Information security is the process by which an authority protects its records and ensures they remain available. It is the means by which an authority guards against unauthorised access and provides for the integrity of the records. Robust information security measures are an acknowledgement that records represent a risk as well as an asset. A public authority should have procedures in place to assess and contain that risk
NHS Borders provides systems which maintain appropriate confidentiality security and integrity for all data including storage and use in line with NHS Scotland Information Assurance Strategy.
NHS Borders is responsible for ensuring that adequate physical controls are put in place to ensure the security and confidentiality of all health and business sensitive data, whether held manually or electronically.
The Board's IT Security Policy includes a section in relation to Information Security stating:
NHS Borders has a responsibility to its stakeholders to ensure its information assets are protected and its information services are used in a responsible manner. It is therefore prudent to implement an IT Security policy that clearly sets out your responsibilities and is part of NHS Borders' legal and regulatory obligations.
Adherence to the IT Security Policy and any subsidiary policies, standards and guidelines derived from it, is Mandatory.
The NHS Borders Policy principles with regard to IT Security are:
- We reduce the risk of exposure of NHS Borders business and patient information assets to loss, damage or misuse by means of efficient and cost effective risk measurement, risk management and countermeasure implementation.
- Everyone in NHS Borders, including contractors and external parties, is responsible for the security of NHS Borders' information. It is the responsibility of all managers to ensure that their staff abide by the letter and spirit of the policy.
- All NHS Borders legal and statutory obligations to protect its Information will be me.
In addition to the IT Security Policy, NHS Borders has a comprehensive Information Governance Code of Conduct that reminds all staff members of their responsibilities and legal duties to protect confidential information they have access to. It also makes them aware of the relevant procedures to ensure they do not inadvertently breach those requirements.
All staff, whether directly employed by NHS Borders or non-directly employed, as well as contracted staff, such as agency staff, volunteers, locums, students on work experience placements and service suppliers must adhere to the Board's Information Governance Code of Conduct and all related Information security policies. All new staff should be made aware of these policies through the induction process.
The IT Security Policy was approved by the Information Governance Committee in October 2012 and reviewed by the Information Governance Lead with no amendments in October 2014.
The Information Governance Code of Conduct was approved by the Information Governance Committee in April 2015
All new staff members, as described above, are required to sign a Confidentiality Statement and then re-sign every two years. This is incorporated in the Mandatory online training module.
Key electronic systems that process information have a Secure Operating Procedure document. This details the system manager and all procedures around permitting and rescinding access to the system.
A physical security self assessment check list is published on the Information Governance Intranet site and all managers are required to periodically review their areas against this.