
INFORMATION GOVERNANCE

INFORMATION SECURITY POLICY

Policy Manager: Information Governance Officer (Information Security Management)

Policy Group: Information Governance Committee

Policy Established: July 2016

Policy Review Period/Expiry: August 2021

Last Updated: August 2019

This policy does / does not apply to Medical/Dental Staff (delete as appropriate)

UNCONTROLLED WHEN PRINTED

Information Security Policy Version Control

Version Number | Purpose/Change | Author | Date

1.0 | First Draft | Pollycarp Batwaula | July 2016

1.0 | Circulated to Information Governance Committee | Pollycarp Batwaula | July 2016

1.0 | Approved by Information Governance Committee | | July 2016

1.0 | Passed to Finance and Resources Committee for adoption | | August 2016

1.0 | Adopted by Finance & Resources Committee | | August 2016

1.1 | Update to reflect the new Information Security Policy Framework 2018 | Pollycarp Batwaula | August 2019

1.1 | Endorsed by Information Governance and Cyber Assurance Committee | | September 2019

1.1 | Adopted by Audit and Risk Committee | | November 2019

Document Control Document: Information Security Policy Version: 1.1 Version Date: August 2019 Policy Manager: Information Governance Officer (ISM) Page 1 of 34 Review Date: August 2021

Table of Contents

1. INTRODUCTION _______________________________________________________ 2

2. LEADERSHIP AND COMMITMENT _________________________________________ 3

2.1. ROLES AND RESPONSIBILITIES ______________________________________ 3

2.2. SENIOR INFORMATION RISK OWNER (SIRO) ___________________________ 3

2.3. INFORMATION ASSET OWNER (IAO) __________________________________ 4

2.4. INFORMATION ASSET ADMINISTRATOR (IAA) ___________________________ 4

2.5. CLINICAL MANAGERS, HEADS OF DEPARTMENT AND GENERAL MANAGERS 5

3. INFORMATION SECURITY OBJECTIVES ___________________________________ 5

4. INFORMATION SECURITY MANAGEMENT SYSTEM __________________________ 7

4.1. SCOPE ___________________________________________________________ 7

4.2. PLANNING ________________________________________________________ 8

4.3. RESOURCES ______________________________________________________ 8

4.4. STAFF AWARENESS AND COMMUNICATIONS __________________________ 9

4.5. DOCUMENTATION __________________________________________________ 9

5. INFORMATION RISK ASSESSMENT _______________________________________ 9

6. INFORMATION SECURITY RISK TREATMENT _______________________________ 9

7. PERFORMANCE EVALUATION __________________________________________ 10

8. INTERNAL AUDIT _____________________________________________________ 10

9. MANAGEMENT REVIEW AND IMPROVEMENT ______________________________ 11

11. APPENDIX 5 POLICY APPROVAL CHECKLIST __________________________ 12

12. APPENDIX 6 EQUALITY IMPACT ASSESSMENT _________________________ 14


1. Introduction

The aim of the NHS Tayside (NHST) Information Security Policy is to set out how the organisation will address the requirements of the NHS Scotland Information Security Policy Framework (ISPF) 2018 (https://www.healthca.scot/wp-content/uploads/2019/05/Information-Security-Policy-Framework-ISPF.pdf), which incorporates the legal and compliance requirements of the Network and Information Systems Directive 2018 (NIS Directive) and the security elements of the General Data Protection Regulation 2018 (GDPR), so that the risks relating to the confidentiality, integrity and availability of all types of written, spoken and computer information are managed.

Managing information risk is a core responsibility of the Chief Executive Officer for each legal entity (the Board).

There are of course information risks which impact across both Boards and healthcare services and it is the responsibility of the Chief Executive Officer of NHSS and ultimately the Cabinet Secretary for Health and Sport to set out the common information security components that must be in place in each Board so that information risks are managed in a consistent and effective way and are in line with the national strategies and risk appetite. Scottish Government is the Competent Authority (CA) responsible for regulatory decisions and enforcement under NIS Directive 2018.

The common components (which include specific controls, NHSS standards resources, processes and leadership) are aligned as closely as possible with International Standards ISO-27001 and ISO-27002.

