
Information Risk and Security: Information Governance (“IG”) Policy

(This document should be read in conjunction with the Data Protection and Information Sharing Policy and the relevant Informatics policies)

FINAL 4.0, Feb 2018


Information Risk and Security

Document No: IG.P05
Version No: 4.0 (FINAL)
Author: Information Governance Officer
Policy Date: February 2018
Review Date: February 2021

SUMMARY

This Policy:

• Ensures that all managers and staff are aware of and comply with the Trust’s statutory obligations and responsibilities, including those under the Data Protection Act (DPA) and the new General Data Protection Regulation (GDPR).

• Encourages a consistent and proactive information risk management framework in which data risks will be identified, considered and addressed, in order to provide assistance and improve the quality of decision-making throughout the Trust, and help to safeguard the Trust’s information assets.

• Outlines the requirements of ‘privacy by design’ to ensure that this is a key consideration in the early stages of any project and then throughout its lifecycle, and also to ensure that processes for completing and reviewing Privacy Impact Assessments are managed in a consistent and controlled way.

• Sets out the requirements for information risk management, including the roles and responsibilities of the Senior Information Risk Owner (SIRO), Information Asset Owners (IAOs) and Information Asset Administrators (IAAs), and the processes for maintaining the Trust’s Information Asset Register (IAR).

DOCUMENT DETAILS

Author(s): Information Governance Officer
Date: February 2018 (FINAL 4.0)
Next Review Date: February 2021, or sooner if legislation requires
Ratifying Body/Committee: Information Governance Steering Group (IGSG)
Chair: Senior Information Risk Owner (SIRO)
Date Originally Ratified: 29 August 2014
Target Audience: All Staff
Date Equality Impact Assessment Completed: February 2018 (also see issue dates below)

DOCUMENT HISTORY

| Date of Issue | Version No. | Next Review Date | Date Approved | Director Responsible for Change | Nature of Change |
|---|---|---|---|---|---|
| Feb 2018 | Final 4.0 | Feb 2021 | 12 Mar 2018 | SIRO/Caldicott Guardian | Scheduled policy review. Implications of the GDPR. |
| Dec 2016 | Final 3.2 | Dec 2017 | 09 Feb 2017 | SIRO/Caldicott Guardian | Annual policy review |
| Oct 2015 | Final 3.0 | Aug 2017 | 30 Oct 2015 | SIRO/Caldicott Guardian | Updated IAR and PIA Process |
| Apr 2015 | Final 2.0 | Aug 2017 | 29 May 2015 | SIRO/Caldicott Guardian | Addition of TNA and change to audit process |
| Aug 2014 | Final 1.0 | Aug 2017 | 29 Aug 2014 | SIRO/Caldicott Guardian | New Policy |

The purpose of this policy is to ensure that there is a consistent, fair and transparent approach in its application across Poole Hospital NHS Foundation Trust (hereafter referred to as the “Trust” or the “organisation”). All managers and staff (at all levels) are responsible for ensuring that they are viewing and working to the current version of this policy. If this document is printed in hard copy or saved to another location, it must be checked that the version number in use matches with that of the live policy on the intranet. All policies are published on the staff intranet and communication is circulated to all staff when new policies or changes to existing policies are released. Managers are encouraged to use team briefings to aid staff awareness of new and updated policies and procedures.


TABLE OF CONTENTS

1. RELEVANT TO ..... 5
2. PURPOSE ..... 5
3. GENERAL PRINCIPLES ..... 6
   Legislation, Regulations and Guidance ..... 6
   Information Risk and Security ..... 7
   Staff Responsibilities ..... 9
4. DEFINITIONS RELATING TO INFORMATION RISK AND SECURITY ..... 10
   4.1. Information Assets ..... 10
   4.2. Risk Terminology ..... 11
5. MANAGEMENT OF INFORMATION ASSETS ..... 12
   5.1. Information Asset Register (IAR) ..... 12
   5.2. Senior Information Risk Owner (SIRO) ..... 12
   5.3. Information Asset Owners (IAOs) ..... 13
   5.4. Information Asset Administrators (IAAs) ..... 14
6. PRIVACY IMPACT ASSESSMENTS (PIAs) ..... 15
   6.1. Privacy by Design ..... 15
   6.2. Privacy Impact Assessments (PIAs) ..... 16
7. DATA RISK ASSESSMENTS AND RATINGS ..... 17
   7.1. Risk Assessment Matrix (Breaches, Near-Misses and PIAs) ..... 17
   7.2. Criticality Assessment Matrix (PIAs) ..... 19
8. DATA BREACHES AND NEAR-MISSES ..... 20
   8.1. Reporting and Recording ..... 20
   8.2. Action, Investigation and Remediation ..... 21
   8.3. Serious Incidents Requiring Investigation ..... 21
   8.4. Notifying Data Subjects ..... 22
9. DATA SECURITY AND PROTECTION STANDARDS ..... 23
10. IMPLEMENTATION AND REVIEW ..... 25
   10.1. Consultation and Implementation ..... 25
   10.2. Policy Review Arrangements ..... 26
   10.3. Monitoring Effectiveness ..... 26

TABLE OF APPENDICES

APPENDIX A: EQUALITY IMPACT ASSESSMENT ..... 27


THE POLICY

1. RELEVANT TO

1.1. All medical and non-medical individuals at all levels within Poole Hospital NHS Foundation Trust (“the Trust”) are expected to comply with this policy, including: individuals directly employed by the Trust (substantive/permanent, fixed-term, bank/locum, etc); and individuals working within but not directly employed by the Trust (volunteers, students, agency, secondees, etc); hereafter referred to collectively as “staff”.

