition of TNA and change to audit process
Aug 2014 | Final 1.0 | Aug 2017 | 29 Aug 2014 | SIRO/Caldicott Guardian | New policy
The purpose of this policy is to ensure that there is a consistent, fair and transparent approach in its
application across Poole Hospital NHS Foundation Trust (hereafter referred to as the “Trust” or the
“organisation”). All managers and staff (at all levels) are responsible for ensuring that they are viewing
and working to the current version of this policy. If this document is printed in hard copy or saved to
another location, it must be checked that the version number in use matches with that of the live policy
on the intranet. All policies are published on the staff intranet and communication is circulated to all
staff when new policies or changes to existing policies are released. Managers are encouraged to use
team briefings to aid staff awareness of new and updated policies and procedures.
TABLE OF CONTENTS
1. RELEVANT TO .............................................................................................................. 5
2. PURPOSE ..................................................................................................................... 5
3. GENERAL PRINCIPLES ................................................................................................ 6
Legislation, Regulations and Guidance ................................................................. 6
Information Risk and Security ................................................................................... 7
Staff Responsibilities ................................................................................................... 9
4. DEFINITIONS RELATING TO INFORMATION RISK AND SECURITY ............................. 10
4.1. Information Assets ........................................................................................ 10
4.2. Risk Terminology ........................................................................................... 11
5. MANAGEMENT OF INFORMATION ASSETS.............................................................. 12
5.1. Information Asset Register (IAR) .................................................................. 12
5.2. Senior Information Risk Owner (SIRO) ......................................................... 12
5.3. Information Asset Owners (IAOs) ................................................................ 13
5.4. Information Asset Administrators (IAAs) ...................................................... 14
6. PRIVACY IMPACT ASSESSMENTS (PIAs) ................................................................... 15
6.1. Privacy by Design ......................................................................................... 15
6.2. Privacy Impact Assessments (PIAs) ............................................................. 16
7. DATA RISK ASSESSMENTS AND RATINGS ................................................................. 17
7.1. Risk Assessment Matrix (Breaches, Near-Misses and PIAs) ........................ 17
7.2. Criticality Assessment Matrix (PIAs) ............................................................. 19
8. DATA BREACHES AND NEAR-MISSES ....................................................................... 20
8.1. Reporting and Recording ........................................................................... 20
8.2. Action, Investigation and Remediation ..................................................... 21
8.3. Serious Incidents Requiring Investigation ................................................... 21
8.4. Notifying Data Subjects ............................................................................... 22
9. DATA SECURITY AND PROTECTION STANDARDS .................................................... 23
10. IMPLEMENTATION AND REVIEW .............................................................................. 25
10.1. Consultation and Implementation ............................................................. 25
10.2. Policy Review Arrangements ...................................................................... 26
10.3. Monitoring Effectiveness .............................................................................. 26
TABLE OF APPENDICES
APPENDIX A: EQUALITY IMPACT ASSESSMENT ................................................................... 27
THE POLICY
1. RELEVANT TO
1.1. All medical and non-medical individuals at all levels within Poole Hospital
NHS Foundation Trust (“the Trust”) are expected to comply with this policy,
including: individuals directly employed by the Trust (substantive/
permanent, fixed-term, bank/locum, etc); and individuals working within
but not directly employed by the Trust (volunteers, students, agency,
secondees, etc); hereafter referred to collectively as “staff”.
1.2. This policy covers all computer and non-computer based information
systems purchased, developed and managed by, or on behalf of, the
Trust. This policy is applicable to all areas of the Trust and adherence
should be included in all contracts for outsourced or shared services -
there are no exclusions. Further definitions can be found in Section 4.
1.3. This policy should be read in conjunction with other relevant policies,
procedures and guidance, including the:
Adverse Incident Reporting and Management Policy
Corporate Records and Archiving Policy
Data Protection and Information Sharing Policy
Data Security Statement (Information Governance Confidentiality & IT)
Duty of Candour Policy
Informatics (IT) Policies and Procedures
Risk Management Strategy
Serious Incident Policy
Subject Access and Other Information Rights Policy
CPA Introduction to Cyber Security
DH&SC Data Security and Protection Requirements 2017/18
IGA Records Management Code of Practice
Network and Information Systems Guidance Collection
NHS Digital Cyber and Data Security Policy and Good Practice
Privacy Notices (Patient/Service User and Staff Information)
2. PURPOSE
2.1. This policy ensures that all managers and staff are aware of and comply
with the Trust’s statutory obligations and responsibilities, including those
under the Data Protection Act (DPA), and the new General Data
Protection Regulation (GDPR), which takes effect from May 2018.
2.2. The purpose of this policy is to provide a consistent information risk
management framework in which data risks will be identified, considered
and addressed.
2.3. This policy aims to encourage pro-active information risk management, in
order to provide assistance and improve the quality of decision-making
throughout the Trust, and help to safeguard the Trust’s information assets.
2.4. This policy outlines the requirements of ‘privacy by design’ to ensure that
privacy and data protection is a key consideration in the early stages of
any project, and then throughout its lifecycle, and also to ensure that
processes for completing and reviewing Privacy Impact Assessment are
managed in a consistent and controlled way.
2.5. The Trust, and individual members of staff, have a legal obligation to
comply with all appropriate legislation in respect of information handling,
and information risk and security. This policy does not claim to cover all
situations; therefore the responsibility lies with staff/departments to ensure
that the confidentiality/security of information is maintained whilst under
their ownership and to seek advice from senior management or the
Information Governance Department as necessary.
3. GENERAL PRINCIPLES
Legislation, Regulations and Guidance
3.1 The Data Protection Act (DPA) is the main piece of UK legislation which
governs the use of personal data which identifies living individuals. The
General Data Protection Regulation (GDPR) takes effect from 25 May
2018 and will replace the 1995 Data Protection Directive on which the
DPA was based. This policy has been revised to reflect the Trust’s
obligations under the new EU GDPR and the updated DPA in the UK.
3.2 The principles of data protection legislation specify that appropriate
technical and organisational measures must be in place to secure
