Introduction

This policy has been designed to provide a framework of control and safeguards for the security of the information and systems used within Kingsbury Road Surgery.  General practice has a legal obligation to comply with all appropriate legislation in respect of Data, Information and IT Security. It also has a duty to comply with guidance issued by the Department of Health, other advisory groups to the NHS and guidance issued by professional bodies.

Information systems form a major part of the efficiency of a modern general practice. Adequate security procedures are critical in ensuring the Confidentiality, Integrity and Availability of these systems.

It is important that a general practice has an information security policy to provide management direction and support on matters of information security and confidentiality in general practice.

The Information systems used by the practice are valuable assets to the practice. The assets comprise equipment, software and data, essential to the effective and continuing operation of the practice.

Much of the data held at the practice is of a confidential nature, and it is necessary for all information systems to be protected against any events, accidental or malicious, which may put at risk the information we hold.

This policy applies to all information systems used by, or for, the practice. ‘Information systems’ include both computer-based systems and, non-computer-based systems. All staff are required to adhere to this policy.

This policy is in addition to the requirements specified within the NHSnet General Practice Code of Connection.

Purpose and Scope of Policy

The purpose of this policy is to protect, to a consistently high standard, all information assets. The policy covers security which can be applied through technology but also, it encompasses the behaviour of the people who manage information in the line of day to day running of the practice. It aims :

• To bring to the attention of all managers and staff, their responsibilities under the requirements of relevant legislation, including Data Protection Act 2018 and Human Rights legislation and guidance, and the importance of ensuring the confidentiality of personal and sensitive data.
• To ensure that the practice complies with current legislation and EU Directives, meets its statutory obligations and observes standards of good practice.
• To minimise the risk of security breach and prosecution.
• To meet the requirements for connection to the NHS network.

Information security is to ensure an appropriate level of:

• Confidentiality: Information is obtained, held and disclosed lawfully and data access is confined to those with specified authority to view and/or change the data.
• Integrity: Information shall be complete and accurate. All system assets and networks shall be operating correctly according to specification. This means that everyone involved is required to maintain the integrity of all the data within the practice by:
  • Taking care over input
  • Checking that the correct record is on the screen before updating
  • Learning how the systems should be used and keeping up-to-date with changes which may affect how it works
  • Reporting apparent errors to the Information lead – Dr P S Jhittay

Staff Responsibilities

All members of staff are required to preserve the security of the assets and information of the practice and bring any concerns that threaten this security to the attention of the Information lead.

All staff are responsible for information security and therefore must understand and comply with this policy and associated guidance. Failure to do so may result in disciplinary action. In particular all staff should understand:

• What information they are using, how it should be protectively handled, stored and transferred
• What procedures, standards and protocols exist for the sharing of information with others
• How to report a suspected beach of information security within the practice
• Their responsibility for raising any information security concerns with the Practice Manager

Contracts with external contractors that allow access to the practice’s information systems must be in operation before access is allowed. These contracts must ensure that the staff or sub-contractors of the external organisation comply with all appropriate security policies.

Each member of staff must be aware of his/her responsibilities when using information that is personal and be aware that it may only be used in accordance with the Data Protection Act 2018.

Staff must also be aware that clinical information within a general practice is governed by the Common Law Duty of Confidentiality and Caldicott good practice principles.

Information security is primarily about people but is facilitated by the appropriate use of technology.

Use of Telephone, Internet & Email & Social Media

All staff have been provided with and have access to the OHP staff handbook which sets out their responsibilities in relation to use of telephone, internet, email and social media. The staff responsibilities are as follows:

You are likely to be provided with access to a telephone, internet and email for the proper performance of your duties. The use of practice telephones, internet and email for non-work-related matters is not allowed unless in the event of a genuine emergency or with the prior permission of a manager. Personal mobile phones should only be used in your own time.

Email and internet facilities must not be used for accessing or downloading non-work-related material. Anything containing material that could reasonably be perceived to be defamatory, discriminatory, obscene or pornographic must not be viewed, sent or forwarded on. Accessing, storing, displaying or sending such material is likely to amount to gross misconduct.

All email communications should be drafted with care, just as you would a letter on paper. Emails must not contain any derogatory comments which if viewed by the subject could give rise to offence or upset.

You should have no expectation of privacy in any email sent or received or in your use of the internet or telephone. Regular monitoring of internet, email and telephone usage will take place to ensure that these rules are being fully complied with.

The use of social media whilst at work is not permitted unless expressly authorised as part of your duties. You also need to exercise caution in your use of social media outside work. You must not post anything which could breach confidentiality or damage the reputation of OHP, whether intentionally or otherwise and whether in OHP’s time or your own. It is not permissible for you to post any comment which could be considered offensive if viewed by a fellow member of staff, a patient or other third party. Breach of this policy is likely to constitute a gross misconduct offence.

Security Control of Assets and Risk Assessment

In order to make the best use of resources, it is important to ensure that each Information system is secured to a level appropriate to the measure of risk associated with it. A risk assessment will be carried out for each of the practice’s information systems and measures put in place to ensure each system is secured to an appropriate level.

Responsibilities and procedures for the management and operation of all computers and networks should be established, documented and supported by appropriate operating instructions. All ICT assets, (hardware, software, application or data) shall have a named Information Asset Owner (IAO) who shall be responsible for the information security of that asset.

It is important to ensure that all staff and assets are secure to prevent unauthorised access, damage and interference to the daily workings of the practice.

