Date post: 24-Jul-2020
Page 1: Information Management Governance Policy… · The Information Governance Secretary is responsible for maintaining effective IMG related records and administration. Responsibilities

Information Management Governance Policy

Prepared by: (signature of author) Endorsed by: (Manager)

Name: S Parsons Name: S Martin

Title: Information Systems Manager Title: Chief Operations Officer

Date: 09/05/2018 Date: 09/05/2018


____________________________________________________

____________________________________________________ Information Management Governance Policy 2

Contents

1 Introduction .................................................................................................................................. 4

1.1 Purpose of this document ........................................................................................................ 4

1.2 Scope of this document............................................................................................................ 4

1.3 Audience ................................................................................................................................... 5

2 Legislation ..................................................................................................................................... 6

3 Roles and responsibilities ............................................................................................................. 7

3.1 Information Management Governance Committee ................................................................ 7

3.2 Information Management Governance Committee Chair ....................................................... 7

3.3 Data Stewards .......................................................................................................................... 7

3.3.1 Appointment of Data Stewards ..................................................................................... 8

3.4 Data Custodian ......................................................................................................................... 8

3.4.1 Appointment of Data Custodians................................................................................... 8

3.5 Information Governance Secretary .......................................................................................... 9

3.6 Authorised Users ...................................................................................................................... 9

3.7 All staff...................................................................................................................................... 9

4 Information classification framework ........................................................................................ 10

4.1 Classification framework ........................................................................................................ 10

4.2 Classification labelling ............................................................................................................ 12

4.3 Derivative information ........................................................................................................... 13

4.4 Filing and naming conventions .............................................................................................. 13

5 Information management .......................................................................................................... 14

5.1 Information collection ............................................................................................................ 14

5.2 Information use ...................................................................................................................... 16

5.3 Information disclosure ........................................................................................................... 17

5.4 Delegation of access ............................................................................................................... 18

5.5 Review of access permissions ................................................................................................ 18

5.6 Information storage ............................................................................................................... 19

5.6.1 Physical (paper) information ........................................................................................ 19

5.6.2 Electronic information ................................................................................................. 19

5.7 Retention of information ....................................................................................................... 21


5.8 Information archival ............................................................................................................... 21

5.9 Information disposal .............................................................................................................. 21

5.10 Information integrity .............................................................................................................. 22

6 Risk management ....................................................................................................................... 24

6.1 Risk assessment framework ................................................................................................... 24

6.2 Data breach and response ..................................................................................................... 26

7 Compliance and policy review .................................................................................................... 27

7.1 Compliance assessments........................................................................................................ 27

7.2 Audit logs ................................................................................................................................ 27

7.3 Policy review .......................................................................................................................... 27

8 Education and training ................................................................................................................ 28

8.1 Education and training ........................................................................................................... 28

8.2 New starters ........................................................................................................................... 28

9 Additional Resources .................................................................................................................. 29

Appendix 1 ......................................................................................................................................... 30

A. Information collection process .............................................................................................. 30

B. Information access process .................................................................................................... 32

C. Information disclosure process .............................................................................................. 34

D. Risk reporting procedure ....................................................................................................... 36

E. Data breach response process ............................................................................................... 38

Appendix 2 ......................................................................................................................................... 40

A. Summary RACI ........................................................................................................................ 40

Appendix 3 ......................................................................................................................................... 41

A. Acronyms ................................................................................................................................ 41

B. Glossary of Terms ................................................................................................................... 41

Appendix 4 ......................................................................................................................................... 43

A. Template response to organisations inappropriately submitting data to WAPHA ............... 43


1 INTRODUCTION

The WA Primary Health Alliance (WAPHA) is a planning and commissioning body dedicated to building a robust and patient-centred primary health and social care system to ensure improved health equity for all Western Australians. WAPHA operates WA’s three Primary Health Networks (PHNs): Perth North, Perth South and Country WA, with the objective of increasing the efficiency and effectiveness of primary care services for patients and improving coordination of care. Information is one of WAPHA’s most valuable organisational assets, enabling effective planning and commissioning through data-driven insights.

1.1 Purpose of this document

The purpose of this Information Management Governance Policy is to document the way in which WAPHA’s information is managed in order to effectively protect and best utilise information assets. This Policy document is to ensure:

• Alignment to WAPHA’s Information Management Strategy;

• Alignment with relevant legislation, policies, procedures and standards;

• Confidence in the data used to inform decisions;

• Effective assurance and control of data management processes;

• Clear roles and responsibilities in relation to information management; and

• Protection of the data through documented policies and procedures, and ongoing communication, education and monitoring.

1.2 Scope of this document

The scope of this Policy covers the actions to secure, manage and distribute WAPHA information and any data stored and transmitted, regardless of storage location, format or medium. In alignment with the Australian Institute of Health and Welfare [1], this Policy uses the following definitions of data and information collections:

• Data: ‘factual information used as a basis for reasoning, discussion or calculation.’ Data can be stored in structured formats (e.g. databases), semi-structured formats (e.g. spreadsheets) and non-structured formats (e.g. documents).

[1] Australian Institute of Health and Welfare – Data Governance Framework, 2014


• Information Collections: Individual sets of data may be called ‘data collections’, ‘data assets’ or ‘data holdings’. Data comprising a data collection may come from various sources. They may be: collected or created internally by an organisation; obtained from, or held on behalf of, single or multiple external organisations or governments; or merged from a number of other data collections.

This Policy applies to all WAPHA personnel: employees, contractors, students, volunteers and agency personnel. This Policy also applies to external organisations and their personnel who have been granted access to WAPHA Information and Communications Technology (ICT) infrastructure, services and information assets. This document covers the following:

• Roles and responsibilities;

• Information classification framework;

• Information management;

• Risk management framework for IM;

• Compliance;

• Communication and training;

• Additional resources; and

• High level processes for key IM activities.

Together these elements comprise WAPHA’s IM Governance Policy: the roles responsible for key information management processes, the classification levels of information, and how compliance is monitored. Information protection must be commensurate with the sensitivity of the information and be in accordance with the classifications defined in the Information Classification Framework section of this Policy and with the WAPHA ICT Security Policy. This Policy does not cover the protocols related to ICT infrastructure and the cyber security framework.

1.3 Audience

This document contains key information for all WAPHA staff and in particular those responsible for making data-related decisions. Further, it provides guidance to the organisations and agencies that provide data to, or receive data from, WAPHA, as well as its partners, stakeholders and end-users of WAPHA data and information.


2 LEGISLATION

All data containing personal information is managed in accordance with the Information Privacy Principles from Section 14 of the Privacy Act 1988 (Cth).

Other relevant legislation includes:

• Freedom of Information Act 1992 (WA)

• National Health Act 1953 (Cth)

• Health Services Act 2016 (WA)


3 ROLES AND RESPONSIBILITIES

This section outlines a number of roles in relation to Information Management and outlines the responsibilities for each. A full RACI breakdown is provided in Appendix 2 (Responsible, Accountable, Consulted and Informed).

3.1 Information Management Governance Committee

The Information Management Governance (IMG) Committee is responsible for directing the effective and efficient management of the WAPHA information assets in alignment with organisational priorities. They are responsible for ensuring the appropriate security measures are developed, endorsed, instituted and monitored. For more details of the Committee, refer to the IMG Committee Terms of Reference. Other responsibilities include:

• Appointment of Data Stewards;

• Management of Extreme and High rated risks;

• Authorising the disclosure and access of Highly Sensitive and high value information assets to external entities; and

• Issuing external communications related to Data breaches.

3.2 Information Management Governance Committee Chair

The IMG Committee Chair is responsible for providing leadership and direction to the Committee and for ensuring that the Committee fulfils its responsibilities of aligning Information Management with WAPHA’s priorities.

3.3 Data Stewards

Data Stewards are responsible for ensuring that a data source/information collection is developed, maintained and utilised in accordance with the strategic priorities of the organisation. This includes authorising access to, use of and disclosure of data from the collection for clearly defined purposes that align with organisational priorities and statutory obligations, as outlined in the Information Management section of this Policy. Responsibilities include:

• Setting the strategic direction for the data collection and ensuring that development of an information collection is aligned and delivered to serve organisational objectives;

• Ensuring, prior to the release of information, that any risks with potential to damage WAPHA, an external party or individual, have been considered;

• Ensuring the use, disclosure and access to information meets any legislative and contractual arrangements under which WAPHA operates;

• Nominating and endorsing a Data Custodian;

• Authorising access and disclosure for the data source/collection;


• Informing relevant parties in the event of a data breach;

• Management of ‘Moderate’ rated IM risks;

• Maintaining a high level of business knowledge in order to assess risks and stakeholder sensitivities pertaining to information and provide risk mitigation direction; and

• Developing business cases for the establishment of new information systems or collections.

3.3.1 Appointment of Data Stewards

The Information Management Governance Committee is responsible for appointing all Data Stewards. Specific competencies include business knowledge, data management knowledge, facilitation and negotiation, and communication.

3.4 Data Custodian

Data Custodians are responsible for the day-to-day management of a data source/information collection. Responsibilities include:

• Identifying existing or overlapping information sources;

• Establishing information collection procedures and maintaining quality standards;

• Documenting data elements within data sources;

• Applying relevant classifications and labels to information;

• Preserving the integrity and security of the information by ensuring appropriate storage;

• Establishing protocols relating to, and ensuring, the access, use and disclosure of information in accordance with the relevant classification, legislation and contractual requirements, and Data Steward directives;

• Ensuring the safe and secure transmission of and/or access to information for authorised users;

• Archiving relevant records;

• Conducting or arranging periodic audit and compliance assessments;

• Communicating the information value and classification when the information is disclosed to another entity; and

• Maintaining a comprehensive understanding of the information source in order to address queries of access, validity and application to requests.

3.4.1 Appointment of Data Custodians

Data Custodians are responsible for the day-to-day management, as well as the ongoing operation and support, of given information collection(s). Establishing an individual to whom users can direct queries for each information collection facilitates greater trust in, and usage of, information, thereby driving WAPHA’s strategic priority to function as a data-driven organisation. The role of Data Custodian of information collections must be assigned to a position, rather than an individual, to ensure that any individual in the relevant position, be it acting or substantive, is able to exercise the responsibilities of the role. It is the responsibility of the Data Steward to assign data custodianship to the appropriate position based on the following criteria:

• Competence, skills and authority to discharge the custodianship responsibilities;

• Understanding of the relevant legislative requirements and policy frameworks; and

• Understanding of the business needs of information users.

Following the assignment of or change in custodianship duties, the relevant information set and collection details (title, description, position of Data Steward and Data Custodian, etc.) are added or updated in the WAPHA Information Register by the Information Governance Secretary.

3.5 Information Governance Secretary

The Information Governance Secretary is responsible for maintaining effective IMG related records and administration. Responsibilities include:

• Preparation and circulation of the IMG Committee meeting agenda;

• Documenting IMG Committee minutes and sending to IMC members; and

• Maintaining the Information Register.

3.6 Authorised Users

Authorised Users are those persons granted access to information collections. Authorised Users are responsible for ensuring the appropriate use of data in accordance with the accompanying agreements, policies and guidelines. They are responsible for ensuring that WAPHA information assets are used only for the purpose for which they were approved, and for maintaining the confidentiality and security of the information in accordance with the Information Classification Framework and associated policies and procedures.

3.7 All staff

It is the responsibility of all WAPHA staff to familiarise themselves with the relevant practices and legal requirements to ensure the security and integrity of information within their possession (Appendix 4 and 5 particularly). All members of staff must ensure that information (in electronic or non-electronic format) is classified appropriately and that the relevant security procedures pertaining to that classification are applied at all times. Staff are encouraged to discuss any classifications they believe to be inaccurate with the relevant Data Steward. All staff must familiarise themselves with the relevant policies, standards, processes and legislation.


4 INFORMATION CLASSIFICATION FRAMEWORK

Information assets are a valuable resource that must be actively managed to enable WAPHA’s commissioning activities as well as compliance with applicable legislation, confidentiality and privacy requirements. Information security methods must be commensurate with the sensitivity of the information. Information with higher levels of sensitivity must be treated with protection not afforded to publicly available information due to the serious damage that unauthorised disclosure could cause to WAPHA or external parties, including members of the public. An information classification facilitates the identification of such information sources and the relevant controls necessary to protect them. This section outlines the framework to be used for the classification of information WAPHA collects, stores, uses and discloses to meet its operational and strategic priorities.

4.1 Classification framework

The classification of information (as set out in Figure 1 below) considers sensitivity and risk to ensure the necessary minimum security controls are in place when an information asset is added to WAPHA’s information collection.

Figure 1: Information Classification Framework Hierarchy (from lowest to highest sensitivity): Public; Protected (Internal); Sensitive; Highly Sensitive.


Table 1: Information Classification Framework Descriptions

Classification: Highly Sensitive

Description: Information should have restricted access within WAPHA. Contains personally identifiable information (patient and/or clinician), research or enterprise information that, if released, could result in significant damage to WAPHA, be it reputational or contractual, or to external organisations or an individual. Access to and disclosure of information must be controlled and will only be granted to an individual or group through the approval of the relevant Data Steward in order to perform one’s duties or through legislative requirements. Examples:

• High risk information sources

• Identifiable patient/clinician data

• Selected service provider contracts

• Selected clinic/practice data

Classification: Sensitive

Description: Information containing hospital/practice/clinic identifiable information (not patient/clinician identifiable) and non-public information, including aggregated patient or provider information, research or organisational information. Disclosure could result in moderate reputational damage to WAPHA, external organisations or an individual. Examples:

• Moderate risk information sources

• Aggregated patient/clinician data

• Service Provider contracts

Classification: Protected (Internal)

Description: Information that is available to employees and authorised non-employees but not generally publicly available. Disclosure could cause minor or little direct impact to WAPHA, external organisations or individuals, but could raise concerns around data security within WAPHA. Examples:

• Minor risk information sources

• WAPHA policies and procedures

• Planning documentation

• Training manuals and documentation

• Internal communications

• Contact details

Classification: Public

Description: Information approved as suitable for public dissemination or deemed public by legislation or routine disclosure. Release of such information would have no adverse impact. Examples:

• Negligible risk information sources

• Public health information

• Public reports

• Marketing material

• Press announcements

Information should be classified by the relevant Data Custodian before being entered into WAPHA information systems and collections, as outlined in the Information Collection section of this document.

4.2 Classification labelling

Classification labels are used to facilitate the confidentiality and security of sensitive information. Clearly visible information classifications on the document or data set reduce the risk of mishandling and inappropriate disclosure. Considerations relating to labelling include that:

• Information assets classified as either Highly Sensitive or Sensitive must always be clearly labelled within the document content or document name.

• The Data Custodian is responsible for labelling information with the appropriate classification.

• It is recognised that some types of information will require special handling requirements in addition to those associated with the relevant classification. Such information sources are to be marked with a security caveat in addition to the classification, outlining necessary controls and conditions of use.

The information classification marking requirements are outlined in Table 2 below.

Table 2: Information classification labelling framework

Classification: Highly Sensitive

Marking requirements: Information must be clearly labelled either at the top or bottom of each page and within the file name. Hardcopy information should be clearly labelled at the top or bottom of each page.

Classification: Sensitive

Marking requirements: Information must be clearly labelled either at the top or bottom of each page and within the file name. Hardcopy information should be clearly labelled at the top or bottom of each page.

Classification: Protected (Internal)

Marking requirements: Documents and media should be labelled when distributing or sharing with an entity external to WAPHA.

Classification: Public

Marking requirements: Label these documents as ‘Public’ for easy reference.

4.3 Derivative information

In the event that WAPHA employees or authorised third parties generate or create new data sets based upon one or more existing information collections, it will be necessary to consider the classification of this new data set. This ‘derivative information’ could include, but is not limited to, an extract from a single source, a restatement of existing data, or a combination of existing information sources. Derivative information must be treated as a new information source, and the creators of derivative information must be aware of the risk associated with creating this new dataset. The classification of the dataset could feasibly differ from that of the source information collection and must be considered on a standalone basis. Combining datasets has the potential to increase the sensitivity of the data, whilst an extract of a Sensitive dataset could reduce the sensitivity if certain information was not included in the extract. In all instances, the Data Custodian(s) of the source information collection(s) will need to be consulted. The Custodian(s) will need to oversee the classification and labelling of the new data set, in accordance with the Information Classification Framework and the processes established elsewhere in this Policy.

4.4 Filing and naming conventions

Information filing and naming must be undertaken by the relevant Data Custodian in accordance with the WAPHA Naming Convention in order to ensure consistent conventions throughout the information collection. A folder is to carry the classification label of the highest security classification of the information it holds. If the classification of information to be added to a folder exceeds the folder’s current classification, then the Data Custodian must change the marking of the folder to be consistent with the information being added.


5 INFORMATION MANAGEMENT

WAPHA collects, accesses, stores, uses and discloses large volumes of data in order to support its commissioning of services, much of which is sensitive personal health information. Information is critical to WAPHA’s business functions and must be collected and disclosed with consideration of the business relevance, quality, cost and security of information. This section outlines the policy for managing and handling information, including collection, use, disclosure, access, retention and disposal.

5.1 Information collection

Collection is the creation, acquisition or capture of the information required by WAPHA in order to support business, operational and legislative requirements. Knowing what to collect and the methods for collating information into the information collection is critical in maintaining standardisation and security of WAPHA’s information resources. This section outlines the methods for:

• Formalising the establishment of new information collections;

• Ensuring new information collections are aligned to WAPHA’s priorities and cognisant of existing organisational information sources;

• Preventing the uncontrolled collection of information; and

• Ensuring the effective, efficient and accurate collection of information.

The following two key principles are intended to facilitate the collection of relevant, quality information for the purpose of developing WAPHA’s strategic and operational objectives and to minimise the effort spent collecting and managing unnecessary information.

Table 3: Key principles of information collection

Fit for purpose: Information should only be collected when there is a legitimate business purpose which is aligned to WAPHA’s strategic and operational priorities. The process should not generate duplicate information sources, and should serve to maximise the usefulness of information in relation to WAPHA’s business needs. WAPHA’s Information Register provides a listing of WAPHA’s information sources and should be used to detect duplication or gaps.

Effective and efficient: WAPHA should seek the minimum data requirement to make a material difference with minimal collection effort. Cost should be considered before commencing the development of new information collections, with consideration of alternative methods of information acquisition.

Table 4 outlines requirements for the effective and secure collection of WAPHA’s information resources. For further details concerning the process of collection, storage and disclosure of WAPHA’s information assets refer to the Appendix.

Table 4: Information collection requirements

Data governance: All information collections must be assigned a Data Steward and Data Custodian. Data Stewards are appointed by the Information Management Committee, while Data Custodians are nominated and endorsed by the relevant Data Steward.

Approval for collection: All new information collections must have gained the relevant approval before being entered into WAPHA systems. Additions to existing information sources require approval from the relevant Data Steward, while new information collections require approval from the Information Governance Committee.

Classification: All new information sources must be classified according to the Information Classification Framework before being entered into WAPHA information systems. Refer to page 10 for further information concerning the Information Classification Framework.

Security: Following classification, information must be afforded the applicable protection to prevent unauthorised access, use or disclosure throughout its lifecycle. Refer to the Information management section for further information concerning the applicable protection and controls.

Information Register: Following addition to WAPHA systems, the information must be logged in the Information Register with the associated information descriptors.

Notice to subjects: When collecting personal information, WAPHA is required by the Privacy Act 1988 to notify subjects of the types of information collected and the intended uses of that information.

Compliance with agreements of information use: Information collected from some third parties, including State and Federal governments, will be subject to requirements of use, disclosure, security, privacy and intellectual property as outlined in the relevant third party agreement. All access to and disclosure of third party information is to be strictly managed in accordance with the contract or agreement.

5.2 Information use

Information use refers to the communication or handling of information within WAPHA and applies to all information owned, created, collected, managed, stored and disseminated. For example a Data Custodian sharing information with another WAPHA employee is classified as use, as is the act of an employee undertaking analysis on information. This section outlines the adequate controls and practices which need to be adhered to by all users of WAPHA’s information resources. The core principles of information use are as follows:

• Need to know - Data Custodians must ensure users are granted the minimum requirements for information use to undertake their business role or for approved purposes;

• Specific and authorised - the information must not be used by person(s) other than the specified authorised person(s);

• Approved disclosure - authorised persons must not disclose information to any other person(s) without prior approval from the Data Custodian;

• Specified use - the information must only be used for the purpose specified. Changes to the purpose of the information use must first be approved by the Data Custodian;

• Secure and controlled use - the information must be protected by the appropriate security and controls at all times as required by the relevant classification; and

• Duration of access - the information must not be kept for longer than approved without additional approval from the Data Custodian.

In order to ensure that information within WAPHA is readily available to Authorised Users in a secure and controlled location, it is recommended that Data Custodians develop an Information Use Model outlining:

• Who is permitted to use a given information source (by role, position or working group, not by individual names);

• The purpose for which the information may be used;

• Additional restrictions or requirements pertaining to the use of an information source; and

• Duration and level of access permitted to different users (read only, read/write, administration access).

5.3 Information disclosure

Information disclosure refers to the process of sharing information outside of WAPHA, whether by releasing information to an external entity or by publishing documents for external consumption. Sharing information with contracted third parties is not classified as information disclosure but rather falls under information use. This section sets out how information under the control of WAPHA is made available only to those parties determined by legislative and contractual requirements. WAPHA may disclose information to related companies, agents or contractors who provide products and services to WAPHA or on behalf of WAPHA. In providing information to these parties WAPHA will ensure that all use is for the express purpose for which it was disclosed and in alignment with WAPHA’s strategic and operational priorities. Subject to law, the types of third parties to which WAPHA may disclose information include:

• WAPHA agents, contractors and external advisers;

• Other organisations with whom WAPHA has arrangements for the purpose of promoting respective products and services; and

• Commonwealth and State government agencies and other funders.

Health information will not be disclosed for another purpose unless the disclosure is required or authorised under law, the person has consented to the use or disclosure of their health information for that purpose, the information is de-identified and used for research, or the disclosure is otherwise permitted by the Privacy Act or the Freedom of Information Act.

WAPHA’s information resources obtained through a Memorandum of Understanding (MOU), Data Sharing Agreement (DSA) or other contract or agreement must always be disclosed in accordance with the directives of the agreement.

It is the responsibility of the IMG Committee to authorise the disclosure of Highly Sensitive information and of information considered of significant value to WAPHA. It is the responsibility of the Data Steward to authorise the disclosure of all other information and to ensure compliance with all relevant requirements. Once disclosure is authorised, it is the responsibility of the Data Custodian to ensure the disclosure agreement sets out ownership of the information, storage and security, the disclosure arrangement, retention period, audit requirements, access arrangements and disposal of the data after the agreement expires, before the agreement is approved by the Data Steward.

5.4 Delegation of access

The information access procedure ensures the right information is readily available to the appropriate users of WAPHA’s information whilst maintaining the necessary security and controls for sensitive information. The process for authorising access is dependent on the applicant and the classification of the information being accessed. The detailed process is set out in Appendix 1.

The principles for the authorisation of access are:

• Approvals for all external entities, including contractors, who require access to WAPHA’s information assets and systems, excluding Highly Sensitive information, must be authorised by the relevant Data Steward;

• Approvals for all external entities, including contractors, who require access to Highly Sensitive information must be authorised by the IMG Committee;

• WAPHA employee access to all Highly Sensitive information must be authorised by the relevant Data Steward;

• WAPHA employee access to all Protected (Internal) and Sensitive classified information must be authorised by the relevant Data Custodian;

• Permission groups should be authorised by the Data Steward, with the Data Custodian working with IT to establish the new permission group;

• It is the responsibility of the Data Custodian to set, enforce and review the period of access for all users; and

• All access permissions must be granted in accordance with the Information use section of this document.

5.5 Review of access permissions

Access permissions to an information system or collection are managed and reviewed by the Data Custodian. Access permissions will be granted with an automated expiry, whereby systems grant permissions to an individual with a set expiry date. This minimises the administration of permissions while creating a safeguard in the system. The expiry should be set to the length of the individual’s engagement which requires the information access. Early exits from the engagement still need to be updated manually, as the automated expiry will not catch them; likewise, extensions can be handled pre-emptively to avoid disruption. In addition, the Data Custodian should check permissions whenever staffing changes and undertake periodic reviews of all permissions, reconciling the access list against HR’s record of current engagements. Following the departure of a WAPHA employee or contractor, HR will contact the relevant IT support to ensure the cancellation of access rights to the WAPHA network, and will notify the Data Custodians of individual systems and collections to ensure all access rights have been removed.
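The reconciliation just described, as an added example in Python (not a WAPHA tool and not part of this Policy): it takes a list of access grants with their automated expiry dates together with HR’s record of engagements, and sorts each grant into the cases the text names, namely an early exit that the automated expiry will not catch, a grant whose expiry has already passed, a grant whose expiry outlives the engagement it was granted for, and a grant about to expire that may need a pre-emptive extension. The record layouts, the review date and all names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """An access permission on an information collection, with its automated expiry."""
    user: str
    collection: str
    level: str            # "read only", "read/write" or "administration"
    expires: date


@dataclass(frozen=True)
class Engagement:
    """What HR knows about a person: contracted end date and, if they have
    already gone, the actual departure date."""
    user: str
    ends: date
    left: Optional[date] = None


def review_permissions(grants, roster, today, warn_days=14):
    """Classify every grant for a Data Custodian's periodic review.

    Returns a dict of lists keyed by finding:
      departed  - HR says the person has left but the grant is still live (early exit)
      unknown   - HR has no engagement on record for the user
      expired   - expiry has passed; the system should already have removed it
      outlives  - expiry is later than the engagement end date
      expiring  - expiry falls within warn_days; extend pre-emptively or let it lapse
      ok        - nothing to do
    """
    by_user = {e.user: e for e in roster}
    findings = {k: [] for k in ("departed", "unknown", "expired", "outlives", "expiring", "ok")}
    for g in grants:
        eng = by_user.get(g.user)
        if eng is None:
            findings["unknown"].append(g)
        elif eng.left is not None and eng.left <= today:
            findings["departed"].append(g)
        elif g.expires < today:
            findings["expired"].append(g)
        elif g.expires > eng.ends:
            findings["outlives"].append(g)
        elif g.expires - today <= timedelta(days=warn_days):
            findings["expiring"].append(g)
        else:
            findings["ok"].append(g)
    return findings


def revocations(findings):
    """(user, collection) pairs whose access must be removed now."""
    return sorted({(g.user, g.collection)
                   for key in ("departed", "unknown", "expired")
                   for g in findings[key]})


# Constructed sample data (not real WAPHA records). The review date is fixed so
# the example is reproducible.
REVIEW_DATE = date(2018, 6, 1)
ROSTER = [
    Engagement("alice", ends=date(2019, 6, 30)),
    Engagement("bob", ends=date(2018, 12, 31), left=date(2018, 5, 15)),   # left early
    Engagement("carol", ends=date(2018, 6, 10)),
    Engagement("dave", ends=date(2018, 9, 30)),
]
GRANTS = [
    Grant("alice", "Commissioning register", "read only", date(2019, 6, 30)),
    Grant("alice", "Archive", "read only", date(2018, 5, 1)),                  # should have lapsed
    Grant("bob", "Commissioning register", "read/write", date(2018, 12, 31)),  # departed
    Grant("carol", "Patient extract", "read only", date(2018, 6, 10)),         # expiring soon
    Grant("dave", "Patient extract", "read only", date(2018, 12, 31)),         # outlives engagement
    Grant("erin", "Patient extract", "read only", date(2018, 12, 31)),         # no HR record
]

if __name__ == "__main__":
    result = review_permissions(GRANTS, ROSTER, REVIEW_DATE)
    for finding, items in result.items():
        for g in items:
            print(f"{finding:9} {g.user:6} {g.collection:24} {g.level:14} expires {g.expires}")
    print("revoke now:", revocations(result))
```

The “expired” case is worth keeping even though the system is supposed to enforce expiry: if a grant with a past expiry is still present in an access export, the automated safeguard has failed and the Custodian should find out why rather than only remove the grant.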

5.6 Information storage

Appropriate storage of information is crucial both to keep information available for WAPHA’s operational duties and to maintain the appropriate security of that information. The storage of information, be it electronic or physical, comprises the location or medium of an information source throughout its lifecycle (as set out in Table 5).

5.6.1 Physical (paper) information

WAPHA’s physical information must be appropriately stored in order to protect it from unauthorised access, theft and damage. Storage of physical information assets must be consistent with the intended length of storage, the value of the resource and the security and access requirements defined by its classification according to the Information Classification Framework. All electronic information which is printed retains its classification.

5.6.2 Electronic information

The majority of WAPHA’s information assets are stored electronically. Electronic information is vulnerable to loss, destruction, unauthorised copying and modification, and as such its effective storage is necessary to ensure its integrity, reliability and usability. The storage requirements for electronic information are:

• Electronic information is stored on appropriate and durable media to ensure the information remains usable for as long as required.

• Electronic storage devices are subjected to regular integrity checks and periodically refreshed to prevent information loss through media degradation or obsolescence.

• Backup files remain usable for as long as required.

Risk assessments are conducted on information prior to the selection of storage location and medium. For additional queries concerning the security and storage of information refer to the WAPHA ICT Security Policy.

Table 5: Storage requirements (by storage medium and classification level)

Electronic

Highly Sensitive, Sensitive and Protected (Internal):
• WAPHA endorsed server based storage, not local PC hard drives
• Shared network drives or databases requiring authorisation of access from a Data Custodian
• Not to be stored on local hard drives

Public:
• No restrictions

Physical (paper)

Highly Sensitive:
• Store in lockable storage or secure area when not in use
• Clear desk policy at all times
• Must only remove documents from WAPHA office if transferred directly from office to destination

Sensitive:
• Store in lockable storage or secure area when not in use
• Clear desk policy at all times
• Exercise diligence when removing from WAPHA offices, avoid if possible

Protected (Internal):
• Reasonable precautions to be taken to ensure non-employees do not have access
• In lockable cabinet when not in use
• Maintain clear desk policy

Public:
• May be publicly displayed

Removable media

Highly Sensitive:
• Removable devices are not encouraged for the storage or transfer of information
• WAPHA registered device with appropriate encryption and authentication processes
• Ensure media remains in possession of owner at all times if being used outside of WAPHA
• Information must be transferred to primary storage as soon as possible; contents of media to be deleted before and after use

Sensitive:
• Removable devices are not encouraged for the storage or transfer of information
• WAPHA registered device with appropriate encryption and authentication processes
• Ensure media remains in possession of owner at all times if being used outside of WAPHA
• Information must be transferred to primary storage as soon as possible
• All devices should be scanned for malicious software

Protected (Internal):
• To be used as temporary storage only
• Store and transfer in a secure manner with authorisation from relevant Data Custodian
• All devices should be scanned for malicious software

5.7 Retention of information

Personal data and other relevant information should be retained no longer than necessary for the intended purposes for which the data was collected (and in accordance with any instructions from the information provider where applicable), unless a longer retention period is required under applicable legal or regulatory requirements, or the retention framework of the agreement under which the information is collected. The Privacy Act 1988 requires that records containing personal information must be destroyed or permanently de-identified when no longer needed for any purpose for which the information may be used or disclosed. Some of WAPHA’s information collections have retention clauses conditional to the agreement of supply. Such information should be strictly retained for the period specified within the agreement and disposed of as directed. For example, under the Commonwealth PHN Funding Terms and Conditions, WAPHA is required to retain accurate records and accounts regarding each commissioned Activity including receipts, proof of purchase and invoices for at least 7 years after the Activity end date. It is the responsibility of the Data Custodian to ensure the retention of information for the necessary duration and following the expiry of a contracted term of retention, legislative holding period, or decrease in analytical value, the Data Custodian will be responsible for managing its disposal in accordance with the Information Disposal section of this Policy or as outlined within any agreement or contract under which the information was supplied.

5.8 Information archival

Information archiving is the process of moving information which is no longer actively used to a separate storage area for long-term retention. Archival information may be required for either future reference or retained for regulatory or contractual compliance. Archives serve as a way to protect the information from modification and minimise primary storage requirements. Information which has expired its period of analytical value but must be retained is to be archived in a separate storage location and managed by the associated Data Custodian and Data Steward. Archival information should be treated as read-only to ensure the protection and integrity of relevant material and unless otherwise required access should be restricted to the Data Custodian and Data Steward. It is the responsibility of the Data Custodian to transfer information to archival storage when appropriate, to apply the read-only restrictions and to limit access to the information.

5.9 Information disposal

The majority of WAPHA’s information resources will at some point reach the end of their useful lifespan. Following the expiry of an agreement of retention or the passing of the useful duration of an information resource, it is a requirement to dispose of the information. Information disposal is the process of removing information in a way that renders it unreadable (physical information) or irretrievable (electronic records).

The method of disposal for an information source is dependent on the classification of the information. For example, Highly Sensitive information requires more stringent disposal methods than Public information due to the higher risk associated with its sensitivity. It is the responsibility of Data Custodians to manage the timely and secure disposal of information in accordance with the classification and any legal or contractual obligations. Refer to Table 6 below for further detail. The physical printing of a dataset or its transfer to removable media represents a potential risk to WAPHA and should be seen as the temporary storage of information. Printed information and data held on removable media should be disposed of immediately after use, as summarised in Table 6.

Table 6: Information disposal matrix (by medium and classification level)

WAPHA servers
• Secure locations cleared by the Data Custodian

Physical (paper)

Highly Sensitive, Sensitive and Protected (Internal):
• WAPHA confidential bins
• Shredded with crosscut shredders if not in WAPHA office

Public:
• Appropriate for disposal through recycling

Removable media

Highly Sensitive, Sensitive and Protected (Internal):
• Device to be cleared prior to and immediately after use
• To undergo periodic sanitisation
• Sanitisation prior to transfer to another location

Public:
• No restrictions

5.10 Information integrity

High quality information is critical for WAPHA to enable effective data driven decision making. Information integrity refers to the accuracy, timeliness, comparability, usability and relevance of information. These dimensions pertain to the ability for information to be used for its intended purpose and as a result the inherent value they represent to WAPHA. It is the responsibility of the Data Custodian to undertake a quality assessment of an information resource at the time of initial collection and periodically throughout its retention period to ensure the integrity of the information is sufficient and remains consistent. The Data Custodian will work to improve information quality with the Data Steward. In order to determine the scope of the underlying root causes and address data quality issues, WAPHA’s information sources will be assessed relative to the following dimensions:

Table 7: Properties of information quality

Accuracy: The degree to which an information source is representative of reality.

Timeliness: The degree to which an information source is current to the reality it is being used to assess.

Comparability: The consistency and relationship of information over time. For instance, can it be linked to another information source over a period of time?

Usability: The ease with which information can be understood and accessed.

Relevance: The degree to which an information source represents the current and potential future needs of users.

6 RISK MANAGEMENT

6.1 Risk assessment framework

Given the importance of information to WAPHA’s functions the effective identification, management and mitigation of information related risks is critical to ensuring the continued availability of information and adherence to necessary legal and contractual requirements. The risk management processes within the Information Management Governance Policy are aligned with WAPHA’s organisational risk management plan. This section is not intended to detail the full risk management strategy, however it will reiterate the rationale behind undertaking risk management, the guiding principles of risk management, the reporting process, and the IM risk assessment framework. It is the responsibility of all members of staff to develop a risk aware culture to enable:

• Effective decision making and planning;

• Identification of opportunities and risks;

• Proactive rather than reactive management of risk;

• Effective communication and reporting of risk;

• Stakeholder confidence and trust; and

• Compliance with key regulatory requirements.

The IM risk assessment framework outlines the plan to identify, manage and mitigate information related risks that can adversely affect WAPHA or other third parties. The framework consists of three categories of information related risks as outlined below.

Table 8: IM risk categories

Disclosure / Data Breach: An intentional or unintentional release of information outside the operational restrictions under which it is governed (see more in the section below).

Information access and handling: Unauthorised access to or management of WAPHA’s information resources.

Legal and contractual: Breaches of contract or legislative requirements under which information is required to operate.

Risks are rated in terms of their likelihood of occurrence and the consequences of their realisation. The matrix below outlines the ratings based on likelihood and consequence.

Table 9: Risk rating framework (likelihood down the side, consequence across the top)

Likelihood    Insignificant  Minor     Moderate  Major     Catastrophic
Certain       Moderate       High      High      Extreme   Extreme
Likely        Moderate       Moderate  High      High      Extreme
Possible      Low            Moderate  Moderate  High      Extreme
Unlikely      Low            Moderate  Moderate  High      High
Rare          Low            Low       Moderate  Moderate  High

The rating of an identified risk will inform the suggested time for mitigation as well as the authority under which it will be managed.

Table 10: Action required and authority by risk rating

Low: Manage by routine procedures. Authority: Data Custodian.

Moderate: Document management responsibility. Manage by periodic monitoring and improvement of controls. Authority: Data Steward.

High: Detailed plan required to reduce/mitigate residual risk. Authority: IMG Committee.

Extreme: Detailed plan required. Suspend until residual risk is reduced to High, unless exposure is authorised by the Chief Executive Officer on a case-by-case basis. Authority: IMG Committee.

Following the identification of a risk it is the responsibility of the Data Custodian to complete a Risk identification form before logging the risk in the Risk Register (refer to the detailed process map in Appendix 0). The rating of a risk will determine the approach to mitigating it.

6.2 Data breach and response

A data breach is an incident in which information is compromised, disclosed, copied, transmitted, accessed, removed, destroyed, stolen or used by unauthorised individuals, whether intentionally or accidentally. All information held in any format or medium that has been assigned a classification of Protected (Internal), Sensitive or Highly Sensitive and is suspected to have been subject to a data breach must be managed in accordance with this Policy. Data breaches must be dealt with on a case-by-case basis by assessing the risks and issues involved to decide the appropriate course of action. Responses and mitigation strategies should be commensurate with the severity of the breach. Under the Notifiable Data Breaches scheme in the Privacy Act 1988 (Cth), a data breach that is likely to result in serious harm to any individual must be notified to the affected individuals and to the Office of the Australian Information Commissioner. The key steps to consider when responding to a breach or suspected breach are as follows:

• Notify the relevant Data Custodian;

• Contain the breach and make a preliminary assessment;

• Evaluate the risk for individuals associated with the breach;

• Consider legal/contractual obligations to notify concerned parties; and

• Review the incident and take action to mitigate the risk and prevent future breaches.

Refer to the Data breach response process in Appendix 1 and the Risk assessment framework for further information.

7 COMPLIANCE AND POLICY REVIEW

7.1 Compliance assessments

Compliance assessments are undertaken to ensure all of WAPHA’s sensitive information assets are accounted for and are being handled, stored and accessed in accordance with this Policy. The Data Custodian is responsible for conducting, or arranging, compliance assessments for information sources under their custodianship. Information resources are to be assessed on a case-by-case basis as demanded by their classification and as deemed appropriate by the Data Custodian.

7.2 Audit logs

To maintain the confidentiality and integrity of its information assets, WAPHA will monitor access to identified information systems and collections through an audit logging process. The audit log ensures it is possible to maintain a ‘trail of evidence’ which can be used to investigate inappropriate or illegal access. Access controls are also in place on the audit log itself, with explicit user authentication needed to view the audit log database. It is the responsibility of the Data Custodian to maintain the audit log and to arrange an audit assessment with the IT service provider. System administrators will not have read, write, modify or delete access to the audit logs. Restricting access to auditors or other independent roles reduces the risk of unauthorised access, modification and loss on the part of the administrator, and also protects the administrator, since a log they cannot alter is credible evidence of what they did and did not do.

7.3 Policy review

This Policy was endorsed by the WAPHA IMG Committee on 9th May 2018. By its very nature this Policy is an evolving document that could be subject to change to maintain compliance with legislation and in line with WAPHA’s development. The Policy should be subject to regular review and modification as and when necessary and as a minimum:

• As part of an annual policy review;

• When there are significant changes to WAPHA’s information assets;

• When there are changes to the arrangements or laws which impact WAPHA’s operating framework; or

• As deemed necessary by the IMG Committee, for example following a significant issue relating to Information Management.

Any updates to this Policy should be overseen and then endorsed by the IMG Committee.


8 EDUCATION AND TRAINING

8.1 Education and training

To maintain the security and integrity of WAPHA’s information assets, it is important to ensure staff understand the key IM related risks and processes to safeguard against threats. In order to ensure a high level of information management awareness among staff, WAPHA will maintain an education and training program for staff, which includes:

• Compulsory IM awareness training for all WAPHA staff to ensure they fully understand effective IM and its integral role in informing WAPHA’s operational and strategic objectives;

• An up-to-date record of who has completed the relevant training; and

• Annual repetition of IM awareness training for staff.

8.2 New starters

New starters will be supplied with the following documents and materials upon starting:

• Information Management educational flyers;

• WAPHA Code of Conduct;

• WAPHA Information Management Governance Policy (this document);

• WAPHA Internet e-mail practice Policy;

• WAPHA Naming Conventions; and

• WAPHA Strategic Plan.

New staff will be required to undertake the necessary on-boarding training within 2 months of commencing at WAPHA:

• Information Management awareness training; and

• ICT and Cyber educational training.


9 ADDITIONAL RESOURCES

Legislation, standards and guides

• Australian Government Information Security Manual;

• Australian/International Records Management Standard ISO/AS 15489;

• Criminal Code Act 1913;

• Freedom of Information Act 1992;

• Health Services Act 2016;

• Information Privacy Principles (under Commonwealth Privacy Act 1988);

• ISO/IEC 27001 Information Security Management; and

• National Health Act 1953.

Internal documents

• IMG Committee Terms of Reference;

• WAPHA Code of Conduct;

• WAPHA ICT Security Policy;

• WAPHA Internet e-mail practice Policy;

• WAPHA Naming Conventions; and

• WAPHA Strategic Plan 2015-2018.


APPENDIX 1

A. Information collection process


B. Information access process


C. Information disclosure process


D. Risk reporting procedure


E. Data breach response process


APPENDIX 2

A. Summary RACI

Columns (roles, left to right): Description; WAPHA Executive; IMG Committee; IM Secretary; Data Steward; Data Custodian; HR; Authorised User; Network Administrator; All Staff. Cell values: R = Responsible, A = Accountable, C = Consulted, I = Informed.

Information collection

Determine organisational need for information C A R

Business case development I R A C

Business case approval R A C I

Executive approval R A C I I

Establishment of project groups R A I I

Establishment of method for information transfer R A

Initial quality assessment I R A

Assign classification and apply classification label C R A

Assign administration rights C R A

Document data elements R A

Update Information Register R I A I

Notify users of new information R A I

Information storage

Ensure privacy and security of information I R A

Request the creation of new directories I R A

Approve additional directories R A I

Establish new directories I C C I R A

Store information C R A I

Information archival C R A I

Information access and use

Complete Data access request form on WALLACE I R A R A

Approval of access to Public, Internal or Sensitive information I C R A

Approval of internal access to Highly Sensitive information I R A C

Approval of external entity access to Public, Internal or Sensitive information I R A C

Approval of external entity access to Highly Sensitive information I R A C I

Inform Authorised users of the requirements of use, storage, disclosure and disposal R A

Create additional permission groups A R

Permit access I I R A

Set period of access to information C R A

Document Authorised users and associated access periods R R A

Information disclosure

Pass information request to Information Management Secretary A R R R

Pass information request to relevant Data Custodian R A R

Liaise with requestor to ascertain information requirements A R

Approval for the disclosure of Public, Internal and Sensitive information I R A C

Approval for the disclosure of Highly Sensitive information R A C I

Develop contract/MOU outlining conditions of disclosure C A R

Prepare information for disclosure I R A

Arrange and execute secure transfer of information C R A

Information disposal

Ensure the disposal of information is in alignment with information classification requirements A R

Disposal of expiring information (exceeding useful lifespan or retention period) A R I

Risk management

Identifying and reporting risks I I A R R

Undertake preliminary risk assessment I R A

Complete risk identification form I R A

Preliminary risk mitigation plan I R A

Undertake full risk assessment R A R

Issue risk rating R A

Establishment of mitigation plans for risk rated: Low I C R A

Establishment of mitigation plans for risk rated: Moderate I R A C

Establishment of mitigation plans for risk rated: Extreme, High R A C I

Monitor actions and outcomes R A C I

Update IM risk register R A

Data breach and response

Notify data custodian(s) I R R A

Undertake containment measures I R A R R

File Data Breach Incident Form Part A C R R A

File Data Breach Incident Form Part B R A

Conduct breach assessment I R A

Notify Network Administrator I R A I

Conduct system integrity assessments I I R A

Review and plan mitigation strategy R A C

Issue internal communications I R A C

Issue external communications if required I R A C

Review Policies and Procedures I A R

Update IM risk register I R A

Management

Appointment of Data Stewards I R A

Appointment of Data Custodians I R A

Organising compulsory IM awareness training for all staff A C R R I

Provide new staff with necessary IM materials I R R A

Notify Network Administrator and Data Custodians of outgoing staff R A

Remove access permissions for outgoing staff R A R

Compliance

Conducting compliance checks R A R

Audit logging R A R

Maintenance of the audit log R A C



APPENDIX 3

A. Acronyms

Term Definition

AIHW Australian Institute of Health and Welfare

DOH Department of Health

ICT Information and Communications Technology

IMG Information Management Governance

PHN Primary Health Network

RACI Responsible, Accountable, Consulted, Informed

WAPHA Western Australian Primary Health Alliance

B. Glossary of Terms

Term Definition

Authorised User A user that is granted access to data or information based on functional needs and is responsible for ensuring appropriate use in accordance with the accompanying agreements, policies and guidelines.

Data Raw or processed facts and statistics collected into a single repository. Interchangeable with ‘information’ in most circumstances.

Data Breach A data breach is an incident, in which information is compromised, disclosed, copied, transmitted, accessed, removed, destroyed, stolen or used by unauthorised individuals, whether accidentally or intentionally.

Data Classification Categorises the data according to confidentiality and security required.

Data Collection The process of acquiring data from a source, or reference to the collected data itself.

Data Custodian The Data Custodian is responsible for the day-to-day management of a data source/collection.

Data Steward Data Stewards are responsible for a data source/collection to be developed, maintained and utilised in accordance with the strategic priorities of the organisation.

Derivative information Information which has been created or generated through the extraction, combination, paraphrasing or restatement of another information source(s).

Governance Refers to WAPHA’s rules, responsibility, accountability and structure over information management.

Information Data that has been processed in a meaningful way to enable users to make decisions.


Information Access Refers to the process of requesting authorisation, facilitating use, and the review of permissions.

Information Archival The process of moving information which is no longer actively used to a separate storage area for long-term retention.

Information Classification Categorises the information according to the confidentiality and security required.

Information Collection Individual sets of data may be called ‘data collections’, ‘data assets’ or ‘data holdings’. Data comprising an information collection may come from various sources.

Information Disclosure The process of sharing information outside of WAPHA.

Information Disposal The means by which information should be disposed of, based on its classification.

Information Management The process of collection, classification, access, storage, retention and disposal of data or information.

Information Retention The period for which information is legally allowed to be kept. After the retention period, information must be disposed of according to policy.

Information Use The handling, access, and analysis of information over its lifetime.

Publication Release of data externally in hard or soft copy through any media to parties outside of WAPHA.

Risk A possible event that would negatively impact the organisation. It has an associated likelihood and impact.

Risk Assessment The process of assessing a risk for the likelihood of its occurrence, the impact of its consequence, and appropriate procedures.

Risk Authority The owner of a risk who is responsible for monitoring and mitigation.

Risk Management The objective of the governing body to manage the risks to the organisation, to minimise their negative impact if they were to occur.

Sanitisation A method of data destruction which renders target data unrecoverable through the process of multiple overwrites.


APPENDIX 4

A. Template response to organisations inappropriately submitting data to WAPHA

Note: This template should be used in the event a commissioned service provider provides WAPHA with identifiable data. In the event identifiable data is submitted via tender process, modify [entries] accordingly.

Subject: Data Breach: Data Inappropriately Provided to WAPHA

Body: This email contains Personal Information which is a data breach in accordance with Clause [insert clause no as applicable] of the [agreement name] Agreement. As a result of this breach WAPHA requests that [provider name], as a matter of priority:

1. Review the circumstances and identify the cause of the breach and any other persons or organisations to whom the Personal Information has been provided (who are not lawfully permitted to receive the Personal Information);

2. Ensure that any other persons or organisations to whom this Personal Information has been provided identified in 1 above are advised to destroy the Personal Information;

3. Ensure any individuals, in the event serious harm is likely, have been notified and dealt with appropriately;

4. Ensure subcontractors or service providers affected by the breach have been notified and dealt with appropriately;

5. Identify and put in place mitigating strategies to prevent a breach from occurring again; and

6. Provide WAPHA a report containing the above information, including time frames in which each action will be completed.

WAPHA has endeavoured to destroy all copies of the reports submitted with Personal Information from its systems. As such, it would be most appreciated if the invoice could be re-submitted without the Personal Information. WAPHA further encourages review of the OAIC webpage to determine whether this breach requires formal reporting: https://www.oaic.gov.au/privacy/notifiable-data-breaches/report-a-data-breach/.