NHS Tayside (NHST) is committed to conforming to ISO-27001 as far as practicable, so as to create the trust required by an ever wider network of information sharing partners, such as central and local government, who wish to gain assurance that the information security management systems operating in all NHS Boards are broadly equivalent. Additionally, NHST will address the information security and cyber resilience actions of the Scottish Government Public Sector Action Plan (PSAP), which include Cyber Essentials certification. Assurance reporting on NHS Tayside’s compliance with the requirements of the ISPF will be provided at standing committee level.

The objectives of NHS Tayside’s Information Security Policy are to preserve:

• Confidentiality - Access to data and information shall be confined to those with appropriate authority.

• Integrity - Data and information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.

• Availability - Data and information shall be available and delivered to the right person, at the time when it is needed.

• Accountability - Information that is delivered cannot be repudiated by the sender.

The aim of this policy is to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by NHS Tayside by:

• Ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other policies.

• Describing the principles of security and explaining how they shall be implemented in the organisation.

• Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities.

• Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of day to day business.

• Protecting information assets under the control of the organisation.

The policy applies to NHST information assets, whether spoken or written, data that is stored on servers or related components, printed matter or displayed data which is owned or under NHST management.


Specific policy objectives include:

• To provide a set of rules, measures and procedures aimed at ensuring confidentiality, integrity and availability throughout NHST in line with NHST standards and obligations.

• To ensure that information is protected from unauthorised access, disclosure, modification or loss and that, above all, the confidentiality of patient data is not compromised.

• To meet its legal and other requirements and to satisfy obligations to the NHS, patients and staff, NHST must use effective security measures to safeguard its information.

• To implement, in consultation, such security measures as are appropriate, updating them whenever necessary.

• To set out the potential consequences of non-compliance with the provisions of this policy.

• To make direct reference to supporting Policy and Guidance documents.

1. Governance

NHS Tayside Board shall demonstrate leadership and commitment with respect to information security management by ensuring that the NHS Tayside Information Security Policy, Security Objectives and Information Security Management System (ISMS) are established, supported at Board level and deliver legal compliance.

Leadership and Commitment ensures that:

• There is effective organisational security management led at board level and articulated clearly in corresponding policies.

• The approach and policy relating to the security of networks and information systems supporting the delivery of essential services are set and managed at board level.

• Regular board discussions on the security of network and information systems take place, based on timely and accurate information and informed by expert guidance.

• The importance of effective information security management and of conforming to the information security management system requirements is communicated.

1.1. Roles and Responsibilities

Ultimate responsibility for the secure operation of all systems used in NHS Tayside rests with the Chief Executive. The responsibility is delegated to all staff involved or using information and information systems.

Specific roles are:

1.2. Senior Information Risk Owner (SIRO)

The role of senior information risk owner (SIRO) in NHS Tayside is carried out by the Board Secretary with responsibility for this delegated through the Chief Executive.

This senior level post is charged with ensuring that:

• the Board-level information security policy, security objectives and information security management system (ISMS) are established

• the resources needed for the effective operation of the ISMS are available and supported by top management

• a Board-level information security policy that is appropriate to the needs of the organisation and aligned with the NHSS information security policy framework is developed

• the performance of the ISMS is reported to the Board at regular intervals


The SIRO relies on Information Asset Owners (IAO) to manage information risks at an operational and system level in NHS Tayside; these roles are described in the NHS Tayside Information Security Policy.

1.3. Information Security Officer/Manager (ISO) role

This is a designated permanent role of Board Information Security Officer/Manager that encompasses all Information risks and not just ‘IT Security’.

1.4. Security of Networks and Information Systems Officer

A Board-level individual with overall accountability for the security of networks and information systems, who drives regular discussion at board level.

1.5. Information Asset Owner (IAO)

An Information Asset Owner is:

• a senior individual involved in running the relevant business – the Business Owner

• a senior individual with responsibility for ensuring that risks and vulnerabilities associated with the Information Assets they manage are monitored

• a senior individual who has the authority to make decisions concerning the asset at the highest level

• responsible for identifying, understanding and addressing risk to the information assets they “own”

• not necessarily the creator or the primary user of the asset, but they must understand its value to the organisation

• accountable to the SIRO for providing assurance on the security and use of their information assets

1.6. Information Asset Administrator (IAA)

This role within each service area or department is responsible for:

• acting as liaison between their service area or department and eHealth and IG

• preparing a System Security Policy (SSP), a risk management document and Information Governance documents for systems within their remit

• ensuring that all user responsibilities in respect of information security are understood and properly exercised

