General Policy
Digital & Information
GP/M4
Digital and Information Endpoint Infrastructure Manager
Head of Digital Operations
Director of Digital & Information
01 June 2009
27 November 2025
27 November 2028
4

General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out. New policies will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy is past its review date, then the content will remain extant until such time as the policy review is complete and the new version published, or until national policy or legislative changes are made.

1.  FUNCTION

1.1 This policy supports the NHS Fife Information Security Policy. This document forms part of the overall Information Security policy for NHS Fife.

1.2 It outlines the framework within which NHS Fife stores, handles and transports physical removable media (including the security measures employed around the use of handheld computers, peripheral devices and other handheld digital devices, e.g. memory sticks, tablets and smartphones) and how it disposes of media securely at the end of its lifecycle.

2.  LOCATION

2.1 This policy is applicable to all staff and contractors working with NHS Fife.

3.  RESPONSIBILITY

3.1 All Staff

3.1.1 Within information exchange policies and procedures, where formal information exchange protocols are required to assure data confidentiality and integrity, the following should be checked (see Network & Information Systems Directive (NIS) Category 8 - Media Management):

  • Management responsibilities for controlling and notifying transmission, dispatch and receipt are clear and robust.
  • Procedures for notifying sender, transmission, dispatch and receipt are clear and robust.
  • Minimum technical standards for packaging and transmission are clear.
  • Courier identification standards are clear.
  • Responsibilities and liabilities in the event of loss of data are clear and robust.
  • An agreed labelling system for sensitive or critical information is in use, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected.
  • Information and software ownership, responsibilities for data protection, software copyright compliance and similar considerations, and technical standards for recording and reading information and software, are defined.
  • Any special controls that may be required to protect sensitive items, such as cryptographic keys are in place and sensitive information is encrypted on removable media.
  • All removable media is formally issued to individual users who are accountable for its use and safe keeping.
  • Users do not use unofficial media, such as USB sticks given away at conferences.

3.1.2 Similar standards may be applied to the exchange of information in “hard copy”, so that the manual exchange of confidential information is subject to the Data Protection Act 2018.

3.2 Exchange agreements

3.2.1 The level of confidentiality attached to information in transit must be agreed, so that relevant security standards may be applied. Information sharing protocols must be developed and agreed between the parties.

3.3 Digital and Information Department

3.3.1 Advice given by the Digital and Information Department

3.3.1.1 If the Digital and Information Team is asked for advice on transmission of data, such advice will be based on current legislation, guidance and NHS Fife policies and will be provided by the Information Security Manager, Cyber Security Manager, or other appropriate Section Manager.

3.3.2 Advice Given by the Information Services Department

3.3.2.1 If the Information Services Department is asked for advice on the storing and use of data on media, such advice will be based on current legislation, guidance and NHS Fife policies and will be provided by the Data Protection Officer, Caldicott Coordinator, or other appropriate Information Governance Officer.

4.  OPERATIONAL SYSTEM

4.1 Email

  • NHS Fife accepts that NHS M365 is the only method by which personal identifiable information (PII) can be securely sent by email. NHS Fife has migrated all its email users to NHS M365.
  • Where patient-identifiable information must be transmitted to external organisations, there is a much greater risk of unencrypted emails being intercepted, with a consequent breach of patient confidentiality.
  • Only NHS M365 accounts may be used to send patient-identifiable information to external recipients who use the secure email addresses; see GP/E5 Email Policy.
  • It is not acceptable to send personal identifiable information outwith NHS Fife by any other route.

4.2 Handheld Computers and Peripheral Devices

4.2.1 In accordance with the GP/I5 Information Security Policy and to comply with the Data Protection Act and Caldicott recommendations, person-identifiable information shall be stored on a handheld device only when this is absolutely necessary. Where it is necessary to store such information, the following conditions apply:

  • The device must be owned by NHS Fife.
  • Password authentication must be applied.
  • Data must be encrypted.
  • It shall be stored only for the time period when it is actively being used, and then be deleted immediately after use.
  • Only the minimum amount of person-identifiable information, necessary for the current purpose, shall be stored.
  • The person's name shall be stored only when absolutely necessary.
  • Measures must be taken to maximise the physical security of the handheld device.
  • Personal PDAs, mobile devices and peripherals that have not been authorised by the Digital and Information Department for the storage or processing of patient-identifiable or other NHS sensitive data should not be connected to a SWAN, NHS M365 or NHS Fife-owned connected system.

4.3 Mobile Devices

4.3.1 The provision of NHS Fife mobile devices shall be subject to the following sections, specifically 4.4 Removable Media.

