IGT Policy Bundle

Optical Practice: [Insert practice name]
IG Lead: [Insert name of IG Lead]
Policy Bundle Date: [Insert Date of Policy implementation]
Policy Review Date: [Insert Date of Policy review]

Contents

Please note: Clicking on the requirement number will jump to that requirement.

Requirement | Description
114 | Work plan & IG Lead
115 | IG Policy
116 | Contract Clauses
117 | Staff training
209 | Offshore transfers
212 | Patient consent
213 | Patient awareness
214 | Confidentiality and data protection assurance
304 | Information security assurance
316 | Asset register
317 | Physical security
318 | Mobile Computing
319 | Business data continuity
320 | Incident reporting
321 | Information security assurance
322 | Information security assurance

Introduction

This document contains all of the relevant policies for compliance with IGT Level 2. Completion of the policies will enable you to list the Optical Confederation bundle as the evidence for all levels. This document can then be printed and retained on file as evidence.

It should be read in conjunction with:

I. Introduction to the NHS Information Governance Requirements for Optical Practices. This document provides a detailed description and guidance on each of the requirements and is intended for contractors and companies.

II. Information Governance Training Booklet for Optical Practice Staff. This document is intended as a training tool for optical practice staff to meet the requirements of the IG Toolkit.
Document name:
Date created:
Author:
Approved by:

[Insert Company Name]: Information Governance Work Plan
Requirement 114: Information Governance Work Plan

Requirement | Baseline rating | Work to be undertaken to meet Level 2 | Staff member responsible for task | Target date for completion of task
114 (IG Lead) | | | |
115 (IG Policy) | | | |
116 (Contract Clauses) | | | |
117 (Staff Training) | | | |
209 (Offshore transfers) | | | |
212 (Patient Consent) | | | |
213 (Patient Awareness) | | | |
214 (Confidentiality and Data Protection assurance) | | | |
304 (Information Security Assurance) | | | |
316 (Asset Register) | | | |
317 (Physical Security) | | | |
318 (Mobile Computing) | | | |
319 (Business Continuity) | | | |
320 (Incident Reporting) | | | |
321 (Information Security Assurance) | | | |
322 (Information Security Assurance) | | | |

Document name:
Date created:
Author:
Approved by:

[Insert Company Name]: Information Governance Policy
Requirement 115: Information Governance Policy

1. Purpose of Policy

This policy sets out the procedures, management accountability and structures that have been put in place within the Optical practice to safeguard the movement of personal data in the Optical practice.

2. Underpinning Procedures

The following procedures have been put in place to support the confidential handling of information within the Optical practice and the sharing of this information with other organisations:

- Staff Confidentiality Code of Conduct (sets out the standards expected of staff in maintaining the confidentiality of patient information);
- Staff Access Control and Password Management SOP (sets out procedures for the management of access to computer-based information systems);
- Data Transfer SOP (sets out procedures around the secure transfer of data, collecting consent and maintaining confidentiality within the Optical practice, including the use of safe havens);
- Incident Management SOP (sets out the procedures for responding to a security breach);
- Business Continuity SOP (sets out the procedures in the event of system failure);
- Portable Device Staff Guidelines (provides guidance for staff on the use of portable devices).

3. Staff Duties and Responsibilities

All staff, whether permanent, temporary or contracted, are responsible for ensuring that they remain aware of the requirements incumbent upon them for ensuring compliance on a day to day basis. These include maintaining confidentiality of data, ensuring secure storage of data and being aware of situations where disclosure may or may not be required.

4. Accountability and Responsibility for this Policy

The designated Information Governance Lead in the Optical practice is responsible for overseeing day to day Information Governance issues; developing and maintaining policies, standards, procedures and guidance; coordinating Information Governance in the Optical practice; raising awareness of Information Governance; and ensuring that there is ongoing compliance with the policy and its supporting standards and guidelines.
The Optical practice contractor (owner) is responsible for ensuring that sufficient resources are available to support the implementation of Information Governance procedures, in order to ensure compliance with legal and professional requirements and the NHS Information Governance requirements.

5. Monitoring this Policy

This policy will be reviewed at least annually.

6. Sanctions

Breach of this policy could lead to disciplinary action. Depending on the circumstances this could range from remedial training to dismissal.

Document name:
Date created:
Author:
Approved by:

[Insert Company Name]: Confidentiality code of conduct
Requirement 116: Confidentiality code of conduct

Staff members listed below have the example contract clause either added to their contract of employment or have signed a separate confidentiality clause.

Staff Member | Access to Patient Records & Data | Confidentiality Clause signed

Staff Confidentiality Agreement

1. I agree not to disclose, either during or after the termination of my employment, to anyone other than in the proper course of my employment, any information of a confidential nature.
2. I understand that breach of this agreement may lead to dismissal without notice and may result in prosecution or an action for civil damages under the Data Protection Act 1998.
3. I agree to abide by the standards set out in the staff confidentiality code of conduct.
4. I have read, understand and agree to the terms and conditions set out above.

