
Information Security Policy

Printed copies should not be considered the definitive version

DOCUMENT CONTROL

POLICY NO. 77
Policy Group: Information Assurance and Security
Author: Andrew Turner
Version No.: 1.3
Reviewer: Medical Director
Implementation Date: Aug 2013
Scope (Applicability): Board wide
Next review date: Aug 2016
Status: Final
Last review date: New document
Approved By: Dr Cameron, Information Assurance Committee, Area Partnership Forum

NHS Dumfries & Galloway

Page 2 of 17 Pages

Title: Information Security Policy

Date Aug 2013

Version: 1.3

Author: Andrew Turner

The only current version of this document is on the Intranet.

Contents

1. OVERVIEW 4
2. POLICY AIMS 4
3. SCOPE & APPLICABILITY 4
4. RESPONSIBILITIES 5
   a. Chief Executive 5
   b. Medical Director 5
   c. Caldicott Guardian 6
   d. Information Assurance Committee 6
   e. eHealth Lead 6
   f. eHealth IM&T Department 6
   g. Third Parties 7
   h. Data Protection Officer 7
   i. Information Governance and Security Lead 7
   j. Line Managers 8
   k. All Staff 8
5. OPERATIONAL SYSTEMS 9
   a. Confidentiality of IT Systems will be maintained by ensuring that: 9
   b. Integrity of IT Systems will be maintained by ensuring: 10
   c. Availability of IT Systems will be maintained by ensuring: 10
6. MOBILE COMPUTING 10
7. SYSTEM PROCUREMENT, DEVELOPMENT AND IMPLEMENTATION 10
8. COMPLIANCE 11
9. RISK MANAGEMENT AND BUSINESS CONTINUITY 11
10. EQUALITY AND DIVERSITY 11
11. RELATED DOCUMENTS 12
12. Appendix 1 – Policy Approval Checklist 13
13. Appendix 2 - Document Status 14
14. Appendix 3 - Communication Action Plan for Implementation 15


15. Appendix 4 – Related Documents 16

16. Appendix 5 – Codes of Practice 17


1. OVERVIEW

a. The purpose of information security is to ensure business continuity and minimise risk by preventing or reducing the impact of security incidents. Information security enables information to be shared while ensuring the protection of information assets.

b. Information takes several formats; it can be stored on computers, transmitted across IT networks, printed out, audio-visual and stored on optical media (CD or DVD/BluRay discs) or written down on paper.

c. From an Information Security perspective, appropriate protection should be applied to all forms of information stored, including paper-based information, computer databases, portable and fixed IT media and any other methods used to communicate information.

d. This policy sets out clear management direction and support for information security across NHS Dumfries & Galloway in accordance with business requirements, legislation, regulations, standards and guidance.

e. It demonstrates management support for, and commitment to, information security through issuing this policy for user acceptance and compliance, as well as any related policies, procedures and guidelines, including user education and awareness across NHS Dumfries & Galloway. The purpose of this policy is to protect all NHS Dumfries & Galloway information assets from threats, internal or external, deliberate or accidental.

f. It is important that Information Security does not act as a barrier to sharing the right information with the right person at the right place and at the right time. Where a clear business need is established for information to be shared, both internally within the Board and externally to our partners, appropriate Information Sharing Protocols will be developed which enable this sharing to take place. In most cases this will come under the auspices of the Scottish Accord for the Sharing of Personal Information (SASPI). This process will ensure that sharing of information is performed in a secure, considered and controlled manner which will enable effective delivery of healthcare whilst preserving the appropriate levels of security.

2. POLICY AIMS

a. This policy aims to:

   i. Provide guidance on the procedures and methods which are to be employed to maintain the confidentiality, integrity and availability of all sensitive information throughout NHS Dumfries & Galloway.

   ii. Detail the roles and responsibilities and supporting organisational monitoring arrangements for ensuring that information is accessed, processed and used safely, securely and effectively.

   iii. Provide a framework under which NHS Dumfries & Galloway can ensure compliance with all relevant legislation and policies.