against unauthorised or unlawful processing of information, and to
protect information from accidental loss, destruction or damage. In
practice, this means that the Trust must ensure that:
3.2.1 Security measures are designed and organised to fit the nature of
the information being held and the level of harm that may result
from a breach;
3.2.2 Staff are clear about their responsibilities relating to information risk
and security, as well as those of the Senior Information Risk Owner
(SIRO), Information Asset Owners (IAOs) and Administrators (IAAs);
3.2.3 Appropriate physical and technical security is in place for all
information, backed up by robust policies and procedures, and
reliable, knowledgeable and well-trained staff;
3.2.4 Breaches can be dealt with swiftly, effectively and consistently.
3.3 There are other rules and regulations which specify how information
should be handled. These include, but are not limited to:
Access to Health Records Act 1990
Access to Medical Reports Act 1998
Civil Contingencies Act 2004
Code of Practice on Confidential Information 2014
Common Law Duty of Confidentiality
Computer Misuse Act 1990
Confidentiality NHS Code of Practice
Crime and Disorder Act 1998
Criminal Justice and Immigration Act 2008
Freedom of Information Act 2000
HMG: Information Sharing by Practitioners in Safeguarding Services
HSCIC Guide to Confidentiality 2013
Human Rights Act 1998 (Article 8)
Information Security NHS Code of Practice
International Information Security Standard: ISO/IEC 27002:2005
NHS Care Record Guarantee for England
Mental Capacity Act 2005
Records Management Code of Practice 2016
Regulation of Investigatory Powers Act 2000
Social Care Record Guarantee for England
3.4 Failure to meet the requirements of this policy, which reflect the Trust’s
obligations under data protection legislation, exposes the organisation to
enforcement action and fines of either:
up to €10,000,000 or 2% of annual turnover (whichever is higher), for
breaches in the lower tier (including record keeping, contracting and
security clauses); or
up to €20,000,000 or 4% of annual turnover (whichever is higher), for
breaches in the higher tier (including non-compliance with ICO orders,
data subjects’ rights, international transfers, and the basic principles of
data protection legislation – including consent requirements).
Information Risk and Security
3.5 Information is a vital asset, both in terms of the clinical management of
individual patients and the efficient management of services and
resources. It plays a key part in clinical governance, service planning and
performance management. It is of paramount importance to ensure that
corporate and sensitive personal information about individuals is secure,
held confidentially and appropriately protected when shared to support
the provision of healthcare for patients.
3.6 Without effective security, information assets may become unreliable and
untrustworthy, may not be accessible where or when needed, or may be
compromised by unauthorised third parties. All NHS organisations, and
those who supply or make use of NHS information, have an obligation to
ensure that there is adequate provision for the security management of
the information resources that they own, control or use. This is set out in
the NHS Code of Practice on Information Security Management 2007.
3.7 The Trust also has a legal obligation to ensure that appropriate security
management arrangements are in place for the protection of patient
records and key information services, to meet the statutory requirements
set out within data protection legislation (see 3.1-3.2) and to satisfy its
obligations under the Civil Contingencies Act 2004.
3.8 The Trust recognises that organisations and their information systems and
networks are faced with security threats from a wide range of sources,
including vandalism, fire and flood. Dependence on information systems
and services means the Trust is more vulnerable to security threats. The
interconnecting of public and private networks and sharing of information
resources increases the difficulty of achieving access control.
3.9 The Trust places great importance on minimising any possible or potential
risk to information security whilst safeguarding the interests of patients and
staff, as well as protecting the position of the Trust itself. Information
security is characterised as the preservation of:
confidentiality – ensuring that information is accessible only to
those authorised to have access;
integrity – safeguarding the accuracy and completeness of
information and ensuring that all systems, assets and networks
operate correctly, according to specification;
availability – ensuring that authorised users have access to
information and associated assets when required.
3.10 The Trust acknowledges that information risk and security management is
an essential element of broader information governance and an integral
part of good management practice. The intention is to embed
information risk management in a very practical way into business
processes and functions – such as through key approval and review
processes / controls – rather than imposing it as an extra requirement.
3.11 Information risk is inherent in all administrative and business activities;
everyone working for or on behalf of the Trust continuously manages
information risk. Information risk management is not solely about
eliminating risk, but also about providing the structural means to identify,
prioritise, and manage the risks involved in all Trust activities. This involves a
balance between the cost of managing and treating information risks
and the anticipated potential benefits that will be derived.
3.12 The Trust is committed to maintaining and developing an infrastructure for
information, and ensuring that all information assets have an appropriate
level of security. Information risk and security management is integrated
into the Trust’s overall corporate risk management process. The Trust has
established a comprehensive information security assurance framework in
line with mandatory data security and protection requirements, under the
leadership of the Senior Information Risk Owner (SIRO), and embedded in
the directorate structures via the Information Asset Owners (IAOs) and
Information Asset Administrators (IAAs).
3.13 The Trust has in place an Information Asset Register (IAR) which is
maintained by the Information Governance Department using Privacy
Impact Assessments (PIAs) provided by IAOs and IAAs. The PIA acts as a
risk assessment for each asset and records all data sets and data flows.
3.14 The Trust has processes in place to develop and maintain appropriate
plans for the speedy restoration of all critical IT systems. All systems will
have threats and vulnerabilities assessed to determine how critical they
are to the Trust. Individual work areas will have procedures in place to
maintain essential services in the event of IT system failure. The Trust has
established business continuity and disaster recovery plans for all critical
information systems and networks. Please also see the Trust’s Business
Continuity Policy and the IT Trust-Wide Business Continuity Plan.
3.15 All risks associated with any aspect of information governance are
entered onto the Trust’s risk register and managed locally to reduce them
to the lowest possible level. The Trust’s adverse incident reporting system
(Datix) is used to report, monitor and investigate all breaches of
confidentiality and information security, as well as the lessons learnt and
grading of breaches.
Staff Responsibilities
3.16 Every member of staff is personally responsible for taking precautions to
ensure the security of information, both whilst it is in their possession and
when it is being transferred from one person or organisation to another. If
staff are unsure about sharing information, they should refer to the Data
Protection and Information Sharing Policy, the NHS Confidentiality Code
of Practice, or take advice from their line manager, the Information
Governance Department or the Caldicott Guardian, as appropriate.
