Information Security Policy

PURPOSE

This policy provides a framework for the management of information security within HIC. HIC's information security is structured through the objectives outlined below, which are monitored through key performance indicators. Personal data must be handled in accordance with UK GDPR and the Data Protection Act 2018 (DPA) and in accordance with University of Dundee and NHS Board policy and guidance on personal data. The DPA requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This policy is supported by topic-specific Standard Operating Procedures (SOPs), which define the implementation of information security controls that are structured to address the needs of certain operational groups within the organisation. 

HIC’s security objectives are developed through a risk-based approach, aiming to:

  • Integrate and maintain security controls across all areas.

  • Align with HIC’s strategic goals and regulatory requirements.

  • Protect HIC’s information assets by continually assessing, monitoring, and improving security measures.

SCOPE

This policy applies to:

  • All those with access to HIC, including staff, clients, visitors and contractors.

  • All equipment and devices attached to HIC’s computer or telephone networks and any systems supplied to HIC.

  • All information processed by HIC in its operational activities, including information in both digital and paper form and any communications sent to or from HIC.

  • All services provided by external parties to HIC in respect of information processing facilities and business activities; and information assets, including the physical locations from which HIC operates.  

RESPONSIBILITIES

Data Protection Officer

  • A data protection officer (DPO) ensures, in an independent manner, that an organisation applies the laws protecting individuals' personal data.

HIC Operational Director

  • Accountable for the HIC ISMS.

  • Holds ultimate responsibility for information security within HIC Services and for ensuring that HIC Services complies with relevant external requirements, including legislation.

HIC Operational Team Lead

  • Leads the HIC ISMS, including its compliance activities and framework of processes.

HIC Governance & Project Co-ordinator

  • Co-ordination of HIC ISMS, compliance and framework of processes.

HIC Operational Team

  • Supporting HIC ISMS, compliance and framework of processes.

HIC All Staff

  • Adherence to Policies and Standard Operating Procedures.

HIC Leadership Team

  • Commit to maintaining and supporting HIC's ISMS.

  • Review and approve Standard Operating Procedures, Policies, and Key Documents.

  • Ensure Standard Operating Procedures, Policies, and Key Documents are followed and adhered to by their teams.

  • Ensure resources are available to meet information security objectives and to support HIC ISMS.

  • Review performance of HIC ISMS.

HIC Executive Committee

The HIC Executive Committee (HIC Exec) is responsible to the University of Dundee Court and Regional NHS Boards for:

  • Ensuring that all HIC Staff and Approved Data Users are aware of this policy. 

  • Seeking adequate resources for its implementation. 

  • Monitoring compliance. 

  • Conducting regular reviews of the policy, having regard to any relevant changes in legislation and organisational policies. 

  • Ensuring that this information security policy, written for HIC Services' specific needs, is consistent with the requirements of the University's policy. This security policy should identify HIC Services' own information security requirements and provide a management framework for meeting those requirements.

  • Ensuring there is clear direction and visible management support for security initiatives. 

  • Oversight of Policies, Standard Operating Procedures and Key Documents.

  • Approval of material changes to Policy, Standard Operating Procedures and Key Documents.

HIC Information Security and Governance Committee

  • Oversight of Policies, Standard Operating Procedures and Key Documents.

  • Approval of strategic changes to Policies, Standard Operating Procedures and Key Documents.

  • Manage the strategic direction of Information Security and Governance across HIC to improve the overall measured maturity of the Information Security and Governance within HIC. 

  • Support HIC and enable it to make better, more informed decisions about establishing, implementing, maintaining, and improving Information Security and Governance practices (people, policies, processes, and technology) across HIC.

HIC Clients

  • Adherence to Policies and Standard Operating Procedures.

Third Parties/ Suppliers

  • Adherence to Policies and Standard Operating Procedures and contractual arrangements.

OBJECTIVES

1. Data Confidentiality, Integrity, and Availability (CIA)

To uphold the CIA triad:

  • Confidentiality: HIC protects sensitive and critical data from unauthorised access and disclosure.

  • Integrity: Safeguards are implemented to prevent unauthorised data modifications.

  • Availability: Systems and data are maintained in an operational state to ensure access by authorised users when required.

2. Risk Management

HIC identifies and assesses security risks across its operations and implements mitigation measures through a comprehensive risk management framework, which includes:

  • Regular risk assessments.

  • Prioritisation of risks based on potential business impact.

  • Implementation of effective controls aligned with identified risk levels.

3. Regulatory Compliance and Good Practices

HIC is committed to complying with all relevant legal, regulatory, and industry standards (see appendices below), adopting ISO 27001 good practices to maintain compliance. This includes:

  • Annual audits and assessments to verify compliance.

