INFORMATION SECURITY FOR STARTERS, MOVERS AND LEAVERS POLICY
FEBRUARY 2020
This Policy supersedes all previous policies for Data Protection
Policy title Information Security for Starters, Movers and Leavers Policy
Policy reference
COR73
Policy category Corporate Policies
Relevant to All Staff
Date published February 2020
Implementation date
Date last reviewed
Next review date
February 2023
Policy lead Mahwish Noor, Information Governance Manager
Contact details Email: [email protected]
Telephone: 020 3317 7100
Accountable Director
Jeffrey Boateng, Director of Clinical Information Management
Sally Quinn, Director of HR and OD
Approved by (Group):
Information Governance Steering Group
Approved by (Committee):
Audit and Risk Committee
Document history
Date Version Amendments
September 2019
1 New
Membership of the Policy development/ review team
Information Governance Manager
Consultation
Members of the Information Governance Steering Group
Summary 1. The Trust’s Policy on onboarding and offboarding Employees, and how this also
applies to Employees moving internally within the Trust.
2. How the Trust ensures that information management is not disrupted at any
point during the Employee lifecycle.
3. To ensure that starters, movers and leavers understand their collective
responsibilities towards safeguarding the Trust’s Information Assets.
DO NOT AMEND THIS DOCUMENT
Further copies of this document can be found on the Foundation Trust Intranet.
SUMMARY: INFORMATION SECURITY FOR STARTERS, MOVERS AND LEAVERS POLICY
Purpose of this policy
This policy underpins the Trust’s Information Governance Policy, Information Risk
Management Policy and relevant HR policies, and aims to ensure that all individuals working
at or on behalf of the Trust have appropriate access to the information needed to deliver
patient care and the Trust’s objectives.
Who it applies to
Starters: All persons joining the Trust who require access to the Trust’s information, which
may include a user account and access on the Trust’s Information and Communications
Technology (ICT) system(s).
Movers: Persons who are already part of the Trust and are transferring to a different role
within the organisation.
Leavers: Persons who are leaving the Trust and no longer require access to the Trust’s
information and/or ICT system(s).
It also includes subcontractors and Third Parties who may be authorised to access Trust IT
systems and information in the course of their work.
What it includes in detail
All individuals working at or on behalf of the Trust should understand their responsibilities in
safeguarding the Trust’s physical and digital information assets; ensure the appropriate
confidentiality, integrity and availability of those assets at all times; and understand this as a
personal, as well as professional, commitment.
Important points for all staff
It is vital that Employees joining have appropriate access to the information needed to
deliver patient care and the Trust’s objectives. HR services shall:
ensure that the appropriate pre-employment checks and screening are undertaken. Where access to more sensitive information or information systems is required, further vetting against the relevant standards shall be required;
ensure that Employee security risks are effectively managed through robust security processes, so that actions are in accordance with the Trust’s legal obligations; and
provide a legally binding contract of employment. The contract of employment shall explicitly state all applicable roles, benefits and responsibilities bestowed on the Employee by the Trust.
Appendix includes
C&I Equality Impact Analysis guidance.
Contents
1. Purpose ......................................................................................................................... 5
2. Scope ............................................................................................................................ 5
3. Applicability .................................................................................................................... 5
4. Terminology ................................................................................................................... 5
5. Policy ............................................................................................................................. 6
Roles and Responsibilities ............................................................................................. 6
Core Responsibilities: Starters ..................................................................................... 6
Core Responsibilities: Movers ...................................................................................... 8
Core Responsibilities: Leavers ..................................................................................... 9
Training and Awareness .............................................................................................. 10
Non-Compliance .......................................................................................................... 11
6. Monitoring and Evaluation ............................................................................................ 11
7. Related Policies ........................................................................................................... 12
1. Purpose
1.1. This Starters, Movers and Leavers Policy aims to ensure that all individuals
working at or on behalf of Camden and Islington NHS Foundation Trust (hereafter
referred to as “the Trust”):
have appropriate access to the information needed to deliver patient care and
the Trust’s objectives;
understand their responsibilities in safeguarding the Trust’s physical and
digital information assets;
ensure the appropriate confidentiality, integrity and availability of those assets
at all times;
understand this as a personal, as well as professional, commitment.
