Data Security & Protection Policy

 


 

Policy Overview

The purpose of the Data Security & Protection Policy is to support the 7 Caldicott Principles, the 10 Data Security Standards, the General Data Protection Regulation (2016), the Data Protection Act (2018), the common law duty of confidentiality and all other relevant legislation. Data Protection is a fundamental right and the Practice will embrace the principles of data protection by design and default. The Practice is committed to adhering to the 10 National Data Guardian (NDG) Data Security Standards in order to ensure the protection and security of all data which the Practice processes. This policy was developed in conjunction with the guidance outlined in NHS Digital's Information Security Policy, the Data Protection Act 2018 and advice from the Information Commissioner's Office following the General Data Protection Regulation (GDPR), which came into force on 25th May 2018.

 

Aims

This policy outlines the approach, methodology and responsibilities for preserving the confidentiality, integrity and availability of Fir Park Medical Centre information. It is the overarching policy for information security and supported by specific technical security, operational security and security management policies. It supports the 7 Caldicott principles and 10 data security standards. This policy covers:

  • Information Security principles
  • Governance – outlining the roles and responsibilities
  • Supporting specific information security policies – Technical Security, Operational Security and Security Management.
  • Compliance Requirements.

 

Scope

This policy applies to all those working within the Practice, in whatever capacity. A failure to follow the requirements of the policy may result in investigation and management action being taken, in line with the Practice’s disciplinary policy and procedure.

Both the Clinical & Operational Leads for Information Governance will ensure all staff are aware of the Data Security & Protection Policy at the earliest possible opportunity.

 

Roles and Responsibilities

Practice Staff

Information Security and the appropriate protection of information assets is the responsibility of all users, and individuals are expected at all times to act in a professional and responsible manner whilst conducting business. All staff are responsible for information security and remain accountable for their actions in relation to NHS and other UK Government information and information systems. It is mandatory that staff ensure they understand their role and responsibilities, and that failure to comply with this policy may result in disciplinary action. This will be reinforced by yearly mandatory training.

Clinical Lead for Information Governance

The Clinical Lead for Information Governance is the practice’s registered Caldicott Guardian and is responsible for:

  • Ensuring implementation of the Caldicott Principles and Data Security Standards with respect to Patient Confidential Data.
  • Ensuring that the Practice processes satisfy the highest practical standards for handling patient information and provide advice and support to Practice staff as required.
  • Ensuring that patient identifiable information is shared appropriately and in a secure manner. The Caldicott Guardian will liaise where there are reported incidents of person identifiable data loss or identified threats and vulnerabilities in Practice information systems to mitigate the risk.

In addition, they are responsible for information risk within the Practice and advise the Partners on the effectiveness of information risk management within the Practice. Operational responsibility for Information Security is delegated to the Operational Lead for Clinical Governance. All Information Security risks shall be managed in accordance with the Practice's Risk Management Policy. The Clinical Lead for Information Governance (IG) for Fir Park Medical Centre is Dr Brindle.

Operational Lead for Information Governance

The Operational Lead for Information Governance is responsible for the day to day operational effectiveness of the Data Security and Protection Policy and its associated IG policies and processes. They must ensure that their staff are aware and adhere to the policy requirements. The Operational Lead for IG is responsible for:

  • Understanding what information is held.
  • Knowing what is added and what is removed.
  • Understanding how information is moved.
  • Knowing who has access and why.

Additional responsibilities include:

  • Acting as Information Asset Owner (IAO), i.e. being responsible for Information Assets within the practice.
  • Maintaining awareness of information security risks, threats and possible vulnerabilities within the practice, and complying with relevant policies and procedures to monitor and manage such risks.
  • Providing a central point of contact for information security.
  • Ensuring the operational effectiveness of security controls and processes.
  • Monitoring and co-ordinating the operation of the Information Security Management System.
  • Monitoring potential and actual security breaches with appropriate expert security resource (provided by the HIS Team).
  • Supporting personal accountability of users within the practice for Information Security.
  • Ensuring that all staff under their management have access to the information required to perform their job function within the boundaries of this policy and associated policies and procedures.

The Operational Lead for Information Governance (IG) for Fir Park Medical Centre is Anita Corrigan.

Data Protection Officer (DPO)

The Data Protection Officer is responsible for ensuring the Practice remains compliant at all times with Data Protection, Privacy & Electronic Communications Regulations, Freedom of Information Act and the Environmental Information Regulations. The Data Protection Officer shall:

  • Lead on the provision of expert advice to the Practice on all matters concerning the Data Protection Act, compliance, best practice and setting and maintaining standards.
  • Inform and advise the organisation and its employees of their data protection obligations under the GDPR.
  • Monitor the organisation’s compliance with the GDPR and internal data protection policies and procedures. This will include monitoring the assignment of responsibilities, awareness training, and training of staff involved in processing operations and related audits.
  • Advise on the necessity of data protection impact assessments (DPIAs), the manner of their implementation and outcomes.
  • Serve as the contact point to the data protection authorities for all data protection issues, including data breach reporting.

The DPO will be independent and an expert in data protection. The DPO will be the Practice's point of contact with the Information Commissioner's Office.

