Data Security Policy

 

BACK TO MAIN INDEX

 

To attain a copy of the full policy, please contact the surgery.

Author
  • Fionnuala O'Donnell (NHS Ealing CCG & The Argyle Surgery)
  • Phillip Martin (North West London Collaboration of Clinical Commissioning Groups)
Contributors
  • Abhilash Abraham (North West London Collaboration Of Clinical Commissioning Groups)
  • Laurie Slater (North West London Collaboration Of Clinical Commissioning Groups & Brook Green Surgery)
  • Abbie Wallace (North West London Collaboration Of Clinical Commissioning Groups)
  • Hannah Greenwood (North West London Collaboration Of Clinical Commissioning Groups)
  • Ernest Norman-Williams (North West London Collaboration Of Clinical Commissioning Groups)
  • Christine Dunne (North West London Collaboration Of Clinical Commissioning Groups)
Date of issue 03/2021
 

Aims and objectives

  • To ensure practice has systems and processes in place to ensure data security of patient and staff confidential information
  • To demonstrate practice compliance with data protection and security toolkit
 

Accountability

Data Controller Role

"Under the GDPR the data controller is the organisation that ‘determines the purposes and means of the processing of personal data’. In other words, the data controller has overall control of the data and decides how, why, what, when, where and for how long data are to be processed. GP practices are data controllers for the data they hold about their patients. Although almost all practices will have data that are processed on their behalf by third parties, for example their IT system suppliers, it is the practice as data controller that has the responsibility for compliance under the Regulation."

(BMA guidance)

The partners of the practice are the data controllers (Dr Ali Al-Rufaie and Dr Bavani Dharmawardene).

Caldicott Guardian Role

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of people's health and care information and making sure it is used properly. All NHS organisations and local authorities providing social services must have a Caldicott Guardian who is required to be registered on the publicly available National Register of Caldicott Guardians.

The practice Caldicott guardian is (Dr Bavani Dharmawardene).

Data Protection Officer

GP Practices are considered Public Authorities under the provisions set out within schedule 1 Freedom of Information Act 2000. This is due to the processing of Personal Confidential data for the NHS. GDPR specifies that all Public Authorities are required to appoint a Data Protection Officer (DPO).

The activities of the DPO within General Practice are detailed within the Information Governance Alliance GDPR guidance note for GPs.

The DPO for the practice is NWL DPO Service.

Registration with ICO

The practice is registered with the ICO. The practice registration number is Z7287734.

 

Records Management

All staff who create, receive and use records have record management responsibilities.  Staff who make entries in medical records should do so in accordance with record keeping standards. (The Good Practice Guidelines for GP Electronic Clinical Records provides a useful resource).  It is each individual staff member’s responsibility to keep up to date with and adhere to relevant legislation, case law and national guidance.  Records management guidance will be provided at induction and at relevant intervals thereafter.  Any queries should be directed to Caldicott Guardian or Practice Manager.

For a summary indicating how different types of records are managed, please contact the surgery.

 

Data Security

Physical security

This includes (but is not limited to):

  • Lockable doors, windows and cupboards
  • Clear desk procedures: The practice has a clear desk policy which means that any patient identifiable information in paper form must be scanned or shredded at the end of the session and NOT left on desks.  There is a weekly sweep carried out by the admin team and any paperwork left lying on desks will be highlighted to the relevant clinician and repeated breaches will be dealt with under the disciplinary policy.
  • Identification ID: all staff is issued with an ID badge and lanyard and this must be worn at all times.  Any suspicious behaviour by people not wearing ID badges should be challenged appropriately.
  • The practice has code locks in the following locations (insert locations)

Technical security

This includes but is not limited to:

  • Role based access: Having access based on your role to only access the information you need for the role.
  • Least privilege: Have the minimum amount of rights to access systems to carry out your role.
  • Smartcard enabled access
  • Using NHS mail to NHS mail only for patient identifiable data.  Practices should record their policy for emailing non NHS mail addresses e.g. to patient with their consent if this happens.
  • Encryption Both of data at rest (where it is stored) and in motion.
  • o    The local IT team provide laptops for remote working and these are included on the practice asset register and encrypted by the IT team. If practices use any kit not provided by IT team, the practice should detail the process for ensuring this is encrypted.
  • o    With the exception of information that is classified for public release, all information that leaves NW London CCG’s physical locations must be encrypted (e.g. laptops, File Transfer Protocols (FTP), PDAs etc.).
  • All encryption algorithms and products must be formally approved for use within NW London CCG’s by the Information Security Manager, and comply with currently available and internationally recognized standards for use by Financial Services Institutions (e.g. AES 256 bit, SSL 128 bit)
    • Only NW London CCG’s approved standard algorithms and products may be used.
    • Appropriate measures must be taken to prevent the unauthorised disclosure of encryption keys and digital certificates. Staff who have their own log in are reminded not to share their passwords.
    • Encryption keys must be changed immediately if there is any suspicion that they may have been compromised.
    • Where encryption keys are transmitted over communications lines, they keys themselves must be sent in encrypted form using encryption of at least equal strength to that used to create the keys being transmitted.
  • Pseudonymisation techniques - the practice uses strategic IDs rather than patient identifiable information where necessary for example to verify claims.
  • Using test data (where appropriate) for example using test patient in training scenarios.
  • Staff training
  • Audits

Working from mobile devices

Staff may work from home with the prior agreement of the partners.  Those staff authorised to work from home should be issued with a practice laptop which is encrypted and has secure VPN access.  The practice does not take any responsibility for staff using their own devices to work from home and the staff member should ensure that their own device is encrypted and secure.