3.17 Staff who manage or lead on projects/service changes are also
responsible for completing Privacy Impact Assessments (PIAs), and
additional responsibilities apply to Information Asset Owners (IAOs – see
5.3) and Information Asset Administrators (IAAs – see 5.4).
3.18 To ensure that staff are effectively informed about what is required of
them in relation to information risk and security, this policy has been
produced to identify the legal requirements and provide an
understanding of what the Trust requires staff to do to keep personal
information safe and secure. This policy is highlighted during the Trust’s
induction programme, within all information governance training sessions
and materials, and should be covered by line managers during local
induction. This policy is also specifically referred to within the Trust’s Privacy
Impact Assessment template and supporting guidance.
3.19 Failure to comply with data protection legislation can lead to
enforcement action from the ICO, including monetary penalty notices
(see 3.4), claims for compensation and/or criminal prosecution. It is the
responsibility of every individual member of staff to be familiar with this
policy (and all other related policies) to ensure the confidentiality, security
and integrity of information is maintained whilst under their ownership. Any
failure by a member of staff to follow the processes outlined in this policy
may result in initiation of the Trust’s Staff Disciplinary Procedure.
4. DEFINITIONS RELATING TO INFORMATION RISK AND SECURITY
4.1. Information Assets
4.1.1. The following are examples of information assets:
Databases and data files
System information and documentation
Research information
Operations and support procedures
Audit data
Manuals and training materials
Contracts and agreements
Business continuity plans
Back-up and archive data
Applications and System Software
Data encryption utilities
Development and Maintenance tools
Computing hardware including servers, PCs, laptops, PDAs,
mobile communications devices and removable media
Environmental services necessary for the safe operation of
Information assets e.g. power and air-conditioning
People skills and experience
Shared services, including networks and printers
Paper records, including patient case notes and staff records.
The above list is illustrative only and should be considered when
identifying, recording and assessing the risk of information assets.
4.1.2. Minimum security standards will be incorporated into all assets.
New operational software must be quality assured. System test
and live data should be separated and adequately protected.
All changes to systems, including externally commissioned
systems, must pass through a formal change control procedure.
Further advice is available within the Trust’s IT Security Policy or
from the Trust’s IT Security Manager (via the IT Service Desk).
4.2. Risk Terminology
Key Term: Description
Breach: Any event or circumstance that led to unintended or unexpected harm, loss or damage.
Near-Miss: Any event or circumstance which was avoided but had the potential to lead to unintended or unexpected harm, loss or damage.
Serious Incidents Requiring Investigation (SIRI): Any breaches where the consequences are so significant or the potential for learning is so great that a heightened level of response is required.
Risk: The chance of something happening or a hazard being realised, which will have an impact on objectives. It is measured in terms of consequence and likelihood.
Consequence: The outcome of an event or situation, expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event.
Likelihood: A measure of the probability that the consequence will occur, as a qualitative description or synonym.
Risk Management: The systematic application of management policies, procedures and practices to the tasks of identifying, analysing, assessing, treating and monitoring risk.
Risk Assessment: The overall systematic process of determining the level of risk that an event/set of events poses in combination with the likelihood of its occurrence.
Risk Rating: The ‘score’ that a risk is given following risk assessment using a risk matrix.
Control: An activity (action) which reduces the consequence and/or likelihood.
Risk Mitigation: The process of introducing specific measures (controls) to minimise or eliminate risks. Risk mitigation measures can be directed towards reducing the severity of risk consequences, reducing the likelihood of the risk occurring, or reducing the organisation’s exposure to the risk.
Further definitions are available in the Trust’s Risk Management Strategy
and the Adverse Incident Reporting and Management Policy.
5. MANAGEMENT OF INFORMATION ASSETS
5.1. Information Asset Register (IAR)
5.1.1. The Trust’s information assets are recorded on a central
Information Asset Register (IAR), which is maintained by the
Information Governance Department. The IAR helps managers
and the Trust to identify who is responsible for what assets, and
where data routinely goes to and/or comes from.
5.1.2. The IAR is populated, updated and maintained using information
provided by Information Asset Owners (IAOs – see 5.3) and
Administrators (IAAs – see 5.4) via the Trust’s Privacy Impact
Assessment (PIA) process. A PIA is required when a new or
updated system/process is proposed which will or could
potentially introduce new (or make changes to the existing) data
management processes, or when an existing information asset is
identified which is not currently recorded on the IAR. See Section
6 for full details about PIAs and the process involved.
5.1.3. The IAR gives the Trust the knowledge it needs to identify and
manage the risks and security of its information assets. An IAO or
IAA can request to see an extract of the IAR showing their assets at
any time by contacting the Information Governance Department.
5.2. Senior Information Risk Owner (SIRO)
5.2.1. The Senior Information Risk Owner (SIRO) is an Executive Director
who takes overall ownership of the Trust’s Information Risk and
Security Policy, and acts as champion for information risk on the
Board. The current SIRO is the Trust’s Finance Director.
5.2.2. The SIRO implements and leads the Information Governance risk
assessment and management processes within the Trust and
advises the Board on the effectiveness of information risk
management across the Trust. The SIRO is responsible for:
o ensuring that information assets are identified, that a register
of assets is maintained, and that each major asset has an
assigned owner and administrator;
o coordinating and overseeing the development and
implementation of the Information Risk and Security Policy;
o ensuring that systems, policies, processes and standards are in
place to ensure rigorous information governance across the
Trust;
o ensuring that the Board is adequately briefed, and providing a
focal point for the resolution and discussion of information risk
issues, advising on information security and risk management
strategies and providing periodic reports and briefings on
progress.
5.3. Information Asset Owners (IAOs)
5.3.1. An Information Asset Owner (IAO) is a nominated manager/senior
member of staff who takes responsibility for individual information
assets, in terms of security, user access, risk assessment and
business continuity. They are supported by an Information Asset
Administrator (IAA), per asset (this can be the same person).
5.3.2. Within the Trust, IAOs are usually Directors, Heads of Department
or Directorate Managers; however, the level of authority required
for an asset will depend on the type of asset and the information
it contains. For example, a Trust-wide business critical patient
information system may have a Director, whereas a department-
level statistics spreadsheet may have a Department Manager.
5.3.3. The responsibilities of an IAO are outlined in the IAO Job
Summary available on the intranet. As an example, they are
responsible for:
o ensuring that all information assets are appropriately owned,
managed and recorded on the Information Asset Register
