INFORMATION HANDLING AND CLASSIFICATION POLICY
FEBRUARY 2020
This Policy supersedes all previous policies for Data Protection
Policy title: Information Handling and Classification Policy
Policy reference: COR72
Policy category: Corporate Policies
Relevant to: All Staff
Date published: February 2020
Implementation date:
Date last reviewed:
Next review date: February 2023
Policy lead: Mahwish Noor, Information Governance Manager
Contact details: Email: [email protected]; Telephone: 020 3317 7100
Accountable Director: Jeffrey Boateng, Director of Clinical Information Management
Approved by (Group): Information Governance Steering Group
Approved by (Committee): Audit and Risk Committee
Document history: September 2019, Version 1, New
Membership of the Policy development/review team: Information Governance Manager
Consultation: Members of the Information Governance Steering Group
Summary:
1. Sets out the Trust's approach to Information Handling and Classification.
2. The different types of information classifications and controls.
3. Why appropriate information handling controls are necessary to facilitate
effective patient care.
DO NOT AMEND THIS DOCUMENT
Further copies of this document can be found on the Foundation Trust Intranet.
SUMMARY: INFORMATION HANDLING AND CLASSIFICATION POLICY
Purpose of this policy
This Policy sets out the Trust's approach to information handling and classification. Different
types of information carry varying degrees of sensitivity and need to be handled accordingly.
The proper classification of information assets is vital to ensure appropriate and
proportionate controls to keep information secure.
Adherence to this Policy will provide the Trust with assurance that correct information
classification and handling methods are being applied in order to facilitate effective patient
care.
Who it applies to
All Trust staff as well as Third Parties and Suppliers, involved in the receipt, handling or
sharing of information held by the Trust, including personal identifiable information.
What it includes in detail
The Policy sets out the defined approach to demonstrate good practice in marking
records for all types of information which may be handled, shared, stored, and
disposed of, in all media, by the Trust. This includes ICT systems, paper records,
telephone and voice conversations, photographs, recording tapes, CCTV footage,
entry passes and medical records.
Where the Trust holds information on behalf of another organisation with its own
classification system, contractual agreement shall be reached as to which handling
policy shall apply.
The overall policy on restrictive marking is set by the Cabinet Office and is called the
Government Security Classification Scheme (GSCS). It applies across all
government, including the NHS, and relevant partners. The GSCS provides three
levels of security classification, these are:
• OFFICIAL. The majority of information that is created or processed shall be
security classified as OFFICIAL. This includes routine business operations
and services, some of which could have damaging consequences if lost,
stolen or disclosed inappropriately.
• A limited subset of OFFICIAL information could have more damaging
consequences (for individuals, the NHS or the Government generally) if it
were lost, stolen or published in the media. Where information is identified as
such, it shall still be managed within the OFFICIAL classification tier but shall
attract additional measures (generally procedural or personnel) to reinforce
the 'Need-to-Know' (NTK). In such cases where there is a clear and justifiable
requirement to reinforce the NTK, assets shall be conspicuously marked
OFFICIAL – SENSITIVE.
Important points for all staff
All Employees, contractors and users with access to the Trust's equipment and information (electronic, paper and other records) are responsible for ensuring the safety and security of Trust equipment and the information that they use or manipulate.
All Employees shall take personal responsibility to apply the GSCS principles and the NHS Code of Practice for the protective marking of the Trust's documentation and other data media. This includes personal information that is required to be protected under Data Protection or other legislation.
All Employees must respect and abide by the relevant statutory obligations and protections, including the Data Protection Act 2018, GDPR, the Freedom of Information Act 2000, the Official Secrets Acts, and the Public Records Act. Access to information is limited to a need-to-know basis in line with the Caldicott Principles.
All Employees who handle sensitive assets must understand the impact of these legal frameworks and how it relates to their role.
Accidental or deliberate compromise, loss or misuse of classified information by Employees may lead to internal disciplinary action and may constitute a criminal offence. Incidents shall be reported and handled in accordance with the Information Security Incident Management Policy.
Staff who have not received the correct levels of security clearance set out in the Security Vetting Policy should under no circumstances receive access to protectively marked documents.
Information Asset Owners (IAOs) are responsible for identifying any sensitive information within their data holdings and for putting in place appropriate business processes to ensure that information is handled appropriately.
