Ensuring Confidentiality Ensuring Confidentiality and Security and Security

2

ObjectivesObjectives

• To foster an awareness of the importance of Information Security.

• To understand the main threats and counter measures

• To raise awareness of the relevant legislation in particular the Data Protection Act 1998

3

What is Information What is Information Security?Security?

Security means that we have

– Confidentiality– Integrity– Availability

of the information

4

What is a data handling What is a data handling systemsystem

• ‘The term covers the use and management of data through organised systems of all forms, whether based on human endeavours, paper methods or information technology.’

5

How does security affect How does security affect you?you?

• Information about you• Information about patients/clients• Information about the Trust

6

What can go wrong?What can go wrong?

All Data Handling systems are All Data Handling systems are subject to threats subject to threats

• Incorrect input• Theft• Wilful damage• Unauthorised access• Software Virus

7

Security Breaches: Security Breaches: examplesexamples

• A set of patients' medical records left in a skip by retiring doctor (real example!)

• A security guard reading personal data left on an employee’s desk overnight.

• A copy of a child at risk register found on a second hand computer (real example)

• A employee using the PC of another employee (who logged in and left PC unattended) to process data without authorisation

• An employee using data for which they have authorised access for unauthorised purposes – e.g a police officer using the police national computer to check out daughter’s boyfriend. (real example)

8

Security Breaches: Security Breaches: examples (2)examples (2)

• A database corrupted by a virus• A patient in a waiting room at a doctor’s surgery

overhearing information about another patient’s ailments.• A patient at a GP surgery viewing the personal data of a

previous patient on a PC screen.• A passenger on a train was sitting next to someone who

was reading a solicitor’s brief about a person who had been charged with murder – he happened to be a relative of the passenger.

Case Study 1Case Study 1

An employee of the Child Support Agency, having read what he believed to be an inaccurate press article derogatory of the CSA and concerning a CSA client known to him, decided to set the record straight by faxing the true story to the newspaper concerned. Whilst the fax was sent anonymously, an investigation identified him as the author. He was dismissed from his employment and convicted of unlawful disclosure of personal data.

Case Study 2Case Study 2

The complainant who was employed by a hospital was summoned to the office of his Personnel Manager to discuss his sickness record. The Personnel Manager had accessed the hospital’s clinical computer information system in order to challenge certain aspects of the employee’s account of events. As a result of this complaint the hospital revised its security arrangements and the Personnel Manager incurred disciplinary action as a result of the inappropriate use of confidential clinical information for non-medical purposes.

Case Study 3Case Study 3

The complainant visited his local hospital for a course of physiotherapy. Some months after the therapy was complete the complainant received a letter from the physiotherapist who had since set up her own business. The physiotherapist had used the complainant’s information that had originally been given in confidence to the hospitals for the earlier treatment.

12

The Impact of the ThreatsThe Impact of the Threats

• Personal privacy• Personal health

and safety • Financial • Commercial

confidentiality

• Legal damages and penalties

• Disruption• Political

embarrassment

13

Ethical ConsiderationsEthical Considerations

• Promote patient/client well-being• Avoid detrimental acts/omissions• Open and co-operative manner• Recognise patient/client dignity• No abuse of position• Protect confidential information• Common Law Duty of Confidence

14

Overview of LegislationOverview of Legislation• Data Protection Act 1984 & 1998• Computer Misuse Act 1990

15

The Computer Misuse Act The Computer Misuse Act 19901990

Introduced three new offences• Unauthorised access to computers• Unauthorised access with intent• Unauthorised modification

16

Main Provisions DPA 1998Main Provisions DPA 1998

• Covers all HPSS records including electronic records

• Defines ‘processing’ as obtaining, holding and disclosing data

• Permits subject access to all records• Imposes considerable penalties

17

Data Protection ’98 Data Protection ’98 The PrinciplesThe Principles

1. Personal data shall be processed fairly and lawfully

2. Personal data shall be obtained only for one or more specified and lawful purpose

3. Personal data shall be adequate, necessary and not excessive in relation to the purpose for which it was provided

18

4. Personal data shall be accurate and up to date

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for those purposes

6. Personal data shall be processed in accordance with the rights of the subject under the Act

Data Protection ’98 Data Protection ’98 The Principles The Principles continued...continued...

19

Data Protection ’98 Data Protection ’98 The Principles The Principles continued...continued...

7. Technical & organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or damage to personal data

8. Personal data shall not be transferred to a country outside the European Economic Area.

20

Personal DataPersonal Data• data which relates to a living individual who

can be identified from those data,or from those data and other information which is in, or likely to come into the possession of the data controller- includes expression of opinion and intention and is– system processed or intended to be processed

automatically,or – recorded as part of a relevant filing,or part of an

accessible record.– There is no requirement that this be done by reference

to the data subject

21

Scope of Data Protection Scope of Data Protection LegislationLegislation

• Automated Data (1984 & 1998)

• Relevant filing systems (Manual data) :1998)

• Accessible Records (1998)

22

Automated Data (1998)Automated Data (1998)

• On computer• Document image processing• Audio/Video• Digitized images• CCTV images

23

Relevant Filing System Relevant Filing System (1998)(1998)

• Non-automated systems structured by reference to individuals– Standard manual files

• Organised to allow ready access to specific information about individuals

24

Accessible RecordsAccessible Records

• Covers all Health and Social Care records

• Structured to allow access to individuals

25

StorageStorage

• Diaries• message books• appointments register• disks• address books• Complaints register• Incident/accident forms

26

Data Protection: DefinitionsData Protection: Definitions

• Processing - includes obtaining,holding and carrying out any operation on the information and data.