(IAR);
o supporting the Senior Information Risk Owner (SIRO) in
managing the risks associated with all information assets, and
providing the SIRO with reports and risk assessments as
required;
o ensuring that a Privacy Impact Assessment (PIA) is completed
for all new and amended information assets, and this is
regularly reviewed;
o ensuring that business continuity strategies and plans are in
place and tested for all critical information assets.
5.4. Information Asset Administrators (IAAs)
5.4.1. An Information Asset Administrator (IAA) is a nominated
administration, clerical or operational member of staff who takes
responsibility for individual information assets, in terms of security,
user access, risk assessment and business continuity. They support
allocated IAOs with information assets.
5.4.2. Within the Trust, IAAs are usually administration or operational
staff; however, the level of authority required for an asset will
depend on the type of asset, the information that it contains and
the authority level of the IAO. For example, a Trust-wide business
critical patient information system may have a Deputy Director or
Department Head, whereas a department-level statistics
spreadsheet may have an Administrator or Secretary.
5.4.3. IAAs are responsible for supporting the relevant IAO(s) with
meeting their responsibilities (See 5.3 above). Full details of an
IAA’s responsibilities are outlined in the IAA Job Summary.
6. PRIVACY IMPACT ASSESSMENTS (PIAs)
6.1. Privacy by Design
6.1.1. ‘Privacy by design’ is an approach to projects that promotes
privacy and data protection compliance from the start. This
approach is a requirement of data protection legislation and
therefore the Trust must ensure that privacy and data protection is
a key consideration in the early stages of any project, and then
throughout its entire lifecycle.
6.1.2. Core privacy considerations should be integrated into existing
project management and risk management methodologies and
policies. The procedures described in this policy are in place to
ensure that all new (and updated/reviewed) projects, processes
and systems introduced to the Trust comply with confidentiality,
privacy and data protection requirements.
6.1.3. Taking a ‘privacy by design’ approach is an essential tool in
minimising privacy risks and building trust. Designing projects,
processes, products or systems with privacy in mind at the outset
can lead to benefits which include:
Potential problems are identified at an early stage, when
addressing them will often be simpler and less costly;
The Trust is more likely to meet its legal obligations and avoid
breaches of the GDPR and DPA;
Actions are less likely to be privacy intrusive and have a
negative impact on individuals; and
Increased awareness of privacy and data protection across
the Trust.
6.1.4. Privacy Impact Assessments (PIAs) are an integral part of taking a
‘privacy by design’ approach, and are the tool that the Trust uses to
identify, and where possible reduce, the information governance
risks of projects, processes and systems within the organisation. A
PIA can reduce the risks of harm to individuals through the misuse
of their personal information and can also help to design more
efficient and effective processes for handling personal data.
6.1.5. All staff who manage or lead on projects/service changes are
also responsible for completing PIAs as required, and additional
responsibilities apply to Information Asset Owners (IAOs – see 5.3)
and Information Asset Administrators (IAAs - 5.4).
6.2. Privacy Impact Assessments (PIAs)
6.2.1. Data protection legislation dictates that a Privacy Impact
Assessment (PIA) is mandatory where the data processing is “likely
to result in a high risk to the rights and freedoms” of the data
subject(s). This is particularly relevant where there is any
automated processing (including profiling) or where the
processing involves any special categories of data (such as
health or social care information). The ICO has also published
a Code of Practice on the requirements for conducting PIAs.
6.2.2. The Trust takes the approach that a PIA should be completed
whenever a new or updated system/process is proposed which
will or could potentially introduce new (or make changes to the
existing) data management processes. This is intertwined with
other processes such as IT Requests for Change. PIAs are also
used by the Trust to register all information assets onto the
Information Asset Register (see 5.1 for further details).
6.2.3. The PIA process is most effective when started at an early stage of
a project, preferably when the project is being designed and
scoped. A condensed version of the PIA is completed by
potential external stakeholders/providers and third parties as part
of any tender process. A full PIA must then be completed for the
preferred provider once the contract has been awarded, in
conjunction with the relevant project manager and Information
Asset Owner (see 5.3). The PIA should be updated throughout the
project as changes are considered and decisions contemplated.
6.2.4. The completed PIA is used as a formal data risk assessment, and
should be assigned two risk ratings:
a) Data processing rating, based on the categories and volume of
data and the impact on the rights of the data subjects (this is
assessed using the risk matrix in 7.1 of this policy); and
b) Criticality rating, based on the system usage requirements. This
should feed into business continuity and disaster recovery
plans, both at a local and Trust-wide level, as appropriate (this
is assessed using the criticality matrix in 7.2 of this policy).
6.2.5. Any information security risks identified as part of the PIA will be
managed on a formal basis via the Trust’s adverse incident
reporting procedures, and relevant risks will be recorded within
the Trust’s risk register. Measures should be put in place to ensure
each asset is secured to an appropriate level, and action plans
must be in place to demonstrate effective management of risks.
6.2.6. The PIA should also record all data sets and data flows, which will
then feed into the Information Asset Register. This provides
assurance that the Trust completes ongoing data mapping.
6.2.7. PIAs should be completed by appropriate individuals with
sufficient knowledge of the asset/system/process, and must be
approved by the relevant Information Asset Owner prior to being
sent to the Information Governance Department for review.
6.2.8. As part of the PIA process, it may be necessary for the project
lead/Information Asset Owner/etc to liaise with any third party
organisations to gain appropriate assurance of compliance, and
(where appropriate), seek the views of data subjects or their
representatives on the intended processing.
6.2.9. Depending on the risk rating and content of the assessment, it
may be necessary for the PIA to be reviewed and authorised by
the Senior Information Risk Owner (SIRO), Caldicott Guardian
and/or the Information Governance Steering Group (IGSG). The
Information Governance Department will make this decision and
discuss any reasons with the Project Lead and Information Asset
Owner, as appropriate.
6.2.10. It is the responsibility of the Project Lead and/or Information Asset
Owner (as appropriate) to ensure that PIAs are reviewed on a
regular basis, the frequency of which is proportionate to the risk
rating of the system (see Section 7 below).
7. DATA RISK ASSESSMENTS AND RATINGS
7.1. Risk Assessment Matrix (Breaches, Near-Misses and PIAs)
In alignment with the Trust’s Risk Management Strategy, all information
risks are assessed using a 5x5 risk assessment matrix.
The tables overleaf should be used to grade all breaches and near-
misses recorded via Datix (see 8.1), and to provide a ‘data processing’
rating for assets via Privacy Impact Assessments (see 6.2).
The Trust is also required to score all breaches against the HSCIC Serious
Incidents Requiring Review (SIRI) checklist – see 8.3.1 for details.
Risk Assessment Matrix (risk score = impact rating x likelihood rating)

