General Note
NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out. New policies will be subject to a review date of no more than 1 year from the date of first issue.
Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.
If a policy is past its review date, then the content will remain extant until either such time as the policy review is complete and the new version published, or there are national policy or legislative changes.
1. Introduction
This policy forms part of the overall Information Security and management processes in place for NHS Fife.
2. Aim, Purpose and Outcomes
2.1 To ensure that INFORMATION SECURITY is maintained by:
- Ensuring that confidentiality, integrity and availability of personal and sensitive information is maintained
- Ensuring that information is available to authorised users
- Ensuring that information is not disclosed to unauthorised people
- Preventing unauthorised modification or destruction of information
2.1.2 The policy also advises staff of their obligations to maintain information confidentiality, integrity, and availability.
2.1.3 This policy forms part of Digital & Information’s Information Security Management System (ISMS) and should be read in conjunction with all linked Information Security policies.
2.1.4 This policy has been written in line with the best practice for information security standards and the policy will be reviewed to meet future changes to this standard.
2.1.5 This policy has been written to comply with current relevant legislation including but not limited to, NIS Regulations 2018, Data Protection Act 2018 and the Public Records (Scotland) Act 2011.
3. Scope
3.1 This Policy applies to:
3.1.1 This policy applies to all NHS Fife staff and is intended to maintain robust information security across the organisation.
3.1.2 In the interests of clarity, all references to ‘staff’ include:
- all staff within NHS Fife
- all volunteer staff directly engaged with NHS Fife operations
- all 3rd party employees directly engaged in service provision or embedded with NHS Fife departments
- all staff who are employed, engaged or partners within each GP practice (contracted to NHS Fife).
3.2 Who are the Stakeholders:
3.2.1 All staff and patients of NHS Fife. NHS Fife takes care to ensure personal information is only accessible to authorised people. NHS Fife staff have a legal and contractual duty to keep personal health information secure and confidential. To find out more about current data protection legislation and how we process this information, please visit the Data Protection Notice on our website at https://www.nhsfife.org/.
4. Principal Content
4.1 Overview
4.1.1 The purpose of information security is to ensure business continuity and manage risk by minimising the likelihood and impact of security incidents. Information security enables information to be shared while ensuring the protection of information assets.
4.1.2 This Information Security Policy establishes a framework to ensure the Confidentiality, Integrity, and Availability (CIA) of all information assets managed by NHS Fife. It safeguards patient data, clinical systems and all other sensitive or business information processed, stored, or transmitted by the organisation.
4.1.3 This policy sets out clear management direction in accordance with business requirements, legislation, regulations, standards and guidance. It demonstrates management support for, and commitment to, information security through issuing this policy for user acceptance and compliance, together with the associated information security policies, procedures and guidelines, including user education and awareness across NHS Fife.
4.2 Applicability
4.2.1 This policy applies to all types of data (electronic information, paper-based records and verbal communications) processed on NHS Fife systems, networks, devices and applications owned, managed or accessed by the organisation.
4.2.2 NHS Fife directs that all NHS Fife information assets are safeguarded against breaches of confidentiality, integrity and availability. To achieve this, the following attributes will, at all times, be in place with respect to matters relating to information assurance:
- Information Security Policy, objectives, activities and improvements will be aligned with the business objectives and organisational culture of NHS Fife.
- A risk-based approach to Information Security will be maintained enabling informed decisions on information security initiatives and ensuring that budget and resources are focussed appropriately. These security initiatives will meet the following objectives:
  - prevention of incidents via the identification and reduction of risks;
  - detection of incidents before damage can occur;
  - recovery from incidents via containment and repair of damage and prevention of reoccurrence.
- Information security will be promoted at all levels of the business through promotion of security culture, awareness and accountability.
- NHS Fife leadership will actively support information assurance initiatives, ensure they remain abreast of the risks to information assets and champion the continual improvement of information security principles and best practice.
- An effective Information Security Policy and corresponding security operating procedures will be maintained ensuring that:
  - all information assets are protected against unauthorised access and disclosure;
  - confidentiality of information will be assured at all times;
  - integrity of information will be maintained at all times;
  - business requirements for availability will be met;
  - breaches of security, both actual and suspected, are reported and investigated;
  - classification and ownership of information assets will be applied; and
  - regulatory and legislative requirements will be met, including compliance with current data protection legislation.