Home PCs/Laptops

It may be necessary for staff to use their own device to access NHS Mail from home from time to time and the practice issues the following advice to all staff:

  • Up to date Antivirus Software must be installed
  • Encryption software should be installed
  • Patient Identifiable Information should never be stored on a local machine.

Mobile Device

  • Any staff member accessing NHS mail on their mobile phone should inform the practice manager.
  • Any staff member who accesses NHS mail on their mobile phone must keep the mobile up to date with any software updates as advised by the mobile provider.
  • Any staff member who accesses NHS mail on their phone should take appropriate precautions to ensure mobile phone is secure and not accessible to others.
 

Network security

  • All additions or modifications to the physical network or network equipment must be requested through the local IT service desk.
  • All equipment that can communicate outside of the practice network such as modems, firewalls, wireless systems etc. are subject to assessment by the IT service desk and have configuration standards reviewed and approved.
  • Any Patient Identifiable information which is stored on the practice network drive (e.g for patient audits etc) must be kept in a separate folder with appropriate access privileges so that only the staff that need to see the data have access.  
  • The practice has a records retention schedule (appendix 2).  This also applies to data stored on shared network drives and the practice has a process for reviewing data held on shared drives and deleting and archiving data as appropriate.
  • There is a management drive on the shared folder accessible only to authorised users; restricted or confidential information is not stored on shared network drives.
  • Servers, operator consoles, network and communication equipment are located (insert location).  The practice ensures that there is no unauthorised access to this room. Network cables are well protected as far as possible in walls, false ceilings or raised floors.
  • Connecting modems /third party telephone devices etc. to Practice network or other network devices is only done in a controlled manner by the Practice Manager following appropriate approvals from practice IT lead and/or IT service desk.
  • The local IT team is responsible for regular penetration testing of the network from both internal and external points.
  • Application installation, upgrades and patches to software currently installed is performed by IT service desk
  • All network segments that are adjacent to the internet or untrusted networks must be subject to real time monitoring to detect and prevent intrusions and malicious actions which may compromise NWL- CCG’s networks and information. For example access given to third party companies e.g. telephony companies should be agreed with the IT service desk before it is procured and installed.  The IT Service desk monitors real time intrusions to the networks to ensure the security of the network.
  • Practice staff are trained on information governance at induction and annually thereafter and will not give out IP addresses to unauthorised personnel.
  • The IT team ensures that firewalls are configured on a “default deny” basis with the minimum connectivity that is needed for business and essential support purposes.
  • Mechanisms must exist to enforce the logical segregation of networks with different classifications according to the principles below.  These are documented by the IT team and are subject to formal change control.
  • Any junction between a trusted, untrusted or semi-trusted network must be segregated by a Stateful firewall device approved by Information Security.
  • By definition, a trusted and an untrusted network may not be directly connected, but must be segregated by either a DMZ that is semi-trusted or two approved firewalls.
  • Services and information offered externally to NWLCCGs must be hosted in a DMZ that is segregated by a firewall from NWLCCGs internal resources.
  • All changes to firewalls and other perimeter devices must be independently reviewed and approved by Information Security Manager on the basis of risk prior to implementation
  • Firewalls or related access control systems must be subject to independent security review at least once per calendar year.  The practice firewall and routers are provided by NWL IT, and this will be done automatically by the IT team.
  • Firewall logs must be archived away from the device and retained for at least 18 months.
  • Wherever practical, firewalls are to be segregated from other network or server equipment and configured with the minimum set of services possible for their core functions as a firewall. This is a mandatory requirement of firewalls connected to the Internet.
  • The practice has a hardware and software asset register that is kept up to date
  • The practice complies with NWL CCG IT department maintaining up to date anti-virus protection on all the practice hardware
  • Any portable devices are checked for malware and antivirus software before being used at the practice.
 

Staff Training

When staff starts with a new organisation, it is during their induction period when they can be at their most vulnerable. They may not understand the organisation’s systems, policies and procedures, its cultures or norms.

The induction should help staff understand their obligations under the National Data Guardian’s data security standards in their organisation. It should cover the following areas:

  • The importance of data security in the health system
  • The NDG data security standards particularly the three standards relating to personal responsibility (standard 1, 2 and 3)
  • Using and sharing personal information in accordance with data protection legislation
  • Common law duty of confidentiality
  • The applicable laws (GDPR, FOI etc.) knowing when and how to share and when not to share
  • National Data Opt out model
  • Understanding what social engineering is
  • Safe use of social media and email
  • Dangers of malicious software
  • How to protect information
  • Knowing how to spot and report data security breaches and incidents

All staff must complete mandatory information governance and GDPR training on an annual basis. The percentage rate of staff completing this will be monitored and followed up to ensure compliance. All staff are aware that there may be spot checks to check knowledge of their responsibilities to protect information.

 

To attain a copy of the full policy, please contact the surgery.