• managing access to particular systems and information and maintaining records of authorised system users

• administering user security procedures requiring central control, including the administration of user credentials

• reviewing and monitoring day-to-day security control and incidents and identifying unauthorised and unusual use

• advising system users on security procedures, including briefing new staff

• maintaining records of security incidents and reporting them to the IAO and IG Manager/IG Governance Officer (Information Security Management)

• periodically reviewing error or incident logs and reporting frequent occurrences to the IG Manager/IG Governance Officer (Information Security Management)

• being accountable to the IAO for providing assurance on the operational security and use of their information assets


1.7. Clinical Managers, Heads of Department and General Managers

Managers will support the IAO in ensuring that the information systems relied on in their area are effectively managed and operated.

Managers must ensure that their staff are provided with information systems training as appropriate.

Managers must ensure that, where the administration of departmental systems has been delegated to a member of their staff:

• the role and scope of the IAA is agreed with the relevant parties

• the appointee undergoes relevant training

• procedures and protocols that are in line with the requirements of this policy are developed, documented and implemented by the IAA.

The application of the above structure, at all levels, represents arrangements to accommodate substantial systems with wide-ranging coverage.

However, the tasks and responsibilities still have to be taken on when operating smaller systems, procedures and processes. This may require some alteration to the structure to allow for practicalities.

2. Information Security Objectives

NHS Tayside shall establish high level Information Security Objectives for the entire organisation.

The Information Security Objectives shall be aligned with:

• NHS Tayside eHealth Strategy, so that the information security function and ISMS support our strategic aims

• NHSS/SG Information Security Policy Framework

• NHSS/SG Information Governance Improvement Plan

• the set of specific, measurable actions relating to information security to be undertaken at national level over a defined period as part of the NHSS eHealth Programme

• NHS Tayside specific actions that need to be undertaken, including the planning, resources, time-scale, persons responsible and how and when results are to be evaluated

NHS Tayside’s Information Security Objectives are:

Information Security Policy

• To provide management direction and support for information security in accordance with the business requirements and relevant laws and regulations.

Organisation of Information Security

• To establish a management framework and initiate and control the implementation and operation of information security within the organisation.

• To ensure the security of teleworking and mobile devices.

Human Resource Security

• To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

• To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

• To protect the organisation’s interests as part of the process of changing or terminating employment.


Asset Management

• To identify organisational assets and define appropriate protection responsibilities.

• To ensure that information receives an appropriate level of protection in accordance with its importance to the organisation.

Access Control

• To ensure authorised user access and to prevent unauthorised access to systems and services.

• To make users accountable for safeguarding their authentication information.

• To prevent unauthorised access to systems and applications.

Cryptographic Controls

• To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

Physical and Environmental Security

• To prevent unauthorised physical access, damage and interference to the organisation’s information and information processing facilities.

• To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.

Operations Security

• To ensure correct and secure operation of information processing facilities.

• To ensure that information and information processing facilities are protected against malware.

• To protect against loss of data.

• To record events and generate evidence.

• To ensure the integrity of operational systems.

• To prevent the exploitation of technical vulnerabilities.

• To minimise the impact of audit activities on operational systems.

Communications Security

• To ensure the protection of information in networks and its supporting information processing facilities.

Information Transfer

• To maintain the security of information transferred within the organisation and with any external entity.

System Acquisition, Development and Maintenance

• To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

• To ensure that information security is designed and implemented within the development lifecycle of information systems.

• To ensure the protection of data used for testing.

Supplier Relationships

• To ensure protection of the organisation’s assets that are accessible by suppliers.

• To maintain an agreed level of security and service delivery in line with supplier agreements.


Information Security Incident Management

• To ensure a consistent and effective approach to the management of information security incidents, including communications on security events and weaknesses.

Information Security - Business Continuity Management

• Information security continuity shall be embedded in the organisation’s business continuity management systems.

• To ensure availability of information processing facilities.

Compliance

• To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and/or any security requirements.

• To ensure that information security is implemented and operated in accordance with the organisational policies and procedures.

3. Information Security Management System

NHS Tayside shall establish, implement, maintain and continually improve an Information Security Management System (ISMS).

‘System’ in this context does not mean an ‘IT system’ but rather the dynamic, continuing, circular business system which starts with planning, then building, then acting, then checking, then planning again.

3.1. Scope

NHS Tayside has business relationships with an array of partners, ranging from local authorities, health and social care partnerships, third sector, universities and commercial suppliers.