LIKELIHOOD OF OCCURRENCE:
1 Rare / Exceptional
2 Unlikely
3 Possible / Reasonable Chance
4 Likely
5 Almost Certain

IMPACT (with the resulting risk scores for likelihood 1 to 5):

5 Catastrophic: Serious breach with the potential for ID theft, or over 1000
individuals affected. Damage to the NHS’ reputation, national media coverage.
Scores: 5, 10, 15, 20, 25

4 Major: Serious breach with either particular sensitivity, e.g. sexual health
details, or up to 1000 individuals affected. Damage to the organisation’s
reputation, local media coverage.
Scores: 4, 8, 12, 16, 20

3 Moderate: Serious breach of confidentiality, e.g. up to 100 individuals
affected. Damage to the organisation’s reputation, low-key local media
coverage.
Scores: 3, 6, 9, 12, 15

2 Minor: Potential serious breach and risk assessed high, e.g. unencrypted
records of up to 20 individuals. Damage to the organisation’s reputation,
possible local media.
Scores: 2, 4, 6, 8, 10

1 Negligible: Minimal discernible effect on the organisation, media interest
unlikely. Less than 5 individuals affected or risk assessed as low, e.g. files
were encrypted. Damage to staff member’s reputation.
Scores: 1, 2, 3, 4, 5
Risk Score, Risk Category, Definition, Decision and Minimum Reviews:

1 – 3: Very Low. An acceptable level, subject to review.
Decision: Tolerate. Min. reviews: every 6 – 12 months.

4 – 7: Low. An acceptable level, subject to review and possible action.
Decision: Tolerate or Treat. Min. reviews: every 3 – 6 months.

8 – 14: Moderate. Unacceptable level, requires review and action.
Decision: Treat or Transfer. Min. reviews: at least quarterly.

