Information Security Policy (Information Security Management)
Information Governance Committee
Policy Established: July 2016. Policy Review Period/Expiry: August 2021. Last Updated: August 2019.
This policy does / does not apply to Medical/Dental Staff
(delete as appropriate)
UNCONTROLLED WHEN PRINTED
Version Number
• July 2016; Pollycarp Batwaula; July 2016; July 2016; August 2016; August 2016
• 1.1 Update to reflect the new Information Security Policy Framework 2018; Pollycarp Batwaula; August 2019; September 2019; November 2019
Document Control. Document: Information Security Policy; Version: 1.1; Version Date: August 2019; Policy Manager: Information Governance Officer (ISM); Page 1 of 34; Review Date: August 2021
Table of Contents
1. INTRODUCTION (page 2)
2.2. SENIOR INFORMATION RISK OWNER (SIRO) (page 3)
2.3. INFORMATION ASSET OWNER (IAO) (page 4)
2.4. INFORMATION ASSET ADMINISTRATOR (IAA) (page 4)
2.5. CLINICAL MANAGERS, HEADS OF DEPARTMENT AND GENERAL MANAGERS (page 5)
3. INFORMATION SECURITY OBJECTIVES (page 5)
4. INFORMATION SECURITY MANAGEMENT SYSTEM (page 7)
4.1. SCOPE (page 7)
4.2. PLANNING (page 8)
4.3. RESOURCES (page 8)
4.5. DOCUMENTATION (page 9)
6. INFORMATION SECURITY RISK TREATMENT (page 9)
7. PERFORMANCE EVALUATION (page 10)
8. INTERNAL AUDIT (page 10)
11. APPENDIX 5 POLICY APPROVAL CHECKLIST (page 12)
12. APPENDIX 6 EQUALITY IMPACT ASSESSMENT (page 14)
1. Introduction
The aim of the NHS Tayside (NHST) Information Security Policy is to set out how the organisation will address the requirements of the NHS Scotland Information Security Policy Framework (ISPF) 2018, which incorporates legal and compliance requirements for the Network and Information Systems Directive 2018 (NIS Directive) and the security elements of the General Data Protection Regulation 2018 (GDPR) (https://www.healthca.scot/wp-content/uploads/2019/05/Information-Security-Policy-Framework-ISPF.pdf), so that the risks relating to the confidentiality, integrity and availability of all types of written, spoken and computer information are managed.
Managing information risk is a core responsibility of the Chief
Executive Officer for each legal entity (the Board).
There are of course information risks which impact across both
Boards and healthcare services and it is the responsibility of the
Chief Executive Officer of NHSS and ultimately the Cabinet
Secretary for Health and Sport to set out the common information
security components that must be in place in each Board so that
information risks are managed in a consistent and effective way and
are in line with the national strategies and risk appetite.
Scottish Government is the Competent Authority (CA) responsible for regulatory decisions and enforcement under the NIS Directive 2018.
The common components (which include specific controls, NHSS standards, resources, processes and leadership) are aligned as closely as possible with the International Standards ISO-27001 and ISO-27002.
NHS Tayside (NHST) is committed to conforming to ISO-27001 as far as practicable, so as to create the necessary trust required by an ever wider network of information sharing partners, such as central and local government, who wish to gain assurance that the information security management systems operating in all NHS Boards are broadly equivalent. Additionally, NHST will address the information security and cyber resilience actions of the Scottish Government Public Sector Action Plan (PSAP), which include Cyber Essentials certification. Assurance reporting on NHS Tayside’s compliance with the requirements of the ISPF will be provided at standing committee level.
The objectives of NHS Tayside’s Information Security Policy are to preserve:
• Confidentiality - Access to data and information shall be confined to those with appropriate authority.
• Integrity - Data and information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
• Availability - Data and information shall be available and delivered to the right person, at the time when it is needed.
• Accountability - Information that is delivered cannot be repudiated by the sender.