Document name:
Date created:
Author:
Approved by:

[Insert Company Name]: Staff training log
Requirement 117: Staff training log

The following people from this Optical practice have seen the following documentation and guidance, have undertaken relevant training and confirm here their understanding of the responsibilities they carry for the proper handling of confidential patient information.
Documentation and Guidance

- IG Policy
- Confidentiality Code of Conduct (which includes guidelines for collecting patient consent)
- Data Transfer SOP
- Portable Devices Guidelines (for staff with portable devices)
- Information Governance Incident Management SOP
- Optical practice Information Governance Leaflet
- Terms and Conditions for the issue of Smartcards - Form RA01
  - Even those without a Smartcard should be aware of the permissible uses of a Smartcard and the security requirements around its issue and use.
- Access Control and Password Management SOP
- Business Continuity Training
- Optical Confederation Training Booklet for Optical practice Staff

[NB: The IG Training Booklet for Optical practice staff includes a staff signature list on the back cover which could alternatively be used to record completion of staff training]

Staff Member | Signature | Date

Document name:
Date created:
Author:
Approved by:

[Insert Company Name]: Offshore transfers (209)
Requirement 209: Offshore transfers

Requirements

Organisations are responsible for the security and confidentiality of personal information they process. Processing may include the transfer of that information to countries outside of the UK, and where person identifiable information is transferred, organisations must comply with both the Data Protection Act 1998 and the Department of Health guidelines.

Department of Health Guidelines

Organisations must also comply with the following guidelines issued by the Department of Health:

1. Person identifiable information must not be transferred outside of the UK unless an appropriate assessment of risk has been undertaken (see paragraph 10) and mitigating controls put in place.
2. The organisation should review the flows of person identifiable information identified for requirement 308 or requirement 322, dependent on organisation type, to understand whether information transferred to external organisations flows outside of the UK.
3. Information about overseas transfers of information must be included within the organisation’s Data Protection notification to the Information Commissioner and should ideally be included within the organisation’s Information Governance policy or equivalent document.
4. Decisions on whether to transfer person identifiable information must only be taken by a senior manager or senior care professional who has been authorised to take that decision.
5. Organisations will need to obtain an assurance statement from third parties that process the personal data of their service users or staff overseas. This assurance may be within the contract between the two organisations or within other terms of processing.

Data Protection Act Principles

1. Whilst compliance with the eighth Principle is crucial, organisations must also consider all the other Data Protection Principles before making an overseas transfer of person identifiable data.
2. Of particular importance is the first Principle, which in most cases will require that individuals are properly informed about the transfer of their information to a country outside the UK.

Determining Whether the Requirement can be marked ‘Not Relevant’

1. Organisations acting purely as a data processor on behalf of a data controller should only be processing personal data in accordance with their contractual agreement with the data controller. Therefore, it is the data controller who is responsible for assessing their organisation against this requirement. Data processors must still comply with the other Data Protection principles.
2. Those organisations which act as data controllers, joint data controllers or data controllers in common must assess themselves against this requirement and ensure any overseas transfers of information are notified to the Information Commissioner.
3. Where an organisation has determined that it makes no transfers of personal information to non-UK countries, this should be documented for audit purposes and the 'not relevant' attainment level option should be selected.

Document name:
Date created:
Author:
Approved by:

[Insert Company Name]: Offshore transfers (212 & 322)
Requirement 212 & (322): Patient Consent & Data Transfer

This document outlines the procedures that should be followed where sensitive or person identifiable information is being transferred to or from the optical practice. These procedures are in place to help prevent unauthorised access to information, loss of information, unauthorised disclosure of information or breach of legislation. These procedures apply to all staff working in the optical practice.

1. Maintaining Confidentiality of Data Received (Safe Havens)

The term safe haven is used to describe either a secure physical location or the agreed set of administrative arrangements that are in place within the optical practice to ensure confidential personal information is communicated safely and securely. Consulting rooms or staff only areas will be considered the optical practice’s ‘safe haven’ and are the location for patient information to be securely received; for example, faxes containing patient sensitive information should be sent to a fax machine in a staff only area. All post for the optical practice should be opened in staff only areas or consulting rooms.

A. When paper-based information is received it should be stored securely, as soon as practical, for example:
   (i) Information moved from the front counter to the staff only area.
   (ii) Manual patient records should be placed in filing cabinets which are lockable when not attended.

B. Computers should not be located where their usage can be observed, to avoid unauthorised access:
   (iii) Be careful where you site your computer screen: ensure any confidential information cannot be accidentally or deliberately seen by visitors or staff who do not have authorised access. Be especially careful with computer screens in the consultation area.
   (iv) Always keep your password confidential and do not write it down. Do not share passwords.
   (v) Password protected screensavers should be used where possible.
   (vi) Laptop computers should be locked up when not in use.

