Ensuring Confidentiality and Security

1
Ensuring Confidentiality and Security
2
Objectives

• To foster an awareness of the importance of
  Information Security.
• To understand the main threats and counter
  measures
• To raise awareness of the relevant legislation in
  particular the Data Protection Act 1998

3
What is Information Security?

• Security means that we have
• Confidentiality
• Integrity
• Availability
• of the information

4
What is a data handling system

• The term covers the use and management of data
  through organised systems of all forms, whether
  based on human endeavours, paper methods or
  information technology.

5
How does security affect you?

• Information about you
• Information about patients/clients
• Information about the Trust

6
What can go wrong?All Data Handling systems are
subject to threats

• Incorrect input
• Theft
• Wilful damage
• Unauthorised access
• Software Virus

7
Security Breaches examples

• A set of patients' medical records left in a skip
  by retiring doctor (real example!)
• A security guard reading personal data left on an
  employees desk overnight.
• A copy of a child at risk register found on a
  second hand computer (real example)
• A employee using the PC of another employee (who
  logged in and left PC unattended) to process data
  without authorisation
• An employee using data for which they have
  authorised access for unauthorised purposes e.g
  a police officer using the police national
  computer to check out daughters boyfriend. (real
  example)

8
Security Breaches examples (2)

• A database corrupted by a virus
• A patient in a waiting room at a doctors surgery
  overhearing information about another patients
  ailments.
• A patient at a GP surgery viewing the personal
  data of a previous patient on a PC screen.
• A passenger on a train was sitting next to
  someone who was reading a solicitors brief about
  a person who had been charged with murder he
  happened to be a relative of the passenger.

9
Case Study 1

• An employee of the Child Support Agency, having
  read what he believed to be an inaccurate press
  article derogatory of the CSA and concerning a
  CSA client known to him, decided to set the
  record straight by faxing the true story to the
  newspaper concerned. Whilst the fax was sent
  anonymously, an investigation identified him as
  the author. He was dismissed from his employment
  and convicted of unlawful disclosure of personal
  data.

10
Case Study 2

• The complainant who was employed by a hospital
  was summoned to the office of his Personnel
  Manager to discuss his sickness record. The
  Personnel Manager had accessed the hospitals
  clinical computer information system in order to
  challenge certain aspects of the employees
  account of events. As a result of this complaint
  the hospital revised its security arrangements
  and the Personnel Manager incurred disciplinary
  action as a result of the inappropriate use of
  confidential clinical information for non-medical
  purposes.

11
Case Study 3

• The complainant visited his local hospital for a
  course of physiotherapy. Some months after the
  therapy was complete the complainant received a
  letter from the physiotherapist who had since set
  up her own business. The physiotherapist had used
  the complainants information that had originally
  been given in confidence to the hospitals for the
  earlier treatment.

12
The Impact of the Threats

• Personal privacy
• Personal health and safety
• Financial
• Commercial confidentiality

• Legal damages and penalties
• Disruption
• Political embarrassment

13
Ethical Considerations

• Promote patient/client well-being
• Avoid detrimental acts/omissions
• Open and co-operative manner
• Recognise patient/client dignity
• No abuse of position
• Protect confidential information
• Common Law Duty of Confidence

14
Overview of Legislation

• Data Protection Act 1984 1998
• Computer Misuse Act 1990

15
The Computer Misuse Act 1990

• Introduced three new offences
• Unauthorised access to computers
• Unauthorised access with intent
• Unauthorised modification

16
Main Provisions DPA 1998

• Covers all HPSS records including electronic
  records
• Defines processing as obtaining, holding and
  disclosing data
• Permits subject access to all records
• Imposes considerable penalties

17
Data Protection 98 The Principles

• Personal data shall be processed fairly and
  lawfully
• Personal data shall be obtained only for one or
  more specified and lawful purpose
• Personal data shall be adequate, necessary and
  not excessive in relation to the purpose for
  which it was provided

18
Data Protection 98 The Principles
continued...

• Personal data shall be accurate and up to date
• Personal data processed for any purpose or
  purposes shall not be kept for longer than is
  necessary for those purposes
• Personal data shall be processed in accordance
  with the rights of the subject under the Act

19
Data Protection 98 The Principles
continued...

• Technical organizational measures shall be
  taken against unauthorized or unlawful processing
  of personal data and against accidental loss or
  damage to personal data
• Personal data shall not be transferred to a
  country outside the European Economic Area.