The aim of this policy is to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by NHS Tayside by:
• Ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other policies.
• Describing the principles of security and explaining how they shall be implemented in the organisation.
• Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities.
• Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of day-to-day business.
• Protecting information assets under the control of the organisation.
The policy applies to NHST information assets, whether spoken or
written, data that is stored on servers or related components,
printed matter or displayed data which is owned or under NHST
management.
Specific policy objectives include:
• To provide a set of rules, measures and procedures aimed at ensuring confidentiality, integrity and availability throughout NHST in line with NHST standards and obligations.
• To ensure that information is protected from unauthorised access, disclosure, modification or loss and that, above all, the confidentiality of patient data is not compromised.
• To meet its legal and other requirements and to satisfy its obligations to the NHS, patients and staff, NHST must use effective security measures to safeguard its information.
• To implement, in consultation, such security measures as are appropriate, updating them whenever necessary.
• To set out the potential consequences of non-compliance with the provisions of this policy.
• To make direct reference to supporting Policy and Guidance documents.
1. Governance
NHS Tayside Board shall demonstrate leadership and commitment with respect to information security management by ensuring that the NHS Tayside Information Security Policy, Security Objectives and Information Security Management System (ISMS) are established, supported at Board level and deliver legal compliance.
Leadership and Commitment ensures that:
• There is effective organisational security management led at board level and articulated clearly in corresponding policies.
• The approach and policy relating to the security of networks and information systems supporting the delivery of essential services are set and managed at board level.
• Regular board discussions on the security of network and information systems take place, based on timely and accurate information and informed by expert guidance.
• The importance of effective information security management and of conforming to the information security management system requirements is communicated.
1.1. Roles and Responsibilities
Ultimate responsibility for the secure operation of all systems used in NHS Tayside rests with the Chief Executive. This responsibility is delegated to all staff involved in, or using, information and information systems.
Specific roles are:
1.2. Senior Information Risk Owner (SIRO)
The role of Senior Information Risk Owner (SIRO) in NHS Tayside is carried out by the Board Secretary, with responsibility for this delegated through the Chief Executive.
This senior-level post is charged with ensuring that:
• the Board-level information security policy, security objectives and information security management system (ISMS) are established
• the resources needed for the effective operation of the ISMS are available and supported by top management
• a Board-level information security policy that is appropriate to the needs of the organisation and aligned with the NHSS information security policy framework is developed
• the performance of the ISMS is reported to the Board at regular intervals
The SIRO relies on Information Asset Owners (IAOs) to manage information risks at an operational and system level in NHS Tayside; these roles are described in the NHS Tayside Information Security Policy.
1.3. Information Security Officer/Manager (ISO) role
This is a designated permanent role of Board Information Security Officer/Manager that encompasses all information risks and not just ‘IT Security’.
1.4. Security of Networks and Information Systems Officer
A Board-level individual with overall accountability for the security of networks and information systems, who drives regular discussion at board level.
1.5. Information Asset Owner (IAO)
An Information Asset Owner is:
• a senior individual involved in running the relevant business –
the Business Owner
• a senior individual with responsibility for ensuring that risks
and vulnerabilities associated with the Information Assets they
manage are monitored
• a senior individual who has the authority to make decisions
concerning the asset at the highest level
• responsible for identifying, understanding and addressing risk to
the information assets they “own”
• not necessarily the creator or the primary user of the asset, but
they must understand its value to the organisation
• accountable to the SIRO for providing assurance on the security
and use of their information assets
1.6. Information Asset Administrator (IAA)
This role within each service area or department is responsible for:
• acting as liaison between their service area or department and eHealth and IG
• preparing a System Security Policy (SSP), a risk management document and Information Governance documents for systems within their remit
• ensuring that all user responsibilities in respect of information security are understood and properly exercised
• managing access to particular systems and information and maintaining records of authorised system users
• administering user security procedures requiring central control, including the administration of user credentials
• reviewing and monitoring day-to-day security controls and incidents and identifying unauthorised and unusual use
• advising system users on security procedures, including briefing new staff
• maintaining records of security incidents and reporting them to the IAO and IG Manager/IG Governance Officer (Information Security Management)
• periodically reviewing error or incident logs and reporting frequent occurrences to the IG Manager/IG Governance Officer (Information Security Management)
• being accountable to the IAO for providing assurance on the operational security and use of their information assets
1.7. Clinical Managers, Heads of Department and General Managers
Managers will support the IAO in ensuring that the information systems relied on in their area are effectively managed and operated.
