Date posted: 24-Feb-2022
Information Governance Refresher – Data Security Awareness

This module has been designed to:

– Help Trust staff use and share information in a lawful and secure way.

– Promote good practice that should be adapted to the working environment.

By the end of this module you will understand:

– The principles and terminology of information governance (IG).

– Basic data security / cyber security terminology.

– The importance of data security to patient/service user care.

– That law and national guidance requires personal information to be protected.

And be able to:

– Explain your responsibilities when using personal information.

– Identify some of the most common data security risks and their impact.

– Identify near misses and incidents and know what to report.

– Distinguish between good and poor practice when using personal information.

– Apply good practice in the workplace.


Safe data, safe care

• Data Security has always been important.

• More complex now technology is so central to delivery of health and care.

• Use technology so that it does not pose unacceptable risks to the Trust, its staff, or its patients.

• We all have a duty to protect people’s information in a safe and secure manner.

• Good information underpins good care. Patient and service user safety is supported by confidentiality, integrity and accessibility.

• Patients / service users must feel assured that their information is used appropriately.

• You can help with this by following the good practice set out in this module.

• Technology enables us to deliver a better quality of care.

• Information can be shared more quickly.

• Powerful analysis can be performed to improve the future of care.

Confidentiality, Integrity, Availability

• Confidentiality is about privacy and ensuring information is only accessible to those with a proven need to see it.

• Integrity is about information stored in a database being consistent and un-modified.

• Availability is about information being there when it’s needed to support care.

Types of information

In health and care settings, there are various types of personal information. It is important to be able to identify these different types of information so that they can be appropriately protected when they are used and shared.

In health and care settings, you might see:

• Confidential information - is disclosed in confidence to staff who are providing health and care – patients expect that this information will be treated confidentially. It can include names and addresses, as well as a person’s sensitive personal information. Other information can also be confidential information, such as employee references and some commercial information (for example, about the organisation).

• Sensitive Information - all health and care information is sensitive, but patients and service users may consider particular types of information to be highly sensitive, for example, information relating to their mental or sexual health, religion, or ethnicity.

• Personal information – information about someone is 'personal' when it identifies an individual. It may be about living or deceased people, including patients, service users and members of staff.

• A person’s name and address are clearly personal information when presented together, but an unusual name may, by itself, enable an individual to be identified.

Personal information may be recorded in hard copy or digital form – for example, photographs, videos/DVDs, whiteboards, health and care records, personnel files, on a computer – or it may be information simply known by others (such as the care team).

• Pseudonymised information - is information in which an individual’s identity is disguised by using a unique identifier (that is, a pseudonym). This does not reveal their ‘real world’ identity, but allows the linking of different data sets for the individual concerned.

• Anonymised information - this information does not identify an individual and cannot reasonably be used to determine their identity. Anonymisation requires the removal of name, address, full post code and any other detail or combination of details that might support identification, either by itself or when used with other available information.

Anonymised information does not identify a person, so it cannot be personal or confidential.
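The difference between pseudonymised and anonymised information described above can be made concrete in code. The following is an added illustration, not part of the Trust's module: it pseudonymises constructed sample records with a keyed HMAC of the NHS number (so the same person gets the same token in every data set and the sets can be linked, while the token cannot be turned back into an identity without the key), and anonymises them by removing name, address, postcode and NHS number and generalising date of birth to an age band. The sample records, the secret key and the choice of a ten-year age band are all assumptions made for the example.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample records (not real patients; NHS numbers are made up).
RECORDS: List[Dict[str, str]] = [
    {"name": "Ada Example", "address": "1 Sample Street", "postcode": "SN1 1AA",
     "nhs_number": "9999999991", "dob": "1984-03-02", "condition": "asthma"},
    {"name": "Bo Example", "address": "2 Sample Street", "postcode": "SN1 1AB",
     "nhs_number": "9999999982", "dob": "1971-11-20", "condition": "diabetes"},
]

# A second constructed data set about the same people, keyed by NHS number.
APPOINTMENTS: List[Dict[str, str]] = [
    {"nhs_number": "9999999991", "clinic": "respiratory"},
    {"nhs_number": "9999999982", "clinic": "endocrinology"},
]

# Direct identifiers: removed from both pseudonymised and anonymised outputs.
DIRECT_IDENTIFIERS = ("name", "address", "postcode", "nhs_number")

# Hypothetical secret, held only by the team allowed to re-identify people.
PSEUDONYM_KEY = b"constructed-secret-key-not-for-real-use"


def pseudonym(nhs_number: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC of the NHS number. The same person always gets the same
    token, so records from different data sets can be linked. A keyed HMAC
    is used rather than a plain hash because a plain hash of a 10-digit
    number could be reversed by hashing every candidate number."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: Dict[str, str]) -> Dict[str, str]:
    """Strip direct identifiers and replace them with the pseudonym token."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudonym"] = pseudonym(record["nhs_number"])
    return out


def age_band(dob: str, as_of_year: int = 2022) -> str:
    """Generalise a date of birth to a ten-year band (illustrative choice)."""
    age = as_of_year - int(dob[:4])
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(record: Dict[str, str]) -> Dict[str, str]:
    """Strip direct identifiers and generalise the date of birth; the result
    carries no token, so it cannot be linked back to the individual."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k != "dob"}
    out["age_band"] = age_band(record["dob"])
    return out


def contains_direct_identifiers(record: Dict[str, str]) -> bool:
    """Check used before release: True if any direct identifier survived."""
    return any(k in record for k in DIRECT_IDENTIFIERS)


def link(set_a: List[Dict[str, str]], set_b: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Join two pseudonymised data sets on the shared token."""
    by_token = {r["pseudonym"]: r for r in set_a}
    return [{**by_token[r["pseudonym"]], **r}
            for r in set_b if r["pseudonym"] in by_token]


if __name__ == "__main__":
    clinical = [pseudonymise(r) for r in RECORDS]
    visits = [pseudonymise(r) for r in APPOINTMENTS]
    for row in link(clinical, visits):
        print(row)
    for r in RECORDS:
        print(anonymise(r))
```

Note that the pseudonymised output is still personal information in the sense the module uses, because whoever holds the key can re-identify the person; only the anonymised output, with no token and no direct identifiers, falls outside it.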

The Value of Information

It is important to comply with the law to protect personal information, because health and care information is valuable.

• Poor security can cause personal, social and reputational damage.

Some of the common ways that information is lost:

– Paper records dropped in corridors or left in meeting rooms

– Emails or faxes sent to the wrong address/number

– Computers or mobile phones stolen or lost

– Clicking on links to fake websites (phishing)

– Insecure storage or disposal of information


Common law duty of confidentiality

• Information that individuals disclose in confidence should not be used or shared further without a lawful reason. The lawful reasons are:

– Where there is a statutory basis or legal duty to disclose information.

– Where there is an overriding public interest justification.

– The consent of the individual.

• A decision to disclose information without consent should be made by senior staff, or referred to the Information Governance team or the Data Protection Officer.

• Please read the Information Disclosure Policy for further guidance.

The Caldicott Principles

• Principle 1: Do you have a justified purpose for using confidential information?

• Principle 2: Is it absolutely necessary to do so?

• Principle 3: Are you using the minimum information required?

• Principle 4: Are you allowing access to this information on a strict need-to-know basis only?

• Principle 5: Do you understand your responsibility and duty to the subject with regards to keeping their information secure and confidential?

• Principle 6: Do you understand the law and are you complying with the law before handling the confidential information?

• Principle 7: Do you understand that the duty to share information can be as important as the duty to protect confidentiality?

Confidentiality – Good practice

We all have a legal duty to respect privacy and to use personal information appropriately. The main aspects of confidentiality good practice are:

Informing people - You should inform patients and staff that you are accessing and using their information. Clearly explain how you will use personal information – for example, on the website, in a leaflet or on a poster. Give people a choice about how their information is used and tell them whether that choice will affect the services offered to them.

Meet expectations – only use personal information in ways that people would reasonably expect.

Sharing information for care - Sharing with the right people can be just as important as not disclosing to the wrong person.

– Check that the individual understands what information will be shared and has no concerns.

– Ensure that data protection, record keeping and security best practices are met.

– Respect individuals' objections to any proposed information sharing.

Sharing information for non-care purposes - In many cases, you should obtain consent if you want to use someone's personal information for non-care purposes. However, if there is a risk of immediate harm to the patient/service user or to someone else, and you cannot find an appropriate person with whom to discuss the information request, you should share the information.

At the first opportunity afterward, you should inform the person responsible for Information Governance in your organisation so they can follow up the legal basis for sharing.

Ask: Find out who is responsible for managing information sharing requests in your organisation.

Advice: Discuss the request with this person.

Action: Provide the information only when authorised to do so.

Data Protection

Under data protection legislation, individuals have rights in relation to their information which include:

• To be told what their personal information is being used for.

• To see and/or have a copy of their personal information.

• To have inaccuracies corrected.

• To have objections to processing considered in some circumstances.

Good Practice

• Follow your organisation’s policies and procedures.

• There should be no surprises - handle people’s information as you’d expect others to handle your personal information.

• Be open, honest and clear about:

o Why you need personal information.

o What you intend to do with it.

o Who you may share it with.

o How the individual can obtain a copy.

Remember - patients and staff have a right to see information recorded about them. So make sure you:

• Record clearly so that others can rely on your entries.

• Be accurate and keep information up-to-date.

• Follow your organisation’s rules when disposing of personal information.

• Note the impact of the General Data Protection Regulation (GDPR).

The Freedom of Information Act 2000

The Trust, as a public authority, has to comply with the Freedom of Information Act.

The Act allows anyone from anywhere in the world to make a written request for information held by a public body.

The Act only applies to information that already exists in a recorded form, therefore you do not have to create new information in order to respond to a request.

Handling Freedom of Information (FOI) requests

What you need to know:

• Handling FOI requests is a technical skill that should be managed by trained staff. You should not try to handle a request yourself unless you have been trained to do so.

• Many requests for information will simply be ‘business as usual’ (BAU) requests. If in doubt, ask.

You do have some responsibilities:

• The FOI Team is responsible for managing requests in the Trust.

• You may be asked by the FOI Team to provide information in response to a request – you will be given a deadline for this.

• Send any FOI requests to the FOI Team immediately, to comply with the statutory 20 working day turnaround.

– Contact details are: Email: [email protected] or Tel: 01793 605675

Record keeping - Good practice

Poor quality information presents a risk to patients, service users, staff members and the organisation. It is vital that:

• Records are accurate and up to date.

• You know ‘what and why’ needs recording in the correct system/record.

• Information is checked.

• Errors are reported.

• Information is recorded and complete.

• Information is recorded at the time events occur.

• Patient records include NHS number.

• Duplicate records are not created.

Seek help if you are uncertain.

Social engineering

Those who want to steal data may use tricks to manipulate people to give access to valuable information. This is called social engineering.

• On the phone: A social engineer might call and pretend to be a fellow employee or a trusted outside authority (such as law enforcement or an auditor).

• In the office: A very common tactic used by social engineers is asking to have the door held, or claiming to have mislaid their door pass.

• Online: Social networking sites have opened a whole new door for social engineering scams. Criminals are stealing passwords, hacking accounts and posing as friends on social media for financial gain.

Criminals have set up call centres that make calls to health organisations or social care providers. They ask for your username, password, email address or other details about where you work. They may ask you to click on a malicious web or email link. The IT department will not need to ask these types of questions.

Stay vigilant and challenge suspicious behaviour – request proof of identification.

Data Security

Email phishing and malware

Email, though efficient, has risks:

• Criminals use email attachments and links to trick people into providing information.

• Email attachments may be executable files that contain malicious software (malware).

This is known as phishing; the emails aim to trick you into making a mistake.

• If you receive an email requesting sensitive information that looks as though it's from a colleague - double check by phoning the colleague.

• Do not open links or attachments in unsolicited emails.

• Do not install any new software unless authorised.

• Select the email, right-click it and mark it as junk.

• Block suspicious email domains.

Remember - macros are a series of actions that a program such as Microsoft Excel may perform to work out some formulas, but they can be programmed to install malware.

Report suspicious emails to the IT department

Malicious software (malware) can:

• Be on your computer and evade detection.

• Make your computer run slowly or perform in unusual ways.

The IT department will:

• Ensure that you have up-to-date antivirus software installed.

• Assist if you suspect your computer is not performing as it normally does.


Data Security - Good practice

Setting passwords

• Use strong passwords on all your devices to prevent unauthorised access - use different passwords for each account.

• Follow simple guidelines to create strong passwords, e.g. at least 8 characters in length, a mix of uppercase and lowercase letters, include special (non-alphabetical) characters such as $, &, * etc. Any service/system that uses the PC/Windows logon name and password will require this, but it is strongly recommended that this is used for other Trust systems.

Locking Devices

• Lock your device as soon as you stop using it.

• Set passcodes on mobile phones, laptops, PCs and tablets.

• If you see a colleague's device open and unlocked, lock it for them and gently remind them to do so in future.

• On corporate mobile devices - activate the lock function.

Tip: select the Windows Key + L on your keyboard to quickly lock your laptop or PC.

Untrusted Websites

• Be vigilant when you visit a website that is declared "untrusted".

• If a web browser states that you are about to enter an untrusted site, be very careful – it could be a fake phishing website that has been made to look genuine.

• A browser may display a red padlock or a warning message stating ‘Your connection is not private’.

Data Security - Good practice

Mobile Devices

• Read, understand and comply with the Trust’s policy for IT Equipment usage.

• Store your mobile IT equipment, such as laptops or tablets securely when not in use.

• Report any lost or stolen equipment to the IT department immediately and follow the Trust’s incident reporting procedure.

• Ensure that digital assets and passes are handed back if you are leaving the organisation.

• Use work-provided devices for personal use in accordance with Trust policy.

Don’t:

• Use your own device for business purposes unless authorised to do so.

• Connect your device to unknown or untrusted networks – for example, public Wi-Fi hotspots.

• Allow unauthorised personnel, friends or relatives to use your work-provided device.

• Attach unauthorised equipment of any kind to your work-provided IT equipment.

• Remove or copy personal information, including digital information (such as by email, on a USB stick), off-site without authorisation.

• Leave digital assets where a thief can easily steal them, for example in your car.

• Install unauthorised software or download software or data from the internet.

• Disable the antivirus protection software – this will be updated on a regular basis.

Good practice - Confidential Information

Doors

• Take care to close doors behind you and don’t prop them open if they are fire doors, or there is restricted access.

• Don’t be afraid to challenge anyone in your area not showing an ID badge, or that you don’t recognise – staff should implement a sign-in procedure for visitors and escort them whilst they are on the premises.

Disposal

• Take special care to securely dispose of:

– Paper records that contain confidential information.

– IT equipment.

• Follow the Trust’s processes for secure disposal.

Clear Desks

• Do not leave information in unsecure locations.

• Leave paperwork and files secure before you leave for the day.

• Having a clear desk means reduced potential for leaving sensitive information unattended, reducing the risk of a breach.

Breaches and incidents

This section covers identifying breaches and incidents, reporting breaches and incidents, and avoiding breaches and incidents.

It covers two categories:

– A breach of Data Protection legislation and/or confidentiality law.

– Technology-related incidents.

The top three most reported incidents related to breaches are:

– Information sent to the wrong place – this may be a letter, or a fax or an email.

– Lost or stolen paperwork.

– Failure to apply appropriate technical and organisational measures to prevent unauthorised or unlawful processing and/or accidental loss, destruction or damage to personal data.

Technology-related incidents:

Incidents may not always involve human error; they can sometimes include such things as:

Website defacement - an attack on a website that changes the content of the site or a webpage. It may also involve creating a website with the intention of misleading users into thinking that it has been created by a different person or organisation.

Social media disclosure - the disclosure of confidential or sensitive information by an organisation’s employees through a social media site.

Denial of service attack - an attempt to make a machine or network resource unavailable to its intended users.

Malicious damage to systems - what happens when a person intentionally sets out to corrupt or delete electronic files, information or software programs.

Reporting Incidents

You have a responsibility to:

Know how to report data security incidents:

• If you know or suspect that an incident has taken place, register it in line with the Trust’s Information Security Incident Reporting procedure.

• Notify the IG Team as soon as possible, so they can assess how serious the incident is and start an investigation. Any incidents which are reported as a breach of confidentiality via the Trust’s incident reporting system will be notified to the IG Team.

• Report suspected incidents and any ‘near misses’ - lessons can often be learned from them – they can be closed or withdrawn when the full facts are known.

Read the Trust’s Information Security Incident Reporting Procedure.

• A data incident takes place, or you suspect that a breach of confidentiality has occurred or is likely to have occurred.

• Notify the right team about the incident (usually the IT department or IG team).

• In your notification you should include when and where it happened and what business activity you were conducting when it happened.

• Near misses, where data was nearly lost or where there was nearly a breach, should also be reported.

Postal breaches – most often occur when two letters are sent to the same patient, or a report is enclosed relating to the wrong patient. Remember that patients will be concerned that their information has been disclosed to another person and this may result in media attention and a potential financial penalty for the Trust should the patient choose to complain.

Please remember to:

• Address personal information to a named person.

• Consider using a signed for delivery service.

• Send case notes, or copies of case notes, in robust approved packaging using an approved courier or signed for service.

Email breaches – most often occur when emails are sent to the wrong person, or a mailing list is used which discloses the email addresses of all recipients.

Before emailing any external parties:

• Check whether it is acceptable to send personal and/or confidential information by email.

• Confirm the accuracy of the email addresses.

• Check that everyone on the copy list has a genuine ‘need to know’.

• Use the minimum identifiable information (e.g. NHS number).

• Check encryption requirements.

Where email needs to be sent to an unsecure recipient:

• Check that they understand and accept the risks, or

• Check whether you can encrypt the email.

Avoiding breaches and incidents

Phone breaches – most often occur when staff inadvertently disclose information to a caller who may not have a need to know, for example, a bogus caller, or someone who the patient may not wish to have their information disclosed to.

Remember:

• Always check the identity of the caller before disclosing personal information.

• It is not advisable to leave messages on voicemail or answerphone, unless you are sure that the phone is used solely by the person you are trying to contact.

• Check whether the information can be provided - if in doubt, tell the enquirer you will call them back.

Fax breaches – most often occur when faxes are sent to the wrong fax number. If it is absolutely necessary to send information by fax, if possible:

• Send the information to a ‘safe haven’, or phone the fax recipient to inform them you are going to send confidential information.

• Double check the fax number and use pre-programmed numbers.

• Use a fax cover sheet.

• Request confirmation that the fax was received.

• Remove the original document from the fax machine.

Avoiding breaches and incidents


Module summary

Having completed this session, you should understand the principles and terminology of information governance (IG), basic data security / cyber security terminology, the importance of data security to patient/service user care and that law and national guidance requires personal information to be protected.

You should be able to explain your responsibilities when using personal information, identify some of the most common data security risks and their impact, identify near misses and incidents and know what to report, distinguish between good and poor practice when using personal information and apply good practice in the workplace.

Further Information:

The Information Commissioner’s Office is the UK's independent body set up to uphold information rights. To find out more about them and the recently updated data protection regulations, please visit: https://ico.org.uk/

General enquiries relating to information governance can be made on 01793 605675 (ext 5675) or by email to: [email protected]

Freedom of Information: Email: [email protected]

Caldicott Guardian – Medical Director: Tel: 01793 60 4182

Health Records Manager: Tel: 01793 60 4717

The next step is to take an assessment on this module once you have read and understood all the material in the training slides. The final pass mark is 80% - Good Luck!
