
Kingston Primary Care Trust Information Security Policy

31.03.09 Page 1 of 25 Version 1.0

Information Security Policy

POLICY NUMBER: IG 010
VERSION: 1
APPROVAL/RATIFYING COMMITTEE/S AND DATE:
- Information Governance Steering Group, 3rd March 2009
- Integrated Governance Committee, 13th March 2009
PLANNED IMPLEMENTATION DATE: March 2009
PLANNED REVIEW DATE: March 2011
EXTENDED REVIEW DATE: September 2011

ACCOUNTABLE DIRECTOR Celia McGruer

Director of Professional and Clinical Development (Senior Information Risk Owner)

LEAD POLICY AUTHOR Karen Marsden

Information Manager (Information Security Officer and Data Protection Officer)


Record of Amendments

Date of Amendment

Version No Page No(s) Paragraph No(s)


Policy Development

Membership of Policy Development Group

Name / Job Title
- Karen Marsden, Information Manager
- Celia McGruer, Director of Professional & Clinical Development
- Jill Pearse, Head of Information & Performance, Information Governance Lead
- Ed Montgomery, Head of IT
- Awadh Amar, Information Governance Support Officer
- Evelyn Dsane, Senior HR Manager

Consultation

This policy was distributed to the following people during the consultation phase.

Name / Job Title
- Lin Phillips, Customer Services Manager RBK
- Fiona Hegarty, Head of Adult Services, Provider Services
- Sundus Hashim, Associate Director of Public Health
- Kay Lynn, Corporate Affairs Manager
- Moira Ford, Strategic Programme Manager, Provider Services
- Siobhan Clarke, Managing Director, Provider Services
- Penny Taylor, Director of Performance
- Jonathan Hildebrand, Director of Public Health
- Brenda Hobson, Head of Human Resources
- Helen Matthews, Primary Care
- Huma Stone, KCI
- Ellen Harris, RiO
- Alistair Smith, IT Service Desk Team Leader

Peer Review

Peer reviewed for specialist content and required policy components by: Jill Pearse, Head of Information & Performance (Information Governance Lead)


Information Security Policy Contents

1 Introduction ........................................................................................................... 5

2 Principles .............................................................................................................. 5

3 Equality Impact Assessment ................................................................................. 5

4 Aim........................................................................................................................ 6

5 Objectives ............................................................................................................. 6

6 Scope.................................................................................................................... 6

7 Responsibilities ..................................................................................................... 7

8 Legislation............................................................................................................. 8

9 Policy Framework.................................................................................................. 9

10 Laptop Security ................................................................................................... 12

11 Removable Media ............................................................................................... 14

12 Implementation and Training............................................................................... 16

13 Audit and Review ................................................................................................ 17

Annex 1 Related Policies and Documents ................................................................. 18

Annex 2 Guidance and Codes of Practice.................................................................. 19

Annex 3 - References and sources of information .................................................... 20

Annex 4: Confidentiality agreement for contractors and third party suppliers............ 21


1 Introduction

1.1 NHS Kingston (“the organisation”) places a very high importance on the security of information that it maintains and processes. Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in corporate governance, clinical governance, service planning and performance management.

1.2 This top-level information security policy is a key component of the organisation’s overall information security management framework and should be considered alongside more detailed information security documentation, including system level security policies, security guidance and protocols or procedures.

1.3 It is the duty of the organisation and its staff to keep information safe, secure and confidential at all times. Failure to do so could lead to legal action, loss of confidence in, and adverse publicity for, the organisation.

1.4 This policy is intended to inform all staff of their responsibilities and help them meet these requirements.

2 Principles

2.1 This policy is based on the following principles. The organisation will:

- establish and maintain policies for the effective and secure management of its information assets and resources
- promote effective confidentiality and security practice to its staff through policies, procedures and training
- monitor and investigate all reported instances of actual or potential breaches of confidentiality and security

2.2 The organisation has a comprehensive range of policies supporting the information governance agenda (Annex 1); reference must be made to these alongside this policy. Legal and professional guidance must also be followed (Annex 2).

3 Equality Impact Assessment

This policy has been screened to ensure there is no discrimination on the basis of age, gender, race or disability.