Managers must ensure that their staff are provided with information systems training as appropriate.
Managers must ensure that, where the administration of departmental systems has been delegated to a member of their staff:
• the role and scope of the IAA is agreed with the relevant parties
• the appointee undergoes relevant training
• procedures and protocols are developed, documented and implemented by the IAA in line with the requirements of this policy.
The application of the above structure, at all levels, represents arrangements to accommodate substantial systems with wide-ranging coverage.
However, the tasks and responsibilities still have to be taken on when operating smaller systems, procedures and processes. This may require some alteration to the structure to allow for practicalities.
2. Information Security Objectives
NHS Tayside shall establish high-level Information Security Objectives for the entire organisation.
The Information Security Objectives shall be aligned with:
• the NHS Tayside eHealth Strategy, so that the information security function and ISMS support our strategic aims
• the NHSS/SG Information Security Policy Framework
• the NHSS/SG Information Governance Improvement Plan
• the set of specific, measurable actions relating to information security to be undertaken at national level over a defined period as part of the NHSS eHealth Programme
• NHS Tayside-specific actions that need to be undertaken, with the planning, resources, time-scale, persons responsible and how/when results are to be evaluated
NHS Tayside’s Information Security Objectives are:
Information Security Policy
• To provide management direction and support for information security in accordance with the business requirements and relevant laws and regulations.
Organisation of Information Security
• To establish a management framework to initiate and control the implementation and operation of information security within the organisation.
• To ensure the security of teleworking and mobile devices.
Human Resource Security
• To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
• To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
• To protect the organisation’s interests as part of the process of changing or terminating employment.
Asset Management
• To identify organisational assets and define appropriate protection responsibilities.
• To ensure that information receives an appropriate level of protection in accordance with its importance to the organisation.
Access Control
• To ensure authorised user access and to prevent unauthorised access to systems and services.
• To make users accountable for safeguarding their authentication information.
• To prevent unauthorised access to systems and applications.
Cryptographic Controls
• To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
Physical and Environmental Security
• To prevent unauthorised physical access, damage and interference to the organisation’s information and information processing facilities.
• To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.
Operations Security
• To ensure correct and secure operation of information processing facilities.
• To ensure that information and information processing facilities are protected against malware.
• To protect against loss of data.
• To record events and generate evidence.
• To ensure the integrity of operational systems.
• To prevent the exploitation of technical vulnerabilities.
• To minimise the impact of audit activities on operational systems.
Communications Security
• To ensure the protection of information in networks and its supporting information processing facilities.
Information Transfer
• To maintain the security of information transferred within the organisation and with any external entity.
System Acquisition, Development and Maintenance
• To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
• To ensure that information security is designed and implemented within the development lifecycle of information systems.
• To ensure the protection of data used for testing.
Supplier Relationships
• To ensure protection of the organisation’s assets that are accessible by suppliers.
• To maintain an agreed level of security and service delivery in line with supplier agreements.
Information Security Incident Management
• To ensure a consistent and effective approach to the management of information security incidents, including communications on security events and weaknesses.
Information Security - Business Continuity Management
• Information security continuity shall be embedded in the organisation’s business continuity management systems.
• To ensure availability of information processing facilities.
Compliance
• To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and/or any security requirements.
• To ensure that information security is implemented and operated in accordance with the organisational policies and procedures.
