Policy Type General Policy

Policy Category Digital & Information

Policy Number GP/M4

Author Digital and Information Endpoint Infrastructure Manager

Reviewer Information Security Manager

Signatory Associate Director of Digital & Information

Implementation Date 01 June 2009

Last Review Date 14 February 2022

Next Review Date 12 December 2024

Version Number 3

General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy/procedure statements and aims to review policies within the timescales set out.

New policies/procedures will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies/procedures will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy/procedure is past its review date then the content will remain extant until such time as the policy/procedure review is complete and the new version published, or there are national policy or legislative changes.

1. FUNCTION

This policy supports the NHS Fife Information Security Policy. This document forms part of the overall Information Security policy for NHS Fife.

It outlines the framework with which NHS Fife stores and handles and transports physical removable media (including the security measures employed around the use of Handheld Computers and Peripheral Devices, any handheld Information Technology (I.T.) Devices e.g. memory stick, PDA, Smartphone, etc.) and also how it disposes of media securely at the end of its lifecycle.

2. LOCATION

This policy is applicable to all staff and contractors working with NHS Fife

3. RESPONSIBILITY

3.1 All Staff

Within Information exchange policies and procedures where formal information exchange protocols are required to assure data confidentiality and integrity, the following should be checked (see ISO27001, A.8.3 Media handling):

• management responsibilities for controlling and notifying transmission, dispatch and receipt are clear and robust
• procedures for notifying sender, transmission, dispatch and receipt are clear and robust
• minimum technical standards for packaging and transmission are clear
• courier identification standards are clear
• responsibilities and liabilities in the event of loss of data are clear and robust
• use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected, exist
• information and software ownership and responsibilities for data protection, software copyright compliance, and similar considerations technical standards for recording and reading information and software, exist
• any special controls that may be required to protect sensitive items, such as cryptographic keys (see ISO27001, A.10.1 Cryptographic controls), are in place

Similar standards may be applied to the exchange of information in “hard copy”, so that the manual exchange of confidential information is subject to the Data Protection Act 2018.

3.2 Exchange agreements

The level of confidentiality attached to information in transit must be agreed, so that relevant security standards may be applied. Information sharing protocols must be developed and agreed between the parties.

3.3 Digital and Information Department

3.3.1 Advice given by the Digital and Information Department

If the Digital and Information Team is asked for advice on transmission of data, such advice will be based on current legislation, guidance and NHS Fife policies and will be provided by the Information Security Manager.

3.3.2 Advice Given by the Information Service Department

If the Information Services department is asked for advice on the storing and use of data on media, such advice will be based on current legislation, guidance and NHS Fife policies and will be provided by the Data Protection Officer & Caldicott Coordinator.

4. OPERATIONAL SYSTEM

4.1 Email

NHS Fife accepts that NHS M365 is the only method by which Personal Identifiable information can be securely sent by email. NHS Fife has migrated all its email users to NHS M365.

Where patient-identifiable information must be transmitted to external organisations, there is a much greater risk of unencrypted emails being intercepted with a consequent breach of patient confidentiality.

Only NHS M365 accounts may be used to send patient identifiable information to external recipients who use the secure email addresses, see GP/E5 Email Policy.

It is not acceptable to send personal identifiable information out with NHS Fife by another route.

4.2 Handheld Computers and Peripheral Devices

In accordance with the GP/I5 Information Security Policy and to comply with the Data Protection Act and Caldicott recommendations, person-identifiable information shall be stored on a handheld device only when this is absolutely necessary. Where it is necessary to store such information, the following conditions apply:

• the device must be owned by NHS Fife
• password authentication must be applied
• data must be encrypted
• it shall be stored only for the time period when it is actively being used;
it shall be deleted immediately after use;
• only the minimum amount of person-identifiable information, necessary for the current purpose, shall be stored
• the person's name shall be stored only when absolutely necessary
• measures must be taken to maximise the physical security of the handheld device
• personal PDAs, mobile devices and peripherals that have not been authorised by the Digital and Information Department for the storage or processing of Patient Identifiable or other NHS sensitive data should not be connected to a SWAN/NHS M365/ NHS Fife owned connected system.