4 Aim

The aim of this policy is to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by the organisation by:

- Ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other policies.
- Describing the principles of security and explaining how they shall be implemented in the organisation.
- Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities.
- Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of the day-to-day business.
- Protecting information assets under the control of the organisation.

5 Objectives

The objectives of this Information Security Policy are to preserve:

- Confidentiality: access to data shall be confined to those with appropriate authority.
- Integrity: information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
- Availability: information shall be available and delivered to the right person, at the time when it is needed.

6 Scope

6.1 This policy applies to all of the organisation’s information, information systems, networks, application systems and users.

6.2 It applies to all forms of information, including but not limited to that stored on computers, transmitted across networks, printed on paper or other media, or stored on tapes, disks or other electronic media.

6.3 This policy applies to any device that connects to the corporate servers and network or that accesses the organisation’s information, including PCs, printers, photocopiers, laptops, other portable devices, smart phones and removable media.

6.4 This policy applies to all staff. The term “staff” is used in this document to refer to all of the organisation’s employees, Non-Executive Directors, contractors, sessional, locum and bank staff, volunteers and those on a work experience programme.


7 Responsibilities

7.1 Chief Executive

Ultimate accountability for information security rests with the Chief Executive, but on a day-to-day basis the Senior Information Risk Owner [SIRO] shall be responsible for managing and implementing the policy and related procedures.

7.2 Line Managers

7.2.1 Line Managers are responsible for ensuring that their permanent and temporary staff and contractors are aware of:

- the information security policies applicable in their work areas
- their personal responsibilities for information security
- how to access advice on information security matters

7.2.2 Line managers shall be individually responsible for the security of their physical environments where information is processed or stored.

7.3 All Staff

7.3.1 All staff shall comply with information security procedures including the maintenance of data confidentiality and data integrity. Failure to do so may result in disciplinary action.

7.3.2 Each member of staff shall be responsible for the operational security of the information systems they use (e.g. using passwords and logging on and off).

7.3.3 Each system user shall comply with the security requirements that are currently in force, and shall also ensure that the confidentiality, integrity and availability of the information they use is maintained to the highest standard.

7.3.4 Users of laptops shall be responsible for the security of the laptop and the information stored on it. They shall take all reasonable care to mitigate the risk of damage, theft, loss or misuse.

7.3.5 All staff shall report information security incidents, as defined in the Incident Reporting Policy, to their line manager in accordance with incident reporting procedures.

7.3.6 All staff shall be required to sign a general statement of confidentiality on commencement of employment.

7.4 External contractors and third party service providers

7.4.1 Contracts with agencies, external contractors and third party service providers that allow access to the organisation’s information systems shall be in operation before access is allowed.


7.4.2 Third party service suppliers

7.4.2.1 Third party service suppliers shall be required to:

- have a valid information governance statement of compliance with NPfIT. This shall be checked through the Connecting for Health IG Toolkit website prior to any contract being signed.
- sign a third party service provider confidentiality agreement as in Annex 4.

7.4.3 Contractors

7.4.3.1 All contractors shall have a risk assessment completed BEFORE they are given access to the organisation’s network services. It is the responsibility of the line manager to complete this assessment prior to completing a network access request. If the contractor is to have access to patient level data, staff data or other confidential or sensitive information, the risk assessment shall include:

- Knowledge and awareness of information governance and confidentiality: if this is in doubt they will be required to complete training [e.g. online Information Governance Toolkit training] prior to being given access.
- CRB check: has a CRB check been completed?
- References: referees shall be asked to confirm that the contractor has, to the best of their knowledge, complied with confidentiality and information governance best practice.

A template for the information security risk assessment is available on the Intranet.

8 Legislation

8.1 The organisation is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of the organisation, who may be held personally accountable for any breaches of information security for which they may be held responsible. The organisation will comply with the following legislation and other legislation as appropriate:

- The Data Protection Act (1998)
- The Data Protection (Processing of Sensitive Personal Data) Order 2000
- The Copyright, Designs and Patents Act (1988)
- The Computer Misuse Act (1990)
- The Health and Safety at Work Act (1974)
- Human Rights Act (1998)
- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
- Health & Social Care Act 2001


9 Policy Framework

9.1 Management of Security

- At board level, accountability for Information Security shall reside with the Chief Executive.
- The organisation’s Information Security Officer shall be responsible for implementing, monitoring, documenting and communicating security requirements for the organisation.