All Employees shall comply with the policies established by the Trust in order to ensure appropriate protection for the data to which they have access.
Additionally includes
The Trust is dependent on information in order to conduct its business, be it the delivery of
patient care, for corporate functions, or other purposes. The Trust shall conduct periodic
testing of information security handling procedures to maintain and improve Employee
awareness of the procedures and the actions required. This should include procedures with
Third Parties/Suppliers.
Contents
1. Purpose
2. Scope
3. Applicability
4. Terminology
5. Policy
Protective Markings
Key Controls
6. Roles and Responsibilities
7. Monitoring and Compliance
8. Related Policies
1. Purpose
1.1. Camden and Islington NHS Foundation Trust (hereafter referred to as “the Trust”)
is dependent on information in order to conduct its business, be it the delivery of
patient care, for corporate functions, or other purposes.
1.2. This Policy sets out the Trust's approach to information handling and
classification, in keeping with legislative, regulatory and other obligations. Different
types of information carry varying degrees of sensitivity and need to be handled
accordingly. The proper classification of information assets is vital to ensure
appropriate and proportionate controls to keep information secure.
1.3. Adherence to this Policy will provide the Trust with assurance that correct
information classification and handling methods are being applied in order to
facilitate effective patient care.
2. Scope
2.1. This Policy sets out the defined approach to demonstrate good practice in marking
records for all types of information which may be handled, shared, stored, and
disposed of, in all media, by the Trust. Further information on record retention and
destruction, including timescales, is detailed in the Records Retention and
Destruction Policy.
2.2. This includes, but is not limited to:
• Information Communications and Technology (ICT) systems;
• paper records;
• telephone and voice conversations;
• photographs;
• recording tapes;
• CCTV footage;
• entry passes;
• medical records such as X-rays.
2.3. Where the Trust holds information on behalf of another organisation with its own
classification system, contractual agreement shall be reached as to which
handling policy shall apply.
3. Applicability
3.1. This Policy applies to all Trust staff, volunteers and students (hereafter referred to
as “Employees”) of the Trust. It applies to all Third-Party providers and Suppliers
who may hold information belonging to the Trust, including patient information.
Suppliers are expected to follow this approach unless specifically excluded or
where conditions have been applied within the procurement process.
4. Terminology
Term Meaning / Application
SHALL This term is used to state a mandatory requirement of this Policy
SHOULD This term is used to state a recommended requirement of this Policy
MAY This term is used to state an operational requirement of this Policy
5. Policy
Protective Markings
5.1. All information generated or processed by the Trust is subject to classification.
5.2. The overall policy on restrictive marking is set by the Cabinet Office and is called
the Government Security Classification Scheme (GSCS).1 It applies across all
government, including the NHS, and relevant partners. From 2014 onwards, all
information below SECRET level is to be classified OFFICIAL. Individuals are
expected to take more personal responsibility for thinking about the security of the
information they handle.
5.3. The Trust shall comply with the GSCS. There are four GSCS Principles:
5.1.1. GSCS Principle 1
5.1.1.1. All information that HMG needs to collect, store, process, generate
or share to deliver services and conduct government business has
intrinsic value and requires an appropriate degree of protection.
5.1.1.2. The GSCS provides three levels of security classification, these are:
• OFFICIAL. The majority of information that is created or processed shall
be security classified as OFFICIAL. This includes routine business
operations and services, some of which could have damaging
consequences if lost, stolen or disclosed inappropriately.
• A limited subset of OFFICIAL information could have more damaging
consequences (for individuals, the NHS or the Government generally) if
it were lost, stolen or published in the media. Where information is
identified as such, it shall still be managed within the OFFICIAL
classification tier but shall attract additional measures (generally
procedural or personnel) to reinforce the 'Need-to-Know' (NTK). In such
cases where there is a clear and justifiable requirement to reinforce the
NTK, assets shall be conspicuously marked OFFICIAL – SENSITIVE.
1 Further information is available from: https://www.gov.uk/government/publications/government-security-classifications
• SECRET. Very sensitive information that justifies heightened protective
measures to defend against a higher level of threat shall be marked as
SECRET. For example, where compromise could lead to the disruption
or loss of emergency and health care capabilities, loss of public trust in
the NHS or significant loss of reputation to the NHS with significant
coverage by the national and international press. There is a significant
step up between OFFICIAL and SECRET.