1.2. This policy covers all computer and non-computer based information systems purchased, developed and managed by, or on behalf of, the Trust. This policy is applicable to all areas of the Trust and adherence should be included in all contracts for outsourced or shared services - there are no exclusions. Further definitions can be found in Section 4.

1.3. This policy should be read in conjunction with other relevant policies, procedures and guidance, including the:

• Adverse Incident Reporting and Management Policy
• Corporate Records and Archiving Policy
• Data Protection and Information Sharing Policy
• Data Security Statement (Information Governance Confidentiality & IT)
• Duty of Candour Policy
• Informatics (IT) Policies and Procedures
• Risk Management Strategy
• Serious Incident Policy
• Subject Access and Other Information Rights Policy
• CPA Introduction to Cyber Security
• DH&SC Data Security and Protection Requirements 2017/18
• IGA Records Management Code of Practice
• Network and Information Systems Guidance Collection
• NHS Digital Cyber and Data Security Policy and Good Practice
• Privacy Notices (Patient/Service User and Staff Information)

2. PURPOSE

2.1. This policy ensures that all managers and staff are aware of and comply with the Trust’s statutory obligations and responsibilities, including those under the Data Protection Act (DPA) and the new General Data Protection Regulation (GDPR), which takes effect from May 2018.

2.2. The purpose of this policy is to provide a consistent information risk management framework in which data risks will be identified, considered and addressed.


2.3. This policy aims to encourage pro-active information risk management, in order to provide assistance and improve the quality of decision-making throughout the Trust, and help to safeguard the Trust’s information assets.

2.4. This policy outlines the requirements of ‘privacy by design’ to ensure that privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle, and also to ensure that processes for completing and reviewing Privacy Impact Assessments are managed in a consistent and controlled way.

2.5. The Trust, and individual members of staff, have a legal obligation to comply with all appropriate legislation in respect of information handling, and information risk and security. This policy does not claim to cover all situations; therefore the responsibility lies with staff/departments to ensure that the confidentiality/security of information is maintained whilst under their ownership and to seek advice from senior management or the Information Governance Department as necessary.

3. GENERAL PRINCIPLES

Legislation, Regulations and Guidance

3.1 The Data Protection Act (DPA) is the main piece of UK legislation which governs the use of personal data which identifies living individuals. The General Data Protection Regulation (GDPR) takes effect from 25 May 2018 and will replace the 1995 data protection directive from which the DPA originated. This policy has been revised to reflect the Trust’s obligations under the new EU GDPR and the updated DPA in the UK.

3.2 The principles of data protection legislation specify that appropriate technical and organisational measures must be in place to secure against unauthorised or unlawful processing of information, and to protect information from accidental loss, destruction or damage. In practice, this means that the Trust must ensure that:

3.2.1 Security measures are designed and organised to fit the nature of the information being held and the level of harm that may result from a breach;

3.2.2 Staff are clear about their responsibilities relating to information risk and security, as well as those of the Senior Information Risk Owner (SIRO), Information Asset Owners (IAOs) and Administrators (IAAs);

3.2.3 Appropriate physical and technical security is in place for all information, backed up by robust policies and procedures, and reliable, knowledgeable and well-trained staff;

3.2.4 Breaches can be dealt with swiftly, effectively and consistently.


3.3 There are other rules and regulations which specify how information should be handled. These include, but are not limited to:

• Access to Health Records Act 1990
• Access to Medical Reports Act 1998
• Civil Contingencies Act 2004
• Code of Practice on Confidential Information 2014
• Common Law Duty of Confidentiality
• Computer Misuse Act 1990
• Confidentiality NHS Code of Practice
• Crime and Disorder Act 1998
• Criminal Justice and Immigration Act 2008
• Freedom of Information Act 2000
• HMG: Information Sharing by Practitioners in Safeguarding Services
• HSCIC Guide to Confidentiality 2013
• Human Rights Act 1998 (Article 8)
• Information Security NHS Code of Practice
• International Information Security Standard: ISO/IEC 27002:2005
• NHS Care Record Guarantee for England
• Mental Capacity Act 2005
• Records Management Code of Practice 2016
• Regulation of Investigatory Powers Act 2000
• Social Care Record Guarantee for England

3.4 Failure to meet the requirements of this policy, which reflect the Trust’s obligations under data protection legislation, exposes the organisation to enforcement action and fines of either:

• up to €10,000,000 or 2% of annual turnover (whichever is higher), for breaches in the lower tier (including record keeping, contracting and security clauses); or

• up to €20,000,000 or 4% of annual turnover (whichever is higher), for breaches in the higher tier (including non-compliance with ICO orders, data subjects’ rights, international transfers, and the basic principles of data protection legislation – including consent requirements).

Information Risk and Security

3.5 Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management. It is of paramount importance to ensure that corporate and sensitive personal information about individuals is secure, held confidentially and appropriately protected when shared to support the provision of healthcare for patients.

3.6 Without effective security, information assets may become unreliable and untrustworthy, may not be accessible where or when needed, or may be compromised by unauthorised third parties. All NHS organisations, and those who supply or make use of NHS information, have an obligation to ensure that there is adequate provision for the security management of the information resources that they own, control or use. This is set out in the NHS Code of Practice on Information Security Management 2007.

3.7 The Trust also has a legal obligation to ensure that appropriate security management arrangements are in place for the protection of patient records and key information services, to meet the statutory requirements set out within data protection legislation (see 3.1-3.2) and to satisfy its obligations under the Civil Contingencies Act 2004.