1.2. This Policy underpins the Trust’s Information Governance Policy, Information Risk
Management Policy and relevant HR policies.
2. Scope
2.1. This Policy covers all Starters, Movers and Leavers with access to the Trust’s
information assets. Information assets include all types of information – patient;
employee; financial; corporate and other - which may be created, handled, shared,
stored, and disposed of, in all types of media. This includes, but is not limited to,
ICT systems, telephone, paper and voice conversations, photographs and CCTV
footage.
2.2. The scope applies to the Trust’s assets wherever and whenever they are used,
including out-of-working hours and remotely.
3. Applicability
3.1. This Policy applies to:
Starters: All persons joining the Trust who require access to the Trust’s information, which may include a user account and access on the Trust’s Information and Communications Technology (ICT) system(s).
Movers: Persons who are already part of the Trust and are transferring to a different role within the organisation.
Leavers: Persons who are leaving the Trust and no longer require access to the Trust’s information and/or ICT system(s).
3.2. It also includes subcontractors and Third Parties who may be authorised to access
Trust ICT systems and information in the course of their work.
4. Terminology
Term Meaning / Application
SHALL This term is used to state a mandatory requirement of this Policy
SHOULD This term is used to state a recommended requirement of this Policy
MAY This term is used to state an operational requirement of this Policy
5. Policy
Roles and Responsibilities
5.1. The Head of Department and the Deputy Director of HR and OD are responsible
for implementing and overseeing compliance with this Policy.
5.2. Managers and Information Asset Owners (IAO) are accountable, within their
respective areas of business responsibility, for ensuring this Policy is
implemented, managed, maintained and improved.
Core Responsibilities: Starters
5.3. It is vital that Employees joining have appropriate access to the information
needed to deliver patient care and the Trust’s objectives.
5.4. HR services shall (in adherence with the Recruitment Policy):
5.4.1. Ensure that the appropriate pre-employment checks and screening are
undertaken. Where access to more sensitive information or information
systems is required, further vetting processes against standards shall be
required;
5.4.2. Ensure that the appropriate paperwork and checks are completed and received
before Employees commence employment;
5.4.3. Ensure that Employee security risks are effectively managed through
robust security processes, so that actions are in accordance with the
Trust’s legal obligations;
5.4.4. Provide a legally binding contract of employment. The contract of
employment shall explicitly state all applicable roles, benefits and
responsibilities bestowed on the employee by the Trust. From an
information security perspective, it shall include the expected Employee
Code of Conduct, confidentiality clauses, required compliance to legal
requirements, policies and procedures, and the consequences of non-
compliance and subsequent information breaches;
5.4.5. Ensure that prior to recruitment the security responsibilities are outlined to
the candidates. This includes embedding these responsibilities
appropriately into each job description.
Recruiting Line Manager shall:
5.4.6. Follow the Trust’s recruitment and screening processes at all times;
5.4.7. Ensure they understand the needs of the Starter and what is expected of
them, including all relevant policies;
5.4.8. Ensure the Starter does not have access to the Trust’s ICT systems until
they have read and signed the Acceptable Use Policy;
5.4.9. Identify at the outset what ICT assets, systems, access and general
training the post holder(s) shall require;
5.4.10. Prepare a comprehensive induction programme covering: the role, the
responsibilities assigned to the individual, the Trust’s Information
Governance Policy and associated policies, the assets associated with the
role, and the access permissions granted;
5.4.11. Identify relevant training for the individual, including Information Security
Training;
5.4.12. Ensure the employee is familiar with all relevant information security
policies, including the Information Security Incident Reporting and
Management Policy;
5.4.13. Provide the Starter with an overview of information handling within the
department, including electronic and paper; and
5.4.14. In the event of non-compliance, report to the relevant IAO.
Employees shall:
5.4.15. Read and sign the Acceptable Use Policy before accessing Trust ICT
assets and systems;
5.4.16. Read all policies relevant to their role, including Information Governance
Policies;
5.4.17. Ensure they understand their continued responsibilities under the
appropriate governing laws, including the Caldicott Principles and the Data
Protection Act (DPA) 2018;
5.4.18. Complete the Information Governance and Information Security training
in a timely manner following their start date;
5.4.19. Be aware of appropriate channels for reporting breaches in keeping with
the Information Security Incident Management Policy;
5.4.20. Should there be any dispute concerning the contract of employment, the
Employee should contact their Line Manager and the HR function.