Although there should be information sharing agreements with partners/suppliers, and they may share IT infrastructure and other computing resources, it would not be practical for NHS Tayside’s ISMS to cover all of this.

Instead, NHS Tayside’s ISMS and associated policies will be defined to cover all the operations of NHS Tayside.

If NHS Tayside is to encompass the operations of other organisations (e.g. because of a shared service agreement with GPs or health and social care partnership) then this needs to be documented and resourced separately and accordingly.

Where two separate organisations enter into information sharing agreements both will need to agree on where one or more ISMS interface (and where any differences in information security policy might lead to differences in risk management).

Policy Coverage

This policy covers all aspects of operational information handling within NHS Tayside, including (but not limited to):

• Patient/Client/Service User information

• Staff related information

• Organisational information

This policy covers all aspects of operational information handling and processing, including (but not limited to):

• Structured record systems (paper and electronic)

• Transmission of information (fax, email, post and telephone)


This policy covers all information systems purchased, developed, managed or utilised by NHS Tayside, and any individual (directly employed or otherwise by NHS Tayside) accessing information ‘owned entirely or partially’ by NHS Tayside.

This policy applies to:

• all information systems purchased, developed, managed, supplied under contract or utilised by NHS Tayside

• all data and information sources, networks and applications utilised by NHS Tayside

• all staff members of NHS Tayside, irrespective of location, carrying out their duties when employed by or acting on behalf of NHS Tayside

3.2. Planning

Having established the scope and contours of the ISMS, NHS Tayside shall:

• Establish the factors that provide opportunities for the setting up and running of the ISMS and ensure that these are exploited (e.g. mature risk management processes in other areas such as finance, or existing eHealth staff trained in ITIL or another methodology which uses documented processes).

• Establish the risks that may prevent the ISMS from being established, working as intended and being able to achieve continual improvement (e.g. lack of resourcing, cultural issues, an organisational structure that has grown up organically, or other factors that would prevent the smooth running of the ISMS machine).

• Consider how far the ISMS needs to work beyond the current information security function and requires interaction with resources elsewhere (eHealth, records management etc.).

• Take action to address these risks at executive level.

3.3. Resources

NHS Tayside shall determine and provide the resources needed for the establishment and continual improvement of the ISMS. NHS Tayside shall:

• Be clear that the roles in information security are part of a professional specialist discipline and career home (analogous to ICT, finance, procurement, statistics etc.) and not a generalist NHS administration role.

• As a minimum, have the designated permanent role of Board Information Security Officer/Manager that encompasses all information risks (not just ‘IT Security’) and is of appropriate grade and standing.

• Ensure the appointed person(s) are competent and have the necessary specialist training and experience. If this is not possible on Day 1 then the Board SIRO needs to bear the risk and take action to ensure that the necessary competence is acquired as soon as possible (and for this to be documented).

• Provide on-going training and support for information security personnel (i.e. mentoring, resource to gain necessary professional accreditation and qualifications) and document this.

• Ensure that the personnel are able to participate fully in national-level communities such as National Centre for Cyber Security (NCSC) via CiSP registration, Scottish Government Cyber Resilience Team, IG and Information Security Fora, and governance structures (e.g. Public Benefit and Privacy Panel) and accreditation work (e.g. Scottish Wide Area Network and services used across Boards) so that national level information risks are addressed in an effective way.


3.4. Staff awareness and communications

NHS Tayside shall put in place the means to conduct internal and external communications and awareness relevant to its information security management system. The outcome should be:

• The Board-level information security management policy and associated security objectives will be freely available to all employees, interested parties and the wider public.

• Board level policies and guidance will be available to all staff and interested parties digitally (e.g. via the Intranet).

• There is a form of mandatory induction for all new personnel in regard to NHS Tayside information security policy, and this is followed.

• There is a process to enable information security updates, advice and other content to be made available in a timely manner.

3.5. Documentation

NHS Tayside shall hold documented information relating to the design and effective running of its ISMS. This information is:

• To be held in a digital format in the Board approved corporate records management system.

• To be held as one or more discrete functions within a file plan/business classification scheme and managed according to NHS Tayside’s records retention schedules.

• To be easily accessible to persons requiring it to support the smooth running of the ISMS, kept up to date and subject to security and access permissions commensurate with its sensitivity.

