General Note
NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out. New policies will be subject to a review date of no more than 1 year from the date of first issue.
Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.
If a policy is past its review date, then the content will remain extant until such time as the policy review is complete and the new version published, or if national policy or legislative changes are made.
1. FUNCTION
1.1 The purpose and function of this policy is to protect NHS Fife business, sensitive and healthcare information. It is a fundamental security principle that all workspaces (shared or otherwise), digital screens and information repositories are kept clear of sensitive data when not in use. Under legislation, namely the Public Records (Scotland) Act 2011 (PRSA), UK GDPR, and the Freedom of Information (Scotland) Act (2002) (FOISA), NHS Fife has a duty to ensure that records are stored in secure environments and that the confidentiality of information is always safeguarded.
1.2 This document forms part of the overall Information Security policy for NHS Fife.
2. LOCATION
2.1 This policy applies to all employees, contractors, and third-party service providers who handle or process NHS Fife information. It is acknowledged that the accountability for arrangements of individual contractors may differ from those of NHS Fife employees, and therefore this policy should be accepted as best practice and used in conjunction with requirements from their own professional body.
3. RESPONSIBILITY
3.1 All Staff
3.1.1 It is the responsibility of all staff, contractors and volunteers to ensure the Confidentiality, Availability and Integrity of data belonging to NHS Fife and to comply with the legislative requirements and related documents that underpin this policy.
3.1.2 All staff must take personal responsibility to maintain their mandatory Information Governance training and for the security of the data in their care.
3.2 Line Managers
3.2.1 Line Managers are responsible for ensuring that their staff clearly understand and adhere to this policy.
4. OPERATIONAL SYSTEM
4.1 Clear Desk Policy
4.1.1 NHS Fife recognises that material left exposed (e.g. on a desk, printer or workstation) is more susceptible to damage, disclosure or theft, particularly outside office hours. Any loss or suspected theft is to be reported in accordance with the GP/D3-A7 Lost and Stolen Records for Health and Corporate Records policy.
4.1.2 All paper records and computer media must be securely stored when not in use. Personal data or critical business information must be locked away (ideally in a fire and flood resistant facility, i.e. a room or cabinet) when not required for use, especially when the office is unoccupied.
4.1.3 All portable digital media that constitutes record storage must be stored in a secure location when not in use. Digital media can include –
• USB storage.
• Photographs, slides and other images (for business purposes).
• Microfilm (i.e. fiche and film) and scanners.
• Audio and video tapes, cassettes, CD-ROM etc.
• Meeting recordings.
• Digital records – emails, word documents, spreadsheets, computer databases, output, and disks.
4.1.4 Subject to the GP/R4 Records Management Policy, sensitive records are required to be disposed of using designated shredding facilities or secure disposal methods. To prevent the disclosure of personal data prior to, during or after the destruction of records, the NHS Fife Corporate Record Management department adheres to the NHS Fife Records Destruction Process, along with an NHS Fife Destruction Log. All NHS employees are required to record the destruction of records, stating the reason for destroying them and noting the date on which the records were destroyed and/or sent for archival. Documenting this information will assist other NHS processes, such as Freedom of Information Requests and Subject Access Requests. Details of the full destruction process can be found in the GP/R4 Records Management Policy.
4.1.5 Personal items should be limited so as not to obstruct access to essential documents or create unnecessary clutter.
4.2 Clear Screen Policy
4.2.1 The Clear Screen policy mitigates the risk that an unlocked computer provides unauthorised access to NHS Fife’s information systems. There is also the potential for sensitive data left on the screen to be viewed by unauthorised persons.
4.2.2 To mitigate the risk of unauthorised access, computers, laptops, and other electronic devices must be locked or logged off when unattended.
4.2.3 Automatic lock is the technical measure implemented across NHS Fife endpoints to cover any period a device is left unattended. It activates automatically after 10 minutes without user activity. Longer timeouts are considered on a case-by-case basis where there is a clinical need and the PC is in a secure area, e.g. theatres.
4.2.4 Users must protect their access with a key lock, password or other control when a device is not in use, by locking their PC, e.g. Ctrl+Alt+Del then Enter, or the MS Windows key+L.
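The following is an added audit script, not NHS Fife tooling, that a local administrator could run to check whether a Windows endpoint actually enforces the 10-minute automatic lock described in 4.2.3. It reads the standard Windows registry locations for the "Interactive logon: Machine inactivity limit" setting and for the screen-saver lock (Group Policy hive first, then the user's own preferences); the 600-second default comes from the policy text, and the -MaxIdleSeconds parameter is an assumed way to record an approved longer timeout.

```powershell
# Added example (not NHS Fife's own tooling): audit a Windows endpoint's
# idle-lock configuration against the 10-minute limit in section 4.2.3.
# Assumed inputs: the standard Windows registry locations for the screen
# saver policy and the "Interactive logon: Machine inactivity limit" setting.

function Get-RegValue {
    # Return a registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-ClearScreenLock {
    param(
        # Maximum permitted idle time before lock; 600 s matches the 10 minutes in 4.2.3.
        # Pass a larger value only for an exception approved under 4.2.3.
        [int]$MaxIdleSeconds = 600
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Machine-wide inactivity limit (Local Security Policy /
    #    "Interactive logon: Machine inactivity limit"). Locks the session
    #    regardless of the user's screen-saver preferences.
    $machineLimit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
    $machineOk = ($null -ne $machineLimit) -and ($machineLimit -gt 0) -and ($machineLimit -le $MaxIdleSeconds)
    if (-not $machineOk) {
        $findings.Add("InactivityTimeoutSecs is '$machineLimit'; expected 1..$MaxIdleSeconds")
    }

    # 2. Screen-saver lock. Prefer the policy hive (set by Group Policy and
    #    not editable by the user); fall back to the user's own preferences.
    $policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userPath   = 'HKCU:\Control Panel\Desktop'
    $source = if (Test-Path $policyPath) { $policyPath } else { $userPath }

    $active  = Get-RegValue $source 'ScreenSaveActive'
    $secure  = Get-RegValue $source 'ScreenSaverIsSecure'
    $timeout = Get-RegValue $source 'ScreenSaveTimeOut'

    $saverOk = ($active -eq '1') -and ($secure -eq '1') -and
               ($null -ne $timeout) -and ([int]$timeout -gt 0) -and ([int]$timeout -le $MaxIdleSeconds)
    if (-not $saverOk) {
        $findings.Add("Screen saver ($source): Active='$active' Secure='$secure' TimeOut='$timeout'; expected 1 / 1 / <= $MaxIdleSeconds")
    }

    # Compliant if at least one control locks the session within the limit.
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        MaxIdleSeconds      = $MaxIdleSeconds
        MachineLimitSeconds = $machineLimit
        ScreenSaverSource   = $source
        ScreenSaverTimeout  = $timeout
        Compliant           = ($machineOk -or $saverOk)
        Findings            = ($findings -join '; ')
    }
}

# Usage: run in the context of the logged-on user whose session is being checked.
# For an approved clinical exception, e.g. Test-ClearScreenLock -MaxIdleSeconds 1800
Test-ClearScreenLock | Format-List
```

The script reports Compliant = True when either the machine inactivity limit or a password-protected screen saver will lock the session within the limit; the Findings field lists which control is missing or set too high, which is the information a line manager or IT team needs when following up an endpoint that does not meet 4.2.3.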
5. RISK MANAGEMENT
5.1 To mitigate the risks to NHS Fife (including GP Practices) Data, Information, and IT infrastructure, the following strategies and techniques shall be implemented.
5.2 NHS Fife Staff shall be trained to respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and abide by legislation, policies, procedures, and guidelines regarding access, use, or disclosure of information.
5.3 The unauthorised disclosure of NHS Fife data in any medium is expressly forbidden, as is the access or use of any NHS Fife data for one’s own gain or profit, or to satisfy one’s own curiosity or that of others.
5.4 Concerning the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements and regularly review these to ensure they take into account legislative and operational requirements.
5.5 Should the above risk mitigations not be implemented, and a breach of legislation occurs, the following impact may follow:
• Disciplinary action against staff.
• Legal action against NHS Fife.
• Legal action against the person(s) involved in the breach.
5.6 Any suspected misuse or unauthorised access should be reported in accordance with NHS Fife’s GP/I9 Adverse Events Policy.
6. RELATED DOCUMENTS
• GP/D3 Information Governance & Data Protection Policy
• GP/D3-8 Lost and Stolen Records for Health and Corporate Records Procedure
• NHS Fife Records Management Plan
• GP/I5 Information Security Policy
• GP/R4 Records Management Policy
• GP/I9 Adverse Events Policy
• GP/A4 Acceptable Use Policy
• GP/S8 Digital & Information Incident Management Policy
• GP/M5 Device Management Policy
• GP/O2 Corporate Communications Policy
• GP/P2 Secure Use of Password Policy
7. REFERENCES
• Computer Misuse Act (1990)
• Data Protection Act (2018)
• UK General Data Protection Regulation (UK GDPR)
• Network and Information Systems (NIS) Regulations 2018
• Freedom of Information (Scotland) Act (2002)
• Public Records (Scotland) Act 2011