Guidance for the Storage, Transmission and Transportation Of

Information and I.T. Security Toolkit for GMPs Physical and Environmental Security

GUIDANCE FOR THE STORAGE, TRANSMISSION AND TRANSPORTATION OF PATIENT / PERSON IDENTIFIABLE INFORMATION (PII) FOR GENERAL MEDICAL PRACTICES V2

Note: Adaptation of “LHB Procedures for the removal, transportation and off site storage of patient or person identifiable information” (Produced by BSC/Gwynedd LHB)

NHS Wales Informatics Service Issue C Date Created: 06/092007 Page 1 of 8 Information and I.T. Security Toolkit for GMPs Physical and Environmental Security

Contents

1 Introduction 6 2 Background 6 3 Removal of patient/personal information (from 6 the practice) 4 Transportation of Patient/Person Identifiable 7 information 5 Taking information home 8 6 Computer Security 9 Appendix 1 - Risk Assessment Form 10 Appendix 2 - Authorisation Form 11

NHS Wales Informatics Service Issue C Date Created: 06/092007 Page 2 of 8 Information and I.T. Security Toolkit for GMPs Physical and Environmental Security

1 Introduction

1.1 There are inherent risks associated with the requirement to take patient or person identifiable information away from the practice. This document has been developed with the aim of providing guidance for General Medical Practices.

1.2 This document aims to raise awareness amongst practice staff (clinicians and administration), ensuring they do not breach the requirements of the Data Protection Act 1998 or the Caldicott Report guidance. There is existing good practice that needs to be adhered to including the International Standard for Information Security (ISO2700), the Information Security Management System (ISMS) and Health Board guidance. Additional guidance on protecting information is also available from the General Medical Committee website.

http://www.gmc-uk.org/guidance/current/library/confidentiality.asp

1.3 Patient or person identifiable information is information that can identify any individual by name, number or a combination of items (staff records would also be included under this definition), and exists in paper or electronic form.

1.4 Any information which can identify an individual must only be removed from the practice if there is a justified purpose for doing so

1.5 If there are any issues regarding these procedures they should be immediately discussed with the IM&T Security Officer, Practice Manager or the Caldicott Guardian.

2 Background

ISO27001 ‘Information can be vulnerable to unauthorised access, misuse or corruption during physical transport’

2.1 The Information Commissioners Office states that “personal information, which is stored, transmitted or processed in information, communication and infrastructures should also be managed and protected in accordance with the organisation’s security policy and using best practice methodologies such as ISO27001”. Therefore, every effort must be made to safeguard this information for the protection of the data subject, the individual and for the practice itself.

2.2 These procedures aim to highlight and suggest ways of improving the security and confidentiality of transporting sensitive information, regardless of the medium to prevent data loss.

3 Removal of patient/personal information (from the practice)

3.1 If a member of staff (including clinicians & administration staff) is required to take patient or person identifiable information off site as part of their role, the practice Caldicott Guardian must be informed along with the IM&T Security Officer/Practice Manager. A Risk Assessment Form (appendix 1) must be completed by the member of staff in conjunction with the IM&T Security Officer/Practice Manager.

NHS Wales Informatics Service Issue C Date Created: 06/092007 Page 3 of 8 Information and I.T. Security Toolkit for GMPs Physical and Environmental Security

3.2 An assessment of the risks involved will then be carried out and recommendations may be made to the member of staff if appropriate.

3.3 Once the member of staff & IM&T Security Officer/Practice Manager are satisfied that the procedures are workable and will comply with current policy, an Authorisation Form (appendix 2) will be signed and approved by the practice Caldicott Guardian. A copy will be kept by the IM&T Security Officer/Practice Manager and a copy given to the member of staff.

3.4 If, as part of the role, a member of staff is regularly required to remove patient or person identifiable information, they must state this on the Risk Assessment Form (Appendix 1 - Question 3) and the authorisation will continue until such time as the termination of the current post or a change in role. However this will be subject to regular review by the Caldicott Guardian.

3.5 If the need to take patient or person identifiable information away from the practice is for an isolated reason, this should be stated on the Risk Assessment Form (Appendix 1 – Question 2). If at any time in the future the need arises again, the same process will need to be repeated.

4 Transportation of Patient/Person Identifiable information

4.1 Any paper, including medical records taken off site must be logged. The log should contain the date, details of information, reason for removal, where the information is being taken and estimated date of return. This is essential to ensure appropriate audit measures are in place and records can be traced at all times.

4.2 When transferring information electronically it must be considered that it is on a need to know basis and only the relevant files should be copied. It is easy to inadvertently copy entire folders particularly when synchronising with portable devices including laptops, PDA’s or USB storage devices.

4.3 All records must always be transported in a secure way by the use of locked boxes or locked briefcases, and should be kept with the member of staff at all times.

4.4 All records, including medical records transported within a vehicle should not be visible to the general public. All equipment that records any confidential information should be carried in a locked container and locked in the boot of the vehicle. This also applies to portable devices including laptops, PDAs and USB storage devices.

4.5 Patient or person identifiable information must not be stored on portable devices, such as a, CD, floppy disk, USB storage device or laptop unless it is absolutely essential. If it is deemed to be essential, then the device must be approved by the practice and must be encrypted.