3.8 The Trust recognises that organisations and their information systems and networks are faced with security threats from a wide range of sources, including vandalism, fire and flood. Dependence on information systems and services means the Trust is more vulnerable to security threats. The interconnecting of public and private networks and sharing of information resources increases the difficulty of achieving access control.

3.9 The Trust places great importance on minimising any possible or potential risk to information security whilst safeguarding the interests of patients and staff, as well as protecting the position of the Trust itself. Information security is characterised as the preservation of:

• confidentiality – ensuring that information is accessible only to those authorised to have access;

• integrity – safeguarding the accuracy and completeness of information and ensuring that all systems, assets and networks operate correctly, according to specification;

• availability – ensuring that authorised users have access to information and associated assets when required.

3.10 The Trust acknowledges that information risk and security management is an essential element of broader information governance and an integral part of good management practice. The intention is to embed information risk management in a very practical way into business processes and functions – such as through key approval and review processes / controls – rather than imposing it as an extra requirement.

3.11 Information risk is inherent in all administrative and business activities; everyone working for or on behalf of the Trust continuously manages information risk. Information risk management is not solely about eliminating risk, but also about providing the structural means to identify, prioritise, and manage the risks involved in all Trust activities. This involves a balance between the cost of managing and treating information risks against the anticipated potential benefits that will be derived.

3.12 The Trust is committed to maintaining and developing an infrastructure for information, and ensuring that all information assets have an appropriate level of security. Information risk and security management is integrated into the Trust’s overall corporate risk management process. The Trust has established a comprehensive information security assurance framework in line with mandatory data security and protection requirements, under the leadership of the Senior Information Risk Owner (SIRO), and embedded in the directorate structures via the Information Asset Owners (IAOs) and Information Asset Administrators (IAAs).

3.13 The Trust has in place an Information Asset Register (IAR) which is maintained by the Information Governance Department using Privacy Impact Assessments (PIAs) provided by IAOs and IAAs. The PIA acts as a risk assessment for each asset and records all data sets and data flows.

3.14 The Trust has processes in place to develop and maintain appropriate plans for the speedy restoration of all critical IT systems. All systems will have threats and vulnerabilities assessed to determine how critical they are to the Trust. Individual work areas will have procedures in place to maintain essential services in the event of IT system failure. The Trust has established business continuity and disaster recovery plans for all critical information systems and networks. Please also see the Trust’s Business Continuity Policy and the IT Trust-Wide Business Continuity Plan.

3.15 All risks associated with any aspect of information governance are entered onto the Trust’s risk register and managed locally to reduce them to the lowest possible level. The Trust’s adverse incident reporting system (Datix) is used to report, monitor and investigate all breaches of confidentiality and information security, as well as the lessons learnt and grading of breaches.

Staff Responsibilities

3.16 Every member of staff is personally responsible for taking precautions to ensure the security of information, both whilst it is in their possession and when it is being transferred from one person or organisation to another. If staff are unsure about sharing information, they should refer to the Data Protection and Information Sharing Policy, the NHS Confidentiality Code of Practice, or take advice from their line manager, the Information Governance Department or the Caldicott Guardian, as appropriate.

3.17 Staff who manage or lead on projects/service changes are also responsible for completing Privacy Impact Assessments (PIA), and additional responsibilities apply to Information Asset Owners (IAOs – see 5.3) and Information Asset Administrators (IAAs – see 5.4).

3.18 To ensure that staff are effectively informed about what is required of them in relation to information risk and security, this policy has been produced to identify the legal requirements and provide an understanding of what the Trust requires staff to do to keep personal information safe and secure. This policy is highlighted during the Trust’s induction programme, within all information governance training sessions and materials, and should be covered by line managers during local induction. This policy is also specifically referred to within the Trust’s Privacy Impact Assessment template and supporting guidance.

3.19 Failure to comply with data protection legislation can lead to enforcement action from the ICO, including monetary penalty notices (see 3.4), claims for compensation and/or criminal prosecution. It is the responsibility of every individual member of staff to be familiar with this policy (and all other related policies) to ensure the confidentiality, security and integrity of information is maintained whilst under their ownership. Any failure by a member of staff to follow the processes outlined in this policy may result in initiation of the Trust’s Staff Disciplinary Procedure.

4. DEFINITIONS RELATING TO INFORMATION RISK AND SECURITY

4.1. Information Assets

4.1.1. The following are examples of information assets:

• Databases and data files
• System information and documentation
• Research information
• Operations and support procedures
• Audit data
• Manuals and training materials
• Contracts and agreements
• Business continuity plans
• Back-up and archive data
• Applications and System Software
• Data encryption utilities
• Development and Maintenance tools
• Computing hardware including Servers, PCs, Laptops, PDAs, mobile communications devices and removable media
• Environmental services necessary for the safe operation of information assets, e.g. power and air-conditioning
• People skills and experience
• Shared services, including networks and printers
• Paper records, including patient case notes and staff records.

The above list is illustrative only and should be considered when identifying, recording and assessing the risk of information assets.

4.1.2. Minimum security standards will be incorporated into all assets. New operational software must be quality assured. System test and live data should be separated and adequately protected. All changes to systems, including externally commissioned systems, must pass through a formal change control procedure. Further advice is available within the Trust’s IT Security Policy or from the Trust’s IT Security Manager (via the IT Service Desk).