The Data Protection Officer (DPO) for Fir Park Medical Centre is the Information Governance Team:

Camilla Bhondoo
Mid-Mersey Digital Alliance
Alexandra Business Park
Court Building
Prescot Road
St Helens
WA10 3TP

Email: IG@midmerseyda.nhs.uk

 

Policy

The Data Protection & Security Policy outlines the approach, methodology and responsibilities for preserving the confidentiality, integrity and availability of the Practices’ information. It is the overarching policy for information security and supported by specific technical security, operational security and security management policies. It supports the 7 Caldicott principles and 10 data security standards. This policy covers:

  • Information Security Principles.
  • Governance – outlining the roles and responsibilities (see Roles and Responsibilities above).
  • Supporting specific information security policies – Technical Security, Operational Security and Security Management.
  • Compliance Requirements.

Information Security Principles

The core information security principles are to protect the following information/data asset properties:

  • Confidentiality (C) – protect information/data from breaches, unauthorised disclosure, loss or unauthorised viewing.
  • Integrity (I) – retain the integrity of the information/data by preventing unauthorised or unintended modification.
  • Availability (A) – maintain the availability of the information/data by protecting it from disruption and denial of service attacks.

In addition to the core principles of C, I and A, information security also relates to the protection of reputation; reputational loss can occur when any of the C, I or A properties are breached. The aggregation effect, by association or volume of data, can also impact upon the Confidentiality property.

For the NHS, the core principles are impacted, and the effect aggregated, when any data breach relates to patient medical data.

Supporting Policies

The Data Security & Protection Policy is developed as a pinnacle document which has further policies, standards and guides which enforce and support the policy. The supporting policies are grouped into 3 areas: Technical Security, Operational Security and Security Management and are shown in the diagram overleaf. The Data Security & Protection Policy is closely aligned to the NHS Information Governance Strategy and relies upon, and supports, the Practice’s Physical and Personnel Security policies.

Technical Security

The technical security policies detail and explain how information security is to be implemented. These policies cover the security methodologies and approaches for elements such as: encryption policy, cloud security policy and back-up policy.

Operational Security

The operational security policies detail how the security requirements are to be achieved. These policies explain how security practices are to be achieved for matters such as: acceptable use policy, mobile & remote working, business continuity policy and use of social media.

Security Management

The security management policies detail how the security requirements are to be managed and checked. These policies describe how information security is to be managed and assured for processes such as: data breach and incident reporting policy.

Framework of IG Policies

Fir Park Medical Centre maintains the following key policies to support effective Information Governance:

Policy Owner - Mid Mersey Digital Alliance
  • Network Security Policy
  • Mobile Devices Policy
  • Patch Test Policy
Policy Owner - Fir Park Medical Centre
  • Code of Confidentiality & Data Protection Policy
  • Information Governance Policy
  • Remote Working Policy
  • Third Party Confidentiality Policy
  • Mobile Devices Policy
  • Business Continuity Plan
  • E-mail, Internet and Telecommunications Safety and Acceptable Use Policy
  • Safe Haven Policy for the Secure Transfer of Personal Confidential Data Policy
  • Information Security Incident Reporting Policy
  • Information Security Policy
  • Smartcard Policy
  • Data Security & Protection Policy
  • Data Breach Policy including Incident Reporting Procedure
  • Patient Privacy Notice
  • Privacy Notice Children
  • Privacy Notice Information Leaflet for Children
  • Staff Privacy Notice
  • Clinical Lead for Information Governance Responsibilities
  • Operational Lead for Information Governance Responsibilities
  • Data Protection Impact Assessment
  • Freedom of Information Act Policy
  • Records Management Policy
  • Data Quality Policy
  • Subject Access Request Policy
  • CHAIN SMS Protocol
Policy Owner – NHS Digital
  • How We Use and Protect Your Personal Information - Patient Information Leaflet

 

Data Security Audit Procedures

Confidentiality audits will focus on controls within electronic records management systems and paper record systems; the purpose is to discover whether confidentiality has been breached, or put at risk, through deliberate misuse of systems or as a result of insufficient controls. Audits of security and access arrangements are to be conducted on a six-monthly basis.

Audits will be carried out as required by some or all of these methods: unannounced spot checks of random work areas and discussion with individual staff members. These audits will be instigated by the Operational Lead for Information Governance.

 

Training and Awareness

All new staff are required to complete the Introduction to Information Governance training module via the online IG Training Tool when they first join the organisation, unless they have completed appropriate IG Training within the last year and can evidence this. In addition, new staff are provided with an Information Governance User Handbook and sign a declaration confirming its receipt.

The Practice also requires all existing staff to complete online IG Training annually; if they have previously completed the 'Introduction to Information Governance' module they must complete the Refresher Module thereafter. This includes completion of an IG Training Record to confirm they have received appropriate training and to address any outstanding training needs.

Ad hoc training may be completed where an incident investigation requires this.

Review

This policy and its associated strategy and procedures will be reviewed on an annual basis, or earlier if appropriate, to take into account any changes to legislation and/or national guidance that may occur. Policies are communicated to all staff via Intradoc, where they are available to all staff.

 

Compliance Requirements

Legislation relevant to this policy: the Practice will comply with all relevant legislation; this includes, but is not limited to:

  • The Data Protection Act 2018
  • The General Data Protection Regulation
  • The NHS Confidentiality Code of Practice 2003
  • Common Law Duty of Confidentiality
  • Freedom of Information Act 2000
  • Health & Social Care Act 2016
  • Computer Misuse Act 1990

 

References

NHS Digital (2017) Information Security Policy UK