C. Ensure that confidential conversations are held where they cannot be overheard by members of the public. Ensure that sensitive medical issues are only discussed in the consultation area.

2. Only Transferring Data where Appropriate

A. The personal information contained in transfers should be limited to those details necessary in order for the recipient to carry out their role.

B. Before transferring data, consider whether there are any patient consent requirements that must be met before the transfer is made:
   A. A record of consent should be maintained where required, either on the relevant form where available (e.g. enhanced services forms etc.) or as a record made on the PMS.
   B. A patient has the right to choose whether or not to agree to the use or disclosure of their personal information, and the patient has the right to change their decision about a disclosure before it is made. If the patient indicates refusal to consent, they should be referred to the optometrist or practice manager, who can discuss the risks if consent is withheld and consider whether there is a legal requirement for sharing or, if there is no legal requirement, whether it is in the public interest or the vital interests of the patient (or anyone else affected) to disclose information.
   C. Only staff authorised by the contractor should have responsibility for obtaining consent for non-healthcare purposes, for example research.
   D. If the patient has detailed questions about consent, they should be referred to the optometrist or practice manager.
   E. If circumstances change, relevant to the sharing of consent, for example if there is a change of recipient, consent should be reaffirmed.

3. Securely Transferring Data

Consideration needs to be given to the mode of transfer and whether any specific controls are required to maintain the confidentiality of the data, e.g. encryption on electronic transfers.

A. Verbal Communication

- Be careful about leaving confidential messages on answer-phones (e.g. information about the patient’s eye health). The message might not be heard only by the intended recipient.
- Be careful when taking messages off answer-phones. Ensure that the messages cannot be overheard inappropriately when being played back.
- When receiving calls requesting personal information:
  a) verify the identity of the caller; for example, where this is not a known contact, this can be done by taking the relevant phone number, double checking that it is the correct number for that individual / organisation and then calling the recipient back;
  b) ask for the reason for the request;
  c) if in doubt about whether the information can be disclosed, tell the caller you will call them back, and then consult with your manager.
- Where information is transferred by phone, or face to face, care should be taken to ensure that personal details are not overheard by other people, including staff who do not have a “need to know”. Where possible, such discussions should take place in private locations and not in public areas, for example staff room.
- Messages containing confidential / sensitive information should not be left on notice boards that could be accessed by non-authorised staff.

B. Post

- Ensure envelopes are marked “Private & Confidential”.
- Double check the full postal address of the recipient.
- Carefully consider the method for sending confidential information based on the risk of loss.
- When necessary, ask the recipient to confirm receipt.

C. Faxing

- If faxing personal or confidential information:
  a) double check the fax number;
  b) ensure that you mark the fax header “Private & Confidential”.
- Always identify a named person, not a team, who needs to receive the fax.
- If faxing personal information to an organisation that doesn’t have a ‘safe haven’ fax machine where information can be received securely, take extra precautions; for example, let the recipient know when the fax will be sent, ask them to wait by the fax machine and confirm receipt. Most fax machines will allow ‘report’ sheets to be generated which also confirm the transmission was okay.
- If a particular fax number is going to be used regularly, store the number in the fax machine’s memory where possible to reduce the risk of typing errors.
- Don’t send faxes to an organisation outside of their working hours where there is no one present to receive them.

D. Communication by email

- Transfer of personal information by email should be avoided other than where both sender and recipient are using an NHSmail account (nhs.net to nhs.net accounts) or the information is sent as an encrypted attachment.
- If identifiable information must be sent other than via NHSmail, it MUST be encrypted to NHS standards.
- The email header should make it clear that the message contains confidential information.

Other Forms of Information Exchange (e.g. text messages, e-mail, IP phones etc.)

[Specialist guidance should be inserted for other forms of data transfer in use in the optical practice.]
Document name:
Date created:
Author:
Approved by:

[Insert Company Name]: Patient leaflet
Requirement 213: Patient leaflet

An example patient leaflet is available for download from http://www.qualityinoptometry.co.uk/documents/19%20%20IGT%20Leaflet.docx

Document name:
Date created:
Author:
Approved by:

[Insert Company Name]: Staff confidentiality code
Requirement 214: Staff confidentiality code

Please note that this document should normally be read and understood prior to the contract of employment or other confidentiality agreement being signed. If there is anything that is not clear, please contact your manager.

1. Purpose of Code

This code sets out the standards expected of staff in maintaining the confidentiality of patient information.

2. Legal Framework Governing Confidentiality and Staff Responsibility

All staff have a personal duty of confidence to patients and to their employer. The duty of confidence is conferred by common law, statute (for example the Data Protection Act 1998), contract of employment and, where applicable, professional registration.