3. Information Security Management System
NHS Tayside shall establish, implement, maintain and continually improve an Information Security Management System (ISMS).
‘System’ in this context does not mean an ‘IT system’ but rather the dynamic, continuing and circular business system which starts with planning, then building, then acting, then checking, then planning again.
3.1. Scope
NHS Tayside has business relationships with an array of partners, ranging from local authorities, health and social care partnerships and the third sector to universities and commercial suppliers.
Although there should be information sharing agreements with partners/suppliers, and they may share IT infrastructure and other computing resources, it would simply not be practical for NHS Tayside’s ISMS to cover all of this.
Instead, NHS Tayside’s ISMS and associated policies will be defined to cover all the operations of NHS Tayside.
If NHS Tayside’s ISMS is to encompass the operations of other organisations (e.g. because of a shared service agreement with GPs or a health and social care partnership) then this needs to be documented and resourced separately and accordingly.
Where two separate organisations enter into information sharing agreements, both will need to agree on where one or more ISMS interface (and where any differences in information security policy might lead to differences in risk management).
Policy Coverage
This policy covers all aspects of operational information handling within NHS Tayside, including (but not limited to):
• Patient/Client/Service User information
• Staff related information
This policy covers all aspects of operational information handling and processing, including (but not limited to):
• Structured record systems (paper and electronic)
• Transmission of information (Fax, Email, post and telephone)
This policy covers all information systems purchased, developed, managed or utilised by NHS Tayside, and any individual (directly employed or otherwise by NHS Tayside) accessing information ‘owned entirely or partially’ by NHS Tayside.
This policy applies to:
• all information systems purchased, developed, managed, supplied under contract or utilised by NHS Tayside
• all data and information sources, networks and applications utilised by NHS Tayside
• all staff members of NHS Tayside, irrespective of location, carrying out their duties when employed by or acting on behalf of NHS Tayside
3.2. Planning
Having established the scope and contours of the ISMS, NHS Tayside shall:
• Establish the factors that provide opportunities for the setting up and running of the ISMS and ensure that these are exploited (e.g. mature risk management processes in other areas such as finance, or existing eHealth staff trained in ITIL or another methodology which uses documented processes).
• Establish the risks that may prevent the ISMS from being established, working as intended and being able to achieve continual improvement (e.g. lack of resourcing, cultural issues, an organisational structure that has grown up organically, or other factors that would prevent the smooth running of the ISMS machine).
• Consider how far the ISMS needs to work beyond the current information security function and requires interaction with resource elsewhere (eHealth, records management etc.).
• Take action to address these risks at executive level.
3.3. Resources
NHS Tayside shall determine and provide the resources needed for the establishment and continual improvement of the ISMS. NHS Tayside shall:
• Be clear that the roles in information security are part of a professional specialist discipline and career home (analogous to ICT, finance, procurement, statistics etc.) and not a generalist NHS administration role.
• Ensure that, as a minimum, there is the designated permanent role of Board Information Security Officer/Manager that encompasses all information risks (not just ‘IT Security’) and is of appropriate grade and standing.
• Ensure that the appointed person(s) are competent and have the necessary specialist training and experience. If this is not possible on Day 1 then the Board SIRO needs to bear the risk and take action to ensure that the necessary competence is acquired as soon as possible (and for this to be documented).
• Provide on-going training and support for information security personnel (i.e. mentoring, resource to gain necessary professional accreditation and qualifications) and document this.
• Ensure that the personnel are able to participate fully in national-level communities such as the National Cyber Security Centre (NCSC) via CiSP registration, the Scottish Government Cyber Resilience Team, IG and Information Security Fora, governance structures (e.g. Public Benefit and Privacy Panel) and accreditation work (e.g. Scottish Wide Area Network and services used across Boards) so that national-level information risks are addressed in an effective way.
3.4. Staff awareness and communications
NHS Tayside shall put in place the means to conduct internal and external communications and awareness relevant to its information security management system. The outcome should be that:
• The Board-level information security management policy and associated security objectives are freely available to all employees, interested parties and the wider public.