4.2. Risk Terminology

| Key Terms | Description |
|---|---|
| Breach | Any event or circumstance that led to unintended or unexpected harm, loss or damage. |
| Near-Miss | Any event or circumstance which was avoided but had the potential to lead to unintended or unexpected harm, loss or damage. |
| Serious Incidents Requiring Investigation (SIRI) | Any breaches where the consequences are so significant or the potential for learning is so great that a heightened level of response is required. |
| Risk | The chance of something happening or a hazard being realised, which will have an impact on objectives. It is measured in terms of consequence and likelihood. |
| Consequence | The outcome of an event or situation, expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event. |
| Likelihood | A measure of the probability that the consequence will occur, as a qualitative description or synonym. |
| Risk Management | The systematic application of management policies, procedures and practices to the tasks of identifying, analysing, assessing, treating and monitoring risk. |
| Risk Assessment | The overall systematic process of determining the level of risk that an event/set of events poses in combination with the likelihood of its occurrence. |
| Risk Rating | The ‘score’ that a risk is given following risk assessment using a risk matrix. |
| Control | An activity (action) which reduces the consequence and/or likelihood. |
| Risk Mitigation | The process of introducing specific measures (controls) to minimise or eliminate risks. Risk mitigation measures can be directed towards reducing the severity of risk consequences, reducing the likelihood of the risk occurring, or reducing the organisation’s exposure to the risk. |

Further definitions are available in the Trust’s Risk Management Strategy and the Adverse Incident Reporting and Management Policy.


5. MANAGEMENT OF INFORMATION ASSETS

5.1. Information Asset Register (IAR)

5.1.1. The Trust’s information assets are recorded on a central Information Asset Register (IAR), which is maintained by the Information Governance Department. The IAR helps managers and the Trust to identify who is responsible for what assets, and where data routinely goes to and/or comes from.

5.1.2. The IAR is populated, updated and maintained using information provided by Information Asset Owners (IAOs – see 5.3) and Administrators (IAAs – see 5.4) via the Trust’s Privacy Impact Assessment (PIA) process. A PIA is required when a new or updated system/process is proposed which will or could potentially introduce new (or make changes to the existing) data management processes, or when an existing information asset is identified which is not currently recorded on the IAR. See Section 6 for full details about PIAs and the process involved.

5.1.3. The IAR gives the Trust the knowledge it needs to support with identifying and managing the risks and security of information assets. An IAO or IAA can request to see an extract of the IAR showing their assets at any time by contacting the Information Governance Department.

5.2. Senior Information Risk Owner (SIRO)

5.2.1. The Senior Information Risk Owner (SIRO) is an Executive Director who takes overall ownership of the Trust’s Information Risk and Security Policy, and acts as champion for information risk on the Board. The current SIRO is the Trust’s Finance Director.


5.2.2. The SIRO implements and leads the Information Governance risk

assessment and management processes within the Trust and

advises the Board on the effectiveness of information risk

management across the Trust. The SIRO is responsible for:

o ensuring that information assets are identified, that a register

of assets is maintained, and that each major asset has an

assigned owner and administrator;

o coordinating and overseeing the development and

implementation of the Information Risk and Security Policy;

o ensuring that systems, policies, processes and standards are in

place to ensure rigorous information governance across the

Trust;

o ensuring that the Board is adequately briefed, and providing a

focal point for the resolution and discussion of information risk

issues, advising on information security and risk management

strategies and providing periodic reports and briefings on

progress.

5.3. Information Asset Owners (IAOs)

5.3.1. An Information Asset Owner (IAO) is a nominated manager/senior

member of staff who takes responsibility for individual information

assets, in terms of security, user access, risk assessment and

business continuity. They are supported by an Information Asset

Administrator (IAA), per asset (this can be the same person).

5.3.2. Within the Trust, IAOs are usually Directors, Heads of Department or Directorate Managers; however, the level of authority required for an asset will depend on the type of asset and the information it contains. For example, a Trust-wide business critical patient information system may have a Director, whereas a department-level statistics spreadsheet may have a Department Manager.

5.3.3. The responsibilities of an IAO are outlined in the IAO Job Summary available on the intranet. As an example, they are responsible for:

o ensuring that all information assets are appropriately owned, managed and recorded on the Information Asset Register (IAR);

o supporting the Senior Information Risk Owner (SIRO) in managing the risks associated with all information assets, and providing the SIRO with reports and risk assessments as required;

o ensuring that a Privacy Impact Assessment (PIA) is completed for all new and amended information assets, and that this is regularly reviewed;

o ensuring that business continuity strategies and plans are in place and tested for all critical information assets.

5.4. Information Asset Administrators (IAAs)

5.4.1. An Information Asset Administrator (IAA) is a nominated administration, clerical or operational member of staff who takes responsibility for individual information assets, in terms of security, user access, risk assessment and business continuity. They support allocated IAOs with information assets.


5.4.2. Within the Trust, IAAs are usually administration or operational staff; however, the level of authority required for an asset will depend on the type of asset, the information that it contains and the authority level of the IAO. For example, a Trust-wide business critical patient information system may have a Deputy Director or Department Head, whereas a department-level statistics spreadsheet may have an Administrator or Secretary.

5.4.3. IAAs are responsible for supporting the relevant IAO(s) with meeting their responsibilities (see 5.3 above). Full details of an IAA’s responsibilities are outlined in the IAA Job Summary.

6. PRIVACY IMPACT ASSESSMENTS (PIAs)

6.1. Privacy by Design

6.1.1. ‘Privacy by design’ is an approach to projects that promotes privacy and data protection compliance from the start. This approach is a requirement of data protection legislation and therefore the Trust must ensure that privacy and data protection are a key consideration in the early stages of any project, and then throughout its entire lifecycle.