3. What is Considered Confidential Information?

Personal information is data from which a living individual could be identified; this may include information such as name, age, address and personal circumstances, as well as sensitive personal information regarding race, health, sexuality, etc. Information is confidential when it is personal information given to someone who has a duty of confidence (the optical practice staff) in the expectation that it will not be disclosed without the consent of the provider of the information. Personal information may be known or stored on any medium. Photographs, videos, etc. are subject to the same requirements as information stored in health records, on a computer, or given verbally.

4. Keeping it Confidential: Following Optical Practice Procedures

The following procedures have been put in place to support the confidential handling of information and should be followed by all staff:

- Data Transfer SOP (sets out the procedures around the secure transfer of data, collecting consent and maintaining confidentiality within the optical practice, including the use of safe havens);
- Incident Management SOP (sets out the procedures for responding to a security breach);
- Business Continuity SOP (sets out the procedures in the event of systems failure);
- Portable Device Guidelines (provides guidance for staff that use portable devices and removable media);
- Access Control and Password Management SOP (sets out procedures for the management of access rights to computer-based information systems).

All staff need to ensure they are aware of the procedures that are relevant to their role and comply with them. Staff who have been issued with smartcards will need to comply with the smartcard guidelines (Requirement 304).

5. Passwords, smartcards and security

All users will be assigned a level of access to the practice management system that is appropriate to their role. Personal passwords should be regarded as confidential and must not be communicated to anyone or written down. No employee should attempt to bypass or defeat the security systems or attempt to obtain or use passwords or privileges issued to other employees. Any attempts to breach security should be immediately reported to your line manager.

6. Use of Email and Web-based Services

Email and internet usage should be restricted to work related issues.

7. Circumstances where Confidential Information can be disclosed

The optical practice will inform service users, staff and any other data subject why, how and for what purpose personal information is collected, recorded and processed. This will be achieved by leaflets and information provided face to face in the course of a consultation.
Personal information may be disclosed with patient consent where the disclosure is necessary for healthcare purposes and is undertaken by a health professional or a person owing an equivalent duty of confidentiality. Consent may be implied or explicit.

Explicit consent of the data subject is required where a disclosure of personal information is not directly concerned with the healthcare / treatment of a service user (e.g. medical research, health service management, financial audit, personnel data) or where disclosure is to a non-health care professional. Explicit consent may be given in writing or verbally. A basic explanation of what information is to be disclosed and why, and what further uses may be made of it, must be provided to the data subject, together with a description of the benefits that may result from the proposed sharing of information and any risks if consent is withheld.

Personal information may be disclosed without consent in certain circumstances, for example where permitted by law, e.g. where public interest overrides the need to keep the information confidential. All requests for disclosure without the consent of the data subject, including requests from the police, should be referred to the optical practice Information Governance lead.

8. Dealing with Access to Health Records Requests

Access to Health Records requests should be dealt with by the IG Lead. Patients are charged a fee of £10 for Access to Health Records Requests plus any costs for reproducing the records (e.g. photocopying). The requested information must be provided within 40 days.

- The patient should be asked to provide their name, address, postcode and date of birth to ensure correct identification of the patient’s records.
- The patient request should be in writing.
- The patient should be asked to provide identification before the records are shared, for example their passport or full driving licence.
- The patient should be asked to either collect the information in person from the optical practice or consent to the record being posted to them.

9. Offsite/Home Working Arrangements

Patient identifiable information must not be removed from the optical practice.

10. Support

For assistance with disclosure issues, please contact the Information Governance lead.

11. Abuse of Privilege and Breach of Confidentiality

It is strictly forbidden for employees to look at information about any patient, including any information relating to their own family, friends and acquaintances, unless they are directly involved in the patient’s care or with administration on behalf of the optical practice. Action of this kind will be viewed as a breach of confidentiality and may result in disciplinary action.

12. Possible Sanctions for Breach of Confidentiality

Breach of this code could lead to disciplinary action. Depending on the circumstances this could range from remedial training to dismissal. Prosecution or an action for civil damages may also be taken under the Data Protection Act 1998.

Document name:
Date created:
Author:
Approved by:

[Insert Company Name]: Smart cards
Requirement 304: Smart cards

NA to this optical practice [ ]

This document sets out the communication, monitoring and enforcement processes that are in place to ensure that staff members comply with the NHS national application smartcard terms and conditions of use (RA01 terms).

Communication

When staff receive their EPS Release 2 Smartcard, they will have been made aware of the RA01 terms and conditions and their responsibilities regarding Smartcard usage. Over time, the terms and conditions may change and smartcard users will be asked to accept the changes through their computer software. If staff members need access to a current copy of the terms and conditions, they can request this from the NHS England Area Team at any time.
All staff members that have EPS Release 2 Smartcards are asked to sign a staff signature list to confirm that they have read the terms and conditions and understand their responsibilities regarding Smartcard usage. Annual reminders are issued to staff on the terms and conditions and staff responsibilities.