5. Roles and Responsibilities
5.1 Chief Executive
5.1.1 Final responsibility for the secure operation of all systems used to process information in NHS Fife is vested in the Chief Executive. This responsibility is delegated to all staff developing, introducing, managing and using information systems in accordance with this policy. The Chief Executive is ultimately responsible for accepting the residual risks evaluated by the information risk management process.
5.2 Caldicott Guardian
5.2.1 The responsibility for protecting the confidentiality of personally identifiable information rests with the NHS Fife Caldicott Guardians.
5.2.2 This is an advisory role and the conscience of the organisation, and a focal point for patient confidentiality and information sharing issues.
5.3 Senior Information Risk Owner
5.3.1 A Senior Information Risk Owner (SIRO) has overall responsibility for NHS Fife's information risk policy.
5.3.2 The SIRO is accountable and responsible for information risk across the organisation. They ensure that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately.
5.3.3 Director of Digital & Information
5.3.4 The Director of Digital & Information has the responsibility to ensure that:
- The NHS Fife IT infrastructure is implemented in accordance with this policy.
- Changes to the infrastructure are subject to security risk assessment and in accordance with GP/I6 Change Management Policy.
- Digital & Information staff work within a clear framework which promotes Information Security, and that this framework is documented and regularly reviewed within the department.
5.3.5 Head of Information Governance & Security
The Head of Information Governance & Security will provide strategic leadership for Information Governance across NHS Fife, providing assurance to the NHS Board regarding the performance of NHS Fife in line with governance and accountability structures. They are responsible for leading and developing Information Governance and Data Protection management within the broad national and local frameworks, which includes the confidentiality and safety of patient and staff information.
5.3.6 Data Protection Officer (DPO)
The DPO is responsible for:
- Ensuring that a register of all NHS Fife information assets is maintained. The register will record the data owners and identify those assets that are confidential or sensitive as defined in Data Protection legislation and Caldicott guidelines.
- Ensuring that NHS Fife lodges a full, correct and up-to-date notification in its name with the Information Commissioner to comply with current data protection legislation.
- Advising on and monitoring data protection practices in NHS Fife.
- Assisting the organisation with its responsibilities in relation to data protection.
- Undertaking regular audits of how personal information is handled.
5.3.7 Information Security Manager
The Information Security Manager for NHS Fife is responsible for:
- Ensuring that all Information Security Policies are implemented and enforced throughout NHS Fife.
- Ensuring that System Security Policies (SSP) and Secure Operating Procedures (SOP) are in place and maintained for all new and existing IT systems.
- Determining the level of security required for any new IT implementations.
- Ensuring that all 3rd party connections or NHS Fife local methods of remote connectivity comply with the Scottish Wide Area Network (SWAN) code of connection.
- Ensuring regular risk assessments are performed on IT systems and the appropriate controls are identified to manage risk to acceptable levels.
- Monitoring and reporting the state of IT security within NHS Fife.
- Developing and enforcing procedures to maintain Information security.
- Ensuring compliance with relevant legislation and NHS Scotland Information security guidance.
- Developing IT Security awareness training material to ensure that all staff are aware of their responsibilities and accountability for information security.
- Monitoring, recording, investigating and reporting actual or potential IT security breaches.
- Auditing external service providers for access to IT systems and data.
5.3.8 Digital & Information Operations Department
The Digital & Information Operations Department has the responsibility to ensure that:
- IT systems are held in secure areas that provide protection from unauthorised access and environmental threats such as fire, flood and loss of power.
- IT systems used to store NHS Fife data are recorded and any movements tracked to ensure that theft or loss is detected.
- All information is securely removed and appropriately destroyed (in consultation with the corporate records manager) before equipment is re-allocated or sent for secure disposal/destruction.
- Protection against malicious code (e.g. viruses, malware, etc.) is operated on all workstations, servers and data exchange systems.
- All incoming data (including data held on IT media, e-mail and Internet downloads) is scanned on opening for malicious code.
- Back-up and recovery procedures are in place to assist in contingency arrangements to support business continuity.
- Interaction with external IT systems is recorded and monitored. This includes the monitoring of e-mail and other data streams uploaded to, or downloaded from, any NHS Fife system.