4. Information Risk Assessment

NHS Tayside shall identify key assets and their owners and document them in a high-level Information Asset Register (IAR). Impact on assets needs to be assessed in terms of confidentiality, integrity and availability.

NHS Tayside shall use the NHSS information security risk assessment template and associated process and the national impact levels. This will ensure that repeated information security risk assessments produce consistent, valid and comparable results across all Boards. In particular:

• The business context must be fully understood prior to assessment.

• Risk owners and owners of assets must be identified.

• Plausible worst case scenarios and business impact must be understood and documented, according to the national impact scale 1-5, if overall risks to confidentiality, integrity and availability materialise.

• Vulnerabilities and likelihood must be assessed.

• Overall risk analysis must use the criteria above.

• Analysed risks must be prioritised and summarised into a format that can be easily understood by risk owners so that they can agree subsequent risk treatment.

NHS Tayside shall perform information security risk assessments at planned intervals, when significant changes are proposed, or where recommended in the wake of significant information security incidents. Such assessments can be at organisational level, function level, or project or service specific level.

5. Information Security Risk Treatment

NHS Tayside shall define and use consistently an information security risk treatment process that:

• Selects appropriate information security risk treatment options for the information risk assessment results.

• Determines all the controls that are necessary to implement the selected options.

• Ensures that all the reference control objectives and control types cited in ISO-27001 are considered and verifies that none have been omitted.

• Ensures that the relevant NHSS national-level mandatory controls and standards are implemented, including those of the Scottish Wide Area Network (SWAN).

• Ensures that significant incidents are reported as per national policy so that lessons learned reports feed into treatment plans.

• Ensures that the formal process of NHSS national accreditation is followed in regard to systems/services that require it. It is the responsibility of NHS Tayside or other organisations using the systems/services to complete the risk management and accreditation document set for the NHSS-wide accreditor.

• Considers all controls in NHSS National Guidance and implements them as far as practicable.

• Considers all the controls cited in ISO-27002 that support ISO-27001.

• Produces a statement of applicability that contains the necessary controls and the justification for inclusions, exclusions and whether each is actually implemented.

• Considers any other control objectives and types over and above those in ISO-27001/2 that have applicability to the Board.

• Formulates an information security risk treatment plan.

• Obtains the risk owners’ formal approval of the information security risk treatment plan and acceptance of the residual information security risks. Where non-NHSS organisations and suppliers are involved the Board shall seek agreement on which party is responsible for discharging the different components of the treatment plan.

NHS Tayside must implement the agreed information security treatment plans and retain document evidence.

6. Performance evaluation

NHS Tayside shall routinely evaluate the information security performance and the effectiveness of the information security management system and be clear about:

• What is to be monitored and measured, including security processes, controls and analysis of incidents.

• The methods for evaluating, so that there are comparable and reproducible results.

• The personnel who undertake the evaluation and how this is communicated to the SIRO so that any necessary action can be taken.

7. Internal audit

The Information Governance and Cyber Assurance Committee has agreed that the impact assessment will be carried out by internal audit and an internal work group comprising the IG&CA Team, Risk Management, eHealth, TCOE and the Business Unit. NHS Tayside shall conduct internal audits at planned intervals that provide information on whether the information security management system conforms to the requirements of the ISMS as planned and implemented.

The audit shall:

• Work according to an agreed frequency (e.g. annual).

• Define the scope of the audit and its criteria.

• Be carried out by persons who are qualified, objective and impartial.

• Where appropriate, be incorporated into the internal audit function covering other areas such as finance.


8. Management review and improvement

The SIRO, in conjunction with the executive management team, should review the Board’s information security management system at planned intervals to ensure its continuing suitability and effectiveness. This will be measured against the Board-level and NHSS Information Security Policy Framework. Such review will include consideration of:

• Status of actions from previous management reviews.

• Changes in external and internal issues which are relevant.

• Non-conformities in the ISMS and preventative/corrective actions.

• Monitoring and measurement of results.

• Audit results.

• Results of high-level or significant risk assessment and risk treatment plans.

• Feedback from interested parties including patients.

• Significant security incident reports at Board and national level.

The outputs of the management review shall include decisions related to continual improvement, opportunities and any changes needed to the information security management system.

The Board, acting through the CEO, SIRO and senior management team will react when nonconformity occurs - over and above any regular audit and management review - and take action to deal with it including change to the information security management system.