6.1.2. Core privacy considerations should be integrated into existing project management and risk management methodologies and policies. The procedures described in this policy are in place to ensure that all new (and updated/reviewed) projects, processes and systems introduced to the Trust comply with confidentiality, privacy and data protection requirements.

6.1.3. Taking a ‘privacy by design’ approach is an essential tool in minimising privacy risks and building trust. Designing projects, processes, products or systems with privacy in mind at the outset can lead to benefits which include:

o Potential problems are identified at an early stage, when addressing them will often be simpler and less costly;

o The Trust is more likely to meet its legal obligations and avoid breaches of the GDPR and DPA;

o Actions are less likely to be privacy intrusive and have a negative impact on individuals; and

o Increased awareness of privacy and data protection across the Trust.

6.1.4. Privacy Impact Assessments (PIAs) are an integral part of taking a ‘privacy by design’ approach, and are the tool that the Trust uses to identify, and where possible reduce, the information governance risks of projects, processes and systems within the organisation. A PIA can reduce the risks of harm to individuals through the misuse of their personal information and can also help to design more efficient and effective processes for handling personal data.

6.1.5. All staff who manage or lead on projects/service changes are also responsible for completing PIAs as required, and additional responsibilities apply to Information Asset Owners (IAOs – see 5.3) and Information Asset Administrators (IAAs – see 5.4).

6.2. Privacy Impact Assessments (PIAs)

6.2.1. Data protection legislation dictates that a Privacy Impact Assessment (PIA) is mandatory where the data processing is “likely to result in a high risk to the rights and freedoms” of the data subject(s). This is particularly relevant where there is any automated processing (including profiling) or where the processing involves any special categories of data (such as health or social care information). The ICO has also published a Code of Practice on the requirements for conducting PIAs.

6.2.2. The Trust takes the approach that a PIA should be completed whenever a new or updated system/process is proposed which will or could potentially introduce new (or make changes to the existing) data management processes. This is intertwined with other processes such as IT Requests for Change. PIAs are also used by the Trust to register all information assets onto the Information Asset Register (see 5.1 for further details).

6.2.3. The PIA process is most effective when started at an early stage of a project, preferably when the project is being designed and scoped. A condensed version of the PIA is completed by potential external stakeholders/providers and third parties as part of any tender process. A full PIA must then be completed for the preferred provider once the contract has been awarded, in conjunction with the relevant project manager and Information Asset Owner (see 5.3). The PIA should be updated throughout the project as changes are considered and decisions contemplated.

6.2.4. The completed PIA is used as a formal data risk assessment, and should be assigned two risk ratings:

a) Data processing rating, based on the categories and volume of data, and the impact on the rights of the data subjects. This is assessed using the risk matrix in 7.1 of this policy; and

b) Criticality rating, based on the system usage requirements. This should feed into business continuity and disaster recovery plans, both at a local and Trust-wide level, as appropriate. This is assessed using the risk matrix in 7.2 of this policy.


6.2.5. Any information security risks identified as part of the PIA will be managed on a formal basis via the Trust’s adverse incident reporting procedures, and relevant risks will be recorded within the Trust’s risk register. Measures should be put in place to ensure each asset is secured to an appropriate level, and action plans must be in place to demonstrate effective management of risks.

6.2.6. The PIA should also record all data sets and data flows, which will then feed into the Information Asset Register and provide assurance that the Trust completes ongoing data mapping.

6.2.7. PIAs should be completed by appropriate individuals with sufficient knowledge of the asset/system/process, and must be approved by the relevant Information Asset Owner prior to being sent to the Information Governance Department for review.

6.2.8. As part of the PIA process, it may be necessary for the project lead/Information Asset Owner etc. to liaise with any third party organisations to gain appropriate assurance of compliance, and (where appropriate) seek the views of data subjects or their representatives on the intended processing.

6.2.9. Depending on the risk rating and content of the assessment, it may be necessary for the PIA to be reviewed and authorised by the Senior Information Risk Owner (SIRO), Caldicott Guardian and/or the Information Governance Steering Group (IGSG). The Information Governance Department will make this decision and discuss any reasons with the Project Lead and Information Asset Owner, as appropriate.

6.2.10. It is the responsibility of the Project Lead and/or Information Asset Owner (as appropriate) to ensure that PIAs are reviewed on a regular basis, the frequency of which is proportionate to the risk rating of the system (see Section 7 below).

7. DATA RISK ASSESSMENTS AND RATINGS

7.1. Risk Assessment Matrix (Breaches, Near-Misses and PIAs)

In alignment with the Trust’s Risk Management Strategy, all information risks are assessed using a 5x5 risk assessment matrix.

The tables overleaf should be used to grade all breaches and near-misses recorded via Datix (see 8.1), and to provide a ‘data processing’ rating for assets via Privacy Impact Assessments (see 6.2).

The Trust is also required to score all breaches against the HSCIC Serious Incidents Requiring Review (SIRI) checklist – see 8.3.1 for details.


Risk Assessment Matrix

LIKELIHOOD OF OCCURRENCE: 1 = Rare / Exceptional; 2 = Unlikely; 3 = Possible / Reasonable Chance; 4 = Likely; 5 = Almost Certain.

The risk score in each cell is the IMPACT rating multiplied by the LIKELIHOOD rating.