3. SCOPE & APPLICABILITY

a. This policy applies to all information assets held by NHS Dumfries & Galloway in any format and is intended to be fully consistent with the Information Security Policy and Standards of NHS Scotland.

b. This policy applies to all users who undertake work for NHS Dumfries & Galloway or use any part of the IT infrastructure, whether as an employee, a student, a volunteer, a contractor, partner agency, external consultant or 3rd party supplier.

c. It is a management requirement that all NHS Dumfries & Galloway information assets are properly safeguarded against breaches of confidentiality, integrity and availability.

d. In order to achieve this, the following attributes will at all times be in place with respect to matters relating to Information Assurance:

   i. Information Security Policy, objectives, activities and improvements will be aligned with the business objectives and organisational culture of NHS Dumfries & Galloway and meet the requirements of ISO/IEC27002, the Code of Practice for Information Security Management.

   ii. A risk based approach to Information Security will be maintained, enabling informed decisions on information security initiatives and ensuring that budget and resources are focussed appropriately. These security initiatives will meet the following objectives:

      1. Prevention of incidents via the identification and reduction of risks.
      2. Detection of incidents before damage can occur.
      3. Recovery from incidents via containment and repair of damage and prevention of reoccurrence.

   iii. Information security will be promoted at all levels of the business through comprehensive user awareness education and training.

   iv. Management will actively support information assurance initiatives, ensure they remain abreast of the risks to information assets and champion the continual improvement of information security within NHS Dumfries & Galloway.

   v. An effective Information Security architecture will be maintained.

   vi. An effective Information Security Policy and procedural environment will be maintained ensuring that:

      1. All information assets are protected against unauthorised access and disclosure.
      2. Confidentiality of information will be assured at all times.
      3. Integrity of information will be maintained at all times.
      4. Business requirements for availability will be met.
      5. Breaches of security, both actual and suspected, are reported and investigated.
      6. Classification and ownership of information assets will be applied.
      7. Regulatory and legislative requirements will be met, including compliance with the UK Data Protection Act 1998.

4. RESPONSIBILITIES

a. Chief Executive

   i. Final responsibility for the secure operation of all systems used to store information assets in NHS Dumfries & Galloway is vested in the Chief Executive. This responsibility is delegated to all staff developing, introducing, managing and using information systems through the medium of this policy.

b. Medical Director

   i. The Medical Director has executive responsibility for Information Assurance and Security Planning.


   ii. The Medical Director has responsibility for ensuring that Information Assurance and Security is adequately and appropriately resourced to complete its function.

c. Caldicott Guardian

   i. The responsibility for maintaining the confidentiality of patient identifiable information rests with the NHS Dumfries & Galloway Caldicott Guardian.

d. Information Assurance Committee

   i. The NHS Dumfries & Galloway Information Assurance Committee has the responsibility to monitor compliance with, to review and to approve all Information Security policies.

   ii. The IAC will report twice a year to the Clinical Governance Committee on levels of compliance with policy.

e. eHealth Lead

   i. The eHealth Lead has the responsibility to ensure that:

      1. The IT infrastructure supports and enables all Information Security policies to be implemented and maintained.
      2. IM&T staff work within a clear framework which promotes Information Security, and that this framework is documented and regularly reviewed within the department.

f. eHealth IM&T Department

   i. All members of the eHealth IM&T Department have the responsibility to ensure that:

      1. IT systems are held in secure areas that provide protection from unauthorised access and environmental threats such as fire, flood and loss of power.
      2. IT systems used to store NHS Dumfries & Galloway data are recorded and any movements tracked to ensure that theft or loss is detected.
      3. All information assets are securely removed before equipment is re-allocated or sent for secure disposal/destruction.
      4. Protection against malicious code is operated on all workstations, servers and data exchange systems.
      5. All incoming data (including data held on IT media, e-mail and Internet downloads) is scanned for malicious code before installation or use.
      6. Back-up and recovery procedures are in place to assist in business contingency arrangements.
      7. Interaction with external IT systems is recorded and monitored. This includes the monitoring of e-mail and other data streams up-loaded to, or downloaded from, any NHS Dumfries & Galloway system.
      8. Back-ups of IT systems are kept in a secure place and success/failure results recorded.
      9. A regime of test bare metal restores is performed to ensure viability of backups. Details of success/failure of these tests must be recorded.
      10. Quarterly reports showing the following must be sent to the Information Assurance and Security Lead for presentation at the Information Assurance Committee meeting:
         a. Major system outages for the period with details of steps taken to prevent repeated failures.


         b. Failures of backups and details of rectification processes put in place.
         c. Success and failures of test restores and details of rectification processes put in place.
         d. Numbers of virus/malware infections.
         e. Numbers of user login failures resulting in user lockout.