Monitoring

Whether staff understand and are complying with the terms and conditions of smartcard usage is monitored through audit checks every 6 months. The standard optical practice IG audit checklist is used.

Enforcement

Staff members have been made aware that, where they have been issued with NHS Smartcards, they need to comply with the terms and conditions set down by the NHS for use of these cards. If staff members are found not to be complying, for example if this is identified through audit checks, the optical practice’s standard disciplinary procedures will be followed as outlined in the Staff Confidentiality Code. Depending on the circumstances, sanctions range from remedial training to dismissal. Prosecution or an action for civil damages may also be taken under the Data Protection Act 1998.

Document name:
Date created:
Author:
Approved by:

[Insert Company Name]: Information asset register
Requirement 316: Information asset register

Date | Id Number | Location | Date Decommissioned | Accessed patient data

Note: If the device is no longer used, enter the date it ceased to be used in the “date decommissioned” box. Accessed patient data is a yes or no answer. If a computer is used but cannot access patient data enter “no”; if it can access patient data enter “yes”. Examples may include an optometrist’s personal smartphone or laptop. These may be used for other business purposes without being able to access patient data.

Document name:
Date created:
Author:
Approved by:

[Insert Company Name]: Physical security risk assessment
Requirement 317: Physical security risk assessment

1: Are accessible windows protected with locks?
   Yes/No
   Risk Level: Red/Amber/Green
   Action Plan:

2: Are windows closed when the premises are closed?
   Yes/No
   Risk Level: Red/Amber/Green
   Action Plan:

3: Are external doors protected with locks?
   Yes/No
   Risk Level: Red/Amber/Green
   Action Plan:

4: Is there a burglar alarm?
   Yes/No
   Risk Level: Red/Amber/Green
   Action Plan:

5: Are screensavers in use on computers that are used to display information about patients?
   Yes/No
   Risk Level: Red/Amber/Green
   Action Plan:

6: Do computer system users have unique logon details?
   Yes/No
   Risk Level: Red/Amber/Green
   Action Plan:

7: Are laptops and other portable devices stored securely overnight?
   Yes/No
   Risk Level: Red/Amber/Green
   Action Plan:

8: Is back-up data stored securely?
   Yes/No
   Risk Level: Red/Amber/Green
   Action Plan:

9: Is IT equipment asset marked?
   Yes/No
   Risk Level: Red/Amber/Green
   Action Plan:

Document name:
Date created:
Author:
Approved by:

[Insert Company Name]: Mobile computing guidelines
Requirement 318: Mobile computing guidelines

NA to this optical practice [ ]

N.B: If the optical practice does not use any mobile computing, i.e. there are no laptops and smartphones, nor any portable device used to hold or transfer personal information (e.g. USB sticks and CDs/DVDs), ‘Level 2’ can be recorded, but the optical practice should indicate that their policy is that they have no mobile computing devices and staff should not use mobile computing devices in their role. This can be recorded in the optical practice contractor IG workbook (Introduction to the NHS Information Governance Requirements for Optical Practices).

This document outlines the guidelines that should be followed by staff when using portable computer devices, mobile phones and removable media.

Definitions:

Portable Computer Devices – this includes laptops, notebooks, tablet computers, smartphones and mobile phones.
Removable Data Storage Media – this includes any physical item that can be used to store and/or move information and requires another device to access it. For example, CD, DVD, floppy disc, tape, or digital storage devices (flash memory cards, USB disc keys, and portable hard drives). Essentially anything you can copy, save and/or write data to which can then be taken away and restored on another computer.

Scope

This guidance applies to all optical practice staff, including temporary staff. Only authorised staff should have access to portable computer devices and digital storage devices such as flash cards, USB disc keys and portable hard drives. Any member of staff allowing access to any unauthorised person, deliberately or inadvertently, may be subject to disciplinary action. Staff should not use unauthorised portable devices or digital storage devices (such as personal phones) for storing or communicating information.

