Information Governance Jym Bates Head of Information Assurance.

Page 1:

Information Governance

Jym Bates

Head of Information Assurance

Page 2:

What Is Information Governance?

Data Protection
Freedom Of Information
Information Security

Page 3:

Relevant Policies

Data Protection Act 1998 (and subsequent Special Information Notices)
Human Rights Act 1998
Access to Health Records Act 1990 (where not superseded by the Data Protection Act 1998)
Computer Misuse Act 1990
Copyright, Designs and Patents Act 1988 (as amended by the Copyright (Computer Programs) Regulations 1992)
Crime & Disorder Act 1998
Electronic Communications Act 2000
Regulation of Investigatory Powers Act 2000 (& Lawful Business Practice Regulations 2000)
Freedom of Information Act 2000
Gender Recognition Act 2004

Page 4:

Email

Ownership of emails
Addressing emails
Personal emails
Freedom of information
Attachments
Spam
• Why it occurs
• Actions to take

Page 5:

Internet Use

Personal access
• Out of working hours
Monitoring - Disciplinary Action
Not to be viewed
• Adult/Sexually explicit topic
• Hacking
• Alcohol & Tobacco
• Spyware
• Intolerance & Hate
• Criminal Activity
• Gambling
• Personals & Dating
• Tasteless & Offensive
• Glamour & Intimate Apparel
• Illegal Drugs
• Violence
• Weapons
• Streaming Media Downloads
• Chat

Page 6:

Data Protection Act

Security of Person Identifiable Information (PII)

Confidentiality
Storage
Transfer

Page 7:

Principles of the Data Protection Act

Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than is necessary
Processed in line with your rights
Secure
Not transferred to other countries without adequate protection

Page 8:

Confidentiality

Security risks
• Not following the clear desk policy
• Not logging off a PC when it is not being used
• Talk e.g. the canteen
• Telephone conversations e.g. open ward
• Patients seeing their own notes

Page 9:

Storage of PII - Electronic

PII must not be stored on:
• Unencrypted laptops
• Non Biometric USB memory sticks
• CDROM / DVD unless encrypted
• External hard drives unless encrypted
• Any home PC
• Any PC not on central storage

Page 10:

Storage of PII - Paper

Medical notes must be held in Medical Records, in a locked office or in a locked notes trolley
Any PII should always be locked in a filing cabinet or desk drawer unless it is in a secure office

Page 11:

Transfer of PII – Electronic

Whenever possible PII should not be transferred
Email should not be used unless it is encrypted
PII should only be uploaded to secure web sites
For support please contact ISC Help Desk

Page 12:

Transfer of PII – Paper / Letters

Whenever possible PII should not be transferred
Ensure that the correct information is being sent to the correct person
Any letters containing PII should be clearly addressed ‘Private & Confidential’ and only this & the contact details should be visible
Requests for tests etc must always be sealed in an envelope
Use of Fax Machines should be discouraged

Page 13:

Transfer of PII – Medical Notes

The location of medical records should always be entered on the PAS tracking system
Medical records must always be sealed in an envelope
Staff should not ferry casenotes to other locations in their cars

Page 14:

Viruses

A virus is malicious code that can affect an individual PC or an entire network
The Trust has a comprehensive virus scanning and damage control system that starts up when a PC is turned on
Major sources are:
• Unsolicited emails
• Unlicensed software

Page 15:

Passwords

You must never let anyone use the password to your PC or any software you use
Do not keep lists of your passwords
Regularly change your password
Passwords must contain at least one number, one lowercase letter and one uppercase letter.

Page 16:

Unlicensed Software

The only software allowed on Trust PCs are the systems purchased by the trust
You are not allowed to load any software onto a Trust PC
Please contact ISC Help Desk if you require a programme for your work

Page 17:

PII and Audit / Research

Always review the need for PII. Could you just use an allocated patient identifier?
• The NHS number with no further PII is acceptable
Do not pull off PII from a system unless you are allowed to do so.
• Requests for reports should go through ISC Help Desk or individual Business Information Specialists

Page 18:

Guidance

Check the Trust’s Information Governance Policies on Synapse in
Email
• InformationSecurity&xxxxxxxxxxxxxx@xxxx.xxx.xx
Telephone
• (0161 20) 62601