g. Third Parties

   i. Third parties with access to NHS Dumfries & Galloway information must be governed as follows:

      1. Shared accesses to information will be governed by the principles provided by the Scottish Accord for the Sharing of Personal Information (SASPI).
      2. Each access under SASPI will be provided under the provisions of an Information Sharing Protocol (ISP) agreed between the parties sharing the information.
      3. For each ISP an accompanying Privacy Impact Assessment (PIA), as required by the Information Commissioner under the Data Protection Act, will be completed.
      4. The Information Governance and Security Lead must be consulted during the production of the ISP and the PIA.

h. Data Protection Officer

   i. The Data Protection Officer will ensure that:

      1. A register of all NHS Dumfries & Galloway information assets is maintained. The register will record data owners and designate those assets that are confidential or sensitive as defined in Data Protection legislation and Caldicott guidelines.
      2. Staff handling personal information understand that they are contractually responsible for following good data protection practice and are appropriately trained to do so.
      3. Queries about handling personal information are promptly and courteously dealt with.
      4. Methods of handling personal information are clearly described.
      5. A regular audit of how personal information is handled is carried out.

i. Information Governance and Security Lead

   i. The Information Governance and Assurance Lead for NHS Dumfries & Galloway is responsible for the implementation and enforcement of all Information Security Policies and has responsibility for:

      1. Ensuring that all Information Security Policies are implemented throughout NHS Dumfries & Galloway.
      2. Ensuring that System Security Policies (SSP) and Secure Operating Procedures (SOP) are in place and maintained for all new and existing IT systems.
      3. Determining the level of security required for any new IT systems.
      4. Ensuring that all 3rd party connections comply with the NHSnet Code of Connection, NHS Dumfries & Galloway or other local methods of remote connectivity.
      5. Providing assistance and guidance in the production of SASPI ISP and PIA documents.


      6. Ensuring regular risk assessments are performed on IT systems.
      7. Monitoring and reporting to the IAC the state of IT security within NHS Dumfries & Galloway.
      8. Developing, maintaining, reviewing and enforcing procedures to maintain Information security.
      9. Ensuring compliance with relevant legislation and NHS Scotland Information security guidance.
      10. Developing IT Security awareness training material to ensure that all staff are aware of their responsibilities and accountability for Information security.
      11. Monitoring, recording, investigating and reporting actual or potential IT security breaches.

j. Line Managers

   i. Managers will notify the NHS Dumfries & Galloway IT Service Desk of changes to staff personnel so that IT access can be provided and withdrawn in a controlled and auditable manner.

   ii. Managers will ensure that all current and future staff undertake and maintain their mandatory training in their personal IT security responsibilities.

   iii. Managers will ensure that any staff using IT systems/media are trained in their secure use and disposal.

   iv. Managers will ensure that no unauthorised staff are allowed to access any of NHS Dumfries & Galloway IT systems.

   v. Managers will determine which staff should be given authority to access specific IT systems. The level of access to IT systems will be based on job function need, irrespective of status.

   vi. Managers will implement procedures to minimise NHS Dumfries & Galloway exposure to fraud/theft/disruption of its IT and information assets.

   vii. Managers will ensure that key documentation is maintained for all critical job functions so that Departmental business continuity is maintained in the event of staff unavailability.

k. All Staff

   i. All NHS Dumfries & Galloway staff, contractors and service providers who use or influence the use of NHS Dumfries & Galloway information systems must conform to the standards expected and described in this and any other associated information security policies.

   ii. All staff must read and sign up to this and any other information security policies which are relevant to their job role.

   iii. All staff and other users of NHS Dumfries & Galloway Information Systems are expected to have completed the mandatory Information Governance and Security training within, at an absolute maximum, four weeks of being granted access. Failure to do so may result in access being withdrawn.

   iv. Similarly, staff who fail to undertake the required mandatory Information Governance and Security refresher training after a period of more than two years and six months may also have access removed.

   v. Specific information security responsibilities required of key personnel will be defined in their job description and also within IT systems secure operating procedure documentation. All staff required to use information systems will be made aware of their responsibilities in maintaining appropriate levels of Information Security, and be adequately trained in their Information Security responsibilities and in the correct use of those systems.

   vi. Secure workplace practices are an essential part of this Information Security Policy. NHS Dumfries & Galloway expects all staff to take personal and professional responsibility for dealing securely with any information to which they have access in the course of their duties.