Use of Portable Computer Devices

DO …

- Store portable equipment securely when not in use on site
- Store portable equipment securely when not in use off site
- Set up access controls, for example a personal password, where possible
- Ensure files containing personal or confidential data are adequately protected, e.g. encrypted
- Ensure that smartphones are configured so that they lock after a maximum period of 5 minutes inactivity. Once locked, the smartphone should be set to require password authentication to resume use.
- Install password protected screensavers on laptops
- Use and regularly update anti-virus software
- Take regular backups of the data stored on the portable equipment
- Obtain authorisation prior to the removal of portable equipment from the premises
- Be aware that software and any data files created by staff on optical practice portable computer devices are the property of the optical practice
- Report immediately any stolen portable equipment to the police and line manager
- Be aware that the security of your portable computer device is your responsibility, and you should check your home and car insurance policies to ensure they cover business use
- Ensure that portable devices are returned to the optical practice if you are leaving employment

DO NOT …

- Use your own portable computer device or digital storage device (such as flash cards, USB sticks and portable hard drives) for optical practice business unless authorised
- Leave portable equipment in places where it is vulnerable to theft
- Leave portable equipment visible in the car when travelling between locations
- Leave portable equipment in an unattended car
- Leave portable equipment unattended in a public place
- Install unauthorised software or download software / data from the internet
- Disable the virus protection software
- Use portable computer devices outside the optical practice premises without authorisation
- Allow unauthorised personnel/friends/relatives to use portable equipment in your charge
- Delay in reporting lost or stolen equipment
- Attach unauthorised equipment to the network
- Remove personal information off site without authorisation

Document name:
Date created:
Author:
Approved by:

[Insert Company Name]: Business continuity plan for data
Requirement 319: Business continuity plan for data