• Board-level policies and guidance are available to all staff and interested parties digitally (e.g. via the Intranet).
• There is a form of mandatory induction for all new personnel in regard to NHS Tayside information security policy, and this is followed.
• There is a process to enable information security updates, advice and other content to be made available in a timely manner.
3.5. Documentation
NHS Tayside shall hold documented information relating to the design and effective running of its ISMS. This information is:
• To be held in a digital format in the Board-approved corporate records management system.
• To be held as one or more discrete functions within a file plan/business classification scheme and managed according to NHS Tayside’s records retention schedules.
• To be easily accessible to persons requiring it to support the smooth running of the ISMS, kept up to date and subject to security and access permissions commensurate with its sensitivity.
4. Information Risk Assessment
NHS Tayside shall identify key assets and their owners and document them in a high-level Information Asset Register (IAR). Impact on assets needs to be assessed in terms of confidentiality, integrity and availability.
NHS Tayside shall use the NHSS information security risk assessment template and associated process and the national impact levels. This will ensure that repeated information security risk assessments produce consistent, valid and comparable results across all Boards. In particular:
• The business context must be fully understood prior to assessment.
• Risk owners and asset owners must be identified.
• Plausible worst-case scenarios and business impact must be understood and documented, according to the national impact scale 1-5, should overall risks to confidentiality, integrity and availability materialise.
• Vulnerabilities and likelihood must be assessed.
• Overall risk analysis must use the criteria above.
• Analysed risks must be prioritised and summarised into a format that can be easily understood, for risk owners to agree subsequent risk treatment.
Information security risk assessments shall be performed at planned intervals, when significant changes are proposed, or where recommended in the wake of significant information security incidents. Such assessments can be at organisational level, function level, or project or service-specific level.
5. Information Security Risk Treatment
NHS Tayside shall define and consistently use an information security risk treatment process that:
• Selects appropriate information security risk treatment options based on the information risk assessment results.
• Determines all the controls that are necessary to implement the selected information security risk treatment options.
• Ensures that all the reference control objectives and control types cited in ISO-27001 are considered, and verifies that none have been omitted.
• Ensures that the relevant NHSS national-level mandatory controls and standards are implemented, including those of the Scottish Wide Area Network (SWAN).
• Ensures that significant incidents are reported as per national policy so that lessons-learned reports feed into treatment plans.
• Ensures that the formal process of NHSS national accreditation is followed in regard to systems/services that require it. It is the responsibility of NHS Tayside or other organisations using the systems/services to complete the risk management and accreditation document set for the NHSS-wide accreditor.
• Considers all controls in NHSS National Guidance and implements them as far as practicable.
• Considers all the controls cited in ISO-27002 that support ISO-27001.
• Produces a statement of applicability that contains the necessary controls and the justification for inclusions and exclusions, and records whether each is actually implemented.
• Considers any other control objectives and types, over and above those in ISO-27001/2, that have applicability to the Board.
• Formulates an information security risk treatment plan.
• Obtains the risk owners’ formal approval of the information security risk treatment plan and acceptance of the residual information security risks. Where non-NHSS organisations and suppliers are involved, the Board shall seek agreement on which party is responsible for discharging the different components of the treatment plan.
NHS Tayside must implement the agreed information security treatment plans and retain documented evidence.
6. Performance evaluation
NHS Tayside shall routinely evaluate information security performance and the effectiveness of the information security management system, and be clear about:
• What is to be monitored and measured, including security processes, controls and analysis of incidents.
• The methods for evaluating, so that there are comparable and reproducible results.
• The personnel who undertake the evaluation and how this is communicated to the SIRO so that any necessary action can be taken.
7. Internal audit
The Information Governance and Cyber Assurance Committee has agreed that the impact assessment will be carried out by internal audit and an internal work group comprising the IG&CA Team, Risk Management, eHealth, TCOE and the Business Unit. NHS Tayside shall conduct internal audits at planned intervals that provide information on whether the information security management system conforms to the requirements of the ISMS as planned and implemented.
