
Page 1: INFORMATION HANDLING AND CLASSIFICATION POLICY …

INFORMATION HANDLING AND CLASSIFICATION POLICY

FEBRUARY 2020

This Policy supersedes all previous policies for Data Protection


Policy title: Information Handling and Classification Policy
Policy reference: COR72
Policy category: Corporate Policies
Relevant to: All Staff
Date published: February 2020
Implementation date:
Date last reviewed:
Next review date: February 2023
Policy lead: Mahwish Noor, Information Governance Manager
Contact details: Email: [email protected]; Telephone: 020 3317 7100
Accountable Director: Jeffrey Boateng, Director of Clinical Information Management
Approved by (Group): Information Governance Steering Group
Approved by (Committee): Audit and Risk Committee

Document history

Date | Version | Amendments
September 2019 | 1 | New

Membership of the Policy development/review team: Information Governance Manager

Consultation: Members of the Information Governance Steering Group

Summary

1. Sets out the Trust's approach to Information Handling and Classification.
2. The different types of information classifications and controls.
3. Why appropriate information handling controls are necessary to facilitate effective patient care.

DO NOT AMEND THIS DOCUMENT

Further copies of this document can be found on the Foundation Trust Intranet.


SUMMARY: INFORMATION HANDLING AND CLASSIFICATION POLICY

Purpose of this policy

This Policy sets out the Trust's approach to information handling and classification. Different types of information carry varying degrees of sensitivity and need to be handled accordingly. The proper classification of information assets is vital to ensure appropriate and proportionate controls to keep information secure.

Adherence to this Policy will provide the Trust with assurance that correct information classification and handling methods are being applied in order to facilitate effective patient care.

Who it applies to

All Trust staff, as well as Third Parties and Suppliers, involved in the receipt, handling or sharing of information held by the Trust, including personal identifiable information.

What it includes in detail

The Policy sets out the defined approach to demonstrate good practice in marking records for all types of information which may be handled, shared, stored, and disposed of, in all media, by the Trust. This includes ICT systems, paper records, telephone and voice conversations, photographs, recording tapes, CCTV footage, entry passes and medical records.

Where the Trust holds information on behalf of another organisation with its own classification system, contractual agreement shall be reached as to which handling policy shall apply.

The overall policy on restrictive marking is set by the Cabinet Office and is called the Government Security Classification Scheme (GSCS). It applies across all government, including the NHS, and relevant partners. The GSCS provides three levels of security classification: OFFICIAL, SECRET and TOP SECRET (all three are described in section 5). Almost all information the Trust creates or processes falls within the OFFICIAL tier:

• OFFICIAL. The majority of information that is created or processed shall be security classified as OFFICIAL. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or disclosed inappropriately.

• A limited subset of OFFICIAL information could have more damaging consequences (for individuals, the NHS or the Government generally) if it were lost, stolen or published in the media. Where information is identified as such, it shall still be managed within the OFFICIAL classification tier but shall attract additional measures (generally procedural or personnel) to reinforce the 'Need-to-Know' (NTK). In such cases where there is a clear and justifiable requirement to reinforce the NTK, assets shall be conspicuously marked OFFICIAL – SENSITIVE.


Important points for all staff

All Employees, contractors and users with access to the Trust's equipment and information (electronic, paper and other records) are responsible for ensuring the safety and security of Trust equipment and the information that they use or manipulate.

All Employees shall take personal responsibility to apply the GSCS principles and the NHS Code of Practice for the protective marking of the Trust's documentation and other data media. This includes personal information that is required to be protected under Data Protection or other legislation.

All Employees must respect and abide by the relevant statutory obligations and protections, including the Data Protection Act 2018, GDPR, the Freedom of Information Act 2000, the Official Secrets Acts, and the Public Records Act. Access to information is limited to a need-to-know basis in line with the Caldicott Principles.

All Employees who handle sensitive assets must understand the impact of these legal frameworks and how it relates to their role.

Accidental or deliberate compromise, loss or misuse of classified information by Employees may lead to internal disciplinary action and may constitute a criminal offence. Incidents shall be reported and handled in accordance with the Information Security Incident Management Policy.

