INFORMATION MANAGEMENT AND DATA SECURITY POLICY


Related policies and procedures: Using the Document Classification Ribbon in Word procedure (internal); Encryption of Confidential data policy; Using the Virtu add-in in Outlook procedure.



Policy version control sheet

Document Status: Approved
Policy Number: 27
Version Number: 2
Date of Policy: October 2016
Next review date: October 2017
Name of originator: Shaun Davis
Approved by: Nita Ellul
Date of approval: 26.09.2015
Target Audience: Staff; Referring authorities; Parents and carers; Regulatory bodies

Links to other policies:

Information Classification Data policy
Using the Document Classification Ribbon in Word procedure (internal)
Encryption of Confidential data policy
Using the Virtu add-in in Outlook procedure (internal)
Confidentiality & Privacy for YPs & Housemates policy
Case Recording & Access to Files
Policy for Authorised Room Searches
Internet Access & Social Media for Staff policy
Staff Mobile Phone policy
Internet Access & Social Media for YPs and Vulnerable Adults policy
Anti-Cyber Bullying policy & procedures
Safeguarding and Dealing with Allegations Policy

Changes to previous version: New policy with a suite of related and updated policies. Replaces the previous version; wider in scope, i.e. information classification introduced, and includes updated and more comprehensive information and related policies. Reviewed October 2016: added guidelines on the handling of confidential information.

Distribution: Intranet √; Website √; Email to managers √


1 Introduction

1.1 3 Dimensions has an ethical, legal and professional duty to ensure that the information it holds conforms to the principles of confidentiality, integrity and availability; in other words, that the information we hold or are responsible for is safeguarded where necessary against inappropriate disclosure; is accurate, timely and attributable; and is available to those who should be able to access it.

1.2 The primary purpose of the Information Management and Security Policy is to enable all 3 Dimensions staff to understand both their legal and ethical responsibilities concerning information, and to empower them to collect, use, store and distribute it in appropriate ways.

2 Purpose

2.1 The primary purposes of this policy are to:

Ensure the protection of all 3 Dimensions information systems (including but not limited to all computers, mobile devices, networking equipment, software and data) and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.

Make certain that users are aware of and comply with all current and relevant UK and EU legislation.

Provide a safe and secure information systems working environment for staff and any other authorised users.

Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.

1

Reviewed: October 2016


Protect 3 Dimensions from liability or damage through the misuse of its IT facilities.

Respond to feedback and update as appropriate, initiating a cycle of continuous improvement.

3 Scope

3.1 This policy is applicable to, and will be communicated to, all staff and other members of the company who interact with information held on 3 Dimensions systems used to store and process information. This includes, but is not limited to, any systems or data attached to the 3 Dimensions data network and any mobile devices used to hold 3 Dimensions data.

4 Policy Statement

The following information security principles provide overarching governance for the security and management of information at 3 Dimensions.

4.1 Information should be classified according to an appropriate level of confidentiality (see the Information Classification Policy) and in accordance with relevant legislative, regulatory and contractual requirements and all relevant 3 Dimensions policies.

4.2 Staff with particular responsibilities for personal or confidential information are responsible for ensuring the classification of that information and the handling of the information in accordance with its classification level. This includes any internal company documents or information.

4.3 All users covered by the scope of this policy must handle information appropriately and in accordance with its classification level.

4.4 Information should be secure, correct and available to those with an authorised legitimate need for access in accordance with its classification level.

4.5 Information will be protected against unauthorised access and processing in accordance with its classification level.


4.6 Breaches of this policy must be reported.

4.7 The aim of this policy is to ensure that everyone handling personal data or confidential information is fully aware of the requirements of the Data Protection Act 1998, the Children’s Act and Children’s Homes Regulations 2015 or Care Quality Commission Outcome 12, and acts in accordance with data protection procedures. This document also highlights key data protection procedures within 3 Dimensions Care and School.

4.8 Our policies and procedures ensure that access to confidential information and/or information systems, whether through electronic, written or verbal means, is only provided on a “need to know” basis and that access is properly controlled, authorised and regularly reviewed.