The Board recognises the circular nature of the ISMS: to plan, action, check and plan again so as to make continual improvement.


10. Appendix 5 Policy Approval Checklist

This form must be completed by the Policy Manager, and this checklist must be completed and forwarded with the policy to the Executive Team, Clinical Quality Forum or Area Partnership Forum for approval and to the appropriate Committee for adoption.

POLICY AREA: Information Governance

POLICY TITLE: Information Security Policy

POLICY MANAGER: Information Governance Officer (Information Security Management)

Why has this policy been developed?

To comply with NHSS Information Security Policy Framework 2018

NHS Tayside has a legal obligation to comply with the Data Protection Act 2018.

This policy sets out the framework within which NHS Tayside will operate to ensure compliance with the Data Protection Act 2018, the Network and Information Systems Regulations 2018 and the security elements of the GDPR.

Has the policy been developed in accordance with or related to legislation? – Please give details of applicable legislation.

Data Protection Act 2018

GDPR

Network and Information Systems Regulations 2018

Freedom of Information (Scotland) Act 2002.

Has a risk control plan been developed and who is the owner of the risk? If not, why not?

No

Who has been involved/consulted in the development of the policy?

NHST Information Governance Committee.

This revised policy to be available through Staffnet.

Has the policy been Equality Impact Assessed not to disadvantage the following groups? (Yes/No)

Age: Yes

Disability: Yes

Gender Reassignment: Yes

Pregnancy/Maternity: Yes

Race/Ethnicity: Yes

Religion/Belief: Yes

Sex (men and women): Yes

Sexual Orientation: Yes

People with Mental Health Problems: Yes

Homeless People: Yes

People involved in the Criminal Justice System: Yes

Staff: Yes

Socio Economic Deprivation Groups: Yes

Carers: Yes

Literacy: Yes

Rural: Yes

Language/Social Origins: Yes


Does the policy contain evidence of the Equality Impact Assessment Process?

Yes. Equality & Diversity Impact Assessment included in papers to IG Committee and Finance & Resources Committee.

Is there an implementation plan? Immediate.

Which officers are responsible for implementation? Responsibilities are set out in this policy and are supplementary to those set out in the Information Governance Policy.

When will the policy take effect? Immediate

Who must comply with the policy/strategy? All NHS Tayside staff.

How will they be informed of their responsibilities? Notification of approval will be sent to all NHS Tayside employees through Staffnet and routine communication channels, Vital Signs and Spectra.

Is any training required? The policy indicates that awareness and training material is available on Staffnet. This material has been publicised separately.

If yes, attach a training plan: Online modules available.

Are there any cost implications? Yes

If yes, please detail costs and note source of funding: Online learning environment and module development.

Who is responsible for auditing the implementation of the policy?

See responsibilities for implementation, as above

What is the audit interval? As above

Who will receive the audit reports? As above

When will the policy be reviewed? Provide details of the policy review period (up to 5 years).

Two years after approval or following significant changes in legislation, guidance and/or service provision

Information Security Officer

POLICY MANAGER: Information Governance Officer (ISM) DATE: August 2019

ADOPTION COMMITTEE TO CONFIRM: Finance & Resources Committee


11. Appendix 6 Equality Impact Assessment

EQUALITY IMPACT ASSESSMENT

Manager: Information Governance Officer (ISM)

Group: Information Governance and Cyber Assurance Committee

Established: July 2016

Last updated: July 2016; August 2019

Review / Expiry: July 2018; August 2021

UNCONTROLLED WHEN PRINTED


Section 1 Part A – Overview

Name of Policy, Service Improvement, Redesign or Strategy: Information Security Policy

Lead Director or Manager: Board Secretary

What are the main aims of the Policy, Service Improvement, Redesign or Strategy?

The aim of this policy is to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by NHS Tayside.

Description of the Policy, Service Improvement, Redesign or Strategy – What is it? What does it do? Who does it? And who is it for?

The Policy describes the requirements of the NHS Scotland Information Security Policy Framework (ISPF) 2018.

The policy is relevant to all employees in their handling of any data/information.

Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources throughout NHS Tayside. It plays a key part in clinical governance, service planning and performance management. It is, therefore, of paramount importance that information is protected from unauthorised access, disclosure or loss and, above all, that the confidentiality of patient data is not compromised.

What are the intended outcomes from the proposed Policy, Service Improvement, Redesign or Strategy? – What will happen as a result of it? Who benefits from it and how?

