Removable Media Policy
PURPOSE
The purpose of this Removable Media Policy is to ensure the secure use of removable media devices, such as USB drives, external hard drives, and other portable storage devices. This will help to protect the organisation’s sensitive information and prevent data breaches.
SCOPE
This policy applies to all staff, clients, and third-party entities who have access to data managed by HIC (Health Informatics Centre). It covers all removable media devices used to store, transfer, or transport organisational data.
RESPONSIBILITIES
ROLE | RESPONSIBILITY |
Team Leads |
|
HIC Staff, Clients, Third Party, Suppliers |
|
Process Manager |
|
DEFINITIONS
Data: Information held in electronic or paper form.
Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form including textual, numerical, graphic, cartographic, narrative, and audio-visual.
Policy: Overall intention and direction as formally expressed by management.
Third Party: Person or body that is recognised as being independent of HIC Services.
POLICY
1. Authorised Use
Secure methods of digital transfer as described in the Data Security SOP must be considered prior to deciding on the use of removable media.
Removable media devices must be approved by HIC’s change management process.
Only organisation-issued removable media devices may be used to store or transfer sensitive information.
Personal removable media devices are strictly prohibited for storage or transfer of sensitive information.
2. Data Protection Requirements
When removable media is used, either the removable media itself or all data stored on it must be encrypted using appropriate encryption methods (e.g., AES-256).
Sensitive information must not be stored on removable media unless it is essential for business purposes.
Removable media must be securely wiped using approved tools before reuse.
3. Physical Security
Removable media must be stored in secure locations when not in use.
Logs of removable media usage must be maintained.
Devices must not be left unattended in public or unsecured areas.
Lost or stolen removable media must be reported immediately to a Line Manager who will raise this via HIC’s incident management process.
4. Prohibited Activities
Use of personally owned devices.
Connecting removable media to unauthorised devices or systems.
Sharing or lending removable media to unauthorised personnel.
Installing unauthorised software or files onto removable media.
Datasets should not be transferred via portable media (e.g. CD/DVD, memory stick or portable storage). The exception is large-scale data, including but not limited to imaging and genomics datasets, which may be transferred on encrypted storage in cases where the network infrastructure is not capable of transferring the required volume of data (e.g. limited bandwidth availability where data cannot be transferred in an acceptable amount of time without disruption to NHS clinical and business network traffic). In the case of NHS identifiable data, these must be NHS approved devices.
APPLICABLE REFERENCES
Data Security SOP
Cryptography Policy
DOCUMENT CONTROLS
Process Manager | Point of Contact |
|---|---|
Chris Hall |
Revision Number | Revision Date | Revision Made | Revision By | Revision Category | Approved By | Effective Date |
|---|---|---|---|---|---|---|
1.0 | 04/02/25 | | Chris Hall | Material | HIC Leadership Team | 17/02/25 |
1.1 | 11/07/25 | | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 11/07/25 |
1.2 | 03/11/25 | | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 03/11/25 |
1.3 | 15/01/26 | | Chris Hall | Superficial | Process manager: Chris Hall | 15/01/26 |
Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission. All hard copies should be checked against the current electronic version within current versioning system prior to use and destroyed promptly thereafter. All hard copies are considered Uncontrolled documents.