Staff who have not received the correct levels of security clearance set out in the Security Vetting Policy should under no circumstances receive access to protectively marked documents.

Information Asset Owners (IAOs) are responsible for identifying any sensitive information within their data holdings and for putting in place appropriate business processes to ensure that information is handled appropriately.

All Employees shall comply with the policies established by the Trust in order to ensure appropriate protection for the data to which they have access.

Additionally includes

The Trust is dependent on information in order to conduct its business, be it the delivery of patient care, for corporate functions, or other purposes. The Trust shall conduct periodic testing of information security handling procedures to maintain and improve Employee awareness of the procedures and the actions required. This should include procedures with Third Parties/Suppliers.


Contents

1. Purpose
2. Scope
3. Applicability
4. Terminology
5. Policy
   Protective Markings
   Key Controls
6. Roles and Responsibilities
7. Monitoring and Compliance
8. Related Policies


1. Purpose

1.1. Camden and Islington NHS Foundation Trust (hereafter referred to as "the Trust") is dependent on information in order to conduct its business, be it the delivery of patient care, for corporate functions, or other purposes.

1.2. This Policy sets out the Trust's approach to information handling and classification, in keeping with legislative, regulatory and other obligations. Different types of information carry varying degrees of sensitivity and need to be handled accordingly. The proper classification of information assets is vital to ensure appropriate and proportionate controls to keep information secure.

1.3. Adherence to this Policy will provide the Trust with assurance that correct information classification and handling methods are being applied in order to facilitate effective patient care.

2. Scope

2.2. This Policy sets out the defined approach to demonstrate good practice in marking records for all types of information which may be handled, shared, stored, and disposed of, in all media, by the Trust. Further information on record retention and destruction, including timescales, is detailed in the Records Retention and Destruction Policy.

2.3. This includes, but is not limited to:

• Information Communications and Technology (ICT) systems;
• paper records;
• telephone and voice conversations;
• photographs;
• recording tapes;
• CCTV footage;
• entry passes;
• medical records such as X-rays.

2.4. Where the Trust holds information on behalf of another organisation with its own classification system, contractual agreement shall be reached as to which handling policy shall apply.

3. Applicability

3.1. This Policy applies to all Trust staff, volunteers and students (hereafter referred to as "Employees") of the Trust. It applies to all Third-Party providers and Suppliers who may hold information belonging to the Trust, including patient information. Suppliers are expected to follow this approach unless specifically excluded or where conditions have been applied within the procurement process.


4. Terminology

Term | Meaning / Application
SHALL | This term is used to state a mandatory requirement of this Policy.
SHOULD | This term is used to state a recommended requirement of this Policy.
MAY | This term is used to state an operational requirement of this Policy.

5. Policy

Protective Markings

5.1. All information generated or processed by the Trust is subject to classification.

5.2. The overall policy on restrictive marking is set by the Cabinet Office and is called the Government Security Classification Scheme (GSCS) [1]. It applies across all government, including the NHS, and relevant partners. From 2014 onwards, all information below SECRET level is to be classified OFFICIAL. Individuals are expected to take more personal responsibility for thinking about the security of the information they handle.

5.3. The Trust shall comply with the GSCS. There are four GSCS Principles:

5.1.1. GSCS Principle 1

5.1.1.1. All information that HMG needs to collect, store, process, generate or share to deliver services and conduct government business has intrinsic value and requires an appropriate degree of protection.

5.1.1.2. The GSCS provides three levels of security classification, these are:

• OFFICIAL. The majority of information that is created or processed shall be security classified as OFFICIAL. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or disclosed inappropriately.

• A limited subset of OFFICIAL information could have more damaging consequences (for individuals, the NHS or the Government generally) if it were lost, stolen or published in the media. Where information is identified as such, it shall still be managed within the OFFICIAL classification tier but shall attract additional measures (generally procedural or personnel) to reinforce the 'Need-to-Know' (NTK). In such cases where there is a clear and justifiable requirement to reinforce the NTK, assets shall be conspicuously marked OFFICIAL – SENSITIVE.