9.2 Information Security Awareness Training

- Information security awareness training shall be included in the staff induction process.
- Information Governance and Confidentiality training will be provided by the organisation as part of the mandatory training programme.
- Contractors accessing person identifiable information [P.I.D.] will be required to provide evidence of awareness of, or training on, information security. Where necessary the line manager will require them to complete basic training (see note 1) before requesting access to P.I.D. systems.

9.3 Contracts of Employment

- Staff security requirements shall be addressed at the recruitment stage and all contracts of employment shall contain a confidentiality clause.
- Information security expectations of staff shall be included within appropriate job definitions.

9.4 Security Control of Assets

Each IT asset (hardware, software, application or data) shall have a named custodian who shall be responsible for the information security of that asset.

9.5 Access Controls

Only authorised personnel who have a justified and approved business need shall be given access to restricted areas containing information systems.

9.5.1 User Access Controls

Access to information shall be restricted to authorised users who have an identified need to access the information.

9.5.2 Computer Access Control

Access to computer facilities shall be restricted to authorised users who have an agreed requirement to use the facilities.

9.5.3 Application Access Control

Access to data, system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need e.g. systems or database administrators. Authorisation to use an application shall depend on the availability of a licence from the supplier.

Note 1: e.g. online Information Governance Training Toolkit (IGTT) modules on Password Management, Information Security Guidelines and Secure Transfers of Personal Data, or the TIGER information security module.


9.6 Equipment Security

In order to minimise loss of, or damage to, assets, equipment shall be physically protected from threats and environmental hazards.

9.7 Computer and Network Procedures

Management of computers and networks shall be controlled through standard documented procedures that have been authorised by the Information Governance Steering Group and the IT Department.

9.8 Information Risk Assessment

9.8.1 The core principle of risk assessment and management requires the identification and quantification of information security risks in terms of the perceived value of the asset, severity of impact and the likelihood of occurrence.

9.8.2 Once identified, information security risks shall be managed on a formal basis in accordance with the Risk Management Policy. They shall be recorded within a risk register and action plans shall be put in place to effectively manage those risks. The risk register and all associated actions shall be reviewed at regular intervals by the Information Governance Steering Group and the Integrated Governance Committee. Any implemented information security arrangements shall also be regularly reviewed by the Information Governance Steering Group and the Integrated Governance Committee. These reviews shall help identify areas of continuing best practice and possible weakness, as well as potential risks that may have arisen since the last review was completed.

9.9 Information security events and weaknesses

All information security events and suspected weaknesses are to be reported to the Information Security Officer. All information security events shall be investigated to establish their cause and impacts with a view to avoiding similar events.

9.10 Classification of Sensitive Information

9.10.1 A consistent system for the classification of information within NHS organisations enables common assurances in information partnerships, and consistency in handling and retention practice when information is shared with non-NHS bodies. [NB. New guidance is being developed that is aimed to achieve consistency of information handling practice throughout the NHS.]

9.10.2 The organisation shall implement appropriate information classification controls, based upon the results of formal risk assessment and guidance contained within the IG Toolkit, to secure its NHS information assets.

9.10.3 The classification NHS Confidential shall be used for patients’ clinical records and patient identifiable clinical information passing between NHS staff, and between NHS staff and staff of other appropriate agencies. In order to safeguard confidentiality, the term “NHS Confidential” shall not be used on correspondence to a patient, in accordance with the Confidentiality: NHS Code of Practice. Documents so marked shall be held securely at all times in a locked room to which only authorised persons have access. They shall not be left unattended at any time in any place where unauthorised persons might gain access to them. They should be transported securely in sealed packaging or locked containers. Documents marked NHS Confidential that are not in a safe store or in transport should be kept out of sight of visitors or others not authorised to view them.

9.10.4 The classification NHS Restricted shall be used to mark all other sensitive information such as financial and contractual records. It shall cover information the disclosure of which is likely to:

- adversely affect the reputation of the organisation or its officers, or cause substantial distress to individuals;
- make it more difficult to maintain the operational effectiveness of the organisation;
- cause financial loss or loss of earning potential, or facilitate improper gain or disadvantage for individuals or organisations;
- prejudice the investigation, or facilitate the commission, of crime or other illegal activity;
- breach proper undertakings to maintain the confidence of information provided by third parties, or impede the effective development or operation of policies;
- breach statutory restrictions on disclosure of information;
- disadvantage the organisation in commercial or policy negotiations with others.