The practice must carry out a risk assessment which assesses whether adequate measures are in place. If adequate measures are not in place, appropriate action must be taken to reduce the level of risk.

Effective security measures are essential for protection against a risk of an event occurring, or to reduce the impact of such an event. Such events may be accidental or a deliberate act of sabotage.

A range of security measures can be deployed to address:

• The threat of something damaging the Confidentiality, Integrity or Availability of information held on systems or manual records
• The impact that such a threat would have if it occurred
• The chance of such a threat occurring

Computer system Security

Management of computers and networks is controlled through standard documented procedures. Where we engage with third parties we stipulate our privacy expectations. They are under a strict duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

In order to minimise loss of, or damage to, all assets, equipment shall be; identified, registered and physically protected from threats and environmental hazards.

Assets and equipment must not be removed from the premises or lent to anyone without the permission of Dr P S Jhittay or the Practice Manager.

Practice systems must only be used for approved purposes authorised by Dr P S Jhittay.

Only suitably qualified or experienced staff should undertake maintenance work on, or make changes to, the practice systems.

Only authorised software may be installed and it must only be used in accordance with the software licence agreement.

Adequate documentation should be produced or made available for users as appropriate.

To maintain the integrity and availability of practice systems, backups of practice software and information must be taken regularly.

All information security incidents, near misses, and suspected weaknesses are to be reported to Dr P S Jhittay and the Practice Manager. It will be the responsibility of either Dr P S Jhittay or the Practice Manager to contact Leanne Hoye ( Data Protection Officer) to discuss if the incident needs further reporting e.g. as an “Adverse Incident”.

Passwords

Each individual is responsible for keeping their own password secure, and must ensure it is neither disclosed to nor used by anyone else, under any circumstances. Staff must only access systems using their own login and password. All staff are accountable for any activity carried out under their login and password, and this is audited.

Passwords must be adequate to provide the first line in defence to unauthorised access to data or systems.

Passwords should be a minimum of 8 characters in length with a mixture of letters and numbers and have an expiry date.

Passwords must be changed regularly.

Control of Access to Information

Access is controlled on the basis of service requirements. Access to information shall be restricted to users who have an authorised business need to access the information and as approved by the relevant Information Asset Owner.

Access must be granted to, and revoked from, information systems in a controlled manner.

The user list must be reviewed regularly.

Leavers and those no longer requiring access for their duties must be removed from the system immediately.

Access to ICT facilities shall be restricted to authorised users who have a business need to use the facilities.

Access to data, system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need e.g. systems or database administrators.

Authorisation to use an application shall also depend on the availability of a license from the supplier.

Protection from malicious software

Unless completely isolated, computer systems are continually at risk from virus infection. Viruses may be received as:

• an e-mail message or as an attachment to a message
• a macro within a word or spreadsheet document
• an infected program that has been downloaded
• an addition to removable media e.g. CD’s

The practice shall use software countermeasures and management procedures to protect itself against the threat of malicious software. All staff shall be expected to co-operate fully with this policy. Users shall not install software on the practice’s property without permission from the Information Lead. Users breaching this requirement may be subject to disciplinary action.

If a virus is suspected, prompt action is essential: inform the Security lead immediately.

Removable media

Removable media of all types that contain software or data from external sources, or that have been used on external equipment, require the approval of the Information lead before they may be used on the practice systems. Such media must also be fully virus checked before being used on the practice’s equipment. Users breaching this requirement may be subject to disciplinary action.

Monitoring System Access and Use

An audit trail of system access and staff data use shall be maintained and reviewed on a regular basis. The practice will put in place routines to regularly audit compliance with this and other policies. In addition it reserves the right to monitor activity where it suspects that there has been a breach of policy. The Regulation of Investigatory Powers Act (2000) permits monitoring and recording of employees’ electronic communications (including telephone communications) for the following reasons:

• Establishing the existence of facts,  Investigating or detecting unauthorised use of the system
• Preventing or detecting crime
• Ascertaining or demonstrating standards which are achieved or ought to be achieved by persons using the system (quality control and training)
• In the interests of national security
• Ascertaining compliance with regulatory or self-regulatory practices or procedures
• Ensuring the effective operation of the system.

Any monitoring will be undertaken in accordance with the above act and the Human Rights Act and any other applicable law.

New information systems

The practice shall ensure that all new information systems, applications and networks include a Data Protection Impact Assessment (see ICO guidance and contact Leanne Hoye – data Protection Officer for advice) and are approved by the Information lead before they commence operation.

Monitoring

Compliance with this policy will be monitored via the Security Lead/Practice Manager, together with independent reviews on a periodic basis.

Training

Training will be provided to staff on induction and refreshed every year to ensure they are aware of their confidentiality obligations in line with this policy.

Useful Links

• Data Protection Act 2018: www.legislation.gov.uk
• General Medical Council’s updated GDPR guide to confidentiality: www.gmc-uk.org
• Article 8 of the Human Rights Act (1998) refers to an individual’s “right to respect for their private and family life, for their home and for their correspondence”. This means that public authorities should take care that their actions do not interfere with these aspects of an individual’s life: www.legislation.gov.uk
• The Computer Misuse Act (1990) makes it illegal to access data or computer programs without authorisation and establishes three offences: www.legislation.gov.uk
• The NHS Confidentiality Code of Practice (2003), updated Nov 2010, outlines for main requirements that must be met in order to provide patients with a confidential service: www.webarchive.nationalarchives.gov.uk