Persons carrying out audits shall be qualified, objective and impartial. Such an audit can be incorporated into the internal audit function covering other areas such as finance.
8. Management review and improvement
The SIRO, in conjunction with the executive management team, should review the Board’s information security management system at planned intervals to ensure its continuing suitability and effectiveness. This will be measured against the Board-level and NHSS Information Security Policy Framework. Such review will include consideration of:
• Status of actions from previous management reviews.
• Changes in external and internal issues which are relevant.
• Non-conformities in the ISMS and preventative/corrective actions.
• Monitoring and measurement results.
• Audit results.
• Results of high-level or significant risk assessments and risk treatment plans.
• Feedback from interested parties, including patients.
• Significant security incident reports at Board and national level.
The outputs of the management review shall include decisions related to continual improvement, opportunities and any changes needed to the information security management system.
The Board, acting through the CEO, SIRO and senior management team, will react when nonconformity occurs (over and above any regular audit and management review) and take action to deal with it, including changes to the information security management system.
The Board recognises the circular nature of the ISMS: to plan, act, check and plan again so as to make continual improvement.
10. Appendix 5 Policy Approval Checklist
This form must be completed by the Policy Manager, and this checklist must be completed and forwarded with the policy to the Executive Team, Clinical Quality Forum or Area Partnership Forum for approval and to the appropriate Committee for adoption.
POLICY AREA: Information Governance
POLICY MANAGER: Information Governance Officer (Information Security Management)
Why has this policy been developed? To comply with the NHSS Information Security Policy Framework 2018. NHS Tayside has a legal obligation to comply with the Data Protection Act 2018. This policy sets out the framework in which NHS Tayside will operate to ensure compliance with the Data Protection Act 2018, the Network and Information Systems Directive 2018, and the security elements of GDPR.
Has the policy been developed in accordance with or related to legislation? Please give details of applicable legislation. Data Protection Act 2018; Network and Information Systems Regulation 2018; Freedom of Information (Scotland) Act 2002.
Has a risk control plan been developed and who is the owner of the risk? If not, why not? No.
Who has been involved/consulted in the development of the policy? NHST Information Governance Committee.
Has the policy been Equality Impact Assessed not to disadvantage the following groups (including Age, Disability, Homeless People and Staff)? Yes for each group listed.
Does the policy contain evidence of the Equality Impact Assessment
Process?
Yes. Equality & Diversity Impact Assessment included in papers
to IG Committee and Finance & Resources Committee.
Is there an implementation plan? Immediate.
Which officers are responsible for implementation? Responsibilities
are set out in this policy and are supplementary to those set out
in the Information Governance Policy.
When will the policy take effect? Immediate
Who must comply with the policy/strategy? All NHS Tayside
staff.
How will they be informed of their responsibilities? Notification
of approval will be sent to all NHS Tayside employees through
Staffnet and routine communication channels, Vital Signs and
Spectra.
Is any training required? The policy indicates that there is awareness and training material available on Staffnet. This material has been publicised separately.
If yes, attach a training plan Online modules available.
Are there any cost implications? Yes
If yes, please detail costs and note source of funding Online
Learning environment and module development.
Who is responsible for auditing the implementation of the
policy?
See responsibilities for implementation, as above
What is the audit interval? As above
Who will receive the audit reports? As above
When will the policy be reviewed and provide details of policy
review period (up to 5 years)
Two years after approval or following significant changes in
legislation, guidance and/or service provision
Information Security Officer
ADOPTION COMMITTEE TO CONFIRM: Finance & Resources
Committee
11. Appendix 6 Equality Impact Assessment
EQUALITY IMPACT ASSESSMENT
Assurance Committee
Section 1 Part A – Overview
Name of Policy, Service Improvement, Redesign or Strategy: Information Security Policy
Lead Director or Manager: Board Secretary
What are the main aims of the Policy, Service Improvement, Redesign or Strategy? The aim of this policy is to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by NHS Tayside.