• TOP SECRET. HMG's most sensitive information requiring the highest
levels of protection from the most serious threats shall be marked as
TOP SECRET. For example, where compromise could lead to the
complete breakdown of trust by the public in the NHS, a complete loss
of emergency and health care capabilities and total loss of reputation in
the NHS with widespread condemnation by both the national and
international press, or requiring a major government intervention and/or
a public inquiry.
5.1.1.3. It is recognised that only an extremely small number of organisations will
produce or have access to any information above OFFICIAL. Guidance
relating to SECRET and TOP SECRET is included in this Policy for the
sake of completeness.
5.1.2. GSCS Principle 2
5.1.2.1. Everyone who works with government (including staff, contractors
and service providers) has a duty of confidentiality and a
responsibility to safeguard any HMG information or data that they
access, irrespective of whether it is marked or not, and shall be
provided with appropriate training.
5.1.2.2. Accidental or deliberate compromise, loss or misuse of classified
information by staff may lead to internal disciplinary action and may
constitute a criminal offence. In general, people will face such
action only if they have been careless or reckless with information.
5.1.3. GSCS Principle 3
5.1.3.1. Access to sensitive information shall only be granted on the basis of
a genuine NTK and an appropriate personnel security control.
5.1.3.2. The compromise, loss or misuse of sensitive information could have
a significant impact on an individual, the NHS, or on Government
business more generally. Staff shall ensure that access to security
classified information is to be no wider than necessary for the
efficient conduct of Trust business and limited to those with a
business NTK.
5.1.4. GSCS Principle 4
5.1.4.1. Assets received from or exchanged with external partners must be
protected in accordance with any relevant legislative or regulatory
requirements, including any international agreements and
obligations.
5.1.4.2. Where information is received from external agencies, the Trust
shall ensure that it is protected in line with its security classification.
The Trust shall also ensure that all owned or held information is
correctly marked with the appropriate security classification in order
to ensure that if it is shared with partner organisations and external
agencies it will be afforded the correct level of protection.
5.4. There is no requirement to retrospectively reclassify or remark existing
information, data or systems with the new security classification markings. Unless
specified, staff should maintain current levels of control.
5.5. It is recommended that as a minimum, the four GSCS Principles listed above are
included in any security training carried out by organisations.
5.6. Under the NHS Code of Practice all patient information is to be treated as
CONFIDENTIAL. All documentation is held to be OFFICIAL; consequently, there
is no requirement to explicitly mark routine information with the OFFICIAL
classification.
5.7. In addition, the NHS Code of Practice defines descriptors applicable to data
produced by, or relevant to, the conduct of NHS business and activity, as follows:
• COMMERCIAL – to identify market-sensitive information, including that which
is subject to statutory or regulatory obligations that may be damaging to the
Trust;
• PERSONAL – to identify Personal Data (defined under the Data Protection
Act 2018), the release or loss of which could cause harm, distress or
detriment to the individual(s) to whom it relates; and
• LOCSEN – to identify information which is locally sensitive to the Trust itself
or to a recipient Trust or other organisation within the NHS.
Key Controls
5.8. Guidelines for the secure handling of information are set out in the Code of
Practice on Confidential Information.2
5.9. Key controls shall be applied in accordance with the sensitivity of the information
and in keeping with the Information Risk Management Policy. Controls may be
physical, procedural or technical.
5.10. Within the Trust, these controls are led by the Chief Information Security Officer
(CISO), supported by the Information Governance Manager/Data Security and
Protection Manager and guided at department level by the IAO, to include the
following:
• information shall be made available for all authorised purposes and protected
from unauthorised access;
• IAOs shall set the appropriate data classification and access as well as
retention details, in accordance with the Records Retention and Destruction
Policy;
• safeguards shall be deployed to ensure the Integrity of Information to assure
users that Information has not been tampered with or otherwise corrupted;
• controls on Personal Data shall safeguard the data privacy rights of all individuals
on whom the Trust holds Personal Data, in accordance with the Data
Protection Regulation Policy;
• support and guidance are made available to enable everyone to manage
information securely;
• applicable legal and regulatory requirements are met;
• breaches of information security, actual or suspected, shall be investigated
and, if appropriate, suitable cost-effective measures shall be introduced to
prevent recurrence of incidents. Deliberate breaches of Information Security
Policies may result in disciplinary action being taken;
• where practicable active monitoring of systems shall be undertaken;
• Line Managers shall implement the Policy within their area of responsibility
and shall monitor the level of risk within their information systems in support of
the compliance process.