Core Responsibilities: Movers
5.5. The process starts following the agreement of a change in role for a current
Employee. This could be due to service redesign, change in business
requirement, end of project, secondment, acting-up, promotion or a complete
change in role.
Existing and New Line Manager shall:
5.5.1. Ensure they understand the needs of the Mover and what is expected of
them and ensure compliance with the Trust’s Information Security Policy;
5.5.2. Action all elements of the Movers’ process in a timely manner;
5.5.3. Document what assets and access rights the individual currently has and
what the requirements of the new role are;
5.5.4. Work together to develop and implement a joint action plan to ensure that
the Employee does not have access rights to any assets that are not
needed for the new role;
5.5.5. Inform the IAO to revoke any information access that is no longer required
for the former role, and ensure all ICT assets no longer required are
returned;
5.5.6. Make arrangements with the relevant IAO for the Mover to receive the
appropriate ICT assets and access levels associated with the new role;
5.5.7. The new Line Manager should ensure the Mover understands their
continued responsibilities under the appropriate governing laws, including
the Caldicott Principles, the General Data Protection Regulation (GDPR)
and the Data Protection Act (DPA) 2018; and
5.5.8. Ensure that the Mover receives information security training relevant to
their new role, including reading all relevant policies.
Employees shall:
5.5.9. Ensure they understand the process and what is expected of them;
5.5.10. Ensure they understand their continued responsibilities under the
appropriate governing laws, including the Caldicott Principles, the GDPR
and the DPA 2018; and
5.5.11. Comply with all elements of the Mover process and return all the
organisational assets that are no longer required in the new role to their
existing Line Manager.
Core Responsibilities: Leavers
5.6. To ensure that Employees exit the Trust in an orderly manner in line with the
Trust’s relevant policies, the departure of every Leaver shall be managed, all
assets assigned to the individual shall be returned, and all access rights removed
in a timely manner.
HR Services shall:
5.6.1. Facilitate the Leaver process with the Line Manager in a timely manner.
This shall include notification of other relevant functions such as payroll
and conducting of an exit interview.
Line Managers shall:
5.6.2. Explain the Leaver process to the Employee and clarify any questions they
may have;
5.6.3. Initiate the Leaver process and action all elements of the Leaver process in
a timely manner;
5.6.4. Remind the leaver of their Terms and Conditions of employment, including
Information Governance obligations – namely, that they must not leave
with the Trust’s information in any format. In addition, they shall respect
confidentiality agreements and personal information requirements;
5.6.5. Ensure that the Employee understands their post-termination
responsibilities under the appropriate governing laws, including the GDPR
and the DPA 2018;
5.6.6. Identify the Trust’s assets to which the Leaver has, or has had access, and
ensure these are all returned, and access removed prior to, or on, the
leave date;
5.6.7. Ensure that a robust handover is completed, and contact lists are updated,
recorded and communicated to appropriate areas;
5.6.8. Return the completed termination checklist to HR Support confirming that
all stages of the process have been actioned and ensuring that an exit
interview is carried out;
5.6.9. Ensure, with the IAO, that the Systems Administrator has been informed
that the Employee is no longer entitled to access ICT systems, equipment, or Trust
data and information; and
5.6.10. Report any non-compliance of the Policy to the relevant IAO.
Employees shall:
5.6.11. Ensure that they understand the process and what is expected of them;
5.6.12. Ensure they understand their responsibilities under the appropriate
governing laws, including the GDPR and the DPA 2018;
5.6.13. Comply with all elements of the Leavers process and return all the
organisational assets before leaving the Trust.
Training and Awareness
5.7. The Board is committed to leading and fostering a strong culture of information
security awareness throughout the Trust and shall support the Senior Information
Risk Owner (SIRO) in managing associated risks.