IMPACT | Description | Likelihood 1 | Likelihood 2 | Likelihood 3 | Likelihood 4 | Likelihood 5
5 Catastrophic | Serious breach with the potential for ID theft, or over 1000 individuals affected. Damage to the NHS’ reputation, national media coverage. | 5 | 10 | 15 | 20 | 25
4 Major | Serious breach with either particular sensitivity, e.g. sexual health details, or up to 1000 individuals affected. Damage to the organisation’s reputation, local media coverage. | 4 | 8 | 12 | 16 | 20
3 Moderate | Serious breach of confidentiality, e.g. up to 100 individuals affected. Damage to the organisation’s reputation, low-key local media coverage. | 3 | 6 | 9 | 12 | 15
2 Minor | Potential serious breach and risk assessed high, e.g. unencrypted records of up to 20 individuals. Damage to the organisation’s reputation, possible local media. | 2 | 4 | 6 | 8 | 10
1 Negligible | Minimal discernible effect on the organisation, media interest unlikely. Less than 5 individuals affected or risk assessed as low, e.g. files were encrypted. Damage to staff member’s reputation. | 1 | 2 | 3 | 4 | 5

Risk Score | Risk Category | Definition | Decision | Min. Reviews
1 – 3 | Very Low | An acceptable level, subject to review | Tolerate | 6 – 12 months
4 – 7 | Low | An acceptable level, subject to review and possible action | Tolerate or Treat | 3 – 6 months
8 – 14 | Moderate | Unacceptable level, requires review and action | Treat or Transfer | At least quarterly
15 – 25 | High | Unacceptable level, requires urgent review and action | Treat, Transfer or Terminate | At least monthly

TOLERATE – accept the risk.

TREAT – take actions to lessen the consequence or likelihood.

TRANSFER – pass responsibility for the risk to another, e.g. contractor or service provider.

TERMINATE – the risk is too high and the activity should not proceed or should be done differently.


7.2. Criticality Assessment Matrix (PIAs)

The table below should be used to provide a ‘criticality’ rating for assets via Privacy Impact Assessments (see 6.2). Each category should be considered to assess the impact of the asset being unavailable (i.e. offline, unusable, etc.) for 5 days. When all categories have been assessed, the maximum score on any one category is the overall final rating.

Consequence | Quality | Finance | Targets | Safety | Reputation | Litigation | Rating
Catastrophic | Gross failure to meet professional standards | >£5M | >10% off planned. Fail to meet national target >2 quarters by >20% | Multiple fatalities. Multiple permanent injuries | Full Public Enquiry | Criminal prosecution – no defence. Executive officer fined or imprisoned | 5
Major | Failure to meet national standards | £500K - £5M | 5% - 10% off planned. Fail to meet national target >2 quarters. Red light | >9 days extended hospital stay. Fatality. Permanent disability | National media >3 days of coverage. Questions in the House | Criminal prosecution – no defence. Executive officer fined or imprisoned | 4
Moderate | Repeated failures to meet internal standards or follow protocols | £50K - £500K | 2% - 4% off planned. Fail to meet national target 2 quarters. Amber light | >3 days absence. 3-8 days extended hospital stay. RIDDOR or MDA reportable. Semi-permanent harm | National media <3 days coverage. Department executive action | Class action. Criminal prosecution. Prohibition notice | 3
Minor | Single failure to meet internal standards or follow protocol | £5K - £50K. Claim below excess | 1% off planned. Fail to meet national target 1 quarter | Cuts/bruises. <3 days absence. <2 days extended hospital stay | Regulator concern. Local press <7 days of coverage | Civil action – no defence. Improvement notice | 2
Negligible | None, or minor non-compliance | None or <£5k | None or N/A | None or minor cuts/bruises | None or within unit. Local press <1 day coverage | None or minor out-of-court settlement | 1


8. DATA BREACHES AND NEAR-MISSES

8.1. Reporting and Recording

8.1.1. Staff provide the Trust’s first line of defence against information loss and theft, and therefore all staff must be able to spot common activities where information could be lost, and know what to report. A breach does not necessarily need to involve the loss or disclosure of personal information in order to be treated as a data security incident. These are the different categories that breaches and incidents can fall into:

Breaches of the data protection principles / confidentiality law:

o Identifiable data lost in transit

o Lost or stolen hardware

o Lost or stolen paperwork

o Data disclosed in error

o Data uploaded to website in error

o Non-secure disposal – hardware

o Non-secure disposal – paperwork

o Technical security failing

o Corruption or inability to recover data

o Unauthorised access or disclosure

Technology-related / cyber incidents:

o Phishing email

o Denial of service attack

o Social media disclosure

o Website defacement

o Malicious damage to systems

o Cyber bullying

8.1.2. All data breaches and near-misses must be formally reported as soon as possible via Datix. Where the breach involves the inappropriate destruction or alteration, loss/theft or unauthorised disclosure of (or access to) data, the Information Governance Department must be informed immediately (ideally via telephone) to assess the severity of the breach and support with identifying the remedial action required.

8.1.3. Data protection legislation draws a distinction between a “data controller” and a “data processor” in order to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility. All contracts with third parties should have clear clauses and expectations regarding the reporting of data breaches. In the case of any data breach, the identified data controller must be notified as soon as possible.


8.1.4. The Trust is required to document all data breaches and near-misses, including details of the breach itself, its effects and the remedial action taken. This information is centrally recorded within the Trust’s adverse incident reporting system (Datix).

8.1.5. Wards and departments will also conduct an information risk and security audit as part of their annual Workplace Assessment of Safety & Health (“WASH”), and any areas of concern are followed up by the Information Governance Department. Further guidance can be found in the Trust’s Data Protection and Information Sharing Policy.