To meet its legal and other requirements and to satisfy its obligations to the NHS, patients and staff, NHST must use effective security measures to safeguard its information and ensure that the confidentiality of patient data is not compromised.

Manage the risks relating to the confidentiality, integrity and availability of all types of written, spoken and computer information.


Name of the group responsible for assessing or considering the equality impact assessment? This should be the Policy Working Group or the Project team for Service Improvement, Redesign or Strategy.

Equality Impact Assessment has been considered for this policy and the conclusion is that no further assessment is required, for the following reason. The Data Protection Policy and the Network and Information Systems Regulations outline the framework that the organisation has in place for all employees to work within. Compliance with the policy does not impact directly on any individual person or group of people, irrespective of whether they have any protected characteristic.

The Information Governance and Cyber Assurance Committee members are:

• Senior Information Risk Owner (SIRO) – Chair. The SIRO is responsible for Information Governance in NHS Tayside and for ensuring that Information Governance arrangements are in place and managed throughout the organisation.

• Head of Information Governance and Cyber Assurance – Vice Chair. The Head of Information Governance and Cyber Assurance has responsibility for Information Governance systems and processes and for providing assurance on the implementation of Information Governance.

• Medical Director – Caldicott Guardian. Provides direction and leadership in line with the Caldicott Guidelines regarding the use of clinical information within NHS Tayside.

• Chairman of the Local Medical Committee (LMC) / GP Sub Committee

• Employee Director

• Health Records Manager

• Head of Laboratory Services

• Representative from eHealth

• Representative from Human Resources

• Representative from Business Unit

• Representative from Finance Directorate

• Representative from Nursing and Midwifery and AHP Directorate

Regular attendees:

• Information Governance Officer (Information Security Management)

• Corporate Records and Web Manager

• Information Governance Officer (Data Protection)


SECTION 1 Part B – Equality and Diversity Impacts

Which equality group or Protected Characteristics do you think will be affected?

Item | Considerations of impact | Explain the answer and, if applicable, detail the impact | Document any Evidence/Research/Data to support the consideration of impact | Further actions required

1.1 Will it impact on the whole population? Yes or No. If yes, will it have a differential impact on any of the groups identified in 1.2? If no, go to 1.2 to identify which groups.

Response: No. This policy applies to all NHS Tayside employees.

Further actions required: None

1.2 Which of the protected characteristic(s) or groups will be affected?

• Minority ethnic population (including refugees, asylum seekers & gypsies/travellers)

• Women and men

• People in religious/faith groups

• Disabled people

• Older people, children and young people

• Lesbian, gay, bisexual and transgender people

• People with mental health problems

• Homeless people

• People involved in criminal justice system

• Staff

• Socio-economically deprived groups

Response: Staff who are covered by any of the protected characteristics.

1.3 Will the development of the policy, strategy or service improvement/redesign lead to:

• Discrimination

• Unequal opportunities

• Poor relations between equality groups and other groups

• Other

Response: No


SECTION 2 – Human Rights and Health Impact

Which Human Rights could be affected in relation to Articles 2, 3, 5, 6, 8, 9 and 11? (ECHR: European Convention on Human Rights)

Item | Considerations of impact | Explain the answer and, if applicable, detail the impact | Document any Evidence/Research/Data to support the consideration of impact | Further actions required

2.1 On Life (Article 2, ECHR)

• Basic necessities such as adequate nutrition and safe drinking water

• Suicide

• Risk to life of / from others

• Duties to protect life from risks by self / others

• End of life questions

Response: None

2.2 On Freedom from ill-treatment (Article 3, ECHR)

• Fear, humiliation

• Intense physical or mental suffering or anguish

• Prevention of ill-treatment

• Investigation of reasonably substantiated allegations of serious ill-treatment

• Dignified living conditions

Response: None

2.3 On Liberty (Article 5, ECHR)

• Detention under mental health law

• Review of continued justification of detention

• Informing reasons for detention

Response: None

2.4 On a Fair Hearing (Article 6, ECHR)

• Staff disciplinary proceedings

• Malpractice

• Right to be heard

• Procedural fairness

• Effective participation in proceedings that determine rights such as employment, damages / compensation

Response: None

2.5 On Private and family life (Article 8, ECHR)

• Private and family life

• Physical and moral integrity (e.g. freedom from non-consensual treatment, harassment or abuse)