5.8. Information Governance, and associated requirements and responsibilities, shall
be included throughout the Employee lifecycle, from Starter, to Mover, to
Leaver, and throughout their time in post.
HR Services including Learning and Development team shall:
5.8.1. Ensure that all Employees receive relevant training regarding this Policy
and the associated processes;
5.8.2. Make such training available not only at key points such as starting and
moving but also throughout the entire employee lifecycle;
5.8.3. Provide appropriate support to managers through the process, if required;
5.8.4. Monitor compliance with the Policy and facilitate general and role-specific
training to support this;
5.8.5. Ensure that best practice and lessons learnt are promulgated to foster a
mature information security culture, in liaison with the SIRO;
5.8.6. Ensure that organisational training records are kept, secured and updated.
Line Managers / IAOs shall:
5.8.7. Allow Employees appropriate time to attend any required information
security training / awareness sessions throughout their tenure in post;
5.8.8. Review and check completion of training requirements to support effective
information handling and governance and include this in the performance
appraisal process;
5.8.9. Have in place an appropriate level of ongoing Employee security
management;
5.8.10. Ensure regular formal reviews of access rights for their direct reports;
5.8.11. Ensure that all staff are familiar with the Information Security Incident
Reporting and Management Policy;
5.8.12. Ensure that Employees only have authorised access to information assets
required to undertake their jobs and that they follow the Trust’s policies and
procedures;
5.8.13. Ensure that monitoring of ICT access and activity takes place in line with
Trust Policy and good practice as set out by the Regulator and in
applicable laws;
5.8.14. Remind employees on an annual basis of the circumstances in which the
Trust may access user information or monitor usage.
Employees shall:
5.8.15. Comply with all elements of the Starter, Mover and Leaver process
including ongoing training while in post;
5.8.16. Take responsibility to comply with all elements of this Policy and attend
any required training, throughout the duration of their employment with the
Trust;
5.8.17. Comply with Trust policies and procedures, including relevant legal
requirements.
Non-Compliance
5.9. Any circumstances requiring exemptions to this Policy shall be referred to the
relevant IAO. Where the risk sits outside their delegated authority, the IAO shall
complete a Risk Balance Case and forward it to the SIRO for approval.
5.10. If there are reasonable grounds for suspecting misuse of ICT assets, access may
be suspended by the system manager in consultation with the Line Manager / HR,
pending further investigation. Please refer to the Acceptable Use Policy for further
information.
6. Monitoring and Evaluation
6.1. This Policy shall be reviewed every two years or in response to significant
changes due to security incidents, variations of law and/or changes to
organisational or technical infrastructure.
6.2. This Policy is written and maintained by the HR Director, in consultation with the SIRO
on behalf of the Board. Questions relating to its content or application should be
addressed through the Information Governance Structure (see Information
Governance Policy for more details) to the SIRO who is responsible for facilitating
communication of this Policy throughout the organisation.
6.3. Breach of this Policy may be dealt with according to disciplinary procedures set
out in the Employees’ contracts.
7. Related Policies
7.1. Related policies referenced in this document are available on the intranet or by
request to the Employee’s Line Manager and should be read in conjunction with
this Policy.
8. Appendix 1 - C&I Equality Impact Analysis Guidance Document
1. Please indicate the expected impact of your proposal on people with protected characteristics
Characteristics Significant +ve Some +ve Neutral Some -ve Significant -ve
Age X
Disability X
Ethnicity X
Gender re-assignment: X
Religion/Belief: X
Sex (male or female) X
Sexual Orientation X
Marriage and civil partnership X
Pregnancy and maternity X
The Trust is also concerned about key disadvantaged groups even though they are not protected by law
Substance mis-users X
Homeless people X
Unemployed people X
Part-time staff X
Please remember just because a policy or initiative applies to all, does not mean it will have an equal impact on all.