4.4 Removable Media

4.4.1 In order to comply with NIS Directive Category 8 – Media Management, the following controls should be in place:

  • Where the use of removable media is required to support the business need, it is limited to the minimum media types and users needed.
  • Removable media is automatically scanned for malware when it is introduced to any system.
  • Any media brought into the organisation is scanned for malicious content before any data transfer takes place.
  • A secure baseline build and configuration is applied to all mobile devices.
  • The organisation has the ability to remotely wipe and/or revoke access from all mobile devices.
  • Mobile devices are catalogued, tracked and configured according to best practice for the platform, with appropriate technical and procedural policies in place.
  • The data held on mobile devices is minimised.
  • Some data may be automatically deleted off mobile devices after a certain period.
  • Procedures are implemented for the management of removable media in accordance with the classification scheme adopted by the organisation.

4.5 Person-Identifiable Information

4.5.1 In order to comply with the NHS Scotland Mobile Encryption Standards, the Data Protection Act 2018 and the recommendations of the Information Governance Group, person-identifiable information (PII) shall be stored on a mobile device only when this is absolutely necessary. Where it is necessary to store such information, the following conditions apply:

  • Password authentication must be applied.
  • Encryption must be applied.
  • PII shall be stored only for the time period when it is actively being used.
  • PII shall be deleted immediately after use.
  • Only the minimum amount of person-identifiable information, necessary for the current purpose, shall be stored.
  • The person’s name shall be stored only when absolutely necessary.
  • Measures shall be taken to maximise the physical security of the mobile device or computer.
  • For work involving person-identifiable information from locations within NHS Fife, users will be required, wherever possible, to use NHS Fife’s network and data storage facilities.

4.6 Structured Data

4.6.1 Definition: data that can be subdivided systematically and linked. For structured patient data transmitted outside of the organisation on a regular basis, the approved transmission environment is SCI Gateway.

4.7 Physical Media in Transit

4.7.1 Reliable transport couriers should be used at all times. Packaging should be sufficient to protect the contents from any physical damage during transit and should be in accordance with manufacturers’ specifications.

4.7.2 A list of authorised couriers, and a procedure for their identification, should be established. Special controls should be adopted, where necessary, to protect sensitive information from unauthorised disclosure or modification. Examples include:

  • Use of locked containers.
  • Delivery by hand.
  • Tamper-evident packaging (which reveals any attempt to gain access).
  • In exceptional cases, splitting of the consignment into more than one delivery and dispatch by different routes.

4.8 Safe Storage and Safe Disposal of Media

  • Media awaiting disposal must be stored in the secure storage area within each site.
  • Media must be disposed of in line with NHS Fife’s Condemnation of I.T. Equipment Procedure.
  • All condemned Digital and Information equipment is disposed of via the third-party contractor stated in the Condemnation of I.T. Equipment Procedure. The companies referred to in this Procedure are capable of recycling all WEEE categories and are fully licensed by SEPA.
  • All I.T. equipment that arrives at the plant is currently stored in a secure area until it is destroyed.
  • The whole site is in a secure compound surrounded by a security fence.
  • When media, e.g. hard disks, are sent to third-party companies for repair or restoration of data, the third-party company must sign up to the third-party permit to work ‘DECLARATION OF SECURITY & CONFIDENTIALITY’ statement.

5.  RISK MANAGEMENT

5.1 To mitigate the risks to NHS Fife’s (including GP Practices) Data, Information and IT infrastructure, the following strategies and techniques shall be implemented:

It is the responsibility of each Line Manager to ensure this policy is deployed within their area of responsibility.

5.2 NHS Fife Staff shall be trained to respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and to abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.

5.3 The unauthorised disclosure of NHS Fife data in any medium, except as required by an employee’s job responsibilities, is expressly forbidden, as is the access or use of any NHS Fife data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.

5.4 With regard to the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and regularly review these to ensure they take into account legislative and operational requirements.

5.5 Should the above risk mitigations not be implemented and a breach of legislation occur, the following impacts may follow:

  • Disciplinary action against staff.
  • Legal action against NHS Fife.
  • Legal action against the person(s) involved in the breach.

6.  RELATED DOCUMENTS (*Includes Forms/Monitoring documents used)

7.  REFERENCES

  • Computer Misuse Act (1990)
  • Data Protection Act (2018)
  • General Data Protection Regulation (GDPR)
  • Network and Information Systems (NIS) Directive (2018)
  • Freedom of Information (Scotland) Act (2002)
  • Human Rights Act (1998)
  • NHSS Information Security Policy Framework July 2015
  • NHS Scotland I.T. Mobile Data Protection Standard (2008)

7.1 Related Publications