NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out.
New policies will be subject to a review date of no more than one year from the date of the first issue.
Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than three years.
If a policy is past its review date, the content will remain extant until the policy review is complete, and the new version is published.
To improve the security and protect the confidentiality of information, including personal data, NHS Fife has adopted a clear desk policy for papers and removable storage media and a clear screen policy for information processing systems, to reduce the risk of unauthorised access, loss of, and damage to information during and outside regular working hours or when working areas are left unattended.
This document forms part of the overall Information Security policy for NHS Fife.
This policy applies to all staff, contractors and volunteers working within NHS Fife.
3.1 All Staff
It is the responsibility of all staff to ensure the Confidentiality, Availability and Integrity of data belonging to NHS Fife and to comply with the requirements of the General Data Protection Regulations (GDPR) and Caldicott recommendations and this Clear Screen / Clear Desk policy.
All staff must take personal responsibility for the security of the data in their care.
3.2 Line Managers
Line Managers are responsible for ensuring that their staff clearly understand and adhere to this policy.
4 OPERATIONAL SYSTEM
4.1 Clear Desk Policy
NHS Fife recognises that material left exposed (e.g. on a desk, printer or cupboard top) is more susceptible to damage, disclosure or theft, particularly outside office hours.
Where appropriate, paper and computer media must be stored out of sight in cabinets and furniture when not in use, predominantly outside working hours.
Personal data or critical business information must be locked away (ideally in a fire-resistant safe or cabinet) when not required, especially when the office is vacated.
All removable data storage, computing devices (e.g. USB sticks, diskettes, handhelds containing confidential or sensitive data) must be stored in a secure location when not in use.
Adequate secure storage is available to support the Clear Desk policy.
4.2 Clear Screen Policy
The Clear Screen policy mitigates the risk that an unlocked computer provides unauthorised access to NHS Fife’s information systems. There is also a potential for sensitive data to be viewed if left on the screen.
An IT clear screen measure has been implemented on NHS Fife computer screens (desktop computers, mobile devices, terminals and laptops).
It has been implemented through the deployment of a password-protected screen-saver. This is activated automatically after a period without user activity of at most 15 minutes. Note that longer timeouts are permitted where there is a clinical need and the PC is in a secure area, i.e. theatres.
Personal computers, mobile devices, computer terminals and printers must not be left logged on when unattended. Users must protect their IT access by a key lock, passwords, or other controls when not in use by locking their PC, e.g., the Ctrl+Alt+Del, then Enter facility or MS Windows key+L.
5 RISK MANAGEMENT
To mitigate the risks to NHS Fife (including GP Practices) Data, Information, and IT infrastructure, the following strategies and techniques shall be implemented.
It is the responsibility of each Line Manager to ensure this policy is deployed within their area of responsibility.
NHS Fife Staff shall be trained to respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and abide by legislation, policies, procedures, and guidelines regarding access, use, or disclosure of information.
The unauthorised disclosure of NHS Fife data in any medium is expressly forbidden, as is the access or use of any NHS Fife data for one’s gain or profit or to satisfy one’s curiosity or that of others.
Concerning the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements and regularly review these to ensure they take into account legislative and operational requirements.
Should the above risk mitigations not be implemented, and a breach of legislation occurs, the following impact may follow:
• Disciplinary action against staff;
• Legal action against NHS Fife;
• Legal action against the person(s) involved in the breach.
6. RELATED DOCUMENTS
GP/D3 Data Protection and Confidentiality Policy
GP/I5 Information Security Policy
GP/E6 Email Policy
GP/I3 Internet Policy
GP/I6 IT Change Management Policy
GP/M5 Mobile Device Management Policy
GP/O2 Online Communication Policy
GP/P2 Password Policy
Computer Misuse Act (1990)
Data Protection Act (2018)
General Data Protection Regulations (GPDR)
Network and Information Systems (NIS) Regulations
Human Rights Act (1998)
Freedom of Information (Scotland) Act (2002)
NHS Scotland eHealth Mobile Data Protection Standard (2008)
NHSS Information Security Policy Framework July 2015