4.3 Mobile Devices

The provision of NHS Fife mobile devices shall be subject to the following sections.

4.4 Person-Identifiable Information

In order to comply with the NHS Scotland Mobile Encryption Standards, the Data Protection Act 2018 and the recommendations of the Information Governance Group, person-identifiable information shall be stored in a mobile device only when this is absolutely necessary. Where it is necessary to store such information, the following conditions apply:
• password authentication must be applied
• encryption must be applied
• it shall be stored only for the time period when it is actively being used
• it shall be deleted immediately after use
• only the minimum amount of person-identifiable information, necessary for the current purpose, shall be stored;
• the person’s name shall be stored only when absolutely necessary
• measures shall be taken to maximise the physical security of the mobile devices /computer
• for work involving person-identifiable information from locations within NHS Fife, users will be required, wherever possible, to use the NHS Fife’s network and store data facilities.

4.5 Structured Data

Definition: Data that can be subdivided systematically and linked. For structured patient data transmitted on a regular basis the approved transmissions environment is SCI Gateway.

4.6 Physical media in transit

Reliable transport couriers should be used at all times. Packaging should be sufficient to protect the contents from any physical damage during transit and should be in accordance with manufacturers’ specifications.

A list of authorised couriers, and a procedure for their identification, should be established. Special measures should be adopted, where necessary, to protect sensitive information from unauthorised disclosure or modification, for example, locked containers. Special controls should be adopted, where necessary, to protect sensitive information from unauthorised disclosure or modification. Examples include:

• use of locked containers
• delivery by hand
• tamper-evident packaging (which reveals any attempt to gain access)
• in exceptional cases, splitting of the consignment into more than one delivery and dispatch by different routes. See ISO 27001, A.8.3.3 Physical media transfer.

4.7 Safe Storage and Safe Disposal of Media

Storage of media prior to disposal must be stored in the secure storage area within each site. Media must be disposed of in line with NHS Fife’s Condemnation of I.T. Equipment Procedure.

All condemned Digital and Information equipment is disposed of via third party contractor stated in the Condemnation of I.T. Equipment Procedure. The companies referred to in this Procedure are capable of recycling all WEEE categories and is fully licensed by SEPA.

All I.T. equipment that arrives at the plant is currently stored in a secure area until they are destroyed.

The whole site is in a secure compound surrounded by a security fence.
When media i.e. hard disks, are sent to third party companies for repair or restore of data the third party company must sign up to the 3rd party permit to work ‘DECLARATION OF SECURITY & CONFIDENTIALITY’ statement.

5. RISK MANAGEMENT

To mitigate the risks to NHS Fife’s (including GP Practices) Data, Information and IT infrastructure, the following strategies and techniques shall be implemented:
It is the responsibility of each Line Manager to ensure this policy is deployed within their area of responsibility.

NHS Fife Staff shall be trained to respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and to abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.
The unauthorised disclosure of NHS Fife data in any medium, except as required by an employee’s job responsibilities, is expressly forbidden, as is the access or use of any NHS Fife data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.

With regard to the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and regularly review these to ensure they take into account legislative and operational requirements.
Should the above risk mitigations not be implemented and a breach of legislation occurs the following impact may follow:
• Disciplinary action against staff;
• Legal action against NHS Fife;
• Legal action against the person(s) involved in the breach;

6. RELATED DOCUMENTS (*Includes Forms/Monitoring documents used)

GP/I5 Information Security Policy
GP/D3 Information Governance and Data Protection policy
GP/E6 Email Policy
GP/I3 Internet Policy
GP/I6 IT Change Management Policy
GP/M5 Mobile Device Management Policy
GP/O2 Corporate Communication Policy

7. REFERENCES

Computer Misuse Act (1990)
Data Protection Act (2018)
General Data Protection Regulations (GPDR)
Network and Information Systems (NIS) Regulations
Freedom of Information (Scotland) Act (2002)
Human Rights Act (1998)
NHSS Information Security Policy Framework July 2015
NHS Scotland I.T. Mobile Data Protection Standard (2008)

Related Publications
• GPM4 - Media Handling - EQIA

Media Handling Policy