- Back-ups of IT systems are kept in a secure place and procedures are in place to ensure that systems can be recovered in accordance with business needs.
5.3.9 Information Asset Owner
The IAO is an individual within the Board that has been given formal responsibility for the security, maintenance and confidentiality of an asset(s) in their work area. Key responsibilities include, but are not limited to:
- Leading and fostering a culture that values, protects and uses information for the public good by ensuring that all asset usage aligns with NHS Fife policy and Data Protection Legislation.
- Knowing what information is held within each asset, and ensuring that information is kept secure and is only transferred in line with NHS Fife policy.
- Being aware of who has access to each asset and why that access is required, in order to protect both personal and business-critical information.
- Understanding and addressing risks to assets through the review and update of the relevant compliance documentation, in addition to the encouragement of incident reporting.
- Ensuring that assets are used for their intended purposes, ensuring that they comply with Access to Information requirements such as Freedom of Information and Data Subject Access Request (DSAR) processes.
- Ensuring compliance with good practice in relation to application and password control.
- Ensuring compliance with media and equipment disposal procedures in liaison with the Digital & Information Operations Department.
5.3.10 Functional, Service and Departmental Managers
Line managers are responsible for:
- Notifying the NHS Fife IT Service Desk of changes to staff personnel so that IT access can be provided and withdrawn in a controlled and auditable manner.
- Ensuring that all current and future staff are trained in their personal IT security responsibilities and adherence to this and related information Security Policies.
- Ensuring that any staff who use IT systems/media are trained in their secure use and disposal.
- Ensuring that no unauthorised staff are allowed to access any of NHS Fife IT systems.
- Determining which staff should be given authority to access specific IT systems. The level of access to IT systems will be based on job function need, irrespective of status.
- Implementing procedures to minimise NHS Fife exposure to fraud/theft/disruption of its IT and information assets.
- Ensuring that key documentation is maintained for all critical job functions so that departmental business continuity is maintained in the event of staff unavailability.
5.3.11 All Staff
All staff, including contractors and service providers, who influence the use of NHS Fife information systems are responsible for:
- Conforming to the standards expected and described in this and any other associated information security policies.
- Reading and ‘signing up’ to (accepting) this and any other information security policies relevant to their job role.
- Complying with specific information security responsibilities required of them as defined in their job description and within IT systems secure operating procedure documentation.
- Taking personal and professional responsibility for dealing securely with any information they have access to in the course of their duties.
- Ensuring their actions when using these assets fully conform to this and related policies, standards and legal requirements.
- Taking all reasonable precautions to ensure no breaches of Information security result from their personal actions. This applies equally to staff authorised to access and use NHS Fife Information systems remotely.
- Reporting to the NHS Fife IT Service Desk any suspected or actual breaches of IT security.
- Fully complying with all NHS Fife Information Security Policies, Standards and Procedures.
- Notifying their Line Manager of all suspected or actual breaches of Information security.
Failure to observe this policy may result in disciplinary action according to local disciplinary procedures or legal proceedings being taken. Standard supplier contracts will also require contractors and other third parties to comply fully with the provisions of this and other NHS Fife Information Security policies.
5.3.12 Third Parties
NHS Fife and external organisations need to share information with each other and, in some cases, allow access to IT resources. Information sharing brings with it increased risk to the security of the data and the systems on which it is held.
- Before allowing third party access, a risk assessment will be carried out by the Information Security Manager to establish the level of risk and to recommend any necessary counter-measures before access can be authorised.
- Access to information assets by third parties will only be allowed when the appropriate security measures have been implemented and an agreement has been signed defining the terms for the sharing of data.
- A regular audit of external service providers in respect of their need for access to systems and data and their responsibilities regarding security and confidentiality will be carried out by the Information Security Manager.
6. Operational System
6.1 Confidentiality of IT Systems
This will be maintained by ensuring that:
- Only authorised NHS Fife staff will be granted access to information systems and that access will be restricted to the information required for the person’s job function i.e. only on a “need-to-know” basis, which can be applied through the rule of “least privilege”.