   vii. All staff entrusted with access to NHS Dumfries & Galloway information assets have a responsibility to ensure that their actions when using these assets fully conform to this and related policies, NHS Scotland standards and legal requirements.

   viii. Every member of staff is personally responsible for ensuring that no breaches of Information Security result from their personal actions. This applies equally to staff authorised to access and use NHS Dumfries & Galloway Information systems remotely.

   ix. In particular, staff are required to lock workstations when leaving them for more than a few (more than 30) seconds and not to allow another member of staff to use a workstation which is logged in under their name.

   x. Staff must not log into an application on a workstation which is logged into the network under a user name other than their own.

   xi. Staff must not provide another user with their own user name and password to allow the other to log in under their name.

   xii. Staff must report any suspected or actual breaches of IT security via the Datix Incident Reporting System which is available on the NHS Dumfries & Galloway Intranet.

   xiii. All staff must fully comply with all NHS Dumfries & Galloway Information Security Policies, Standards and Procedures.

   xiv. Failure to observe this policy may result in disciplinary action or legal proceedings being taken.

   xv. Any member of staff responsible for preparing, procuring services through or using standard supplier contracts will also ensure contractors and other third parties comply fully with the provisions of this and other NHS Dumfries & Galloway Information Security policies.

   xvi. All staff must notify their Line Manager of all suspected or actual breaches of Information security.

5. OPERATIONAL SYSTEMS

a. Confidentiality of IT Systems will be maintained by ensuring that:

   i. Only authorised NHS Dumfries & Galloway staff will be granted access to Information systems, and that access will be restricted to the information required for the person's job function, i.e. on a need-to-know basis.

   ii. Updating and other activities that could affect the integrity of information must be restricted to authorised staff needing to do so as part of their job function, in line with Caldicott principles on confidential information access.

   iii. Where multiple staff share access to an NHS Dumfries & Galloway Information System, each member of staff will be provided with a personal authentication identity. All transactions on such systems must be attributable and auditable to the user under whose name transactions are conducted.


   iv. Passwords must be defined in line with national NHS Scotland standards and kept confidential at all times.

   v. Access to NHS Dumfries & Galloway Information systems from external IT networks and other types of communication link will only be permitted on an exception basis and be subject to an additional layer of security, in line with national and NHS Scotland remote connectivity standards and regulations.

   vi. NHS Dumfries & Galloway will control and monitor internal access to external networks and reserves the right to disconnect immediately, and if necessary permanently, any member of staff or organisation attempting to breach this or any other NHS Dumfries & Galloway Information security policy.

b. Integrity of IT Systems will be maintained by ensuring:

   i. All NHS Dumfries & Galloway Information assets will operate in accordance with IT systems manufacturer specifications.
   ii. Wherever possible the CHI number will be the single point of reference for all systems.
   iii. Staff will be expected to apply due diligence when filing records.
   iv. Wherever possible information interchanges between systems will be transferred electronically and rekeying designed out of systems.
   v. Electronic patient records will be standard across NHS Dumfries & Galloway.

c. Availability of IT Systems will be maintained by ensuring:

   i. Resilience to component or software failure is designed into all systems and data networks from the outset.
   ii. Regular backups are taken of all IT systems and stored in a secure manner.
   iii. Backups are tested regularly to ensure that systems/files can be restored if and when required.
   iv. Anti-virus and malware detection systems are deployed and maintained up to date.
   v. Security, Critical and Important operating system and application patches are tested and applied within two weeks of release.
   vi. Routine penetration testing will be used to identify security risks and effective work plans put in place to mitigate these risks.
   vii. Business Continuity/Disaster recovery plans are in place, are tested regularly and are reviewed at least every three years.

6. MOBILE COMPUTING

a. Details of guidance on accessing information from mobile devices are given in the NHS Dumfries & Galloway Use of Mobile Devices Policy.

7. SYSTEM PROCUREMENT, DEVELOPMENT AND IMPLEMENTATION

a. All system procurements, developments and implementations must follow the guidelines defined in the NHS Dumfries & Galloway Information Systems Procurement, Development and Implementation Policy.

b. Completed Business Cases for new information Systems must be presented to the eHealth Board for consideration and approval before submission to Capital Management Group for procurement.


c. The testing of all applications must be documented and attention paid to all aspects of security. Configuration Management must be used for each system; specifically, all initialisation files, data and test results files and system files must be identified and preserved with appropriate security and accountability. Under no circumstances will operational data be provided for use in application development or testing outside of NHS Dumfries & Galloway's own secure IT environment.

d. All new systems must have a System Security Policy incorporated. The SSP must address the different aspects of:

   i. physical, personnel and document security principles;
   ii. communications security;
   iii. hardware and software security measures;
   iv. administrative and procedural security rules.