• There is no requirement that this be done by reference to the data subject

27

Legitimacy of Processing Legitimacy of Processing (1998)(1998)

• Personal data shall be processed fairly and lawfully and,in particular,shall not be processed unless:

– (a) at least one of the conditions in Schedule 2

is met, and

– ( b)in the case of sensitive personal data,at least one of the conditions in Schedule 3 is met”

28

Schedule 2 conditions Schedule 2 conditions (1998)(1998)

1. Data Subject has given consent2. Performance of a contract.

3. Compliance with legal obligation.4. Protection of subject’s vital interest.5. Crown/public functions 6. Legitimate interests of controller or

third party.

29

Sensitive DataSensitive Data

• Racial or ethnic origin• political opinion• religious beliefs (or similar beliefs)• membership of trade union• physical or mental health or condition• sexual life• any offence or alleged offence• any proceedings or sentence

30

Sensitive Data - Schedule 3Sensitive Data - Schedule 31. Data subject has given explicit consent2. Performance of legal duty in relation to employment

3. Protection of subject’s or third party’s vital interests

4. Legitimate activities of some non-profit organisations 5. The information has been made public deliberately by the

data subject 6. In connection with legal proceedings 7. Administration of justice, statutory obligations or

crown/public functions

8. Medical purposes9. For equal opportunities monitoring

31

Schedule 3 cont’dSchedule 3 cont’d

• Substantial public interest + prevention /detection of any unlawful act

• SPI + protection against dishonesty,malpractice,mismanagement etc

• Necessary for reviewing equality re: religion,disability and to promote /maintain

equality

32

Subject Access RequestsSubject Access Requests• Right of access to personal data in

computer or manual form• Entitled to:

– Be informed whether personal data is processed– A description of the data held, the purposes for

which it is processed and to whom the data may be disclosed;

– A copy of the data; and – Information as to the source of the data

• There are limited exemptions

33

Subject Access Requests Subject Access Requests cont’dcont’d

•Responding:– request should be in writing to relevant

director, – Data should never be read over phone, faxed

or emailed to data subject,– Must be given in 40 days.

Case StudyCase Study

ExerciseExercise

Can you describe a breach of IT security that occurred within your work area?

Describe: What happened?Why it happened?What the impact was?How you recovered (if you

did)Steps taken to prevent a

repetition.

36

Trust Example: Office FireTrust Example: Office Fire

• What Happened?– Recent fire destroyed 8 PCs, printer and PC based

data

• Why it happened?– Accidental fire

• What was the impact?– Minimal as there was central backup of files. Would

have catastrophic otherwise.

• How we recovered?– Data reloaded onto contingency PC’s in another

Office.

37

Securing automated dataSecuring automated data

Key areas:• Faxing

– Avoid the use of fax for sending personal data - if there is no alternative use secure protocols;

• Passwords– Good password management will help protect

personal data and staff

38

Securing automated data Securing automated data (2)(2)

• Email– Personal data should not be transmitted by email

• Data can be accessed by data subjects• Email can be insecure

• Portables/laptops– Do not leave unattended; when leaving ensure that it

is locked away; be aware of others being able to see your computer screen,

– PDA’s and Memory sticks must not contain personal information

– See Trusts IT Security Policy

39

Securing manual dataSecuring manual data

• Do not allow sensitive conversations to be overheard

• Guard against people seeking information by deception

• Message books– Accessible to staff only; sensitive data should

not be recorded in message books

• Lock filing cabinets

40

Securing manual data (2)Securing manual data (2)

• Diaries– Patient/client data, which is held in diaries

should be given the same security as any other record

• Telephone conversations– Staff should be careful about those within

earshot when discussing sensitive information; check the authenticity of any caller before divulging any information

41

Securing manual data (3)Securing manual data (3)• Minutes of meetings

– Minutes which render the subject identifiable should be marked confidential; stored in a secure area; available only to the personnel concerned.

• Staff Supervision records/Staff Appraisal• Sick leave records

• Such information is classified as sensitive data. Care should be taken when transferring information from medical certificates to notification form i.e abbreviations can lead to misinterpretation

42

Summary of key points.Summary of key points.

• Duty to PROTECT information• Duty to OBTAIN information fairly• Duty to ensure information is SECURE• Duty to JUSTIFY use and storage of

personal data• DON’T PASS ON information unless you

are sure• Remember Subject Access

43

BE CAREFUL WHEN YOU’RE BE CAREFUL WHEN YOU’RE ASKED FOR PERSONAL DETAILS ASKED FOR PERSONAL DETAILS

YOU NEVER KNOW WHERE YOU NEVER KNOW WHERE THEY’LL END UP THEY’LL END UP

**************************************************************************

EVERY TIME YOU’RE ASKED FOR PERSONAL EVERY TIME YOU’RE ASKED FOR PERSONAL INFORMATION THINK BEFORE YOU GIVE IT AWAY INFORMATION THINK BEFORE YOU GIVE IT AWAY

**************************************************************************

Thank you for attendingThank you for attending