15 – 25: High. Unacceptable level, requires urgent review and action.
Decision: Treat, Transfer or Terminate. Min. reviews: at least monthly.

TOLERATE – accept the risk.
TREAT – take actions to lessen the consequence or likelihood.
TRANSFER – pass responsibility for the risk to another, e.g. contractor or service provider.
TERMINATE – the risk is too high and the activity should not proceed or should be done differently.
7.2. Criticality Assessment Matrix (PIAs)
The table below should be used to provide a ‘criticality’ rating for assets via Privacy Impact Assessments (see 6.2). Each
category should be considered to assess the impact of the asset being unavailable (i.e. offline, unusable, etc) for 5
days. When all categories have been assessed, the maximum score on any one category is the overall final rating.
Criticality Assessment Matrix (categories: Quality, Finance, Targets, Safety,
Reputation, Litigation; the rating is the score for the consequence level):

Catastrophic (Rating 5)
Quality: Gross failure to meet professional standards.
Finance: >£5M.
Targets: >10% off planned. Fail to meet national target >2 quarters by >20%.
Safety: Multiple fatalities. Multiple permanent injuries.
Reputation: Full Public Enquiry.
Litigation: Criminal prosecution – no defence. Executive officer fined or imprisoned.

Major (Rating 4)
Quality: Failure to meet national standards.
Finance: £500K - £5M.
Targets: 5% - 10% off planned. Fail to meet national target >2 quarters. Red light.
Safety: >9 days extended hospital stay. Fatality. Permanent disability.
Reputation: National media >3 days of coverage. Questions in the House.
Litigation: Criminal prosecution – no defence. Executive officer fined or imprisoned.

Moderate (Rating 3)
Quality: Repeated failures to meet internal standards or follow protocols.
Finance: £50K - £500K.
Targets: 2% - 4% off planned. Fail to meet national target 2 quarters. Amber light.
Safety: >3 days absence. 3-8 days extended hospital stay. RIDDOR or MDA reportable. Semi-permanent harm.
Reputation: National media <3 days coverage. Department executive action.
Litigation: Class action. Criminal prosecution. Prohibition notice.

Minor (Rating 2)
Quality: Single failure to meet internal standards or follow protocol.
Finance: £5K - £50K. Claim below excess.
Targets: 1% off planned. Fail to meet national target 1 quarter.
Safety: Cuts/bruises. <3 days absence. <2 days extended hospital stay.
Reputation: Regulator concern. Local press <7 days of coverage.
Litigation: Civil action – no defence. Improvement notice.