4.9 All our staff, consultants and volunteers who process personal information must ensure they not only understand but also act in line with this Policy and related Policies and Procedures, the Staff Contract of Employment and our Staff Handbook or Consultancy Contract and the data protection principles.

4.10 Breach of this Policy and related policies by members of staff will result in disciplinary procedures. Breaches by volunteers or consultants will be dealt with as appropriate.

4.11 3 Dimensions Care Limited (3 Dimensions Care and School) is registered with the Information Commissioner’s Office (ICO) and complies with the Data Protection Act 1998 and is registered as a Data Controller and a Data Processor. It has notified the Information Commissioner of:

The personal data that it will process

The categories of data subjects to which personal data relates

The purposes for which the personal data will be processed

4.12 3 Dimensions Care and School, in accordance with the Data Protection Act, ensures that we:


only collect information that we need for a specific purpose

keep it secure

ensure it is relevant and up to date

only hold as much as we need for as long as we need it

allow the subject of the information to see it on request if we have written it.

4.13 The requirements we have for processing personal data are recorded on the public register maintained by the ICO. We notify and renew our notification on an annual basis as the law requires.

4.14 If there are any interim changes, these will be notified to the Information Commissioner within 28 days.

4.15 The organisation operates registered Children’s Homes, an adult care home and an Independent Special Educational Needs (SEN) School. We need to process information about our directors, managers, staff, consultants, suppliers and the children/young people/adults in our care, for administrative, statutory, academic and health and safety reasons, in order to operate efficiently. We will only process personal data in accordance with our registration under the Data Protection Act.

5 Children, Young People and Adults in Our Care:

5.1 We are compliant with the Children’s Homes Regulations and Care Quality Commission standards in relation to the collection, storage and retention of records.

5.2 Further information on how we meet the standards and regulations set out in the National Minimum Standard and Regulations for Children’s Homes (to ensure each child has a permanent, private and secure record of their history, in compliance with legal requirements and confidentiality) can be found in the following policies:


Case Recording and Access to Files

Confidentiality and Privacy Policy

6 Disclosure of Personal Data

6.1 Induction training is provided to all staff on data protection, confidentiality and sharing information based on CWDC hand-outs, the Care Certificate workbook, information from the ICO and our own policies and guidance.

6.2 Any company confidential information, including personal data of young people, employees of 3 Dimensions, authorised consultants and volunteers, must not be disclosed, either orally or in writing, accidentally or otherwise, to any unauthorised third party.

6.3 Personal information regarding 3 Dimensions’ personnel is held on the main site in a secure locked office in a locked cupboard where access is restricted to senior managers and other authorised personnel. Personal information is not given out apart from in the form of a reference for former employees, or to authorised bodies in accordance with the Data Protection Act 1988, or for child protection purposes.

6.4 Particular discretion must be used before deciding to transmit personal or confidential data by post, fax or email. If emails are sent containing confidential information, then encryption must be used (please see the Encryption of Confidential Data Policy). Recipients will need to unlock confidential emails using a two-part verification email system.

6.5 When sending confidential information via postal services, the recipient’s address must be checked before the information is sent.


6.6 When sending confidential information via postal services, the information should be clearly addressed and sent using a recorded and signed-for postal service, with a clear return address.

6.7 Where non-routine requests are made, or where staff are unsure of their responsibilities, they should seek the advice of their house manager. The house manager may decide to refer a request for a definitive decision to a Company Director.

6.8 Staff should be aware that those seeking information about individuals may use deception to obtain information.

6.9 Staff must take adequate steps to verify the identity of those seeking information, for example by obtaining and verifying the telephone number and returning the call or by reviewing identification documents if an application is made in person.

6.10 All applications for data should be made in writing; e-mail requests will be accepted.

6.11 Requests by other public bodies, including the police, must meet the requirements for lawful processing. The police must be able to demonstrate that they require the information in pursuit of a criminal investigation.

6.12 Where a disclosure is requested in an emergency, staff should make a careful decision as to whether to disclose, taking into account the nature of the information being requested and the likely impact on the subject of not providing it.