4.6 When transporting more than one record, only the relevant record should be taken into patient’s home/nursing home etc. All other records must be left in a locked container in the locked boot of the vehicle. All due care must be taken to ensure that the record remains complete at all times and is returned in its entirety when no longer required.

NHS Wales Informatics Service Issue C Date Created: 06/092007 Page 4 of 8 Information and I.T. Security Toolkit for GMPs Physical and Environmental Security

4.7 Paper, including medical records, should be returned when no longer needed. They should be logged that they have been returned, signed and dated by the member of staff. When summaries are provided to carry out ‘house’ calls, these should be handed back into the practice to update the computer record and the paper summary should be shredded.

4.8 Personal items such as diaries may contain confidential information that may include details of home visits. Staff members are reminded to carry these securely at all times and should not include information that may identify a patient.

4.9 The BSC courier service must be used to internally transport both live and deceased patient paper records routinely requested by the BSC.

4.10 Copies of paper health records being sent outside the remit of the BSC courier service must be sent via special delivery.

4.11 The ‘Government Mail - Regional Plus’ service must be used to transport any portable media containing Patient Identifiable Information such as memory sticks, CDs and DVDs. Additionally the media must be encrypted and approved by the practice.

5 Taking information home

5.1 It should be noted that any applicable practice IM&T Security Policies and procedures will apply wherever the information is located, and should be adhered to at all times.

5.2 Staff must not take medical records or any confidential information home overnight.

5.3 If a staff member is required to take confidential information home for the day, a locked container and all other items containing confidential information including laptops, files and PDAs; should be locked away in the home and not left in the car overnight.

5.4 Staff must ensure that the information is not accessible by any other members of the household (including family, friends, and neighbours) even if these people are employees of the same organisation.

5.5 Under no circumstances should any family member be allowed to access a laptop owned by the Practice. This will reduce the risk of accidental incidents including the loading of illegal software, inappropriate internet access or viewing of confidential, restricted information.

5.6 Information must not be emailed to, or recorded on, any home PC as there are numerous issues regarding IT security. If an employee needs to work at home they should always be provided with the relevant equipment (including secure remote access tokens if connecting to the network) and access permissions as agreed by the Practice.

NHS Wales Informatics Service Issue C Date Created: 06/092007 Page 5 of 8 Information and I.T. Security Toolkit for GMPs Physical and Environmental Security

5.7 PDAs and laptops should be connected to the network at least once a week to enable synchronisation and updated to ensure that all information recorded is updated to the main Practice network.

6. Computer Security

6.1 The requirements for securing patient, person identifiable or business sensitive information in computer systems are detailed in the Practice IM&T Security Policy, within ISMS.

NHS Wales Informatics Service Issue C Date Created: 06/092007 Page 6 of 8 Information and I.T. Security Toolkit for GMPs Physical and Environmental Security

Appendix 1: Risk Assessment Form (Working with Person/Patient Identifiable Information (PII) off site)

About you Full Name

Post Title

Identifiable Information Type (Tick) Patient Personal

Please tick ONLY the white boxes below that apply Tick Risk 1. Have you signed a Staff Confidentiality & Security Agreement? Low 2. Does your role require you to take patient or personal identifiable Med information off site on a: ‘One off Basis’ 3. Does your role require you to take patient or personal identifiable High information off site on a: ‘Regular Basis’ About the PII 4. Original paper documents/records are being used High 5. Copies of documents/records are being used Med 6. Files will be copied onto a Laptop/ PC with up-to-date Antivirus, Low Internet Security, firewall and password protected 7. Files will be password protected on Floppy/CD/DVD disc/USB stick Med 8. PII will be sent by Email outside of NHS net (Wales) High 9. The Caldicott Guardian has signed off the process Low 10. The minimum and relevant information is being taken offsite Low About transporting the Person Identifiable Information 11. You have a locked container to carry the records/media in Med About your Home-working arrangements 12. You have a lockable secure location for overnight storage Low 13. You have no other members in your household Low 14. You have other adults in your household High 15. You have children in your household High 16. In a discrete room with restricted access to others Low 17. You will be producing documents containing PII Med 18. If a laptop is to be used between home and the Practice, it is Low encrypted to the level agreed by the Health Board. 19. You will be working on a secure home PC/laptop only you can High access 20. You will be working on an unsecured home PC/laptop High 21. If a wireless broadband connection is to be used, it is encrypted Med and password protected to prevent use by others who may be able to access the broadband

NHS Wales Informatics Service Issue C Date Created: 06/092007 Page 7 of 8 Information and I.T. Security Toolkit for GMPs Physical and Environmental Security

Appendix 2: Authorisation Form

Part 2 –Authorisation Form Practice Member of Staff Post Title IM&T Security Officer/Practice Manager: I have undertaken a risk assessment with the above member of staff and can confirm that the Practice has taken the necessary action to ensure that the member of staff is able to adhere to the procedures for the transportation and off site storage of Patient or Person Identifiable Information:-

Signature:

Date:

Member of Staff: I have read and agree to abide by the procedures for the transportation and off site storage of Patient or Person Identifiable Information:-

Signature:

Date:

Caldicott Guardian & IM&T Security Officer/Practice Manager: I can confirm that it is necessary for the above member of staff to remove the information as outlined in Part 1 – Request Form and hereby grant authorisation:-

Signature:

Date:

NHS Wales Informatics Service Issue C Date Created: 06/092007 Page 8 of 8