8. COMPLIANCE

a. NHS Dumfries & Galloway staff will comply fully with all relevant legislation and give consideration to advisory instructions from NHS Scotland and Scottish Government. A list of the principal legislation and formal administrative guidance on Information Security with which NHS bodies must currently comply is provided in Appendix 1.

b. NHS Dumfries & Galloway will respect the license conditions and intellectual property rights of software manufacturers. It will maintain records of the procurement, disposition and secure disposal of media and licences.

c. NHS Dumfries & Galloway proactively discourages the unauthorised introduction of software and unauthorised use or copying of licensed software.

d. NHS Dumfries & Galloway is required to make arrangements for adequate levels of audit to be undertaken to enable detection of unauthorised access, data leakage and other security breaches.

e. The NHS Dumfries & Galloway Internal Audit function will review and report at defined intervals upon controls and security levels which operate at a system and application level. Specifically, Internal Audit will report upon the compliance of NHS Dumfries & Galloway with this policy as part of their input to the Annual Statement of Internal Control.

9. RISK MANAGEMENT AND BUSINESS CONTINUITY

a. The NHS Dumfries & Galloway Information Governance and Security Lead and the Programme Adviser NHS Resilience will carry out risk assessments for all information systems to ensure that suitable disaster recovery and contingency arrangements are in place.

b. Recovery procedures will be developed for all IT operational systems and, where relevant, appropriate contingency plans will be documented and tested to ensure an acceptable level of service and control is maintained following a system failure.

c. The Information Governance and Security Lead will report on the outcomes of the above work programmes on a twice yearly basis to the IAC.

10. EQUALITY AND DIVERSITY

a. NHS Dumfries and Galloway is committed to equality and diversity in respect of the six equality groups defined by age, disability, gender, race, religion/belief and sexual orientation.

b. We believe, however, that equality and diversity issues are not relevant to this area of work because this policy is designed to provide everyone, including NHS Dumfries and Galloway staff, with a consistent approach to Information Security for the organisation to ensure good governance arrangements are in place.

11. RELATED DOCUMENTS

a. NHS Dumfries & Galloway Information Assurance Strategy and NHS Dumfries & Galloway Information Policy document.
b. NHS Dumfries & Galloway Information Security Strategy.
c. All underlying NHS Dumfries & Galloway Information Assurance Policies and Procedures.
d. NHS Scotland Information Security Policy.
e. ISO/IEC27002, the Code of Practice for Information Security Management.


12. Appendix 1 – Policy Approval Checklist

NHS DUMFRIES AND GALLOWAY POLICY APPROVAL CHECKLIST

This checklist must be completed and forwarded with the policy to the appropriate approval group.

POLICY TITLE: Information Security Policy
POLICY NO.: …………….
EXECUTIVE LEAD: Dr Angus Cameron

Why has this policy been developed? Compliance with Board Information Assurance Strategy

Has the policy been developed in accordance with or related to legislation? Please give details of applicable legislation.
CEL 26/2012
Data Protection Act 1998
Electronic Communications Act 2000
Computer Misuse Act

Has a risk control plan been developed?

Who is the owner of the risk?

Who has been involved/consulted in the development of the policy? eHealth Lead and staff, Dr Cameron, Internal Audit, Staff side representative

Has the policy been assessed for equality and diversity in relation to the following? Has the policy been assessed for Equality and Diversity not to disadvantage the following groups?
Race/Ethnicity: Yes
Gender: Yes
Age: Yes
Religion/Faith: Yes
Disability: Yes
Sexual Orientation: Yes
Minority Ethnic Communities: Yes
Women and Men: Yes
Religious & Faith Groups: Yes
Disabled People: Yes
Young People: Yes
L, G, B & T Community: Yes

Does the policy contain evidence of the Equality & Diversity Impact Assessment Process? YES

Is there an implementation plan? YES

When will the policy take effect? Immediate

If the policy applies to partner agencies, please explain the reasons for this and how they will be informed of their responsibilities. Not applicable