8.2. Action, Investigation and Remediation

8.2.1. It is important to deal with breaches quickly, effectively and appropriately. A strategy for dealing with the breach should be formulated as soon as possible, in conjunction with the Information Governance Department and any other appropriate departments (such as IT, HR etc.), which should include:

a) a recovery plan (including damage limitation);

b) assessing the risks associated with the incident;

c) informing the appropriate people/organisations that the incident has occurred; and

d) reviewing and updating information security to avoid further incidents.

8.2.2. All breaches and near-misses should be fully investigated, and staff should be able to identify any lessons which can be learnt and any measures which can be put in place to avoid the breach happening again. This might involve a change in process or equipment, or introducing additional data security or check mechanisms. Other possible remediation options can be discussed with the Information Governance Department.

8.3. Serious Incidents Requiring Investigation

8.3.1. The Information Governance Department will review and grade all data breaches which are recorded in Datix. This assessment is based on the latest guidance available, and takes into consideration a number of factors, including the number of individuals affected, and the volume and type of data breached. Data breaches will be graded as either:

o Level 2 (Serious Incident Requiring Investigation (SIRI))

o Level 1 (Actual breach but below SIRI threshold – medium risk)

o Level 0 (Actual breach but below SIRI threshold – low risk)

o Near-Miss (there was a potential breach but it was avoided)

o Not Applicable (the incident was reported in Datix but relates to a breach by a third party which does not involve the Trust)

8.3.2. Data protection legislation requires that any data breach which results in a high risk to an individual’s rights or freedoms must be reported to the Information Commissioner’s Office, NHS Digital and the Department of Health. These incidents will be graded as SIRI Level 2 by the Information Governance Department, and formally reported via the Incident Reporting Tool from NHS Digital.

8.3.3. The initial notification of a SIRI must happen within 72 hours of the Trust becoming aware of the breach, and thereafter updates can be provided as available. The initial 72 hour reporting period begins when the breach is identified by staff, not when the Information Governance Department are informed, so it is imperative that staff report breaches without undue delay.

8.3.4. As a minimum, the Trust must provide the following information as part of its formal report on SIRI Level 2 breaches:

o A description of the nature of the breach;

o The categories of personal data affected;

o Approximate number of data subjects affected;

o Approximate number of personal data records affected;

o Name and contact details of the Data Protection Officer;

o Likely consequences of the breach;

o Any measures that have been or will be taken to address the breach, including mitigation; and

o The information relating to the data breach, which may be provided in phases.

8.4. Notifying Data Subjects

8.4.1. Where the breach is graded as a Level 2 SIRI (i.e. the breach is likely to result in high risk to the rights and freedoms of the data subject), the Trust must inform the affected data subjects without undue delay, unless the Trust can demonstrate that:

o It has “implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption”; or

o It “has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise”; or

o Any communication to the data subjects on an individual basis “would involve disproportionate effort”. If this situation occurs, the Trust is expected to issue general public communications “whereby the data subjects are informed in an equally effective manner”.

8.4.2. As part of the Trust’s Duty of Candour requirements and its commitment to promote a culture of being open and transparent, it is encouraged that data subjects should be notified of all data breaches involving their information, regardless of whether it was externally reportable.

8.4.3. Where it is expected/agreed that data subjects are to be contacted, this communication must describe the nature of the breach in clear and plain language, and should include the information specified in 8.3.4. A template letter is available on the intranet, and further guidance can be sought from the Information Governance Department, as required. Copies of all communications should be recorded in Datix.

9. DATA SECURITY AND PROTECTION STANDARDS

From April 2018, a new ‘Data Security and Protection Toolkit’ (DSP Toolkit) will replace the current Information Governance Toolkit. The new DSP Toolkit will reflect a revised mandatory framework for all health and care organisations in order to demonstrate that they are meeting their statutory obligations on data protection and security, and that they are effectively implementing the ten data security standards, recommended as part of the Caldicott 3 Review by Dame Fiona Caldicott (National Data Guardian for Health and Care). Third party organisations contracted to provide services under the NHS Standard Contract must also comply with these requirements.

The information in 9.1 – 9.3 below demonstrates the Trust’s commitment to the requirements of the Data Security and Protection Requirements 2017/18.

9.1. Leadership Obligation One – People:

9.1.1. DSP Requirement #1: There must be a named senior executive to be responsible for data and cyber security in the Trust.

This responsibility sits with the Trust’s Senior Information Risk Owner (SIRO) and Finance Director, Mark Orchard.

9.1.2. DSP Requirement #2: In 2017/18, the Trust is required to achieve at least level two on the current IG Toolkit. From 2018/19, compliance will be measured against the new DSP Toolkit.

The Trust will endeavour to meet all requirements of the current and any replacement toolkit, and this is closely monitored by the Trust’s SIRO, Information Governance Department and the Audit & Governance Committee, with regular assurance reports.

9.1.3. DSP Requirement #3: Prepare for the introduction of the General Data Protection Regulation (GDPR) in May 2018.

The Trust is already working through an action plan to ensure its readiness for the GDPR. This is closely monitored by the Trust’s SIRO, Information Governance Department and the Audit & Governance Committee, with regular assurance reports.

9.1.4. DSP Requirement #4: All staff must complete appropriate annual data security and protection training.

The Trust has rolled out updated Information Governance and Data Security Awareness Level 1 training for all staff. This is an annual requirement for all staff and volunteers in the Trust. Further details can be found in the Trust’s IG Training Plan and TNA.

