A Users Guide To

INFORMATION ASSET REGISTER HANDBOOK

(IA Owners and IA Administrators)

(Information Asset Management)

Page 1 of 11

D:\Docs\2018-04-06\0a6f83b8ea7efab025976d66a276a8d0.doc

CONTENTS

WHY DO WE NEED AN INFORMATION ASSET REGISTER? 3

LINKS TO DATA PROTECTION 3

INFORMATION ASSET OWNER 4

INFORMATION ASSET ADMINISTRATOR 6

WHAT IS AN INFORMATION ASSET 7

COMPLETING THE INFORMATION ASSET MANAGEMENT TOOL 7

THE RISK ASSESSMENT TOOL AND HOW TO USE IT 10

WHO DO I CONTACT IF I HAVE ANY QUESTIONS ABOUT COMPLETING THE SPREADSHEETS? 11

WHERE SHOULD I SEND THE COMPLETED ASSET REGISTER? 11

Why do we need an Information Asset Register?

The Information Risk Management (IRM) Policy has been created to ensure that the Trust meets the requirements of the Department of Health Information Governance policies and standards on managing information assets.

This states that:

• All NHS organisations need a clear Information Risk Management Policy

And that

• Information Risk Management should be a fundamental component of the organisation's overall business risk management framework

Key aspects of the Information Risk Management Policy:

• Provides support for the organisation's business aims and objectives
• Defines how our Trust and its delivery partners will manage its Information Risk
• Identifies how risk management effectiveness is assessed and measured
• Defines IRM escalation points and mechanisms
• Identifies accountability, roles & responsibilities for staff

Compliance requirements of the National Policy ‘NHS Information Risk Management’ (NHS Connecting for Health, Digital Information Authority; January 2009 Guidance) are to have knowledge of:

• What information assets we have
• Where they are
• What they hold
• How they are used
• Identify risks

The way to do this is for our Trust to have a register of all information assets, as well as a review and update programme in place. This requires ownership and regular administration, hence the creation of the Information Asset Owner and Information Asset Administrator roles.

Links to Data Protection

Information Risk Management has direct links to the requirements of the Data Protection Act 1998 (DPA 1998). Southern Health NHS Foundation Trust’s Asset Register implementation and review programme is linked to the Data Protection and Data Custodian Framework.

Therefore the Trust made a Board decision for Data Custodians (within the meaning of the DPA 1998) to become our Trust Information Asset Owners, thus merging the two roles.

INFORMATION ASSET OWNER Role and Responsibilities

Responsible to: Senior Information Risk Owner / Line Manager

Summary

The Information Asset Owner (IAO) is a senior member of staff who is the nominated owner for one or more identified information assets within the service/Trust. IAOs will work closely with other IAOs of the Trust to ensure there is comprehensive asset ownership and clear understanding of responsibilities and accountabilities, especially where information assets are shared by multiple services. IAOs will support the SIRO in their overall information risk management function as defined in Trust policy.

The IAO will also undertake the role of Data Custodian, as required by the Data Protection Act 1998.

The IAO will document, understand and monitor:

• What information assets are held, and for what purpose
• How information is created, amended or added to over time
• Who has access to the information and why
• Understand and address the risk to the asset, providing assurance to the SIRO

Key responsibilities

1. Identify and document the scope and importance of all information assets they own. This will include identifying all information necessary in order to respond to incidents or recover from a disaster affecting the information asset.

2. Take ownership of their local asset control, risk assessment and management processes for the information assets they own. This includes the identification, review and prioritisation of perceived risks and oversight of actions agreed to mitigate those risks.

3. Provide support to the SIRO to maintain their awareness of the risks to all information assets that are owned by the Trust, and report those risks as appropriate.

4. Ensure that staff and relevant others are aware of and comply with expected information governance and Data Protection working practices for the effective use of information assets:

• Promote Data Protection & Caldicott Principles on an ongoing basis, including distributing posters, communicating articles and giving local briefings

• Promote local induction and ensure that all new starters, before they access any information system, are given instruction on the Data Protection Act and Caldicott, as part of their first day/week induction programme.

• Ensure that all new staff attend the Corporate Induction session as soon as they are able

• Ensure that all staff have access to current information on Data Protection Act and Caldicott requirements

• Ensure that all staff are aware of the Data Custodian/IAO for their area and the contact details for the relevant Information Security Team

• Ensure that all staff know the procedure for reporting information and IT security incidents

5. Provide a focal point for the resolution and/or discussion of risk issues affecting their information assets

6. Ensure that the Organisation’s requirements for information incident identification, reporting, management and response apply to the information assets they own; including ensuring completion of Data Flow Mapping exercises when required.

7. To ensure (via the IAA) that the service’s RA Sponsors and Agents list is regularly reviewed and updated, reporting to the RA Co-Ordinator as appropriate.

8. To attend information risk management training as required to ensure skills, capabilities, and any new national requirements are kept up to date.

9. To supervise and delegate tasks to the Information Asset Administrator.

INFORMATION ASSET ADMINISTRATOR Role and Responsibilities

Responsible to: Information Asset Owner

Summary

The Information Asset Administrator’s (IAA) primary role is to support the IAO to fulfill their responsibilities. IAAs will ensure that policies and procedures are followed, recognise actual or potential security incidents, consult with their IAO on incident management and ensure that information asset registers are accurate and up to date.

Key responsibilities

Detailed responsibilities will be in agreement with the IAO – but would include:

1. Maintenance of Information Asset Registers

2. Ensuring compliance with Data Protection Act – data sharing agreements within the local area

3. Ensuring information handling procedures are fit for purpose and are properly applied

4. Under the direction of their IAO, ensuring that personal information is not unlawfully exploited

5. Recognising new information handling requirements (e.g. a new type of information arises) and that the IAO is consulted over appropriate procedures – e.g. completing/updating information mapping flows

6. Recognising potential or actual security incidents and consulting with the IAO

7. Reporting to the IAO on current state of local information handling

8. Ensuring that local information handling constraints (e.g. limits on who can have access to the assets) are applied, referring any difficulties to the IAO

9. Act as first port of call for local managers/staff seeking advice on the handling of information

10. Under the direction of the IAO, ensuring that information is securely destroyed at the end of the designated retention period

What is an Information Asset

An Information Asset is Service User, Staff or Corporate information/data that is processed by us and held in an electronic or hard copy/manual format.

Examples of information you may have in your area:

• Electronic Patient records e.g. OpenRiO primary electronic record, eCAMIS record
• Paper health records, OpenRiO secondary record
• Audit records
• Paper records and reports including service user and staff records
• Contracts and agreements
• Business continuity plans
• Images i.e. photographs, X-rays, MRIs
• Manuals and training materials
• Research Information
• Investigations i.e. IMR, CIR
• Voicemail / answer phone message / message pads
• CCTV recordings
• Staff files; sickness, employment details, appraisal, leave, etc.
• Business meeting minutes/notes, including Board minutes/reports
• Clinical meeting notes
• Multi Agency Risk Area Consortium (MARAC) information
• Whiteboard
• Back-up and archive data
• Building plans
• Travel claims
• Revalidation documentation
• Birth Books
• Ward Admissions & Discharges Book
• Inventories
• Tenders

Completing the Information Asset Management Tool

The Information Asset tool is an Excel spreadsheet. It is a combination of both an information asset register and a data protection compliance checklist.

You will need to record the name of the service and team to which the information assets relate, as well as who the Information Asset Owner (IAO) and the Information Asset Administrator (IAA) are.

If you are covering more than one area you will need to use the existing register but use the additional tabs along the bottom of the spreadsheet to create each area.

Please see example as shown below:

If this is the first time an Information Asset Management Tool for this service/team has been completed then please record the date in the ‘date this register is modified’ field.

If this is a review/update/amendment of your initial completed document, please complete the ‘Date this register is modified’ field. In addition to entering this date you will need to ensure that the next review/risk assessment date field on the register is also filled in with a review date. This will reflect that a review has taken place and will provide evidence to the IGTK.

This form must be updated when a new asset is added to the tool OR when an existing information asset is amended. Once the spreadsheet has been reviewed/updated/amended please use the ‘Save As’ function and name your sheet in the following format:

Division (CORP, AMH, LD, TQ21, ISD…, CHILDRENS) Team Name, Version & Date

e.g. CORPORATE - Information Assurance Team v2 20.07.15

Enter the name of the asset at the top and across question 1 and then simply work down the questions for each different information asset type – refer to the documented example within the IA management tool.

INFORMATION ASSET MANAGEMENT TOOL

Name of Service, site and team/s:
Information Asset Owner:
Information Asset Administrator:
Date this register is modified:

1. What Information/Data do you have?
   Guidance: Enter as free text in appropriate column.
   Example: Personnel Records

2. How is the information held?
   Guidance: From the drop down menu select Yes or No.
   Example: Electronic: Yes; Hard Copy/Manual: Yes

3. If this information is electronic, where is it stored?
   Guidance: From the drop down menu select Yes or No. If you know the name of the drive/shared folder please state it. Database System and Other are entered as free text in the appropriate column.
   Example: Local "C" Drive: No; Removable Drives (e.g. DVDs, SD Cards & Datasticks): Yes; Sharepoint: Yes; Network Drives (e.g. Corporate Services - Departmental Drive, Home drive): Information Governance; Dictaphones: No; Database System: RiO; Other: (none)

4. Does the information contain Person Identifiable Data? e.g. name, address, DOB, photograph, dental impressions, x rays/images - that can identify a person?
   Guidance: From the drop down menu select Yes or No.
   Example: Yes

5. Does the information contain Sensitive Data? e.g. ethnicity, physical or mental health details, religion, diseases, sexual orientation, financial details, sickness/disciplinary/appraisal record, trade union membership - that tells us something about the person?
   Guidance: From the drop down menu select Yes or No.
   Example: Yes

6. If yes to Question 4b, please state what sort of Personal Sensitive Information. e.g. Looked after/adoption, ethnicity, physical or mental health details, safeguarding (childrens), religion, diseases, sexual orientation, security access (keycodes) etc.
   Guidance: Enter as free text in appropriate column.
   Example: Sickness, Disciplinary, N.O.K. Details, Financial Details, Employment Contract

7. Does the information contain Corporate Sensitive Data? e.g. contract tender, budget details - commercially sensitive information.
   Guidance: From the drop down menu select Yes or No.
   Example: No

8. If the information is in hardcopy/paper format, do you store your documents on-site, off-site or both?
   Guidance: Enter as free text (On site or off site) in appropriate column.
   Example: Both

9. If off-site, with which archive company? e.g. PHS Records Management, Box-It
   Guidance: Enter as free text in appropriate column.
   Example: Box-it

10. If stored on-site, where is it located? e.g. Managers Offices, Admin Offices, Ward office, Consultation Room, Personally held (like an HCP diary)
   Guidance: Enter as free text in appropriate column.
   Example: Manager's Office

11. How is the (on-site) information protected against inappropriate access? e.g. Password protected log-on, limited access to local drives, password protection of sensitive folders, smartcards, filing cabinets locked, office access limited.
   Guidance: Enter as free text in appropriate column.
   Example: Locked in 4 drawer filing cabinet; alarm + pinpad access code.

12. Please confirm whether the IAO risk assessed the asset within this register. If no, please name the person who did.
   Guidance: Enter as free text in appropriate column.
   Example: A.Sessor

13. What is the level of risk regarding inappropriate access to the information asset? (refer to the risk level tool)
   Guidance: Enter the result as free text in appropriate column.
   Example: 10

14. Your asset should be reviewed in accordance with the frequency determined by the level of risk i.e. annually, 6 monthly or monthly.
   Example: Annually

15. Please set a date for the next review.
   Guidance: Enter as free text in appropriate column.
   Example: 01/05/2014

16. What do you consider to be your main information asset risk?
   Example: Paper records not locked away at all times, use of offices by staff from other sites

The Risk Assessment Tool and How to use it

Having identified our information assets we then need to identify what information risks exist, for example:

• Inappropriate access
• Damage to the information asset
• Loss of information
• Inaccessibility to the information

and the likelihood of any of the above occurring.

The risk assessment matrix below is the preferred method to do this and must be embedded within all services, departments and teams across the Trust.

Likelihood:
• 1 – 2 Very unlikely
• 3 – 4 Unlikely
• 5 – 6 Occasionally
• 7 – 8 Likely
• 9 – 10 Always

Severity Level:
• High (8-10)
• Medium (5-7)
• Low (1-4)

Scenario 1

Medics recording discharge summaries onto a tape dictaphone which has no protection. Medic records service user full name, DOB (PID) + clinical information including medication, diagnosis. This happens on a regular basis.

Severity: You may consider this to be very high because of the PID and personal sensitive information e.g. 10.

Likelihood: You may consider that the information is recorded on a regular basis on an unprotected device/media and can easily be lost or accessed by unauthorised person/s e.g. 10.

Risk score is: 100 so the risk will need to be reassessed monthly.

Scenario 2

Ward lists which contain Person Identifiable Data (PID), filed into a ring binder, stored on a shelf in a room unlocked when occupied, and locked when not occupied.

Severity: You may consider this to be high because of the PID e.g. 5.

Likelihood: You may consider that the room is occupied throughout the day, and locked when not occupied thus making this middle of the likelihood range e.g. 5.

Risk score is: 25 so the risk will need to be reassessed 6 monthly.

Scenario 3

An administrator accesses the Trust’s network via a desktop computer, on site, to create and store service user appointment letters into a protected folder held on a network shared drive (not C drive).

Severity: You may consider this to be high because of the PID e.g. 7.

Likelihood: You may consider this to be very unlikely, as access to the building is limited, access to the IT network requires a password and network account, and the folder is protected so access is restricted e.g. 1.

Risk score is: 7 so the risk will need to be reassessed annually.
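The scoring used in the three scenarios, as an added example that is not part of the handbook: severity and likelihood are scored 1-10 and multiplied, the bands and labels are the handbook's, but the score thresholds that pick monthly / 6 monthly / annual review are assumed, since the handbook only gives the three worked results.

```python
"""Risk scoring for an information asset register entry (added example, not
part of the handbook). Severity x likelihood as in the handbook's scenarios;
severity bands and likelihood labels are the handbook's. The score thresholds
that select the review frequency are NOT in the handbook: they are an ASSUMPTION
chosen to reproduce its worked results (100 monthly, 25 6-monthly, 7 annually)."""
from dataclasses import dataclass
from datetime import date

SEVERITY_BANDS = ((8, "High"), (5, "Medium"), (1, "Low"))
LIKELIHOOD_LABELS = ((9, "Always"), (7, "Likely"), (5, "Occasionally"),
                     (3, "Unlikely"), (1, "Very unlikely"))
# ASSUMED thresholds: score >= 50 monthly, >= 20 six-monthly, else annually.
REVIEW_MONTHS = ((50, 1), (20, 6), (0, 12))


def _lookup(value: int, table):
    """Return the entry of the first band whose floor is <= value."""
    return next(name for floor, name in table if value >= floor)


@dataclass(frozen=True)
class RiskAssessment:
    asset: str
    severity: int       # 1-10: how bad inappropriate access/loss would be
    likelihood: int     # 1-10: how likely it is to happen
    assessed_on: str    # ISO date, the 'date this register is modified'

    def __post_init__(self):
        for name in ("severity", "likelihood"):
            if not 1 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be on the 1-10 scale")

    @property
    def score(self) -> int:
        return self.severity * self.likelihood

    @property
    def review_months(self) -> int:
        return _lookup(self.score, REVIEW_MONTHS)

    def next_review(self) -> str:
        """ISO date review_months after the assessment (day clamped to 28)."""
        d = date.fromisoformat(self.assessed_on)
        months = d.month - 1 + self.review_months
        return date(d.year + months // 12, months % 12 + 1,
                    min(d.day, 28)).isoformat()

    def summary(self) -> dict:
        return {"asset": self.asset,
                "severity": _lookup(self.severity, SEVERITY_BANDS),
                "likelihood": _lookup(self.likelihood, LIKELIHOOD_LABELS),
                "score": self.score,
                "review_every_months": self.review_months,
                "next_review": self.next_review()}


if __name__ == "__main__":  # the handbook's scenario 1, on a constructed date
    print(RiskAssessment("Dictaphone discharge summaries", 10, 10,
                         "2015-07-20").summary())
```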

Who do I contact if I have any Questions about completing the spreadsheets?

Please contact either your local Information Governance Lead or The Information Assurance Team and ask to speak with:

Sharon France, Information Governance Manager
Donna Woolley, Information Governance Facilitator
Karen Watts, Information Governance Facilitator

Telephone IG Team: 01962 763931

Where should I send the completed Asset Register?

Please return the completed Asset Register compliance tool to the Information Assurance Team by NHSmail to: [email protected]