6.13 Personal data may be legitimately disclosed where one of the following conditions applies:

The individual has given their consent (e.g. a member of staff has consented to 3 Dimensions Care and School corresponding with a named third party)

Where the disclosure is in the legitimate interests of the organisation (e.g. disclosure to staff: personal information can be disclosed to other 3 Dimensions Care and School employees if it is clear that those members of staff require the information to enable them to perform their jobs)

Where the organisation is legally obliged to disclose the data

Where disclosure of data is required for the performance of a contract

6.14 The Data Protection Act permits certain disclosures without consent so long as the information is requested for one or more of the following purposes:

to safeguard national security*;

prevention or detection of crime, including the apprehension or prosecution of offenders*;

assessment or collection of tax duty*;

discharge of regulatory functions (includes health, safety and welfare of persons at work)*;

to prevent serious harm to a third party;

to protect the vital interests of the individual; this refers to life and death situations.

* Requests must be supported by appropriate paperwork.

6.15 The safety and welfare of Children, Young People and Housemates in our care takes precedence over issues of confidentiality. If a member of staff is concerned that a Child, Young Person or Housemate has been or may have been abused, they are required to report this immediately to the Company’s Responsible Individual and designated safeguarding officer. Staff should refer to 3 Dimensions’ Safeguarding and Dealing with Allegations Policy for further detailed guidance.

CONFIDENTIALITY CANNOT BE GUARANTEED IN RESPECT OF CHILD PROTECTION ISSUES

6.16 When members of staff receive enquiries as to whether a named individual is a member of 3 Dimensions Care and School staff, the enquirer should be asked why the information is required. If consent for disclosure has not been given and the reason is not one detailed above (i.e. consent not required), the member of staff should decline to comment. Even confirming whether or not an individual is a member of 3 Dimensions Care and School staff may constitute an unauthorised disclosure.


6.17 Unless consent has been obtained from the data subject, information should not be disclosed over the telephone. Instead, the enquirer should be asked to provide documentary evidence to support their request. Ideally a statement from the data subject consenting to disclosure to the third party should accompany the request.

6.18 As an alternative to disclosing personal data, you may offer to do one of the following:

pass a message to the data subject asking them to contact the enquirer;

accept a sealed envelope or incoming email message and attempt to forward it to the data subject.

6.19 Please remember to inform the enquirer that such action will be taken conditionally, i.e. “if the person works for 3 Dimensions Care and School”, to avoid confirming their presence in or absence from the organisation.

6.20 If in doubt, staff should seek advice from their House Manager or a member of the Board.

6.21 Further information and guidance can be found in the Data Protection section of the Staff Handbook.

7 Data Security

7.1 No individual should be able to access information to which they do not have a legitimate access right. Notwithstanding systems in place to prevent this, no individual should knowingly contravene this policy, nor allow others to do so.

7.2 3 Dimensions Care and School has taken precautions to ensure the data security of our systems and system backups.

7.3 The allocation of access to files and folders is controlled by the Data Controller and determined on a “need to know” basis by the Board of Directors. Once access has been granted, secure network folders on the mainframe are accessible with a username and password unique to the user. The level of access for each user is defined in the local group policy manager on the server using special permissions.

7.4 All staff have specific or overarching responsibilities for preserving the confidentiality, integrity and availability of information and for ensuring that:

any personal data which they hold is kept securely;

Company confidential information or personal information of young people or staff is not disclosed, either orally or in writing, accidentally or otherwise, to any unauthorised third party.

7.5 Staff should know that unauthorised disclosure may be regarded as a disciplinary matter.

7.6 Personal information should be:

Secured in a locked office, filing cabinet or desk drawer;

If it is computerised, password protected.

7.7 Particular care must be taken with data held on portable storage devices, laptop computers and other electronic devices. Only laptops, secure portable storage devices (USBs) and other electronic devices supplied by 3 Dimensions Care and School may be used. See the Encryption of Confidential Data Policy for further information.

7.8 3 Dimensions Care and School restrict the use of removable media where possible. In the event that removable media is needed we issue secure USBs, with encrypted drives for staff who require them to help ensure Company file handling security.

7.9 Data storage devices not owned by 3 Dimensions Care and School must not be used for transporting, storing or transferring company documents and information.