1. Introduction

The profession of optometry and optical practices differ vastly from the professions of dentistry and pharmacy.
As such, the Business Continuity Plan (BCP) should also differ vastly to those that are appropriate to the other professions. As such, in the context of Optometry, the BCP will concern itself only with ensuring the safeguarding of practice records. 2. Purpose The Business Continuity Plan is intended to help the optical practice overcome any unexpected incident to its premises, which may prevent the delivery of optometric services. The aim is to ensure the preservation of practice records in the event of an incident affecting its business. Where relevant the plan should be read in conjunction with the practice’s Incident Management Procedures. 3. Scope The plan is designed to enable the practice to resume activities whether the situation is one of full or partial loss of key assets. As such, it covers the protection of records only. 4. Responsibilities Under the Civil Contingencies Act 2004, the NHS Area Team organisation has a duty to ensure that those organisations delivering services on their behalf (i.e. contracted out services) or the capabilities that underpin those services, can be delivered to the extent required in the event of an emergency, e.g. flooding, pandemic flu, etc. However as optometry is contracted on a “paid per task” basis, with no stipulation on the minimum number of patient episodes, a more pragmatic approach needs to be taken. Optometric practices operate in a free market environment with no registration of patients to a particular practice or practitioner. As such patients are free to exercise choice and have an eye examination at any practice with a General Ophthalmic Services (GOS) contract. 24 Practices which hold community service contracts, (previously enhanced services) should notify the commissioner if the practice is unavailable for a significant time period so patients can be directed to alternative participating practices. 5. 
Loss of premises In the event of an incident that renders the practice unsafe or unusable for the purposes of GOS, arrangements should be made for the safe and secure recovery and storage of any practice computers or equipment which may hold patient sensitive data, and any patient records cards. Risk Assessment descriptors: Use the descriptors below to assess the Likelihood of a risk occurring Score 5 4 3 2 Descriptor Likelihood of occurrence Probable More likely to occur than not >50% chance >1 in 2 chance 1 Possible Unlikely Rare Negligible Reasonable Chance of occurring 50% to 5% 1 in 20 chance Unlikely to occur Will only occur in rare circumstances 0.5% to 0.05% 1 in 2000 chance Will only occur in exceptional circumstances 0.05% to 0.005% 1 in 20,000 5% to 0.5% 1 in 200 chance Risk Impact: Use the descriptors below to assess the Impact severity if a risk occurs Score 5 4 3 2 1 Descriptor Catastrophic Major Moderate Minor Insignificant Severity of Impact Permanent loss of core service or facility Sustained loss of service which has serious impact on delivery of patient care Some disruption in service with unacceptable impact on patient care. Non permanent loss of ability to provide a service Short term disruption to service with minor impact on patient care Interruption in a service which does not impact on the delivery of patient care or the ability to continue to provide a service. 25 Record the likelihood and impact of potential hazards and /or threats together with the recovery time frame options. 
Hazard or threat Likelihood Score Impact Score Loss of main premises Loss of computer systems/ essential data Loss of the telephone system Loss of essential supplies Loss of optical practice records Incapacity of staff Loss of electricity supply Loss of gas supply/gas heating Loss of water supply Loss of security systems 26 Option 1 Option 2 Option 3 (2 hours) (24 hours or more) (5 days or more) Document name: Date created: Author: Approved by: [Insert Company Name]: Incident reporting Requirement 320: Incident reporting Information security incidents are any event that has resulted or could have resulted in the disclosure of confidential information to an unauthorised individual, the integrity of the system or data put at risk or the availability of the information through the system being put at risk. Incidents may include theft, misuse or loss of equipment containing confidential information or other incidents that could lead to authorised access to data. 1. Procedures for Dealing with various types of Incident All staff should report any suspicious incidents to the IG Lead. Incidents should always be investigated immediately whilst there is still the possibility of collecting as much evidence as possible. Investigations should normally be co-ordinated by the IG Lead. The following procedures should be followed for particular breaches: A) Theft of equipment holding confidential information and unauthorised access to an area with unsecured confidential information: Check the asset register to find out which equipment is missing. Investigate whether there has been a legitimate reason for removal of the equipment (such as repair or working away from the usual base). If the cause is external inform the Police and ask them to investigate. If the cause is internal, establish the reason for the theft/ unauthorised access Consider the sensitivity of the data and the risk that it will be misused, to support assessing whether further action is appropriate (e.g. 
warning patients, informing the Police, PCT). Consider whether there is a future threat to system security and the need to take protective action e.g. change passwords Categorise and report the incident as described as per ‘recording and reporting’ requirements. B) Access to patient records by an authorised user who has no work requirement to access the record: Interview the person reporting the incident to establish the cause for concern. Establish the facts by; 27 o Asking the system supplier to conduct an audit on activities by the user concerned. o Interviewing the user concerned. Establish the reason for unauthorised access. Consider the sensitivity of the data and the risk to which the patient(s) have been exposed and consider whether the patient(s) should be informed. Take appropriate disciplinary action with staff and action with the patient(s) where appropriate. Categorise and report the incident as described as per ‘recording and reporting’ requirements. C) Inadequate disposal of confidential material (paper, PC hard drive, disks/tapes): This type of incident is likely to be reported by a member of the public, a patient affected, or a member of staff; Investigate how the data came to become inappropriately disposed. Consider the sensitivity of the data and the risk to which the patient(s) have been exposed and consider whether the patient(s) should be informed. Take appropriate action to prevent further occurrences. (e.g. disciplinary, advice/training, contractual) Take appropriate action with the patient(s) as appropriate Categorise and report the incident as described as per ‘recording and reporting’ requirements. 
D) Procedure for dealing with complaints about patient confidentiality by a member of the public, patient or member of staff: Interview the complainant to establish the reason for the complaint (Note, any complaint by a patient in relation to his NHS services must be investigated and handled in accordance with the Terms of Service) Investigate according to the information given by the complainant and take appropriate action. Take appropriate action with the patient(s) as appropriate Categorise and report the incident as described as per ‘recording and reporting’ requirements. E) Loss of data in transit e.g. when posting GOS 18 referral forms to the GP surgery or to the Hospital Eye Service. Investigate, as far as possible what has gone missing and where Consider the sensitivity of the data and the risk to which the patient(s) have been exposed and consider whether the patient(s) should be informed. 28 Take appropriate action to prevent further occurrences. (E.g. process (was the envelope correctly addressed, is there further safeguards that could be introduced). Take appropriate action with the patient(s) as appropriate Categorise and report the incident as described as per ‘recording and reporting’ requirements 2. Procedures for recording incidents A record of all incidents, including near-misses, should be made by completing a copy of the information security incident report form. Incidents should be classified in the log according to severity of risk to patients and the optical practice using the following incident classification system described below. For nearmisses, consider the likely impact if the breach had occurred. Incident Classification: Insignificant: Minor: Moderate: Major: Critical: Minimal discernible effect on patients or the optical practice. Minor breach, for example data lost but files encrypted, less than 5 patients affected. Moderate breach, for example unencrypted clinical records lost, up to 20 patients affected. 