NHS Restricted documents should also be stored in lockable cabinets.

9.11 Protection from Malicious Software

The organisation shall use software counter-measures and management procedures to protect itself against the threat of malicious software. All staff shall be expected to co-operate fully with this policy.

9.12 Monitoring System Access and Use

An audit trail of system access and data use by staff shall be maintained and reviewed on a regular basis.

9.13 Accreditation of Information Systems

The organisation shall ensure that all new information systems, applications and networks include a security plan and are approved by the Head of IT, Information Security Officer and Information Governance Lead before implementation.

9.14 System Change Control

Changes to information systems, applications or networks shall be reviewed and approved by the Head of IT as part of the IT Services change management process.


9.15 Software Installation

The organisation shall ensure that all information products are properly licensed and approved by the Head of IT. Users shall not install software on the organisation’s property without permission from the Head of IT. Users breaching this requirement may be subject to disciplinary action.

9.16 Business Continuity and Disaster Recovery Plans

The organisation shall ensure that business impact assessments, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks.

9.17 Reporting

The Information Security Officer shall keep the Information Governance Steering Group informed of the information security status of the organisation by means of regular reports.

10 Laptop Security

Corporate laptops are often the biggest data security threat for a company. Laptops contain highly sensitive information, but are extremely vulnerable to theft or loss.

Laptops taken outside the secure NHS environment are at risk of unauthorised access or tampering. Stolen or lost laptops may also result in loss of important data. Laptops taken abroad may be exposed to special risks, for example confiscation by police or customs officials.

A lost laptop may also result in the loss of sensitive or patient identifiable data. This will often be considered more serious than the loss of the physical asset.

Risk assessments must be considered where large amounts of NHS data are held. The impact of the lost data must be measured at the risk assessment stage. Note that deleted files should be assumed to persist on the laptop’s hard disk.

10.1 Laptop registration

Unless authorised by the Head of IT and Caldicott Guardian, laptop devices should not be used to store any patient identifiable data or confidential information. All laptops should be uniquely identified by using ID tags and registered in the organisation’s records as information governance security-relevant items. Users of laptops shall be responsible for the security of the laptop and the information stored on it. They shall take all reasonable care to mitigate the risk of damage, theft, loss or misuse.


10.2 Management of laptop security functionality

It is the Head of IT’s responsibility to ensure that the laptop user is fully aware of the installation and configuration of laptop security functionality, including access control, encryption and tamper resistance.

10.3 Data security

The risk of data being stolen can be minimised by:

- Implementing a strong and secure password policy. Modern strong password techniques meet a number of requirements for complexity that offer more protection against unauthorised access. A strong password prevents unauthorised access and minimises the risk of the loss and misuse of sensitive or confidential information. Passwords should not be less than 7 characters and should comprise alphanumeric characters. A strong password is a combination of upper case, lower case, alphanumeric characters and special symbols. Passwords shall not be disclosed to anyone under any circumstances or made visible to others. The organisational screensaver will be activated after 15 minutes of inactivity; this locks the workstation, and password authentication is required to unlock the session.

- Encrypting important data. Data encryption is a vital part of an overall security policy. Keeping sensitive data secure requires consideration and preparation. All laptops shall be encrypted prior to issue. However, it should be noted that data is only protected by encryption when the laptop is powered off and not whilst in normal use.

- Taking regular backups of all data. All sensitive data should be backed up on a regular basis. Saving the data on the network servers ensures that data is not lost if the laptop is lost or stolen.

10.4 Security accreditation

The Head of IT or equivalent shall regularly review the organisation’s laptop estate to ensure that laptops continue to meet these requirements and that the residual level of risk from their use is acceptable.

10.5 Authorisation

Regardless of a laptop’s ownership, the use of any equipment outside the organisation’s premises for the processing of information must be authorised by the relevant Director or Head of Department (see Remote and Mobile Working Policy).

10.6 Physical security

Every user of any of the organisation’s laptops must use reasonable care against physical theft or loss, or unintentional exposure to unauthorised access. It is also recommended that laptops, even when protected by disk encryption, should not be left in the care of any person who is not trusted to protect the information they contain. Users must also avoid displaying or leaving the laptop unattended in an insecure environment (for example the back of a car). Users must also ensure that displaying any sensitive information in public places is avoided.

