
Information Security Management - NHS Code of Practice

Information Security Management: NHS Code of Practice
April 2007

DH Information Reader Box

Policy / Estates / HR/Workforce / Performance / Management / IM&T / Planning / Finance / Capital / Partnership Working

Document purpose: Best Practice guidance
Gateway reference: 7974
Title: Information Security Management: NHS Code of Practice
Author: DH/Digital Information Policy
Publication date: April 2007
Target audience: PCT CEs, NHS Trust CEs, SHA CEs, Care Trust CEs, Foundation Trust CEs, Medical Directors, PCT PEC Chairs, NHS Trust Board Chairs, Special HA CEs, Directors of HR, Directors of Finance, Allied Health Professionals, GPs, Royal Colleges, BMA, GMC, Healthcare Commission, Monitor
Circulation list:
Description: The Code of Practice is a guide to the required methods and standards of practice in the management of information … will benefit all types of NHS organisations through the promotion and adoption of …
Superseded documents: HSG(96)15: NHS Information Management and Technology Security Manual





Action required: N/A
Timing: N/A
Contact details: Adam Goodwin, Digital Information Policy, NHS Connecting for Health … 397
For recipient's use:

Contents

Section 1 Foreword 1
Types of Information Covered by the Code of Practice 2
Types of Organisation Covered by the Code of Practice 2
Section 2 Introduction 3
General Context 4
Monitoring Information Security Management Performance 5
Legal and Professional Obligations 5
NHS Connecting for Health (NHS CFH) 6
Social Care Information 6
NHS Information Governance: Information Security Policy 7
Section 3 NHS Information Security Management 9
Information Security Management System (ISMS) 9
NHS Organisational Responsibility 11
Individual Responsibility 12
Information Security Policy (NHS organisations) 12
Information Risk Assessment 13
Annex A Glossary of Terms 15
Annex B Resources to Support …

Section 1 Foreword

Information Security Management: NHS Code of Practice has been published by the Department of Health as a guide to the methods and required standards of practice in the management of information security for those who work within, under contract to, or in business partnership with NHS organisations in England. Its purpose is to identify and address security management in the processing and use of NHS information, and it is based on current legal requirements, relevant standards and professional best practice.

The guidance was prepared by a working group made up of representatives from the Department of Health, NHS Connecting for Health, NHS Trusts, Strategic Health Authorities, GP practices and professional bodies. It has also been endorsed by interested stakeholders who were consulted on the draft document, and their comments were incorporated into the final Code of Practice as …

The Code provides a key component of Information Governance arrangements for the NHS. This document is part of an evolving information security management framework, because the risk factors, standards and best practice covered by the Code will change over time. It, and other related materials, will therefore be subject to regular review and be updated as …

[Figure: The NHS Information Security Management Framework. Labels: best practice guides and standards; Information Governance Toolkit; exemplar materials, tools and techniques.]

Types of Information Covered by the Code of Practice

4. The guidance contained within this Code of Practice and its related materials applies to NHS information assets of all types (including the records of NHS patients treated on behalf of the NHS in the private healthcare sector).

5. Information assets may consist of:

- digital or hard copy patient health records (including those concerning all specialties and GP medical records);
- digital or hard copy administrative information (including, for example, personnel, estates, corporate planning, supplies ordering, financial and accounting records);
- digital or printed X-rays, photographs, slides and imaging reports, outputs and images;
- digital media (including, for example, data tapes, CD-ROMs, DVDs, USB disc drives, removable memory sticks, and other internal and external media compatible with NHS information systems);
- computerised records, including those that are processed in networked, mobile or standalone systems;
- email, text and other message …

Types of Organisation Covered by the Code of Practice

The guidance within this Code of Practice is generally applicable to all organisations that access or process NHS information of the types outlined above. This scope includes, but is not limited to, NHS organisations, third party IT/information service providers and private sector care providers providing care services under NHS …

The Code of Practice is a key component of the information security management framework that replaces prior Information Management and Technology security guidance published by the NHS Executive Information Management Centre and the NHS Information Authority, including HSG(96)15: NHS Information Management and Technology Security Manual.

Guidelines contained in this Code of Practice draw on advice and published guidance available from UK Government security authorities, the British Standards Institute, the Information Security Forum, and from best information security management practices followed by a wide range of organisations in the Government, public and private sectors. The guidelines provide a framework for consistent and effective information security management that is both risk and standards-based and is fully integrated with other key NHS Information Governance …

Managers need to be able to demonstrate positive progress in enabling their staff to conform to the guidelines, identifying resource requirements and any related areas where organisation or system improvements are required. Information Governance performance assessment and management arrangements facilitate and drive forward the necessary changes that enable improvement. Those responsible for monitoring NHS performance, for example Strategic Health Authorities and the Healthcare Commission, play a key role in ensuring that effective Information Governance systems are in place.

The NHS will be supported in delivering improved information security through the NHS Information Governance Toolkit (IGT). An information security management roadmap will be developed and published separately and incorporated within the IGT to support implementation of this Code of Practice.

Section 2 Introduction

General Context

NHS organisations need robust information security management arrangements for the protection of their patient records and key information services, to meet the statutory requirements set out within the Data Protection Act 1998 and to satisfy their obligations under the Civil Contingencies Act 2004. These aims are also consistent with the UK Strategy for Information Assurance published by the Cabinet Office (available at ).

Without effective security, NHS information assets may become unreliable and untrustworthy, may not be accessible where or when needed, or may be compromised by unauthorised third parties. All NHS organisations and those who supply or make use of NHS information therefore have an obligation to ensure that there is adequate provision for the security management of the information resources that they own, control or …

Information, whether in paper or digital form, is the lifeblood of NHS organisations because of its critical importance to NHS patient care and other related business processes. High-quality information underpins the delivery of high-quality evidence-based healthcare and many other key service deliverables. Information has greatest value when it is accurate, up to date and accessible where and when it is needed.

Outdated or inaccessible information that is the result of one or more information security weaknesses can quickly disrupt or devalue mission critical processes, and these factors should be fully considered when commissioning, designing or implementing new systems. An effective information security management regime, therefore, ensures that information is properly protected and is reliably …

Information may be needed to:

- support patient care and continuity of care;
- support day-to-day business processes that underpin the delivery of care;
- support evidence-based clinical practice;
- support public health promotion and communicate emergency guidance;
- support sound administrative and managerial decision making, as part of the knowledge base for the NHS;
- meet legal requirements, including requests from patients under the provisions of the Data Protection Act or the Freedom of Information Act;
- assist clinical or other types of audit;
- support improvements in clinical effectiveness through research;
- support archival functions by taking account of the historical importance of information;
- support patient choice and control over treatment and services designed …

Information Security Management: NHS Code of Practice, together with its supporting annexes and other related guidance materials within the NHS IGT, identifies the actions, managerial responsibilities and baseline information security management measures applicable to all types of NHS information (both corporate and health).

Monitoring Information Security Management Performance

A number of bodies monitor NHS performance and, through their existing arrangements, have an interest in NHS Information Security Management.