Inconvenient to the optical practice but manageable. Potential for damage to the optical practice’s reputation. Serious breach, for example unencrypted clinical records lost, up to 1,000 patients affected or particular sensitivity. e.g. mental health status Serious breach in terms of volume of records, for example over 1,000 patients affected or particular sensitivity of records. Potential for damage to the optical practice’s reputation and/or local media coverage. Damage to the reputation of the NHS and the optical practice profession. Potential for national media coverage. 3. Procedures for reporting incidents Incidents should be reported to the optical practice Information Governance lead. The Information Governance lead will determine whether there is also a need to report the incident to others depending on the type and likely consequences of the incident, e.g. inform the Police, the PCT, the optical practice’s insurer etc. Although there is no legal requirement to do this, where there is high risk of harm to patients, it is considered best practice to also inform the Information Commissioner. 29 Document name: Date created: Author: Approved by: [Insert Company Name]: Information security assurance – role-based access Requirement 321: Information Security Assurance – Role Based Access Technical access controls are built into information systems by Optical practice IT system suppliers. To ensure data is safeguarded, this functionality must be complemented by operational and managerial controls put in place in the Optical practice. This document outlines the procedures for managing access to systems. 1. Scope of the procedure This procedure provides guidance on how staff access to the Patient Medication Record system is managed. 2. Authorising Access to the System The following individual(s) are responsible for ensuring staff in the Optical practice have appropriate access rights to the system where required: IG Lead. 
Note: Ideally, all users should be assigned an individual user ID with the access level set at the lowest level possible that still permits the staff member to undertake their role. However, there is a balance between security and usability of systems and it is recognised that individual staff logins may not be a practical option at this time, for example to control access to the PM system by Optical practice staff. Decisions on the extent of access controls applied should be taken by the Optical practice contractor based on the risks of unauthorised access, the nature of the data and the impact on Optical practice workload of any controls. 3. Managing Changes to Access Rights A. Joiners As part of normal induction processes new staff required to use the computer system will be issued with a user name, password and access rights appropriate to their role. B. Profile Changes Whenever there is a temporary or permanent significant change in the way a person works, a review of their access rights must be carried out. C. Leavers When staff members leave permanently, their profile should be removed. 30 D. Locums Locum staff should be given temporary log on details, the password for this log on should be changed once the locum has finished their contract of employment. E. Forgotten Passwords Any staff member who has forgotten their password should contact IG Lead. F. Misuse If any staff member suspects misuse for example if their password has been accidentally disclosed, this must be reported to the IG Lead. Depending on the severity of the allegation an investigation maybe required and appropriate disciplinary measures taken. 4. Procedures for staff in relation to logging in to the system Please mark any procedures which are implemented regarding passwords and login. 
Password must be changed after first login [ ] Password must contain at least 8 characters [ ] Password must contain a mix of alpha numeric characters [ ] Password must contain a mix of upper and lower case characters [ ] Passwords must be changed every 90 days [ ] Passwords cannot be reused [ ] Password can be changed at user request [ ] 5. Local Audit The management of access rights will be subject to internal audit to ensure that this procedure is being followed. The audit will be undertaken every 12 months and will be coordinated by the IG Lead. Areas considered in the audit: Are only staff regularly working in the Optical practice registered as active users on the system Is there any evidence of staff sharing their access rights 6. Requirements for periodic review of the procedure The procedure will be reviewed annually taking into consideration changed in national guidance and changes made to the technical access controls in systems by Optical practice system suppliers. 31 Document name: Date created: Author: Approved by: [Insert Company Name]: Information security assurance – data transfer Requirement 322: Information Security Assurance – Data Transfer Describe the nature of the information flow between the Optical practice and the external organisation, e.g. data item, format, transfer method Patient or Guardian Referral letter copies, Prescription copies, Patient Recall letters, patient record copies. NHS England NHS sight test vouchers and NHS optical vouchers Identify the type and risk level of breaches of confidentiality Describe the measures taken to mitigate the risk of breaches in confidentiality of information that is passed between the optical practice and the external organisation Low Information only sent to Confirmed patient address by mail. 
Low Forms sent by recorded delivery or delivered by practice staff member Low Forms sent by recorded delivery or delivered by practice staff member HES Referral letters Low Sent by post, fax to safe Haven, or email using NHS Mail or encrypted email. GP Referral letters Low Sent by post, fax to safe Haven, or email using NHS Mail or encrypted email. Low Sent by post, fax to safe Haven, or email using NHS Mail or encrypted email. Telephone if patient identity can be verified and consent obtained. Low Minimum data sent, order Number or surname identifier Used. CCG Payment forms for Community services Another optical practice Spectacle prescription copy, Contact lenses prescription Copy. Glazing lab Spectacle prescription 32 Wholesale supplier Contact lens prescription, Spectacle prescription Low Minimum data sent, order Number or surname identifier Used. Tertiary Ophthalmology Service Tertiary Ophthalmology Service Low Sent by post, fax to safe Haven, or email using NHS Mail or encrypted email. Review of compliance with Data Transfer Procedures (322/Level 2) Are envelopes containing personal information being marked ‘private & Confidential’? Confirmed that personal information is not being sent via email other than from NHS.net addresses to NHS.net addresses? When providing information over the telephone is the callers identify always confirmed? Confirmed that staff members are not copying any personal information to unencrypted memory sticks? Optical Practice Map of Information Flow The diagram below shows the standard map of data flow for optical practices. Patient or guardian NHS England CCG Optical practice HES GP Another optical practice Glazing Lab Wholesale supplier Tertiary Ophthalmology service 33 Telephone & Personal Conversations: Mapping can only be carried out on tangible information flows and where physical evidence of the information exists. If telephone calls are recorded or discussions transcribed to tapes etc. 
which are then routinely sent to different locations, these will count as data flows. The security and confidentiality of telephone and personal conversations is clearly very important but must be addressed through policies, procedures and staff training. Transfers within an Optical Practice Company: Transfers within an optical practice company do not need to be documented in this mapping exercise; however optical practice companies should ensure they meet their legal obligations including compliance with the Data Protection Act. 34