[1] Further information is available from: https://www.gov.uk/government/publications/government-security-classifications


• SECRET. Very sensitive information that justifies heightened protective measures to defend against a higher level of threat shall be marked as SECRET. For example, where compromise could lead to the disruption or loss of emergency and health care capabilities, loss of public trust in the NHS or significant loss of reputation to the NHS with significant coverage by the national and international press. There is a significant step up between OFFICIAL and SECRET.

• TOP SECRET. HMG's most sensitive information requiring the highest levels of protection from the most serious threats shall be marked as TOP SECRET. For example, where compromise could lead to the complete breakdown of trust by the public in the NHS, a complete loss of emergency and health care capabilities and total loss of reputation in the NHS with widespread condemnation by both the national and international press, or requiring a major government intervention and/or a public inquiry.

5.1.1.3. It is recognised that only an extremely small number of organisations will produce or have access to any information above OFFICIAL. Guidance relating to SECRET and TOP SECRET is included in this Policy for the sake of completeness.

5.1.2. GSCS Principle 2

5.1.2.1. Everyone who works with government (including staff, contractors and service providers) has a duty of confidentiality and a responsibility to safeguard any HMG information or data that they access, irrespective of whether it is marked or not, and shall be provided with appropriate training.

5.1.2.2. Accidental or deliberate compromise, loss or misuse of classified information by staff may lead to internal disciplinary action and may constitute a criminal offence. In general, people will face such action only if they have been careless or reckless with information.

5.1.3. GSCS Principle 3

5.1.3.1. Access to sensitive information shall only be granted on the basis of a genuine NTK and an appropriate personnel security control.

5.1.3.2. The compromise, loss or misuse of sensitive information could have a significant impact on an individual, the NHS, or on Government business more generally. Staff shall ensure that access to security classified information is no wider than necessary for the efficient conduct of Trust business and limited to those with a business NTK.

5.1.4. GSCS Principle 4

5.1.4.1. Assets received from or exchanged with external partners must be protected in accordance with any relevant legislative or regulatory requirements, including any international agreements and obligations.

5.1.4.2. Where information is received from external agencies, the Trust shall ensure that it is protected in line with its security classification. The Trust shall also ensure that all owned or held information is correctly marked with the appropriate security classification in order to ensure that if it is shared with partner organisations and external agencies it will be afforded the correct level of protection.

5.4. There is no requirement to retrospectively reclassify or remark existing information, data or systems with the new security classification markings. Unless specified, staff should maintain current levels of control.

5.5. It is recommended that as a minimum, the four GSCS Principles listed above are included in any security training carried out by organisations.

5.6. Under the NHS Code of Practice all patient information is to be treated as CONFIDENTIAL. All documentation is held to be OFFICIAL; consequently, there is no requirement to explicitly mark routine information with the OFFICIAL classification.

5.7. In addition, the NHS Code of Practice defines descriptors applicable to data produced by, or relevant to, the conduct of NHS business and activity, as follows:

• COMMERCIAL – to identify market-sensitive information, including that which is subject to statutory or regulatory obligations that may be damaging to the Trust;

• PERSONAL – to identify Personal Data (defined under the Data Protection Act 2018), the release or loss of which could cause harm, distress or detriment to the individual(s) to whom it relates; and

• LOCSEN – to identify information which is locally sensitive to the Trust itself or to a recipient Trust or other organisation within the NHS.


Key Controls

5.8. Guidelines for the secure handling of information are set out in the Code of Practice on Confidential Information [2].

5.9. Key controls shall be applied in accordance with the sensitivity of the information and in keeping with the Information Risk Management Policy. Controls may be physical, procedural or technical.

5.10. Within the Trust, these controls are led by the Chief Information Security Officer (CISO), supported by the Information Governance Manager/Data Security and Protection Manager and guided at department level by the IAO, to include the following:

• information shall be made available for all authorised purposes and protected from unauthorised access;

• IAOs shall set the appropriate data classification and access as well as retention details, in accordance with the Records Retention and Destruction Policy;

• safeguards shall be deployed to ensure the Integrity of Information to assure users that Information has not been tampered with or otherwise corrupted;

• controls to Personal Data to safeguard the data privacy rights of all individuals on whom the Trust holds Personal Data, in accordance with the Data Protection Regulation Policy;

• support and guidance are made available to enable everyone to manage information securely;

• applicable legal and regulatory requirements are met;

• breaches of information security, actual or suspected, shall be investigated and, if appropriate, suitable cost-effective measures shall be introduced to prevent recurrence of incidents. Deliberate breaches of Information Security Policies may result in disciplinary action being taken;

• where practicable active monitoring of systems shall be undertaken;

• Line Managers shall implement the Policy within their area of responsibility and shall monitor the level of risk within their information systems in support of the compliance process.

