General Policy
Digital & Information
GP/H6
Information Security Manager
Information Security Manager and Technical Services Manager for Digital and Information
Director of Finance
01 November 2011
14 January 2022
01 December 2025
6

General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out.

New policies will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy is past its review date then the content will remain extant until such time as the policy review is complete and the new version published.

1 FUNCTION

To manage and prevent unacceptable risks arising to the organisation and other NHS information assets using unapproved or unsafe home working facilities.
All staff who are permitted to use equipment of the organisation at home or who may use their personal computing resources (please refer to GP/E7 Non NHS Fife Equipment Policy) to connect to networked services of the organisation are subject to the requirements of this NHS Fife policy and procedure.

2 LOCATION

This policy is applicable to all staff, contractors and volunteers working for NHS Fife and Fife GP Practices.

3 RESPONSIBILITY

3.1 Technical Services Manager – Digital and Information

The Technical Services Manager – Digital and Information is responsible for implementing the information security requirements in the NHS Fife network and other I.T. infrastructure. This also includes the supply and configuration of all computing equipment provided by the organisation, the provision of network connectivity and support for approved services. All equipment is subject to PAT testing before being issued to staff.

It is the responsibility of the Technical Services Manager – Digital and Information to ensure that the organisation infrastructure is maintained in a technically secure manner that would reasonably prevent a security breach arising from a home worker’s location.

The GP/E7 Non-NHS Equipment Policy must be applied where a home worker requests that their personal computing resources be used for the business purposes of the organisation.

3.2 Information Security Manager (ISM)

The Information Security Manager will provide guidance to the home worker on all relevant security policies and responsibilities.

When a home working agreement is possible the purpose, terms and conditions should be formally reviewed and agreed by the home worker. A reference copy of this agreement must be provided to the home worker. All such home working agreements should be reviewed periodically for their continued applicability with ISM and relevant line manager.

Steps should then be taken to define, agree and implement the environmental security controls deemed necessary. The Information Security Manager will maintain records of all such assessments, surveys, related decisions, agreements and implementation plans.

All incidents involving the use of home working facilities must be reported to the Information Security Manager immediately and in accordance with the organisations GP/S8 Digital and Information Incident Management Policy

3.3  Digital and Information Infrastructure Manager

The Digital and Information Infrastructure Manager is only responsible for supporting the remote access solutions but not private/personal equipment or even the configuration of their personal network or internet connection.

3.4  Information Governance and Security Department

3.4.1 Staff Training

The Information Governance and Security Department is responsible for the provision of adequate training for home workers to ensure that they are aware of their responsibilities regarding the Caldicott principles and the Data Protection Act/GDPR while working with personal or confidential data.

Home working staff should also be trained in:
• the use of for any additional or special tools or functions that underpin the security of their home working, including provided remote access software.
• the deletion of cached information from internet browsers used to access web-based services.
• backing up data for safekeeping in case there is an event that causes data loss.

3.4.2 Risk Assessment

The home worker’s proposed working environment(s) should be considered and where necessary reviewed by health & safety team, and any perceived Information Governance and Security risks assessed to help inform consideration of home working options. The findings of this consideration or survey process and any associated risks should be documented, so that appropriate control measures may be reviewed.

Where the proposed home working arrangements involve the use of personal or shared computing resources, it must be noted the IG risks of doing so may outweigh any operational advantage of home working. For all home working scenarios, consideration of risks must be made and should take account of the potential to:
• accidentally breach patient confidentiality;
• disclose other sensitive data of the organisation to unauthorised individuals;
• loss or damage to personal data;
• damage the organisation’s infrastructure and e-services through spread of un-trapped malicious code such as viruses;
• create a hacking opportunity through an unauthorised internet access point;
• misuse data through uncontrolled use of removable media such as digital memory sticks and other media;
• cause other operational or reputational damage;
 
It is the responsibility of the home worker to maintain their home working environment in conformance with the organisation policies and agreement permitting their home working. Where a home worker requires clarification or guidance, they should consult the Information Security Manager or General Manager – Digital and Information.

3.5  Line Manager

The Line Manager is responsible for:
• Approving Home Working and requesting support from the Digital and Information Infrastructure team to enable the member of staff work from home.
• Ensuring only NHS Fife, Digital and Information Infrastructure approved equipment is supplied to facilitate home working in line with the GP/M5 Mobile Device Management Policy.
• Ensuring staff are trained in the use of any additional special tools or functions that underpin the security of their home working, including provided remote access software.

Ensuring staff receive information governance training from the Digital and Information Information Governance and Security department. 

3.6  NHS Staff working at Home

It is the home worker’s responsibility to ensure that they have received the necessary training from the Information Governance and Security department so that they are fully aware of their information governance and security responsibilities to the organisation.

Failure by staff to observe and maintain their home working agreement may result in their home working facility being withdrawn.

Once all necessary steps have been satisfied the home working arrangements agreed may be made operational. Please note that other NHS IG codes of practice and good practice guidance for information governance security management, the use of data encryption tools, malware protection software and for the security of permitted removable media remain applicable and should be followed.

Audit spot checks may be considered by the organisation to ensure this home working policy is complied with and the agreement with the home worker should clearly specify that this may occur. Any compliance issues will be reported to the line managers concerned and may be handled through staff disciplinary processes or contractual arrangements.

4 OPERATIONAL SYSTEM

A home risk assessment survey may be required when an individual requests one and who regularly works from home, (defined as at least 6 times during a year), has access to:
• Documents protectively marked as ‘confidential’ or above in accordance with Information Governance;
• other commercially or otherwise sensitive documents;
• any sensitive person identifiable information about patients or staff;
• person identifiable information about patients or staff deemed non sensitive but still significant in terms of quantity (defined as 50+ records)
• anonymised information about patients or staff unless the anonymisation technique has been approved by the organisation’s Caldicott Guardian;
• Staff working at home shall take account of the GP/D1 Display Screen Equipment Policy;

5 RISK MANAGEMENT

To mitigate the risks to NHS Fife’s (including GP Practices) Data, Information and IT infrastructure, the following strategies and techniques’ shall be implemented:

It is the responsibility of each Line Manager to ensure this policy is deployed within their area of responsibility.

NHS Fife Staff shall be trained to respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and to abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.

The unauthorised disclosure of NHS Fife Data in any medium, is expressly forbidden, as is the access or use of any NHS Fife Data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.

With regard to the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and regularly review these to ensure they take into account legislative and operational requirements.

Should the above risk mitigations not be implemented and a breach of legislation occurs the following impact may follow:
• Disciplinary action against staff;
• Legal action against NHS Fife;
• Legal action against the person(s) involved in the breach;

6 RELATED DOCUMENTS

6.1 GP/I5 Information Security Policy
6.2 GP/D3 Information Governance and Data Protection
6.3 GP/B2 IT Remote Access Policy
6.4 GP/E6 Email Policy
6.5 GP/I3 Internet Policy
6.6 GP/I6 IT Change Management Policy
6.7 GP/M5 Mobile Device Management Policy
6.8 GP/O2 Corporate Communications Policy
6.9 GP/P2 Password Policy
6.10 GP/D1-1 Display Screen Equipment Risk Assessment Procedure

7 REFERENCES

7.1 Data Protection Act (2018)
7.2 General Data Protection Regulations (GPDR)
7.3 Network and Information Systems (NIS) Regulations
7.4 Computer Misuse Act (1990)
7.5 Civil Contingencies Act (2004)
7.6 Human Rights Act (1998)
7.7 Freedom of Information (Scotland) Act (2002)
7.8 NHSIS I.T. Security Manual
7.9 NHSS Information Security Policy Framework