9.2. Leadership Obligation Two – Processes:

9.2.1. DSP Requirement #5: The Trust must act on advisories from the Care Computer Emergency Response Team (CareCERT), where relevant; confirm within 48 hours that plans are in place to act on high severity advisories, and evidence this through CareCERT Collect; and identify a primary point of contact for the receipt of advisories and the coordination of any responses.

This element is managed by the Trust’s IT service. Further information regarding the process for dealing with CareCERT advisories is available from the IT Service Desk. Additional guidance is also available via the CareCERT Information Sharing Portal: https://nww.carecertisp.digital.nhs.uk/

9.2.2. DSP Requirement #6: A comprehensive business continuity plan must be in place to respond to data and cyber security incidents.

Please see section 8 of this policy for details regarding the procedures for dealing with data breaches. Further information regarding the process for dealing with cyber breaches is also available within the Trust’s IT Security Policy.

9.2.3. DSP Requirement #7: Staff across the Trust should report all data security breaches and near misses, and relevant breaches must be reported to CareCERT.

Please see section 8 of this policy for details regarding the procedures for dealing with data breaches.


9.3. Leadership Obligation Three – Technology:

9.3.1. DSP Requirement #8: The Trust must identify unsupported systems and have a plan in place to remove, replace or actively mitigate or manage the risks associated with unsupported systems.

This element is managed by the Trust’s IT service. Further information is available from the IT Service Desk.

9.3.2. DSP Requirement #9: The Trust must undertake an on-site cyber and data security assessment (if invited to do so by NHS Digital), and then act on the outcome and any recommendations, and share this with our commissioner (Dorset CCG).

Any such assessment will be managed by the IT Department and/or Information Governance Department (as appropriate), with overall monitoring by the Trust’s SIRO and the Audit & Governance Committee, with outcome reports and action plans.

9.3.3. DSP Requirement #10: The Trust should ensure that any supplier of IT systems and the system(s) provided have the appropriate certification (depending on the system nature and criticality).

This element is managed by the Trust’s IT service. Further information is available from the IT Service Desk. This also links to the Privacy Impact Assessment (PIA) process (see 6.2).

10. IMPLEMENTATION AND REVIEW

10.1. Consultation and Implementation

10.1.1. This policy has been drafted by the Information Governance Department in accordance with the Trust’s statutory obligations and responsibilities under the relevant legislation.

10.1.2. This policy will be ratified by the Information Governance Steering Group (IGSG) prior to launch, publication and use within the organisation. In accordance with the IGSG Terms of Reference, minutes from all IGSG meetings are reviewed by the Hospital Executive Group (HEG).

10.1.3. All policies are published on the staff intranet and communication is circulated to all staff when new policies or changes to existing policies are released. Staff will also be made aware of existing policies, procedures and legislation via annual IG training.


10.2. Policy Review Arrangements

10.2.1. This policy will be reviewed by the Information Governance Department on at least a three-yearly basis. An earlier review may be instigated where there is a change in legislation or practice, or new guidelines are published which impact on the particulars of this policy.

10.2.2. Any major updates or changes to this policy will be ratified by the Senior Information Risk Owner, Caldicott Guardian and/or the IGSG (as appropriate) prior to implementation. The application and use of this policy will be monitored by the Information Governance Department and IGSG as part of its formal arrangements.

10.3. Monitoring Effectiveness

10.3.1. All areas of the Trust are required to complete an annual Information Risk and Security Audit to demonstrate their compliance against current policies and procedures. These audits will highlight if any information has been put at risk through deliberate/inadvertent misuse of systems (electronic and paper), or as a result of weak, non-existent or poorly applied controls. All completed audits are reviewed by the Information Governance Department, and follow-up action taken as necessary. Audit statistics are provided to the IGSG on a regular basis.

10.3.2. The Trust will also monitor the effectiveness of this policy via the use of Privacy Impact Assessments (see 6.2) and the review of incidents and near-misses recorded within Datix (see Section 8).


APPENDICES

APPENDIX A: EQUALITY IMPACT ASSESSMENT

Date of Assessment: February 2018

Assessor Details: Information Governance Officer

Assessment Area: Information Risk and Security Policy

Purpose, Aims and Intended Outcomes: See Sections 1 and 2 of the policy for details regarding the purpose, aims and intended outcomes of the policy.

Target Group(s) and Impact/Influence: This policy is applicable to all staff and there is no anticipated detrimental impact on any equality group. This policy makes all reasonable provision to ensure equal access to all staff. There are no statements, conditions or requirements that disadvantage any particular group of people.

Assessment of Aspects/Activities Relevant to Equality:

Accessibility: All IG policies and guidance are accessible for all managers and staff via the intranet and copies are obtainable from the IG Team.

Consultation and Communication: This policy will be ratified by the IGSG prior to launch, publication and use within the organisation. All policies are communicated widely and openly across the organisation, will be accessible to everyone via the intranet and, as required, staff will be supported in their application of the policy.

Implementation: The application of this policy supports the Trust’s duties under the Equality Act 2010. The organisation will have due regard for the need to eliminate unlawful discrimination, promote equality of opportunity and provide for good relations between all people of all diverse groups.

Monitoring and Review: This policy will be reviewed by the IG Department on at least a three-yearly basis, unless there is a change in legislation or practice, or new guidelines are published which necessitates an earlier review. Any major updates or changes will be ratified by the SIRO, Caldicott Guardian and/or IGSG prior to implementation. The application and use of this policy will be monitored by IG and the IGSG as part of its formal arrangements.


Recommended