Description of the Policy, Service Improvement, Redesign or Strategy – What is it? What does it do? Who does it? And who is it for?
The Policy describes the requirements of NHS Scotland Information
Security Policy Framework (ISPF) 2018.
The policy is relevant to all employees in their handling of any
data/information.
Information is a vital asset, both in terms of the clinical
management of individual patients and the efficient management of
services and resources throughout NHS Tayside. It plays a key part
in clinical governance, service planning and performance
management. It is, therefore, of paramount importance that
information is protected from unauthorised access, disclosure, or
loss and above all confidentiality of patient data is not
compromised.
What are the intended outcomes from the proposed Policy, Service Improvement, Redesign or strategy? – What will happen as a result of it? Who benefits from it and how?
To meet its legal and other requirements and to satisfy obligations to the NHS, patients and staff, NHST must use effective security measures to safeguard its information and ensure that the confidentiality of patient data is not compromised.
Manage the risks relating to the confidentiality, integrity and
availability of all types of written, spoken and computer
information.
Name of the group responsible for assessing or considering the equality impact assessment? This should be the Policy Working Group or the Project team for Service Improvement, Redesign or Strategy.
Equality Impact Assessment has been considered for this policy and the conclusion is that no further assessment is required for the following reason. The Data Protection Policy and the Network and Information Systems Regulations outline the framework that the organisation has in place for all employees to work within. Compliance with the policy does not impact directly on any individual person or group of people irrespective of whether they have any protected characteristic.
The Information Governance and Cyber Assurance committee members are:
• Senior Information Risk Owner (SIRO) – Chair. The SIRO is responsible for Information Governance in NHS Tayside and for ensuring that Information Governance arrangements are in place and managed throughout the organisation.
• Head of Information Governance and Cyber Assurance – Vice Chair. The Head of Information Governance and Cyber Assurance has responsibility for Information Governance systems and processes and to provide the assurance for implementing Information Governance.
• Medical Director – Caldicott Guardian. Provide direction and leadership in line with the Caldicott Guidelines regarding the use of clinical information within NHS Tayside.
• Chairman of the Local Medical Committee (LMC) / GP Sub Committee
• Employee Director
• Health Records Manager
• Head of Laboratory Services
• Representative from eHealth
• Representative from Human Resources
• Representative from Business Unit
• Representative from Finance Directorate
• Representative from Nursing and Midwifery and AHP Directorate
Regular attendees:
• Information Governance Officer (Information Security Management)
• Corporate Records and Web Manager
• Information Governance Officer (Data Protection)
SECTION 1 Part B – Equality and Diversity Impacts
Which equality group or Protected Characteristics do you think will be affected?
Item Considerations of impact Explain the answer and if
applicable detail the impact Document any Evidence/Research/Data to
support the consideration of impact
Further actions required
1.1 Will it impact on the whole population? Yes or No. If yes will it have a differential impact on any of the groups identified in 1.2. If no go to 1.2 to identify which groups
No, NHS Tayside. This policy applies to all NHS Tayside employees.