7.10 Only 3 Dimensions Care and School issued USBs may be used to transfer documents to off-site locations outside the Company premises. These USBs should only be used for secure data transfer and not for permanent storage of Company data, and the data must be deleted when the specific task is completed.

7.11 Any work carried out on remote workstations must only be saved to the USB’s secure drive and not to the local machine. Any altered data or documents should be then updated to their relevant file locations within the 3 Dimensions network and removed from the USB secure drive so that it can be backed up as per company procedures and to make data accessible to relevant parties.

7.12 Company computers are for company use only and staff members are not allowed to use them for personal purposes; all information on company computers belongs to the company.

7.13 We therefore monitor and track the use of computers regularly including all internet usage, file access, system access and modification.

7.14 Further information and guidance can be found in the Use of Computer and Telecommunication Services section of the Staff Handbook and in other related policies.

Figure: Methods of storing, sharing and transferring data securely: encrypted email; Dropbox; encrypted and password-protected removable storage and internal storage; password-protected server shares.

7.15 Staff should ensure that casual disclosure does not take place, for example by leaving computer printouts uncovered on desks or by allowing unauthorised users to view computer screens. PC and laptop screens should not be left unattended without password-protected screen savers.

7.16 Computer printouts must be kept securely, and destroyed in a confidential manner using an approved shredder.

7.17 All offices where staff members are employed to process personal data must be locked when not occupied.

7.18 Staff should not share confidential information with anybody else, even family or friends, without 3 Dimensions’ permission.

7.19 All staff members are responsible for ensuring that they observe the procedures of other appropriate policies including:

Contacts Policy (including family visits and telephone calls)

Internet Access & Social Media for Staff Policy

Confidentiality & Privacy for YPs and Housemates Policy

Encryption of Confidential Data Policy

Staff Mobile Phone Policy

Visitors Policy

Whistle Blowing Policy

Policy for Authorised Room Searches

Professional Boundaries Policy

Safeguarding & Dealing with Allegations Policy

8 Retention and Disposal of Data

8.1 3 Dimensions is committed to ensuring that the recording system meets all known requirements and is properly maintained to meet the standards and regulations set out in the Children’s Homes (England) Regulations 2015 and Quality Standards and the Care Quality Commission’s Outcomes framework, to ensure each child or housemate has a permanent, private and secure record of their history, in compliance with legal requirements and confidentiality.

8.2 3 Dimensions Care and School does not keep personal data for longer than required by law and/or the conditions of our insurance. Some data will be kept for longer periods than others.

8.3 In general, electronic staff records containing information about individual members of staff and other specified records are kept in accordance with the Children’s Homes (England) Regulations 2015, as per regulation 37 and as set out in schedule 4, for at least 15 years after the last entry. For more information refer to the Case Recording and Access to Files Policy.

8.4 Information would typically include name and address, position held and leaving salary. Other information relating to individual members of staff will be kept by Human Resources for 6 years from the end of employment. Information relating to Income Tax, Statutory Maternity Pay etc. will be retained for the statutory time period (between 3 and 6 years).

8.5 Children’s case records with direct relevance to Children and Young People and/or Vulnerable Adults are kept for 75 years from the date of birth of the child/adult or, if the child dies in our care before the age of 18, for 15 years from the date of his or her death. This includes training records, job applications and the results of DBS checks. For more information refer to the Case Recording and Access to Files Policy.

8.6 Information relating to unsuccessful applicants in connection with recruitment to a post will generally be destroyed after one month, with the exception of the recruitment form which will be held for one year before being securely destroyed.

8.7 Particular care must be taken with the disposal of personal data. Personal data must be disposed of in a way that protects the rights and privacy of data subjects. Staff should be aware that the same standards apply to informal records, lists and printouts containing personal data held by individual members of staff as to records which are part of the company’s formal records system.

8.8 Personal data must be destroyed by secure methods such as shredding or secure electronic deletion. Hard drives of redundant PCs or laptop computers are wiped clean using a seven-pass secure erase procedure.

8.9 Formal records both manual and electronic may only be destroyed with the appropriate authority of a Company Director.

8.10 Records which are no longer current but which the company is required to keep by law for long periods will be archived and stored in a secure, fire and flood proof building.