6. Roles and Responsibilities
6.1. All Employees, contractors and users with access to the Trust's equipment and
information (electronic, paper and other records) are responsible for ensuring the
safety and security of Trust equipment and the information that they use or
manipulate.
6.2. All Employees shall take personal responsibility to apply the GSCS and the NHS
Code of Practice for the protective marking of the Trust's documentation and other
data media. This includes personal information that is required to be protected
under Data Protection or other legislation.
2 https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/code-of-practice-on-confidential-information
6.3. All Employees must respect and abide by the relevant statutory obligations and
protections, including the Data Protection Act 2018, GDPR, the Freedom of
Information Act 2000, the Official Secrets Acts, and the Public Records Act.
Access to information is limited to a need-to-know basis in line with the Caldicott
Principles.
6.4. All Employees who handle sensitive assets must understand the impact of these
legal frameworks and how it relates to their role.
6.5. Staff shall be supported by training as appropriate and as described in the
Information Governance Policy. This shall include the importance of handling
sensitive information assets correctly and applying document classification.
6.6. Assets received from or exchanged with external partners or Third Parties shall be
protected in accordance with any relevant legislative or regulatory requirements,
including any international agreements and obligations. Where information is
received from external agencies, the Trust shall ensure that it is protected in line
with its security classification.
6.7. Where removable media is deployed for the storage or transfer of information, it
shall carry a protective marking in keeping with the sensitivity of the data held
upon it. Details are contained in the Removable Media Policy.
6.8. Accidental or deliberate compromise, loss or misuse of classified information by
Employees may lead to internal disciplinary action and may constitute a criminal
offence. Incidents shall be reported and handled in accordance with the
Information Security Incident Management Policy.
6.9. Staff who have not received the correct levels of security clearance set out in the
Security Vetting Policy should under no circumstances receive access to
protectively marked documents.
6.10. Information Asset Owners (IAOs) are responsible for identifying any sensitive
information within their data holdings and for putting in place appropriate business
processes to ensure that information is handled appropriately. The role of the IAO
is set out in the Information Governance Policy. IAOs in turn should receive
appropriate training and guidance in order to enable them to discharge these
duties and should take into account the potential impact of compromise or loss of
data, as well as any specific statutory requirements.
6.11. All Employees shall comply with the policies established by the Trust in order to
ensure appropriate protection for the data to which they have access. Guidance
relating to the Data Protection Act and associated legislation is contained in the
Data Protection Regulations Policy.
7. Monitoring and Compliance
7.1. NHS Trusts are expected to provide a Declaration of Maturity regarding
information handling, to be included in their Annual Report. This should be
supported by regular monitoring led by the CISO with the IAOs and supported or
coordinated by the Information Governance Manager/Data Protection and Security
Manager.
7.2. The Trust shall conduct periodic testing of information security handling
procedures to maintain and improve Employee awareness of the procedures and
the actions required. This should include procedures with Third Parties/Suppliers.
7.3. This Policy shall be reviewed every three years or in response to significant
changes due to security incidents, variations of law and/or changes to
organisational or technical infrastructure.
7.4. This Policy is written by the Information Governance Manager/Data Protection and
Security Manager and is approved by the Senior Information Risk Owner (SIRO)
on behalf of the Board. Questions relating to its content or application should be
addressed to the Information Governance Manager/Data Protection and Security
Manager.
7.5. An Employee found to have breached this Policy may be subject to the Trust's
disciplinary procedure and, in certain circumstances, legal action may be taken.
Failure of a supplier or contractor to comply with this Policy may result in the
immediate cancellation of a contract.
7.6. Where appropriate, breaches of the law shall be reported to the relevant
authorities.
8. Related Policies
8.1. Related policies referenced in this document are available on the intranet or by
request to the Employee's Line Manager and should be read in conjunction with this
Policy.