- Where multiple staff share access to an NHS Fife Information System, each member of staff will be provided with a unique identifier. All transactions on such systems must be attributable and auditable to the user who conducts the transactions. In circumstances where such systems do not provide an auditable trail of use, measures should be put in place to manually audit user transactions. Segregation of duties and the associated access required will also provide a layered approach to maintaining confidentiality.
- Passwords must be defined in line with the National Cyber Security Centre (NCSC) guidelines, in accordance with GP/P2 Password Policy and kept confidential, at all times.
- Access to NHS Fife information systems from external IT networks and other types of communication link will only be permitted on an exception basis and be subject to an additional layer of security, in line with national and NHS Scotland remote connectivity standards and regulations.
- NHS Fife controls and monitors internal access to external networks and reserves the right to disconnect immediately, and if necessary, permanently, any member of staff or organisation attempting to breach this or any other NHS Fife Information Security Policy.
6.2 Integrity of IT Systems
This will be maintained by ensuring that:
- All NHS Fife information assets will operate in accordance with IT systems manufacturer specifications.
- Updating, patching and other change activities that could affect the integrity of information must be restricted to authorised staff needing to do so as part of their job function, in line with Caldicott principles on access to confidential information and managed through the GP/I6 Change Management Policy.
6.3 Availability of IT Systems
This will be maintained by ensuring that:
- Regular backups are taken of all IT systems and stored in a secure manner.
- The ability to recover archived data for operational use is regularly tested.
- Physical backup media (where used) is held in a physically secure offsite location.
- Business continuity/disaster recovery plans are in place.
6.4 Mobile Computing
This policy applies fully in situations where NHS Fife deploys mobile memory devices. NHS Fife will provide other standards, guidelines and policies specific to the secure use of such devices. The use of personal mobile devices is recognised as an ever more complex area to secure. To manage this, only those devices and/or applications considered acceptable for use on personal devices are authorised. Indiscriminate use of personal devices for processing personal and business data is not authorised. This is covered in more detail in the GP/M5 Device Management and GP/E7 Non-NHS Fife Equipment Policies.
6.5 System Development
Staff who authorise the development or purchase of information systems will be responsible for ensuring that the specification conforms to the purpose for which the systems are required. Developers or procurers of information systems, including service providers, will be responsible for ensuring that systems produce results as specified and provide adequate means of security:
- New Information systems being considered for procurement by NHS Fife must follow the process defined in GP/I4 – NHS Fife Digital Solutions Procurement Policy and include adequate security measures that are clearly documented in the Business Case and defined in the requirements specification. All new implementations must adhere to data protection legislation and be assured through the Architecture Review Board.
- The testing of all applications must be documented, and attention paid to all aspects of security. Under no circumstances will operational data be provided for use in application development or testing outside of the NHS Fife secure IT environment.
- All new systems must have, among other system specific documents, a System Security Policy (SSP), Data Protection Impact Assessment (DPIA) and may require an Operational Support Guide (OSG). The SSP must address the different aspects of:
  - physical, personnel and document security principles;
  - communications security;
  - hardware and software security measures;
  - administrative and procedural security rules;
  - detailed architectural designs.
- The SSP may also incorporate the risk assessment for new systems.
- The OSG is to document the day-to-day operation and support requirements for any given implementation.
6.6 Software & Internet Applications
All software applications for core use in NHS Fife must be assured. The process surrounding this is ever evolving owing to the “availability” of data in environments uncontrolled by NHS Fife, specifically public facing internet services. The manner in which new software or applications are accessed must be understood to ensure there are no unintended consequences such as a data breach. When considering a platform, software app or web application, knowing where and how that resource is accessed is a key requirement. Is it available to:
- Corporate managed devices (e.g. desktops, laptops mobiles etc) and/or
- Corporate unmanaged devices (e.g. bespoke equipment, non-centrally managed mobiles) and/or
- unmanaged/personal devices (e.g. personal mobiles, desktops, laptops).
This is vital to assessing what risk they potentially pose to the organisation and its data. Broadly, categories are applied that encompass those already available to install/download from the software centre and managed play store, those available through unmanaged play stores/the internet, and project-managed new implementations for the business. Software application screening will include assessment of areas such as:
- Purpose and business need
- Hosting model (on premise, protected cloud, public cloud)
- Security (authentication, encryption, permissions, data storage)
- Risk (example scoring matrix to illustrate only)
  - Low – no PII or Health data, no integrations required.