10.7 Remote Access

Remote access from a laptop to the organisation’s information systems must be achieved in accordance with the organisation’s NHS IG Statement of Compliance, NHS IG guidance, Remote and Flexible Working Policy and any defined requirements for the protection or use of the NHS information service(s) concerned.

10.8 Data Storage and use

Specific authorisation is required where sensitive data, including that relating to patients, is stored on the laptop. Information of this nature should be kept to the minimum required for its effective use in order to minimise the risks and impacts should a breach occur.

10.9 Incident Reporting

Loss of a laptop should be reported in accordance with the incident reporting policy.

10.10 Secure Disposal and Reuse

Data stored on the organisation’s laptops should be securely erased before the laptop is reassigned for another purpose or disposed of when redundant. Failure to securely erase data may result in that data being available to the new owner/user of the laptop. NHS information governance guidance is available from NHS Connecting for Health for this purpose.

10.11 Limiting the risk of stolen data

To minimise the risk of stolen data being inappropriately used, users must:

- Implement a secure password and change it regularly. Regular password changes make it very difficult for a thief to log on to a stolen laptop.
- Encrypt all important data within the organisation.
- Keep an up-to-date backup of all data to ensure that work isn’t lost if a laptop goes missing.
- Follow the guidelines and policies on the organisation’s intranet.

11 Removable Media

Removable media includes tapes, floppy disks, removable or external hard disk drives, optical disks DVD and CD-rom, and solid state memory devices (e.g. memory sticks and pen drives).

11.1 Security Procedures

All staff will comply with the following Security Procedures [based on ISO 27002 section 10.7].


11.1.1 Identified and agreed business need

Removable media shall only be used by staff and contractors who have an identified and agreed business need for them.

11.1.2 Sub-Contractors and temporary workers

The use of removable media by sub-contractors or temporary workers must be risk assessed by the manager concerned and be specifically authorised by the Information Security Officer.

11.1.3 Removable media drives

Removable media drives, which include USB ports, shall not be routinely enabled for the removal of data; this requirement is contained in the appropriate device configuration specification.

11.1.4 Need for removable media

Each business area shall identify its need for removable media and the devices on which removable media are to be used.

11.1.5 Approved removable media

Removable media that have been approved for use within the organisation are to be appropriately identifiable as such.

11.1.6 NHS information for business purposes

Removable media shall only be used to store and share NHS information where this is required for a specific business purpose.

11.1.7 Removal and Destruction

When the business purpose has been satisfied, the contents of removable media must be removed from that media through a destruction method that makes recovery of the data impossible. Alternatively the removable media and its data should be destroyed and disposed of beyond its potential reuse. In all cases the user of the removable media shall maintain a record of the action taken to remove or destroy the data in an auditable log file. The organisation may request a copy of these records for audit purposes.

11.1.8 Prior Agreement

Removable media shall not be taken or sent off-site unless a prior agreement or instruction exists. The user shall be responsible for maintaining a record of all removable media taken or sent off-site, or brought into or received by the organisation. This record should also identify the data files involved. The organisation may request a copy of these records for audit purposes.

11.1.9 Physical Protection

Removable media must be physically protected against loss, damage, abuse or misuse when used, where stored and in transit.


11.1.10 Back-ups

Data archives or back-ups taken and stored on removable media, either short-term or long-term, must be encrypted and take account of any manufacturer’s specification or guarantee and any limitations therein.

11.2 Incidents

All incidents involving the use of removable media must be reported to the Information Security Officer immediately and in accordance with the organisation’s incident reporting procedures.

11.3 Responsibilities

- Any bulk extracts of confidential or sensitive data must be authorised by the responsible Director for the work area.
- The Head of IT is responsible for identifying and implementing any device configuration requirements that the organisation may require in order to comply with NHS IG security policy and standards. This includes data encryption capabilities.
- Line Managers, in collaboration with the Head of IT, are responsible for the day-to-day management and oversight of removable media used within their work areas, to ensure this policy is followed and records are maintained as specified in 11.1.7 and 11.1.8 above.
- Line managers are responsible for the secure storage of all unallocated removable media as required by this procedure.
- Staff who have been authorised to use removable media for the purposes of their job roles are responsible for the secure use of those removable media as required by this policy. Failure to comply with this removable media policy may endanger the information services of the organisation and may result in disciplinary or criminal action.
- Staff involved in data extraction and data file creation must receive appropriate Information Governance training.
- Staff must be aware of the policy and procedure governing the work area, including the consequences of a breach of policy.