None
1.2 Which of the protected characteristic(s) or groups will be affected?
• Minority ethnic population (including refugees, asylum seekers & gypsies/travellers)
• Women and men
• People in religious/faith groups
• Disabled people
• Older people, children and young people
• Lesbian, gay, bisexual and transgender people
criminal justice system
• Staff
• Socio-economically deprived groups
Staff who are covered by any of the protected characteristics
1.3 Will the development of the policy, strategy or service improvement/redesign lead to
• Discrimination
• Unequal opportunities
• Poor relations between equality groups and other groups
• Other
No
SECTION 2 – Human Rights and Health Impact. Which Human Rights could be affected in relation to article 2, 3, 5, 6, 9 and 11. (ECHR: European Convention on Human Rights)
adequate nutrition, and safe drinking water
• Suicide
• Risk to life of / from others
• Duties to protect life from risks by self / others
• End of life questions
None
2.2 On Freedom from ill-treatment (Article 3, ECHR)
• Fear, humiliation
• Intense physical or mental suffering or anguish
• Prevention of ill-treatment
• Dignified living conditions
health law
• Review of continued justification of detention
• Informing reasons for detention
None
2.4 On a Fair Hearing (Article 6, ECHR)
• Staff disciplinary proceedings
• Malpractice
• Right to be heard
• Procedural fairness
• Effective participation in proceedings that determine rights such as employment, damages / compensation
None
2.5 On Private and family life (Article 6, ECHR)
• Private and Family life
• Physical and moral integrity (e.g. freedom from non-consensual treatment, harassment or abuse)
• Personal data, privacy and confidentiality
• Sexual identity
• Autonomy and self-determination
• Relations with family, community
• Participation in decision making, supported participation and decision making, accessible information and communication to support decision making
• Clean and healthy environment
2.6 On Freedom of thought, conscience and religion (Article 9, ECHR)
• To express opinions and receive and impart information and ideas without interference
None
2.7 On Freedom of assembly and association (Article 11, ECHR)
• Choosing whether to belong to a trade union
None
None
2.9 Protocol 1 (Article 1, 2, 3 ECHR)
• Peaceful enjoyment of possessions
None
SECTION 3 – Health Inequalities Impact
Which health and lifestyle changes will be affected?
3.1 What impact will the function, policy/strategy or service change have on lifestyles? For example will the changes affect:
• Diet & nutrition
• Exercise & physical
• Other
None
3.2. Does your function, policy or service change consider the impact on the communities? Things that might be affected include:
• Social status
• Employment
None
3.3 Will the function, policy or service change have an impact on the physical environment? For example will there be impacts on:
• Living conditions
• Working conditions
• Pollution or climate change
• Accidental
None
3.4 Will the function, policy or service change affect access to and experience of services? For example
• Healthcare
• Social services
• Education
• Transport
• Housing
None
3.5 In relation to the protected characteristics and groups identified:
• What are the potential impacts on health?
• Will the function, policy or service change impact on access to health care? If yes - in what way?
• Will the function or policy or service change impact on the experience of health care? If yes – in what way?
N/A
SECTION 4 – Financial Decisions Impact
How will it affect the financial decision or proposal?
• Is the purpose of the financial decision for service improvement/redesign clearly set out
• Has the impact of your financial proposals on equality groups been thoroughly considered before any decisions are arrived at
N/A
4.2
• Is there sufficient information to show that “due regard” has been paid to the equality duties in the financial decision making
• Have you identified methods for mitigating or avoiding any adverse impacts on equality groups
• Have those likely to be affected by the financial proposal been consulted and involved
N/A
5. Involvement, Consultation and Engagement (IEC)
1) What existing IEC data do we have?
• Existing IEC sources
• Original IEC
• Key learning
2) What further IEC, if any, do you need to undertake?
N/A
6. Have any potential negative impacts been identified?
• If so, what action has been proposed to counteract the negative impacts? (if yes state how)
For example:
• Is there any unlawful discrimination?
• Could any community get an adverse outcome?
• Could any group be excluded from the benefits of the function/policy? (consider groups outlined in 1.2)
• Does it reinforce negative stereotypes? (For example, are any of the groups identified in 1.2 being disadvantaged due to perception rather than factual information?)
N/A
gather further evidence/data?
N/A
outcomes be monitored?
9. Recommendations
State the conclusion of the Impact Assessment
10. Completed function/policy
• Who will sign this off?
• When?
Performance and Resources Committee
Conclusion Sheet for Equality Impact Assessment
Positive Impacts
No
N/A
From the outcome of the Equality Impact Assessment what are your
recommendations? (refer to questions 5 - 10) N/A
Is there an implementation plan?