• Personal data, privacy and confidentiality

• Sexual identity

• Autonomy and self-determination

• Relations with family, community

• Participation in decisions that affect rights

• Legal capacity in decision making, supported participation and decision making, accessible information and communication to support decision making

• Clean and healthy environment

Response: None

2.6 On Freedom of thought, conscience and religion (Article 9, ECHR)

• To express opinions and receive and impart information and ideas without interference

Response: None

2.7 On Freedom of assembly and association (Article 11, ECHR)

• Choosing whether to belong to a trade union

Response: None

2.8 On Marriage and founding a family

• Capacity

• Age

Response: None

2.9 Protocol 1 (Articles 1, 2, 3, ECHR)

• Peaceful enjoyment of possessions

Response: None


SECTION 3 – Health Inequalities Impact

Which health and lifestyle changes will be affected?

Item | Considerations of impact | Explain the answer and, if applicable, detail the impact | Document any Evidence/Research/Data to support the consideration of impact | Further actions required

3.1 What impact will the function, policy/strategy or service change have on lifestyles? For example, will the changes affect:

• Diet & nutrition

• Exercise & physical activity

• Substance use: tobacco, alcohol or drugs

• Risk taking behaviours

• Education & learning or skills

• Other

Response: None

3.2 Does your function, policy or service change consider the impact on the communities? Things that might be affected include:

• Social status

• Employment (paid/unpaid)

• Social/family support

• Stress

• Income

Response: None

3.3 Will the function, policy or service change have an impact on the physical environment? For example, will there be impacts on:

• Living conditions

• Working conditions

• Pollution or climate change

• Accidental injuries/public safety

• Transmission of infectious diseases

• Other

Response: None

3.4 Will the function, policy or service change affect access to and experience of services? For example:

• Healthcare

• Social services

• Education

• Transport

• Housing

Response: None


3.5 In relation to the protected characteristics and groups identified:

• What are the potential impacts on health?

• Will the function, policy or service change impact on access to health care? If yes, in what way?

• Will the function, policy or service change impact on the experience of health care? If yes, in what way?

Response: N/A


SECTION 4 – Financial Decisions Impact

How will it affect the financial decision or proposal?

Item | Considerations of impact | Explain the answer and, if applicable, detail the impact | Document any Evidence/Research/Data to support the consideration of impact | Further actions required

4.1

• Is the purpose of the financial decision for service improvement/redesign clearly set out?

• Has the impact of your financial proposals on equality groups been thoroughly considered before any decisions are arrived at?

Response: N/A

4.2

• Is there sufficient information to show that "due regard" has been paid to the equality duties in the financial decision making?

• Have you identified methods for mitigating or avoiding any adverse impacts on equality groups?

• Have those likely to be affected by the financial proposal been consulted and involved?

Response: N/A


5. Involvement, Consultation and Engagement (IEC)

1) What existing IEC data do we have?

• Existing IEC sources

• Original IEC

• Key learning

2) What further IEC, if any, do you need to undertake?

Response: N/A

6. Have any potential negative impacts been identified? If so, what action has been proposed to counteract the negative impacts? (If yes, state how.) For example:

• Is there any unlawful discrimination?

• Could any community get an adverse outcome?

• Could any group be excluded from the benefits of the function/policy? (Consider the groups outlined in 1.2.)

• Does it reinforce negative stereotypes? (For example, are any of the groups identified in 1.2 being disadvantaged due to perception rather than factual information?)

Response: N/A

7. Data & Research

• Is there need to gather further evidence/data?

• Are there any apparent gaps in knowledge/skills?

Response: N/A

8. Monitoring of outcomes

• How will the outcomes be monitored?

• Who will monitor?

• What criteria will you use to measure progress towards the outcomes?

Response: Information Governance and Cyber Assurance Committee reporting

9. Recommendations

Response: N/A


State the conclusion of the Impact Assessment

10. Completed function/policy

• Who will sign this off?

• When?

Response: Performance and Resources Committee

11. Publication

Response: Staffnet; NHS Tayside website


Conclusion Sheet for Equality Impact Assessment

Positive Impacts (note the groups affected):

Negative Impacts (note the groups affected): No

What, if any, additional information and evidence is required? N/A

From the outcome of the Equality Impact Assessment, what are your recommendations? (Refer to questions 5 - 10.) N/A