9 Rights of Access to Data

9.1 Employees of 3 Dimensions Care and School and the children, young people and adults in our care have the right to access personal data about themselves which the company holds - if that information has been written by the company.

9.2 Any individual who wishes to exercise this right should apply in writing to Nita Ellul, the Responsible Individual or in her absence to another member of the Company’s Board of Directors. Any such requests will normally be complied with within 40 days of receipt of the written request.

10 Compliance, Policy Awareness and Disciplinary Procedures

10.1 Any security breach of 3 Dimensions information systems could lead to the possible loss of confidentiality, integrity and availability of personal or other confidential data stored on these information systems.


10.2 The loss or breach of confidentiality of personal data is an infringement of the Data Protection Act (1998), contravenes 3 Dimensions Data Protection Policy, and may result in criminal or civil action against 3 Dimensions.

10.3 The loss or breach of confidentiality may result in the loss of business, financial penalties or criminal or civil action against 3 Dimensions. It is therefore crucial that all users of the company’s information systems adhere to the Information Management and Data Security Policy and its supporting policies, as well as the Information Classification Standards set out in the Information Classification Policy, when creating any document (see Table 1 below).

10.4 Overview of Classification (Table 1)

Classification: Public. Examples of information: publications or information on the website. Security risk: Negligible. Examples of security measures: write-protected file format (PDF).

Classification: Internal. Examples of information: Company working documents. Security risk: Medium. Examples of security measures: write-protected file format (PDF); restricted access.

Classification: Confidential. Examples of information: personnel documents, Young Persons’ records, education records. Security risk: High. Examples of security measures: write-protected file format (PDF); file version backups; secure access; encrypted during transit; intrusion detection or intrusion prevention tools.

10.5 All current staff and other authorised users will be informed of the existence of this policy and the availability of supporting policies.

10.6 Any security breach will be handled in accordance with all relevant policies, including the appropriate disciplinary policies.


11 Incident Handling

11.1 If a member of 3 Dimensions is aware of an information security incident then they must report it to the IT Manager or Company Director.

11.2 If necessary, a member of staff is also able to use 3 Dimensions’ Whistle Blowing Policy or to contact the ICO directly.

12 Summary of relevant legislation

12.1 The Computer Misuse Act 1990

Defines offences in relation to the misuse of computers as:

Unauthorised access to computer material.

Unauthorised access with intent to commit or facilitate commission of further offences.

Unauthorised modification of computer material.

12.2 Data Protection Act 1998

Provides a safeguard for personal privacy in relation to computerised or other systematically filed information; it regulates the use of personal data meaning information about living human beings.

It is an offence to process personal data except where they are:

Fairly and lawfully processed

Processed for limited purposes

Adequate, relevant and not excessive

Accurate and up to date

Not kept for longer than is necessary

Processed in line with your rights

Secure

Not transferred to countries outside the EEA without adequate safeguards


3 Dimensions has a Data Protection Policy which further governs the use of personal data.

12.3 The Freedom of Information Act 2000

The Freedom of Information Act 2000 (FOIA2000) is a general right of public access to all types of recorded information held by public authorities in order to promote a culture of openness and accountability.

12.4 Regulation of Investigatory Powers Act 2000

The Regulation of Investigatory Powers Act 2000 regulates the powers of public bodies to carry out surveillance and investigation. It covers the interception and use of communications data and can be invoked in the cases of national security, and for the purposes of detecting crime, preventing disorder, public safety and protecting public health.

12.5 Protection of Children Act 1999, Criminal Justice Act 1988, Criminal Justice and Immigration Act 2008

The Protection of Children Act 1999 prevents the exploitation of children by making indecent photographs of them and penalises the distribution and showing of such indecent photographs.

Organisations must take appropriate steps to prevent such illegal activities by their workers using their digital systems and networks.

The definition of ‘photographs’ includes data stored on a computer disc or by other electronic means which is capable of conversion into an image.


It is an offence for a person to distribute or show such indecent photographs; or to possess such indecent photographs, with a view to their being distributed or shown by himself or others.

Section 160 of the Criminal Justice Act 1988 made the simple possession of indecent photographs of children an offence. Making an indecent image of a child is a serious offence carrying a maximum sentence of 10 years.