13. Appendix 2 - Document Status

Title: Information Security Policy
Author: Andrew Turner
Approver: Dr Angus Cameron
Document reference:
Version number: 1.2

Document Amendment History

Version number | Edited by | Edit date | Topics covered
0.1 | NHS Lanarkshire | June 2009 | Exemplar document
1.0 | Andrew Turner | 25th March 2013 | 1st Draft.
1.1 | Andrew Turner | 2nd July 2013 | 2nd draft after peer review
1.2 | Andrew Turner | 11th July 2013 | Final draft following review and amendments as recommended by Information Assurance Committee – added introduction paragraph referring to information sharing.

Distribution

Name | Version number | Responsibility
Corporate Business Manager | 1.2 | Place on policy register
Board Management Team | 1.2 | For approval
Area Partnership Forum | 1.2 | Approved 29th August 2013
Communications Team | 1.2 | Place on Intranet and in ‘latest news’
Staff side representative | 1.2 | For comment prior to presentation to APF
IM&T Department | 1.2 | To configure systems according to policy


Associated Documents

ISO/IEC 27002 The Code of Practice for Information Security Management

CEL26/2012

NHS Scotland Information Security Policy

NHS Dumfries & Galloway Information Assurance Strategy

NHS Dumfries & Galloway Information Assurance Policy

NHS Dumfries & Galloway Information Systems Procurement, Development and Implementation Policy

NHS Dumfries & Galloway Access to Information Policy

NHS Dumfries & Galloway Mobile Devices Policy

NHS Dumfries & Galloway eMail Acceptable Use Policy

NHS Dumfries & Galloway Internet and Internet Acceptable Use Policy

NHS Dumfries & Galloway Communications Monitoring Policy


14. Appendix 3 - Communication Action Plan for Implementation

Name | Responsibility | Timeframe
Place on policy register | Corporate Business Manager | Immediate
Place in ‘latest news’ | Communications Team | Immediate
Place on Intranet | Communications Team | Immediate
Dissemination to all staff through line management | Board Management Group | Continual process
Routinely issue to all staff | IM&T Department | Continual process
Amend staff contracts | HR Department | Immediate


15. Appendix 4 – Related Documents

a. The Principal Acts of Parliament, Management Executive letters and Scottish Office Home and Health Department circulars relevant to Information security and confidentiality are:

i. Compliance with legal requirements

ii. Data Protection Act 1998

iii. Computer Misuse Act 1990

iv. Copyright, Design & Patents Act 1988

v. The Health and Safety at Work Act (1974)

vi. Human Rights Act (1998)

vii. Regulation of Investigatory Powers Act (2000)

viii. Health and Social Care Act (2001)

ix. Freedom of Information (Scotland) Act (2002)

x. Public Records (Scotland) Act

xi. Electronic Communications Acts (2000)


16. Appendix 5 – Codes of Practice

ISO/IEC 27002 The Code of Practice for Information Security Management

Circ. SW 1/89 Confidentiality of Social Work Records

Circ. SW 2/89 Access to Personal Files / Regulations

MEL 1992 (14) Safeguarding Confidentiality Identifiable Data / Contracting

MEL 1992 (42) Confidentiality / Personal Data associated with contracts

MEL 1992 (45) Computer Security Guidelines

MEL 1992 (69) Access to Health Records (now superseded by the Data Protection Act 1998 for living patients)

MEL 1993 (152) Guidance for the Retention and Destruction of Health Records

MEL 1993 (59) NHS in Scotland Information Security Policy

MEL 1993 (70) NHS Communications Systems

MEL 1994 (100) Protecting the Confidentiality of Personal Health Information

MEL 1994 (75) NHS in Scotland IT Security Manual

HDL (2006) 41 NHS Scotland Information Security Policy

MEL 1994 (76) Telecommunications Policy & Management

MEL 1996 (72) The Year 2000

MEL 1996 (80) NHS-Net Telecommunications Policy & Management

NHS circ. DGM 1992 (20) Security of Health records

NHS circ. GEN 1990 (22) Confidentiality of Personal Health Information

NHS circ. GEN 1991 (27) Access to Health Records

SHHD/DGM (1991)/39 Safeguarding the Confidentiality of Personal Data Associated with Contracts

SHHD/DGM (1991)/47 Computer Security

SHHD/DGM 1991 (28) Computer Software and Crown Copyright