Negligible (Rating 1)
Quality: None, or minor non-compliance.
Finance: None or <£5k.
Targets: None or N/A.
Safety: None or minor cuts/bruises.
Reputation: None or within unit. Local press <1 day coverage.
Litigation: None or minor out-of-court settlement.
8. DATA BREACHES AND NEAR-MISSES
8.1. Reporting and Recording
8.1.1. Staff provide the Trust’s first line of defence against information
loss and theft, and therefore all staff must be able to spot
common activities where information could be lost, and know
what to report. A breach does not necessarily need to involve the
loss or disclosure of personal information in order to be treated as
a data security incident. These are the different categories that
breaches and incidents can fall into:
Breaches of the data protection principles / confidentiality law
Identifiable data lost in transit
Lost or stolen hardware
Lost or stolen paperwork
Data disclosed in error
Data uploaded to website in error
Non-secure disposal – hardware
Non-secure disposal – paperwork
Technical security failing
Corruption or inability to recover data
Unauthorised access or disclosure
Technology-related / cyber incidents
Phishing email
Denial of service attack
Social media disclosure
Website defacement
Malicious damage to systems
Cyber bullying
8.1.2. All data breaches and near-misses must be formally reported as
soon as possible via Datix. Where the breach involves the
inappropriate destruction or alteration, loss/theft or unauthorised
disclosure (or access to) data, the Information Governance
Department must be informed immediately (ideally via
telephone) to assess the severity of the breach and support with
identifying the remedial action required.
8.1.3. Data protection legislation draws a distinction between a “data
controller” and a “data processor” in order to recognise that not
all organisations involved in the processing of personal data have
the same degree of responsibility. All contracts with third parties
should have clear clauses and expectations regarding the
reporting of data breaches. In the case of any data breach, the
identified data controller must be notified as soon as possible.
8.1.4. The Trust is required to document all data breaches and near-
misses, including details of the breach itself, its effects and the
remedial action taken. This information is centrally recorded within
the Trust’s adverse incident reporting system (Datix).
8.1.5. Wards and departments will also conduct an information risk and
security audit as part of their annual Workplace Assessment of
Safety & Health (“WASH”), and any areas of concern are
followed up by the Information Governance Department. Further
guidance can be found in the Trust’s Data Protection and
Information Sharing Policy.
8.2. Action, Investigation and Remediation
8.2.1. It is important to deal with breaches quickly, effectively and
appropriately. A strategy for dealing with the breach should be
formulated as soon as possible, in conjunction with the
Information Governance Department and any other appropriate
departments (such as IT, HR etc), which should include:
a) a recovery plan (including damage limitation);
b) assessing the risks associated with the incident;
c) informing the appropriate people/organisations that the
incident has occurred; and
d) reviewing and updating information security to avoid further
incidents.
8.2.2. All breaches and near-misses should be fully investigated, and
staff should be able to identify any lessons which can be learnt
and any measures which can be put in place to avoid the
breach happening again. This might involve a change in process
or equipment, or introducing additional data security or check
mechanisms. Other possible remediation options can be
discussed with the Information Governance Department.
8.3. Serious Incidents Requiring Investigation
8.3.1. The Information Governance Department will review and grade
all data breaches which are recorded in Datix. This assessment is
based on the latest guidance available, and takes into
consideration a number of factors, including the number of
individuals affected, and the volume and type of data breached.
Data breaches will be graded as either:
Level 2 (Serious Incident Requiring Investigation (SIRI))
Level 1 (Actual breach but below SIRI threshold – medium risk)
Level 0 (Actual breach but below SIRI threshold – low risk)
Near-Miss (there was a potential breach but it was avoided)
Not Applicable (the incident was reported in Datix but relates
to a breach by a third party which does not involve the Trust)
8.3.2. Data protection legislation requires that any data breach which
results in a high risk to an individual’s rights or freedoms must be
reported to the Information Commissioner’s Office, NHS Digital
and the Department of Health. These incidents will be graded as
SIRI Level 2 by the Information Governance Department, and
formally reported via the Incident Reporting Tool from NHS Digital.
8.3.3. The initial notification of a SIRI must happen within 72 hours of the
Trust becoming aware of the breach, and thereafter updates can
be provided as available. The initial 72 hour reporting period
begins when the breach is identified by staff, not when the
Information Governance Department are informed, so it is
imperative that staff report breaches without undue delay.
8.3.4. As a minimum, the Trust must provide the following information as
part of its formal report on SIRI Level 2 breaches:
A description of the nature of the breach;
The categories of personal data affected;
Approximate number of data subjects affected;
Approximate number of personal data records affected;
Name and contact details of the Data Protection Officer;
Likely consequences of the breach;
Any measures that have been or will be taken to address the
breach, including mitigation; and
The information relating to the data breach, which may be
provided in phases.
8.4. Notifying Data Subjects
8.4.1. Where the breach is graded as a Level 2 SIRI (i.e. the breach is
likely to result in high risk to the rights and freedoms of the data
subject), the Trust must inform the affected data subjects without
undue delay, unless the Trust can demonstrate that:
It has “implemented appropriate technical and
organisational protection measures, and those measures
were applied to the personal data affected by the personal
data breach, in particular those that render the personal
data unintelligible to any person who is not authorised to
access it, such as encryption”; or
It “has taken subsequent measures which ensure that the
high risk to the rights and freedoms of data subjects is no
longer likely to materialise”; or
Any communication to the data subjects on an individual
basis “would involve disproportionate effort”. If this situation
occurs, the Trust is expected to issue general public
communications “whereby the data subjects are informed in
an equally effective manner”.
8.4.2. As part of the Trust’s Duty of Candour requirements and its
commitment to promote a culture of being open and
transparent, it is encouraged that data subjects should be
notified of all data breaches involving their information, regardless
of whether it was externally reportable.
8.4.3. Where it is expected/agreed that data subjects are to be
contacted, this communication must describe the nature of the
breach in clear and plain language, and should include the
information specified in 8.3.4. A template letter is available on the
intranet, and further guidance can be sought from the
Information Governance Department, as required. Copies of all
communications should be recorded in Datix.
9. DATA SECURITY AND PROTECTION STANDARDS
From April 2018, a new ‘Data Security and Protection Toolkit’ (DSP Toolkit) will
replace the current Information Governance Toolkit. The new DSP Toolkit will
reflect a revised mandatory framework for all health and care organisations in
order to demonstrate that they are meeting their statutory obligations on data
protection and security, and that they are effectively implementing the ten
data security standards, recommended as part of the Caldicott 3 Review by
Dame Fiona Caldicott (National Data Guardian for Health and Care). Third
party organisations contracted to provide services under the NHS Standard
Contract must also comply with these requirements.
