Information Governance

Presentation transcript:

Information Governance
Pauline Nordoff-Tate – Information Assurance Manager
Dr. Andrew Loughney – Caldicott Guardian
David Walliker – Senior Information Risk Owner (SIRO)

What is Information Governance and Data Security?
Good information underpins good care. Patient and service user safety is supported when the confidentiality of personal information is maintained, its integrity is protected against loss or damage, and the information is accessible to those who are authorised. Everyone who uses health and care services should be able to trust that their personal sensitive information is protected. People should be assured that those involved in their care, and in running and improving the services, are using such information appropriately and respecting patient choices where allowed.

What is Information Governance and Data Security?
Information Governance is about how Health & Social Care organisations and their employees must handle sensitive information. Technology and systems must be designed with privacy in mind, so that information is used safely and effectively without posing an unacceptable risk to our hospital or our patients. We all have a duty to protect public information in a safe and secure manner.

General Data Protection Regulation (GDPR)
On 25th May 2018 the General Data Protection Regulation (GDPR) came into force. It was designed to modernise data protection law and protect the personal information of individuals. As well as putting new obligations on organisations that collect personal data, GDPR gives individuals much more power to access the information held about them. One of the biggest and most talked-about elements of GDPR has been the increase in the level of fines that can be imposed on organisations that suffer serious breaches. These fines can now be up to €20 million, up from £500,000.

The Six Principles of the General Data Protection Regulation
1. All data shall be processed lawfully, fairly and in a transparent manner.
2. All data shall be processed for specified, explicit and legitimate purposes.
3. All data shall be adequate, relevant and necessary for its purpose.
4. All data shall be accurate.
5. All data shall not be kept for any longer than is necessary.
6. All data shall be processed so as to ensure security against unauthorised or unlawful processing and against loss, destruction and damage.

Types of Information
In a hospital setting we come into contact with various types of personal information about people. It is important to be able to identify these different types of information so that they can be appropriately protected when they are used and shared. The two categories of information, with examples, are identified below:
Personal Data:
- Name
- D.O.B
- Address
- RQ6 Number
- NHS Number
Sensitive Data:
- Race or Ethnic Origin
- Religion
- Sexual Orientation
- Medical History
- Trade Union Membership

The Caldicott Principles
The Caldicott principles must be used when accessing and using Patient Identifiable Information (PII) or confidential information, and must be upheld by all healthcare organisations.
1. Justify the purpose of using confidential information
2. Only use it when absolutely necessary
3. Use the minimum information required
4. Allow access on a strict need-to-know basis
5. Always understand your responsibility
6. Understand and comply with the law
7. The duty to share information can be as important as the duty to protect patient confidentiality

Incident Reporting (Datix)
- All incidents should be reported on the Trust incident reporting system (Datix) on the Staff Intranet.
- Report incidents on Datix within 48 hours.
- Personal data should not be included on Datix.
- If advice is needed when completing an Information Governance incident, contact the IG Team (ext: 3671).

Cyber & Data Security
Malware
Malicious software (malware) can reside on your computer and evade detection, making it easier for someone to be active on your system without you noticing. Malware can make computers run slowly or perform in unusual ways. If you suspect that your computer is not performing as it normally does, contact the IT department on 5499.
Computer Security
You should lock your PC or device as soon as you stop using it. All mobile phones, laptops, PCs and tablets, whether personal or not, should have a password set. If you see a colleague's device open and unlocked, lock it for them and gently remind them to do so in future.
Tip: Press the Windows key + L on your keyboard to quickly lock your laptop or PC.

Password Management
It is important to use strong passwords on all of your devices to prevent unauthorised access. You should also use different passwords for personal and work-related accounts. Passwords should not be written down on sticky notes or bits of paper.
Password Security Tips:
- Use separate words, capital letters and add numbers or symbols
- Change passwords on a regular basis (90 days or less)
- Avoid using personal dates or names
Tip: Example Strong Password: Fan5Crisps!Dog
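The password tips above, expressed as a small checker so the rules can be applied consistently. This is an added example, not code from the Trust or the slide deck; the staff profile, the date formats treated as "personal dates" and the word-splitting rule are assumptions chosen to match the slide's example password.

```python
import re
from datetime import date, timedelta

# Constructed staff profile (not from the slide) used for the "avoid personal dates or names" rule.
PROFILE = {"name": "Pat Example", "dob": date(1985, 3, 14), "last_changed": date(2024, 1, 1)}
ROTATION_DAYS = 90  # "Change passwords on a regular basis (90 days or less)"


def split_words(password: str) -> list[str]:
    """Separate words as in the slide's example: 'Fan5Crisps!Dog' -> ['Fan', 'Crisps', 'Dog']."""
    return re.findall(r"[A-Z]?[a-z]+", password)


def personal_tokens(profile: dict) -> set[str]:
    """Name parts and a few common date spellings a person might reuse in a password (assumed formats)."""
    dob = profile["dob"]
    tokens = {part.lower() for part in profile["name"].split() if len(part) > 2}
    tokens |= {dob.strftime(fmt) for fmt in ("%d%m%y", "%d%m%Y", "%Y", "%d%m")}
    return tokens


def check_password(password: str, profile: dict) -> list[str]:
    """Return the slide's rules that the password breaks; an empty list means it passes."""
    failures = []
    if len(split_words(password)) < 2:
        failures.append("fewer than two separate words")
    if not re.search(r"[A-Z]", password):
        failures.append("no capital letter")
    if not re.search(r"[0-9]|[^A-Za-z0-9]", password):
        failures.append("no number or symbol")
    lowered = password.lower()
    if any(token in lowered for token in personal_tokens(profile)):
        failures.append("contains a personal name or date")
    return failures


def rotation_due(profile: dict, today_iso: str) -> bool:
    """True once the password is older than the 90-day limit (today given as YYYY-MM-DD)."""
    return date.fromisoformat(today_iso) - profile["last_changed"] > timedelta(days=ROTATION_DAYS)
```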

Phishing
Phishing is the biggest and easiest form of social engineering. Criminals use phishing emails and websites to scam people on a regular basis. They are hoping that users will click on fake links to sites or open attachments so that they can steal data or install malicious software. The aim of phishing emails is to force users to make a mistake, for example by imitating a legitimate company's emails or by creating a time-limited or pressurised situation.
Common Phishing Identifiers:
- Misspellings – custmers
- Generic and not user focused – Dear Customer
- Link or file to download
- Time pressure – must be done in 24 hours
Forward suspicious emails to: Email.unsolicited@rlbuht.nhs.uk
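The four identifiers above turned into a simple triage check that flags a message for forwarding to the unsolicited-email address. This is an added example, not the Trust's own tooling; the two sample messages, the greeting and urgency phrase lists and the misspelling list are constructed for the example.

```python
import re

# Constructed sample messages (not from the slide deck): one phishing-style, one routine.
SAMPLE_EMAILS = {
    "phish": {
        "subject": "Urgent: verify your account",
        "body": ("Dear Customer, we detected unusual activity. To keep your account, "
                 "click http://example-bank-login.test/verify within 24 hours or it "
                 "will be suspended. Valued custmers only."),
        "attachments": ["invoice.zip"],
    },
    "routine": {
        "subject": "Team meeting moved",
        "body": "Hi Sam, the IG team meeting has moved to Thursday at 10. Thanks, Alex",
        "attachments": [],
    },
}

# Assumed phrase lists; a real deployment would tune these to the organisation's mail.
GENERIC_GREETING = re.compile(r"\bdear (customer|user|member|account holder)\b", re.I)
TIME_PRESSURE = re.compile(r"\b(within \d+ ?hours?|immediately|urgent|suspended|final notice)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)
KNOWN_MISSPELLINGS = {"custmers", "acount", "verifiy", "securty", "recieve"}  # "custmers" is the slide's example


def phishing_indicators(email: dict) -> list[str]:
    """Return which of the slide's four identifiers fire for one message."""
    text = f"{email['subject']} {email['body']}"
    hits = []
    words = {w.lower() for w in re.findall(r"[A-Za-z]+", text)}
    if words & KNOWN_MISSPELLINGS:
        hits.append("misspelling")
    if GENERIC_GREETING.search(text):
        hits.append("generic greeting")
    if LINK.search(text) or email.get("attachments"):
        hits.append("link or attachment")
    if TIME_PRESSURE.search(text):
        hits.append("time pressure")
    return hits


def classify(email: dict) -> str:
    """Two or more identifiers: treat as suspicious and forward it rather than acting on it."""
    return "suspicious" if len(phishing_indicators(email)) >= 2 else "ok"
```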

Social Engineering & Tailgating
Social Engineering involves phone calls from people pretending to be someone else to gain information. A social engineer might call and pretend to be a fellow employee, for example from the IT dept. or a supplier.
Tailgating involves someone following another person or people through a door into a restricted area. Authorised people should have an ID badge on display.

Social Media
Revealing any information about your organisation on social media can be valuable to a social engineer. Criminals can use the information available on social media for social engineering. The data from social media can be used to find out what department a person works in, other people they work with and, most likely, where the person lives.

Email Usage
Staff must not send any Personal Identifiable Data (PID) or Commercially Sensitive Data insecurely. Emails sent within the Trust (internal) are automatically secure, but external email addresses are not. Should you need to send information to external recipients, you will need to encrypt your emails.

Email Usage
Staff must not send out any Personal Identifiable Data (PID) or commercially sensitive data insecurely. Here are some do's and don'ts:
- RLBUHT to RLBUHT – Secure
- RLBUHT to another Trust – NOT Secure
- RLBUHT to NHS.net Mail (and vice versa) – NOT Secure
- NHS.net Mail to NHS.net Mail – Secure
- NHS.net Mail to the following domains: .gsi.gov.uk; gse.gov.uk; gsx.gov.uk; pnn.police.uk; csjm.net; scn.gov.uk; gcsx.gov.uk; mod.uk

PGP – Email Encryption
1. Within Outlook select Tags
2. Select the Sensitivity drop-down
3. Change Normal to Confidential
4. Select Close
5. Send as normal
6. Recipient gets redirected to the RLBUHT portal
7. Recipient enters passphrase

Information Security – A Serious Matter
The Trust has systems in place for monitoring and auditing staff access to systems and their use of them, including email and internet monitoring (Data Loss Prevention & Websense). Failure to comply with legal obligations or organisational policy & guidelines could mean disciplinary and legal action being taken.

Subject Access Requests
Individuals have the right to access personal and sensitive information stored and processed in any form.
- Patients can request access to their health record without cost and within one month.
- Staff can request access to their personal record without cost and within one month.
- Any requests should be sent to SAR@rlbuht.nhs.uk
Tip: Staff should not view their own medical records, or those of patients unless they are involved in that patient's care.

What is a Freedom of Information (FOI) Request?
- A request for official information held by public bodies such as hospital trusts.
- The public have a right to access/view all non-personal public authority information.
- The purpose is to promote openness & accountability.
- Requests must be made in writing.
- There are exemptions.
- The law requires that any FOI request must receive a response within 20 working days.
- All FOI requests should be sent to the FOI Team (FOI@rlbuht.nhs.uk) as soon as they are received.

James Forshaw – Information Security Officer – EXT 3671
Daniel Kay – Information Security Officer – EXT 3671
0151 706 3671
0151 706 2677
Information.Assurance@rlbuht.nhs.uk