20
Personal Data

• data which relates to a living individual who can
  be identified from those data,or from those data
  and other information which is in, or likely to
  come into the possession of the data controller-
  includes expression of opinion and intention and
  is
• system processed or intended to be processed
  automatically,or
• recorded as part of a relevant filing,or part of
  an accessible record.
• There is no requirement that this be done by
  reference to the data subject

21
Scope of Data Protection Legislation

• Automated Data (1984 1998)
• Relevant filing systems (Manual data) 1998)
• Accessible Records (1998)

22
Automated Data (1998)

• On computer
• Document image processing
• Audio/Video
• Digitized images
• CCTV images

23
Relevant Filing System (1998)

• Non-automated systems structured by reference to
  individuals
• Standard manual files
• Organised to allow ready access to specific
  information about individuals

24
Accessible Records

• Covers all Health and Social Care records
• Structured to allow access to individuals

25
Storage

• Diaries
• message books
• appointments register
• disks
• address books
• Complaints register
• Incident/accident forms

26
Data Protection Definitions

• Processing - includes obtaining,holding and
  carrying out any operation on the information and
  data.
• There is no requirement that this be done by
  reference to the data subject

27
Legitimacy of Processing (1998)

• Personal data shall be processed fairly and
  lawfully and,in particular,shall not be processed
  unless
• (a) at least one of the conditions in Schedule 2
  is met, and
  
• ( b)in the case of sensitive personal data,at
  least one of the conditions in Schedule 3 is met

28
Schedule 2 conditions (1998)

• Data Subject has given consent
• Performance of a contract.
  
• Compliance with legal obligation.
• Protection of subjects vital interest.
• Crown/public functions
• Legitimate interests of controller or third
  party.

29
Sensitive Data

• Racial or ethnic origin
• political opinion
• religious beliefs (or similar beliefs)
• membership of trade union
• physical or mental health or condition
• sexual life
• any offence or alleged offence
• any proceedings or sentence

30
Sensitive Data - Schedule 3

• Data subject has given explicit consent
• Performance of legal duty in relation to
  employment
• Protection of subjects or third partys vital
  interests
• Legitimate activities of some non-profit
  organisations
• The information has been made public deliberately
  by the data subject
• In connection with legal proceedings
  
• Administration of justice, statutory obligations
  or crown/public functions
  
  
• Medical purposes
• For equal opportunities monitoring

31
Schedule 3 contd

• Substantial public interest prevention
  /detection of any unlawful act
• SPI protection against dishonesty,malpractice,mi
  smanagement etc
• Necessary for reviewing equality re
  religion,disability and to promote /maintain
  equality

32
Subject Access Requests

• Right of access to personal data in computer or
  manual form
• Entitled to
• Be informed whether personal data is processed
• A description of the data held, the purposes for
  which it is processed and to whom the data may
  be disclosed
• A copy of the data and
• Information as to the source of the data
• There are limited exemptions

33
Subject Access Requests contd

• Responding
• request should be in writing to relevant
  director,
• Data should never be read over phone, faxed or
  emailed to data subject,
• Must be given in 40 days.

34
Case Study
35
Exercise

• Can you describe a breach of IT security that
  occurred within your work area?
• Describe What happened?
• Why it happened?
• What the impact was?
• How you recovered (if you did)
• Steps taken to prevent a repetition.

36
Trust Example Office Fire

• What Happened?
• Recent fire destroyed 8 PCs, printer and PC based
  data
• Why it happened?
• Accidental fire
• What was the impact?
• Minimal as there was central backup of files.
  Would have catastrophic otherwise.
• How we recovered?
• Data reloaded onto contingency PCs in another
  Office.

37
Securing automated data

• Key areas
• Faxing
• Avoid the use of fax for sending personal data -
  if there is no alternative use secure protocols
• Passwords
• Good password management will help protect
  personal data and staff

38
Securing automated data (2)

• Email
• Personal data should not be transmitted by email
• Data can be accessed by data subjects
• Email can be insecure
• Portables/laptops
• Do not leave unattended when leaving ensure that
  it is locked away be aware of others being able
  to see your computer screen,
• PDAs and Memory sticks must not contain personal
  information
• See Trusts IT Security Policy

39
Securing manual data

• Do not allow sensitive conversations to be
  overheard
• Guard against people seeking information by
  deception
• Message books
• Accessible to staff only sensitive data should
  not be recorded in message books
• Lock filing cabinets

40
Securing manual data (2)

• Diaries
• Patient/client data, which is held in diaries
  should be given the same security as any other
  record
• Telephone conversations
• Staff should be careful about those within
  earshot when discussing sensitive information
  check the authenticity of any caller before
  divulging any information

41
Securing manual data (3)

• Minutes of meetings
• Minutes which render the subject identifiable
  should be marked confidential stored in a secure
  area available only to the personnel concerned.
• Staff Supervision records/Staff Appraisal
• Sick leave records
• Such information is classified as sensitive data.
  Care should be taken when transferring
  information from medical certificates to
  notification form i.e abbreviations can lead to
  misinterpretation

42
Summary of key points.

• Duty to PROTECT information
• Duty to OBTAIN information fairly
• Duty to ensure information is SECURE
• Duty to JUSTIFY use and storage of personal data
• DONT PASS ON information unless you are sure
• Remember Subject Access

43
BE CAREFUL WHEN YOURE ASKED FOR PERSONAL DETAILS
YOU NEVER KNOW WHERE THEYLL END UP
EVERY
TIME YOURE ASKED FOR PERSONAL INFORMATION THINK
BEFORE YOU GIVE IT AWAY

44
Thank you for attending