The information in 9.1 – 9.3 below demonstrates the Trust’s commitment to the
requirements of the Data Security and Protection Requirements 2017/18.
9.1. Leadership Obligation One – People:
9.1.1. DSP Requirement #1: There must be a named senior executive to
be responsible for data and cyber security in the Trust.
This responsibility sits with the Trust’s Senior Information Risk Owner
(SIRO) and Finance Director, Mark Orchard.
9.1.2. DSP Requirement #2: In 2017/18, the Trust is required to achieve at
least level two on the current IG Toolkit. From 2018/19,
compliance will be measured against the new DSP Toolkit.
The Trust will endeavour to meet all requirements of the current
and any replacement toolkit, and this is closely monitored by the
Trust’s SIRO, Information Governance Department and the Audit
& Governance Committee, with regular assurance reports.
9.1.3. DSP Requirement #3: Prepare for the introduction of the General
Data Protection Regulation (GDPR) in May 2018.
The Trust is already working through an action plan to ensure its
readiness for the GDPR. This is closely monitored by the Trust’s
SIRO, Information Governance Department and the Audit &
Governance Committee, with regular assurance reports.
9.1.4. DSP Requirement #4: All staff must complete appropriate annual
data security and protection training.
The Trust has rolled out updated Information Governance and
Data Security Awareness Level 1 training for all staff. This is an
annual requirement for all staff and volunteers in the Trust. Further
details can be found in the Trust’s IG Training Plan and TNA.
9.2. Leadership Obligation Two – Processes:
9.2.1. DSP Requirement #5: The Trust must act on advisories from the
Care Computer Emergency Response Team (CareCERT), where
relevant; confirm within 48 hours that plans are in place to act on
high severity advisories, and evidence this through CareCERT
Collect; and identify a primary point of contact for the receipt of
advisories and the coordination of any responses.
This element is managed by the Trust’s IT service. Further
information regarding the process for dealing with CareCERT
advisories is available from the IT Service Desk. Additional
guidance is also available via the CareCERT Information Sharing
Portal: https://nww.carecertisp.digital.nhs.uk/
9.2.2. DSP Requirement #6: A comprehensive business continuity plan
must be in place to respond to data and cyber security incidents.
Please see section 8 of this policy for details regarding the
procedures for dealing with data breaches. Further information
regarding the process for dealing with cyber breaches is also
available within the Trust’s IT Security Policy.
9.2.3. DSP Requirement #7: Staff across the Trust should report all data
security breaches and near-misses, and relevant breaches must
be reported to CareCERT.
Please see section 8 of this policy for details regarding the
procedures for dealing with data breaches.
9.3. Leadership Obligation Three – Technology:
9.3.1. DSP Requirement #8: The Trust must identify unsupported systems
and have a plan in place to remove, replace or actively mitigate
or manage the risks associated with unsupported systems.
This element is managed by the Trust’s IT service. Further
information is available from the IT Service Desk.
9.3.2. DSP Requirement #9: The Trust must undertake an on-site cyber
and data security assessment (if invited to do so by NHS Digital),
and then act on the outcome and any recommendations, and
share this with our commissioner (Dorset CCG).
Any such assessment will be managed by the IT Department
and/or Information Governance Department (as appropriate),
with overall monitoring by the Trust’s SIRO and the Audit &
Governance Committee, with outcome reports and action plans.
9.3.3. DSP Requirement #10: The Trust should ensure that any supplier of
IT systems and the system(s) provided have the appropriate
certification (depending on the system nature and criticality).
This element is managed by the Trust’s IT service. Further
information is available from the IT Service Desk. This also links to
the Privacy Impact Assessment (PIA) process (see 6.2).
10. IMPLEMENTATION AND REVIEW
10.1. Consultation and Implementation
10.1.1. This policy has been drafted by the Information Governance
Department in accordance with the Trust’s statutory obligations
and responsibilities under the relevant legislation.
10.1.2. This policy will be ratified by the Information Governance Steering
Group (IGSG) prior to launch, publication and use within the
organisation. In accordance with the IGSG Terms of Reference,
minutes from all IGSG meetings are reviewed by the Hospital
Executive Group (HEG).
10.1.3. All policies are published on the staff intranet and communication
is circulated to all staff when new policies or changes to existing
policies are released. Staff will also be made aware of existing
policies, procedures and legislation via annual IG training.
10.2. Policy Review Arrangements
10.2.1. This policy will be reviewed by the Information Governance
Department on at least a three-yearly basis. An earlier review
may be instigated where there is a change in legislation or
practice, or new guidelines are published which impact on the
particulars of this policy.
10.2.2. Any major updates or changes to this policy will be ratified by the
Senior Information Risk Owner, Caldicott Guardian and/or the
IGSG (as appropriate) prior to implementation. The application
and use of this policy will be monitored by the Information
Governance Department and IGSG as part of its formal
arrangements.
10.3. Monitoring Effectiveness
10.3.1. All areas of the Trust are required to complete an annual
Information Risk and Security Audit to demonstrate their
compliance against current policies and procedures. These audits
will highlight if any information has been put at risk through
deliberate/inadvertent misuse of systems (electronic and paper),
or as a result of weak, non-existent or poorly applied controls. All
completed audits are reviewed by the Information Governance
Department, and follow-up action taken as necessary. Audit
statistics are provided to the IGSG on a regular basis.
10.3.2. The Trust will also monitor the effectiveness of this policy via the
use of Privacy Impact Assessments (See 6.2) and the review of
incidents and near-misses recorded within Datix (see Section 8).
APPENDICES
APPENDIX A: EQUALITY IMPACT ASSESSMENT
Date of Assessment: February 2018
Assessor Details: Information Governance Officer
Assessment Area: Information Risk and Security Policy
Purpose, Aims and Intended Outcomes: See Sections 1 and 2 of the policy for
details regarding the purpose, aims and intended outcomes of the policy.
Target Group(s) and Impact/Influence: This policy is applicable to all staff and
there is no anticipated detrimental impact on any equality group. This policy
makes all reasonable provision to ensure equal access to all staff. There are no
statements, conditions or requirements that disadvantage any particular group
of people.
Assessment of Aspects/Activities Relevant to Equality:
Accessibility
All IG policies and guidance are accessible for all
managers and staff via the intranet and copies are
obtainable from the IG Team.
Consultation and Communication
This policy will be ratified by the IGSG prior to launch,
publication and use within the organisation. All policies
are communicated widely and openly across the
organisation, will be accessible to everyone via the
intranet and as required staff will be supported in their
application of the policy.
Implementation
The application of this policy supports the Trust’s duties
under the Equality Act 2010. The organisation will have
due regard for the need to eliminate unlawful
discrimination, promote equality of opportunity and
provide for good relations between all people of all
diverse groups.
Monitoring and Review
This policy will be reviewed by the IG Department on at
least a three-yearly basis, unless there is a change in
legislation or practice, or new guidelines are published
which necessitate an earlier review. Any major updates
or changes will be ratified by the SIRO, Caldicott
Guardian and/or IGSG prior to implementation. The
application and use of this policy will be monitored by IG
and the IGSG as part of its formal arrangements.