2. Consideration of available data, research and information
Please list any monitoring, demographic or service data or other information you have used to help you analyse whether
you are delivering a fair and equitable service. Social factors are significant determinants of health and employment
outcomes. Monitoring data and other information should be used to help you analyse whether you are delivering a fair and
equitable service. Please consult these types of potential sources as appropriate. There are links on the Trust website:
• Joint strategic needs analysis (JSNA) for each borough
• Demographic data and other statistics, including census findings
• Recent research findings (local and national)
• Results from consultation or engagement you have undertaken
• Service user monitoring data (including age, disability, ethnicity, gender, religion/belief, sexual orientation and)
• Information from relevant groups or agencies, for example trade unions and voluntary/community organisations
• Analysis of records of enquiries about your service, or complaints or compliments about them
• Recommendations of external inspections or audit reports
Key questions (supports EDS Goals)
Your Response
This meets objective EDS2 4.1 Inclusive leadership. Board and senior leaders routinely demonstrate their commitment to promoting equality within and beyond the organisation.
2.1 What evidence, data or information have you considered to determine how this policy/ development contributes to delivering better health outcomes for all?
Equality Act 2010, GDPR and Data Protection Act 2018
Cyber security consists of technologies, processes and controls designed to protect the Trust’s information assets, such as systems, networks, programs, devices and data, from cyber-attacks. Effective cyber security reduces the risk of cyber-attacks, effectively manages information risks and protects against the unauthorised exploitation of the Trust’s information assets, resulting in better patient care.
2.2 What evidence, data or information have you considered to determine how this policy/ development contributes to improving patient access and experience?
As above
2.3 What evidence, data or information have you considered to determine how this development/policy contributes to delivering a representative and well supported workforce?
This policy encourages staff to protect the Trust’s assets as part of cyber security and to handle information securely.
2.4 What evidence, data or information have you considered to determine how this policy/development contributes to inclusive leadership and governance?
The Senior Information Risk Owner is responsible for cyber security, with responsibility delegated to the Information Asset Owners across the Trust. This is explained in the roles and responsibilities section.
3. It is Trust policy that you explain your proposed development or change to people who might be affected by it, or their representatives. Please outline how you plan to do this.
Group Methods of engagement
Staff The policy will be published on the intranet and updates provided at divisional leadership meetings, as well as cascaded by the Information Asset Owners across the Trust
IG Steering Group The policy has been reviewed by HR, Comms, the Caldicott Guardian, the SIRO and ICT
4. Equality Impact Analysis Improvement Plan
If your analysis indicates some negative impacts, please list actions that you plan to take as a result of this analysis to
reduce those impacts, or rebalance opportunities. These actions should be based upon the analysis of data and
engagement, any gaps in the data you have identified, and any steps you will be taking to address any negative impacts or
remove barriers. The actions need to be built into your service planning framework. Actions/targets should be measurable,
achievable, realistic and time framed.
Negative impacts identified Actions planned By who
Staff do not read or complete relevant training in cyber security
These policies will be available on intranet and a comms plan will be in place to ensure staff are aware where to access the cyber security policies
IG Steering Group
Race
The application of this policy is both fair and consistent regardless of race, ethnicity or nationality. However, it is recognised there is a risk to any member of staff whose first language is not English and support will be offered to ensure the policy is translated to the required language.
EDI Lead
Disability
The application of this policy is both fair and consistent regardless of the disability and therefore does not impact on this protected characteristic. This policy can be made available in another format, on request.
EDI Lead
5. Sign off and publishing
Once you have completed this form, it needs to be ‘approved’ by Service Director, Clinical Director or an Executive Director
or their nominated deputy. If this Equality Impact Analysis relates to a policy, procedure or protocol, please attach it to the
policy and process it through the normal approval process. Following this sign off by the Sub Policy Group your policy and
the associated EqIA will be published by the Trust’s Policy Lead on the website.
If your EqIA related to a service development or business /financial plan or strategy, once your Director or the relevant
committee has approved it please send a copy to the Equality and Diversity Lead ([email protected]), who
will publish it on the Trust’s website. Keep a copy for your own records.
I have conducted this Equality Impact Analysis in line with Trust guidance
Your name: Mahwish Noor Position Information Governance Manager
Signed: Mahwish Noor Date: December 2020
Approved by: Equality and Diversity Lead
Your name: Debra Hall Position: Equality and Diversity Lead
Sign:
Date 13/01/2020