12 Implementation and Training

12.1 Implementation

Staff will be made aware of this policy through round-up and staff briefings. This policy, and any updates, shall be made available on the organisation's Intranet. Managers will ensure that staff are made aware of this policy and any applicable updates or amendments.

12.2 Training

All staff shall receive, as part of their induction, information on Information Governance.


Training on confidentiality will be available as part of the organisation’s mandatory training programme; the use of removable media will be included as part of this training. Line managers will ensure that individuals are clear about their responsibilities regarding Information Security and support staff with appropriate training. Training that is required for individual roles at a more detailed level is to be arranged at the discretion of the line manager.

13 Audit and Review

The Information Governance Steering Group will be responsible for overseeing the auditing and review of this policy.


Annex 1 Related Policies and Documents

Current documents can be found on the Intranet.

Information Governance Policy
Data Protection Policy
Email and Internet Usage Policy
Policy Management Policy
Safe Fax Procedure
Kingston Overarching Information Sharing Protocol
Data Sharing Protocol RBK
Joint Policy and Procedure on Recording in Community Learning Disability Team
Joint Information Sharing Protocol
Records Management Strategy
Health Records Policy
Policy and Guidance for Patient Health Record Keeping
Freedom of Information Policy & EIR
Registration Authority Policy for Choose & Book
Communications Arrangements & Toolkit
Risk & Incident Reporting
Remote and Mobile Working Policy


Annex 2 Guidance and Codes of Practice

NHS Information Governance - Information Security Management: NHS Code of Practice, April 07
http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_074142
Confidentiality: NHS Code of Practice, 2003
Records Management: NHS Code of Practice, April 06
NHS Information Governance Toolkit (IGT)
BS ISO 27001:2005
BS ISO 7799-2:2005
ISO/IEC 27002, 9.2.5
ISO/IEC 27002, 11.7.1 standard
Caldicott Guardian Manual 2006
Audit Programme – Mobile and Remote working.doc
https://www.igt.connectingforhealth.nhs.uk/KnowledgeBaseNew/Audit%20Programme%20-%20Mobile%20and%20Remote%20Working.doc
NHS Connecting for Health Infrastructure Security Good Practice Guidelines
http://nw.w.connectingforhealth.nhs.uk/infrasec/gpg


Annex 3 - References and Sources of Information

Model Corporate InfoSec Policy Template 2007 V1.026_7_2007
Digital Information Policy, Department of Health, 30 November 2007
Sheffield Teaching Hospitals NHS Foundation Trust Information Security Policy


Annex 4: Confidentiality agreement for contractors and third party suppliers

1 General contractor clause (based on clause from Introduction to Data Protection in the NHS (E5127) and BS7799)

The Contractor undertakes:

To treat as confidential all information which may be derived from or be obtained in the course of the contract, or which may come into the possession of the contractor or an employee, servant or agent or sub-contractor of the contractor as a result of or in connection with the contract; and

To provide all necessary precautions to ensure that all such information is treated as confidential by the contractor, his employees, servants, agents or sub-contractors; and

To ensure that he, his employees, servants, agents and sub-contractors are aware of the provisions of the Data Protection Act 1998 and BS7799, and that any personal information obtained from the Authority/Trust/Practice shall not be disclosed or used in any unlawful manner; and

To indemnify the NHS organisation (Authority/Trust/Practice) against any loss arising under the Data Protection Act 1998 caused by any action, authorised or unauthorised, taken by himself, his employees, servants, agents or sub-contractors.

All employees, servants, agents and/or sub-contractors of the Contractor will be required to agree to and sign a confidentiality statement when they come to any of the Authority/Trust/Practice sites where they may see or have access to confidential personal and/or business information (see last page).


2 Supplier Code of Practice (based on example from Introduction to Data Protection in the NHS (E127) and BS7799)

The following Code of Practice applies where access is obtained to an NHS organisation's personal data/information, as defined within the Data Protection Act 1998, for any purpose.