  - Medium – business data but non-critical information.
  - High – PII/Health data and/or integrations with EHR systems.
- Privacy & Regulatory compliance (GDPR, UK DPA 2018 etc)
The above is for outline only; NHS Fife users should not consider any web or mobile application as approved for data processing unless a formal assurance process has been conducted and endorsed.
6.7 Compliance
NHS Fife staff will comply fully with all relevant legislation and give consideration to advisory instructions from NHS Scotland and the Scottish Government. A list of the principal legislation and formal administrative guidance on information security is provided in the reference list. In particular, NHS Fife’s Information Security Management System (ISMS) will align to the NIS Regulations 2018, ensuring that the compliance controls laid out in the Public Sector Cyber Resilience Framework v2.0 are the basis for a robust ISMS. Internal and external audits will be undertaken to monitor and validate security controls and compliance.
6.8 Unacceptable Use
Unacceptable and inappropriate use exposes NHS Fife to risks including data breach, malware events, and compromise of systems and services. Examples of unacceptable use of NHS Fife’s IT include:
- downloading or installing unauthorised software
- bypassing NHS Fife security controls (e.g. disabling antivirus, firewalls, or encryption)
- accessing inappropriate web content
- connecting unauthorised devices (e.g. personal USB mass storage)
- sharing login credentials
- using NHS email or systems for personal gain (e.g. running a side business)
- excessive personal use of the internet
- participating in political campaigns or lobbying using NHS Fife resources
Instances of unacceptable use will be investigated. Further detail and direction can be found in GP/A4 Acceptable Use Policy.
7. Risk management and business continuity
NHS Fife will complete risk assessment and management documentation for all information systems to ensure that threats and vulnerabilities are identified, and risk is minimised through the application of balanced security controls.
NHS Fife will ensure suitable disaster recovery and contingency arrangements are in place.
Recovery procedures will be developed for all IT operational systems and, where relevant, appropriate contingency plans will be documented and tested to ensure an acceptable level of service and control is maintained following a system failure.
8. Policy distribution
The Information Security Policy and all subsequent associated policies will be communicated to all members of staff in NHS Fife and to any appropriate third-party individuals or companies working on behalf of the organisation. The document will also be made available on the NHS Fife Webpage and through the Intranet (Stafflink).
9. Review
This Policy will be reviewed every three years or more frequently if appropriate to take into account changes to legislation that may occur, and/or guidance from the Scottish Government and/or the UK Information Commissioner. The review will be conducted in line with existing NHS Fife procedures.
10. Related documents
- GP/A4 – Acceptable Use Policy
- GP/I3 – Internet Policy
- GP/D3 – Information Governance and Data Protection Policy
- GP/O2 – Online Communications Policy
- GP/B2 – Remote Access Policy
- GP/C10 – Clear Desk Clear Screen Policy
- GP/R4 – Records Management Policy
- GP/D6 – Data Encryption Policy
- GP/M5 – Device Management Policy
- GP/E7 – Non-NHS Fife Equipment Policy
- GP/S8 – Incident Management Policy
- GP/V2 – Malware Protection Policy
- GP/I6 – Change Management Policy
- GP/I4 – NHS Fife Digital Solutions Procurement Policy
11. References
The principal Acts of Parliament, Scottish Government circulars, and internal guidance documents relevant to this policy are:
- General Data Protection Regulation (GDPR)
- Network and Information Systems Regulations 2018 (NIS Regulations)
- CEL 25 (2012) NHS Scotland Mobile Data Protection Standard
- Civil Contingencies Act 2004
- Computer Misuse Act 1990
- Copyright, Design and Patents Act 1988
- Data Protection Act 2018 (DPA)
- Freedom of Information (Scotland) Act 2002
- MEL 2000 (17) Data Protection Act 1998
- NHS Fife Risk Management Strategy 2016
- Public Records (Scotland) Act 2011
- Regulation of Investigatory Powers (Scotland) Act 2000
- Scottish Government Records Management: NHS Code of Practice (Scotland) Version 2.1 January 2012
- SG DL (2015) 17 Information Governance and Security Improvement Measures 2015-2017 (NHSS Information Security Policy Framework)
- The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000