6. Roles and Responsibilities

6.1. All Employees, contractors and users with access to the Trust's equipment and information (electronic, paper and other records) are responsible for ensuring the safety and security of Trust equipment and the information that they use or manipulate.

6.2. All Employees shall take personal responsibility to apply the GSCS and the NHS Code of Practice for the protective marking of the Trust's documentation and other data media. This includes personal information that is required to be protected under Data Protection or other legislation.

[2] https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/code-of-practice-on-confidential-information

6.3. All Employees must respect and abide by the relevant statutory obligations and protections, including the Data Protection Act 2018, GDPR, the Freedom of Information Act 2000, the Official Secrets Acts, and the Public Records Act. Access to information is limited to a need-to-know basis in line with the Caldicott Principles.

6.4. All Employees who handle sensitive assets must understand the impact of these legal frameworks and how it relates to their role.

6.5. Staff shall be supported by training as appropriate and as described in the Information Governance Policy. This shall include the importance of handling sensitive information assets correctly and applying document classification.

6.6. Assets received from or exchanged with external partners or Third Parties shall be protected in accordance with any relevant legislative or regulatory requirements, including any international agreements and obligations. Where information is received from external agencies, the Trust shall ensure that it is protected in line with its security classification.

6.7. Where removable media is deployed for the storage or transfer of information, it shall carry a protective marking in keeping with the sensitivity of the data held upon it. Details are contained in the Removable Media Policy.

6.8. Accidental or deliberate compromise, loss or misuse of classified information by Employees may lead to internal disciplinary action and may constitute a criminal offence. Incidents shall be reported and handled in accordance with the Information Security Incident Management Policy.

6.9. Staff who have not received the correct levels of security clearance set out in the Security Vetting Policy should under no circumstances receive access to protectively marked documents.

6.10. Information Asset Owners (IAOs) are responsible for identifying any sensitive information within their data holdings and for putting in place appropriate business processes to ensure that information is handled appropriately. The role of the IAO is set out in the Information Governance Policy. IAOs in turn should receive appropriate training and guidance in order to enable them to discharge these duties and should take into account the potential impact of compromise or loss of data, as well as any specific statutory requirements.

6.11. All Employees shall comply with the policies established by the Trust in order to ensure appropriate protection for the data to which they have access. Guidance relating to the Data Protection Act and associated legislation is contained in the Data Protection Regulations Policy.


7. Monitoring and Compliance

7.1. NHS Trusts are expected to provide a Declaration of Maturity regarding information handling, to be included in their Annual Report. This should be supported by regular monitoring led by the CISO with the IAOs and supported or coordinated by the Information Governance Manager/Data Protection and Security Manager.

7.2. The Trust shall conduct periodic testing of information security handling procedures to maintain and improve Employee awareness of the procedures and the actions required. This should include procedures with Third Parties/Suppliers.

7.3. This Policy shall be reviewed every three years or in response to significant changes due to security incidents, variations of law and/or changes to organisational or technical infrastructure.

7.4. This Policy is written by the Information Governance Manager/Data Protection and Security Manager and is approved by the Senior Information Risk Owner (SIRO) on behalf of the Board. Questions relating to its content or application should be addressed to the Information Governance Manager/Data Protection and Security Manager.

7.5. An Employee found to have breached this Policy may be subject to the Trust's disciplinary procedure and, in certain circumstances, legal action may be taken. Failure of a supplier or contractor to comply with this Policy may result in the immediate cancellation of a contract.

7.6. Where appropriate, breaches of the law shall be reported to the relevant authorities.

8. Related Policies

8.1. Related policies referenced in this document are available on the intranet or by request to the Employee's Line Manager and should be read in conjunction with this Policy.