1 The access referred to in paragraph 1 above may include:-

a. Access to data/information on the NHS organisation's premises
b. Access to data/information from a remote site
c. Examination, testing and repair of media (e.g. fixed disk assemblies)
d. Examination of software dumps
e. Processing using the organisation's data/information

2 The Supplier must certify that his organisation is registered appropriately under the Data Protection Act 1998 and legally entitled to undertake the work proposed.

3 The Supplier must undertake not to transfer the personal data/information out of the EEA unless such a transfer has been registered, approved by NHS Kingston and complies with the Information Commissioner's guidance on Safe Harbours.

4 The work shall be done only by authorised employees, servants, or agents of the contractor (except as provided in paragraph 12 below) who are aware of the requirements of the Data Protection Act 1998 and of their personal responsibilities under the Act to maintain the security of the personal data/information.

5 While the data/information is in the custody of the contractor it shall be kept by appropriately secure means.

6 Any transfer of data/information from one place to another by or for the contractor shall be carried out by secure means. These places should be within the supplier's own organisation or an approved sub-contractor.

7 Data/Information which can identify any patient or employee of the NHS organisation must only be transferred electronically if previously agreed by NHS Kingston. This is essential to ensure compliance with strict NHS controls surrounding the electronic transfer of identifiable personal data/information, and hence compliance with the Data Protection Act 1998 and BS7799. This will also apply to any direct-dial access to a computer-held database by the supplier or their agent.

8 The data/information must not be copied for any purpose other than that agreed by NHS Kingston.


9 Where personal data/information is recorded in any intelligible form, it shall either be returned to NHS Kingston on completion of the work or disposed of by secure means, and a certificate of secure disposal shall be issued to NHS Kingston.

10 Where the contractor sub-contracts any work for the purposes in paragraph 1 above, the contractor shall require the sub-contractor to observe the standards set out in 3-11 above.

11 Wherever possible, equipment or software shall be maintained, repaired and/or tested using dummy data that does not involve the disclosure of any personal data/information.

12 NHS Kingston reserves the right to audit the supplier's contractual responsibilities, or to have those audits carried out by a third party.

13 NHS Kingston will expect an escalation process for problem resolution relating to any breaches of security and/or confidentiality of personal information by the supplier's employees and/or any agents and/or sub-contractors.

14 Any security breaches made by the supplier's employees, agents or sub-contractors will immediately be reported to NHS Kingston's Caldicott Guardian.


Certification form:

Name of supplier: _____________________________________

Address of supplier prime contractor:
_____________________________________
_____________________________________
______________________________________
______________________________________

Telephone number: ______________________________________

E-mail details: ______________________________________

On behalf of the above organisation I certify as follows:

The organisation is appropriately registered under the Data Protection Act 1998 and is legally entitled to undertake the work agreed in the contract with NHS Kingston.

The organisation will abide by the requirements set out above for handling any of the personal data/information disclosed to my organisation during the performance of such contracts.

Signed: ______________________________________

Name of Individual: _______________________________________

Position in organisation: _______________________________________

Date: ________________________________________


Agreement outlining personal responsibility concerning security and confidentiality of information (relating to patients, staff and the business of the organisation)

During the course of your time within the Authority/Trust/Practice buildings, you may acquire or have access to confidential information which must not be disclosed to any other person unless in pursuit of your duties as detailed in the contract between the Authority/Trust/Practice and your employer. This condition applies during your time within the Authority/Trust/Practice and after that ceases. Confidential information includes all information relating to the business of the Authority/Trust/Practice and its patients and employees.

The Data Protection Act 1998 regulates the use of all personal information and includes electronic and paper records of identifiable individuals (patients and staff). The Authority/Trust/Practice is registered in accordance with this legislation. If you are found to have misused any information you have seen or heard whilst working within the Authority/Trust/Practice, you and your employer may face legal action.

I understand that I am bound by a duty of confidentiality and agree to adhere to the conditions within the Contract between the Authority/Trust/Practice and my employer, and to my personal responsibilities to comply with the requirements of the Data Protection Act 1998.

NAME OF ORGANISATION:

CONTRACT DETAILS:

PRINT NAME:

SIGNATURE:

DATE: