Policy Type General Policy

Policy Category Digital & Information

Policy Number GP/D6

Author Information Security Manager

Reviewer Information Security Manager

Signatory Associate Director of Digital and Information

Implementation Date 01 June 2009

Last Review Date 14 February 2022

Next Review Date 17 January 2025

Version Number 4

General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out.

New policies will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy is past its review date, then the content will remain extant until such time as the policy review is complete and the new version published.

1 FUNCTION

This policy supports the NHS Fife GP/I5 Information Security Policy. The purpose of this policy is to prevent unauthorised disclosure, modification, removal or destruction of NHS Fife information assets, and disruption to NHS Fife clinical and business activities.
This document forms part of the overall Information Security policy for NHS Fife.

1.1 Purpose

Except when specifically authorised after a risk assessment of the necessary clinical or business case, personal data, staff or other corporate records / information shall not be stored on local PCs, mobile devices including laptops, phones, USB memory sticks, portable hard drives, external hard drives or any other mobile device or media such as smart phones, CD or DVD (except for agreed backups).

In some cases, storing patient information on a mobile device may be unavoidable for the completion of work duties and the provision of care. Such cases shall be subject to:
• an approved Data Protection Impact Assessment (DPIA);
• meeting the security requirements of this policy; and
• an agreed backup strategy.

2 LOCATION

This policy is applicable to all staff, contractors and volunteers using NHS Fife’s IT infrastructure and its information processing systems.

3 RESPONSIBILITY

3.1 Chief Executive

It is the responsibility of the NHS Fife Chief Executive to accept and implement this policy and to ensure that the security controls identified by the Information Security Manager are implemented.

3.2 All Staff

It is the responsibility of all staff to comply with this and all other NHS Fife policies.

This is particularly relevant when staff are using their own equipment, IT devices and mobile phones in relation to work activities and information.

Failure to comply with this policy may endanger the information services of NHS Fife and may result in disciplinary action.

3.3 Digital and Information Department

The Technical Services Manager – Digital and Information is responsible for ensuring that:
• mobile devices have the appropriate data encryption capabilities in order to protect personal data stored on them.
• appropriate measures are in place to prevent unauthorised memory devices i.e. unencrypted memory sticks, being connected to computers, servers or laptops.

The Information Security Manager (ISM) is responsible for assuring that the data encryption functionality and procedures used to protect data have been implemented correctly, are of appropriate strength and fit for purpose.

3.4 Line Managers

It is the responsibility of Line Managers to ensure that all staff adhere to the contents of this policy.

Responsibility for taking any appropriate disciplinary action following a breach of this policy lies with the relevant Line Manager having taken advice from the Human Resources Department.

Line managers in collaboration with the Information Security Manager are responsible for the day-to-day management of the security of data within their work areas to ensure this policy is followed.

4 OPERATIONAL SYSTEM

4.1 Information Processing Systems

To comply with General Data Protection Regulations (GDPR) and the Network and Information Systems (NIS) regulations, the purchasing and implementing of information systems that process personal data shall be required to have a DPIA carried out to ensure that personal data is protected in transit and if necessary, at rest i.e. privacy by design.

The transmission of personal or commercially sensitive data shall be protected by encryption to the currently acceptable encryption protocol as defined by the Information Security Manager or Cyber Security Manager.

4.2 Data Encryption

This data encryption policy must be applied in conjunction with the organisation’s Mobile Device and Media Handling Policies.

All sensitive data stored on local drives of Laptops are covered by this policy.

All removable media for use on information systems owned or operated by NHS Fife are covered by this policy. Removable media include tapes, floppy discs, removable or external hard disc drives, optical discs DVD and CD-rom, solid state memory devices including memory cards and pen drives etc.

Currently approved cryptographic algorithms are for encryption - AES (FIPS 140-2) and should be used at recommended 256bit strength. These algorithms and bit strength are readily available within a range of commercially available off the shelf security products and services.

The use of freeware or shareware is not permitted and must be avoided. There is the risk of malware being incorporated into these products.

4.3 Data Security

Data intended for processing on removable media must be risk assessed, taking into account personal data, its sensitivity and the potential impact (distress and harm) if lost, stolen, corrupted, unavailable or otherwise compromised.

Staff should be trained in the use of encryption tools or application facilities provided, and for the handling of encrypted removable media.
Where encrypted removable media is to be shared, care must be taken to ensure that the intended recipient has the correct technical capability to de-crypt the data on receipt and this should be established in advance of any sharing of media.

The pass-phrase or decryption key used for encryption/decryption purposes must be sufficiently long and complex to protect the encrypted information from a password attack. The decryption pass-phrase or key must never be sent with encrypted removable media.

In all cases where data encryption is used, a full auditable record should be maintained of the media and data involved and its intended purposes including dates of encrypted file creation, transmission and destruction.

Audit spot checks will be conducted by the organisation to ensure this policy is complied with. Any compliance issues will be reported to the line manager concerned via Datix and may be handled through staff disciplinary processes or contractual arrangements.

All incidents involving loss of personal data or business data must be reported to the Information Governance Team via a Datix incident. This must be done promptly as serious breaches must be reported to the Information Commissioners Office (ICO) within 72 hours to comply with GDPR.

Personal Computers including Laptops, Tablets, Handheld Computers and smart phones shall have whole disk encryption applied.

4.4 Device Control

Only approved devices will be permitted to connect to the NHS Fife network.
Access of all other devices will be denied. Approved devices must be purchased and owned by NHS Fife or GP Practices.

The approval of devices can only be granted by the Digital & Information Cyber Team or the Information Security Manager.

Laptops/Tablets must be authenticated on the network periodically or they will be locked and rendered unusable.

All other devices such as portable hard drives, MP3 players or any other mobile device or media such as smart phones or cameras must be approved by the Information Security Manager.

Data Loss Protection software must be installed on all PCs (Laptops, Desktops, Notepads) to prevent data being downloaded onto unapproved devices.

4.5 Procurement of Encrypted Memory Sticks

The procurement of approved encrypted USB memory sticks must be via the NHS Fife Digital and Information Department.
Only approved encrypted USB memory sticks must be purchased to ensure that they comply with section 4.1 of this policy.

4.6 Removable Media

Export of unencrypted personal data onto removable media such as CD, SD cards, DVD or ZIP drives MUST be avoided unless for approved backup purposes and then they must be stored securely.

Any requests for this deviation must be authorised by the Information Governance Team. The user would be required to raise a Digital and Information service request.

4.7 External Hard Drives

Users must show a clinical or business requirement for the use of external hard drives and this must be approved by the Information Governance Team. They must be pre-encrypted and match the currently approved cryptographic algorithms or an IG approved process implemented to mitigate the risks to any personal data being processed.

4.8 Secure File Transfer

The approved methods of securely transmitting personal data are NHS M365 (up to 25 MB) and the SWAN Secure File Transfer (SFT) service.

The SFT provides the means of transferring larger files than NHS M365, up to 1GB, to non-NHS M365 accounts securely. The Digital and Information Service Desk should be contacted, if an account is required to make use of the SFT service.

5 RISK MANAGEMENT

To mitigate the risks to NHS Fife’s (including GP Practices) Data, Information and IT infrastructure, the following strategies and techniques shall be implemented:

It is the responsibility of each Line Manager to ensure this policy is deployed within their area of responsibility.

NHS Fife Staff shall be trained to respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and to abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.

The unauthorised disclosure of NHS Fife data in any medium is expressly forbidden, as is the access or use of any NHS Fife data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.

With regard to the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and regularly review these to ensure they take into account legislative and operational requirements.

Should the above risk mitigations not be implemented, and a breach of legislation occurs the following impact may follow:
• Disciplinary action against staff;
• Legal action against NHS Fife;
• Legal action against the person(s) involved in the breach

6 RELATED DOCUMENTS

6.1 GP/I5 Information Security Policy
6.2 GP/D3 Information Governance and Data Protection
6.3 GP/E6 Email Policy
6.4 GP/I3 Internet Policy
6.5 GP/I6 IT Change Management Policy
6.6 GP/M5 Mobile Device Management Policy
6.7 GP/O2 Corporate Communications Policy
6.8 GP/P2 Password Policy

7 REFERENCES

7.1 Computer Misuse Act (1990)
7.2 Data Protection Act (2018)
7.3 General Data Protection Regulations (GPDR)
7.4 Network and Information Systems (NIS) Regulations
7.5 Freedom of Information (Scotland) Act (2002)
7.6 Human Rights Act (1998)
7.7 NHSS Information Security Policy Framework July 2015
7.8 NHS Scotland I.T. Mobile Data Protection Standard (2008)

Data Encryption Policy