Information Governance
Jym Bates, Head of Information Assurance

What Is Information Governance?
- Data Protection
- Freedom Of Information
- Information Security

Relevant Policies
- Data Protection Act 1998 (and subsequent Special Information Notices)
- Human Rights Act 1998
- Access to Health Records Act 1990 (where not superseded by the Data Protection Act 1998)
- Computer Misuse Act 1990
- Copyright, Designs and Patents Act 1988 (as amended by the Copyright (Computer Programs) Regulations 1992)
- Crime & Disorder Act 1998
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000 (& Lawful Business Practice Regulations 2000)
- Freedom of Information Act 2000
- Gender Recognition Act 2004

- Ownership of s
- Addressing s
- Personal s
- Freedom of information
- Attachments
- Spam
  - Why it occurs
  - Actions to take

Internet Use
- Personal access
  - Out of working hours
- Monitoring - Disciplinary Action
- Not to be viewed
  - Adult/Sexually explicit topic
  - Hacking
  - Alcohol & Tobacco
  - Spyware
  - Intolerance & Hate
  - Criminal Activity
  - Gambling
  - Personals & Dating
  - Tasteless & Offensive
  - Glamour & Intimate Apparel
  - Illegal Drugs
  - Violence
  - Weapons
  - Streaming Media Downloads
  - Chat

Data Protection Act
- Security of Person Identifiable Information (PII)
- Confidentiality
- Storage
- Transfer

Principles of the Data Protection Act
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection

Confidentiality
- Security risks
  - Not following the clear desk policy
  - Not logging off a PC when it is not being used
  - Talk e.g. the canteen
  - Telephone conversations e.g. open ward
  - Patients seeing their own notes

Storage of PII - Electronic
- PII must not be stored on:
  - Unencrypted laptops
  - Non Biometric USB memory sticks
  - CDROM / DVD unless encrypted
  - External hard drives unless encrypted
  - Any home PC
  - Any PC not on central storage

Storage of PII - Paper
- Medical notes must be held in Medical Records, in a locked office or in a locked notes trolley
- Any PII should always be locked in a filing cabinet or desk drawer unless it is in a secure office

Transfer of PII – Electronic
- Whenever possible PII should not be transferred
- should not be used unless it is encrypted
- PII should only be uploaded to secure web sites
- For support please contact ISC Help Desk

Transfer of PII – Paper / Letters
- Whenever possible PII should not be transferred
- Ensure that the correct information is being sent to the correct person
- Any letters containing PII should be clearly addressed ‘Private & Confidential’ and only this & the contact details should be visible
- Requests for tests etc must always be sealed in an envelope
- Use of Fax Machines should be discouraged

Transfer of PII – Medical Notes
- The location of medical records should always be entered on the PAS tracking system
- Medical records must always be sealed in an envelope
- Staff should not ferry casenotes to other locations in their cars

Viruses
- A virus is malicious code that can affect an individual PC or an entire network
- The Trust has a comprehensive virus scanning and damage control system that starts up when a PC is turned on
- Major sources are:
  - Unsolicited s
  - Unlicensed software

Passwords
- You must never let anyone use the password to your PC or any software you use
- Do not keep lists of your passwords
- Regularly change your password
- Passwords must contain at least one number, one lowercase letter and one uppercase letter.

Unlicensed Software
- The only software allowed on Trust PCs are the systems purchased by the Trust
- You are not allowed to load any software onto a Trust PC
- Please contact ISC Help Desk if you require a programme for your work

PII and Audit / Research
- Always review the need for PII. Could you just use an allocated patient identifier?
  - The NHS number with no further PII is acceptable
- Do not pull off PII from a system unless you are allowed to do so.
  - Requests for reports should go through ISC Help Desk or individual Business Information Specialists

Guidance
- Check the Trust’s Information Governance Policies on Synapse in
- xxxx.xxx.xx
- Telephone ( ) 62601