  • Periodic updates to comply with evolving regulatory standards.

  • References to specific laws, regulations, and industry standards in relevant appendices.

  • Recognition of external frameworks, such as the Scottish Safe Haven Charter, FAIR Principles, and SATRE, as examples of good practices to guide our operations and continuous improvement efforts.

4. Incident Response and Management

HIC has a robust incident management procedure that includes:

  • Defined roles and responsibilities for incident detection, reporting, and resolution.

  • Procedures for identifying, reporting, and mitigating incidents.

  • Event analysis to identify improvement areas and reduce the likelihood of recurrence.

5. Access Control and Privilege Management

HIC employs access controls to ensure data security, granting access strictly on a need-to-know basis. This includes:

  • Multi-factor authentication for critical systems.

  • Physical access controls to HIC offices.

  • Regular audits and reviews of access rights.

  • Procedures for onboarding, changing, and terminating user access in line with role requirements.

6. Security Awareness and Training

HIC promotes a culture of security through regular training and awareness programmes. These initiatives are designed to:

  • Equip staff and HIC Clients with knowledge to recognise and respond to security threats.

  • Ensure all staff and HIC Clients understand their role in upholding HIC’s security practices.

  • Include annual refreshers and role-based security training for staff handling sensitive information.

7. Continuous Monitoring and Improvement

Security controls and practices are continuously monitored and enhanced based on identified vulnerabilities, evolving threats, and technological advancements. Key activities include:

  • Regular security audits, vulnerability scans, and penetration tests.

  • Periodic reviews and updates of security policies and procedures.

  • Implementation of corrective actions to address identified gaps.

8. Third-Party and Supply Chain Security

To maintain security across external partnerships, HIC ensures that:

  • Third-party vendors comply with HIC’s security policies and standards.

  • Security controls are in place to secure the supply chain and reduce the risk of vulnerabilities being introduced through suppliers.

  • Agreements with vendors include data protection clauses aligned with HIC’s security requirements.

APPLICABLE REFERENCES

  • For Definitions see HIC ISMS Glossary

APPENDICES

Appendix A Legislation Register

A √ marks legislation recorded as applicable to HIC; rows shown as "(not marked)" are listed in the register but carry no tick.

Legislation | Applicability
Official Secrets Act 1989 | (not marked)
Data Protection Act 2018, incorporating General Data Protection Regulations (GDPR) | √
Human Rights Act 1998 | √
A Charter for Safe Havens in Scotland 2015 | √
Freedom of Information (Scotland) Act 2002 | √
Environmental Information (Scotland) Regulations 2004 | √
Disability Discrimination Act 2005 | √
Sex Discrimination Act 1986 | √
Computer Misuse Act 1990 | √
Telecommunications Act 2003 | √
Telecommunications (Fraud) Act 1997 | √
Electronic Communications Act 2000 | √
Telecommunications (Lawful Business Practices) Act 2000 | √
Privacy and Electronic Communications Regulations | √
Regulation of Investigatory Powers Act 2000 | √
Anti-Terrorism, Crime & Security Act 2001 | (not marked)
Criminal Justice & Public Order Act 1994 | (not marked)
Crime & Disorder Act 1998 | (not marked)
Police & Criminal Evidence Act 1984 | √
Civil Evidence Act 1968 | √
Data Retention & Investigatory Powers Act 2014 | (not marked)
Civil Contingencies Act 2004 | √
Copyright Act 1956 | √
Copyright, Design & Patents Act 1988 | √
Copyright (Computer Programs) Act 1992 | √
Companies Act 2006 | √
Police Act 1997 | √
Rehabilitation of Offenders Act Scotland 1974 | √
Consumer Protection (Distance Selling) Act 2000 | (not marked)
Immigration, Asylum & Nationality Act 2006 | √
Fire (Scotland) Act 2005 | √

Appendix B GDPR Principles

Article 5 of the GDPR sets out seven key principles which lie at the heart of the general data protection regime. 

Article 5(1) requires that personal data shall be:   

“(a) Processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’); 

(b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’); 

(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); 

(d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); 

(e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’); 

(f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” 

Article 5(2) adds the seventh principle: the controller is responsible for, and must be able to demonstrate compliance with, the principles in Article 5(1) (‘accountability’).

Appendix C Caldicott Principles

(The Caldicott Committee, December 1997, Department of Health) 

HIC Services' procedures are also designed to comply with the six NHS Caldicott Principles. HIC Services minimises the use of identifiable data: any request for use of identifiable data is referred for specific Caldicott Guardian approval. HIC Services provides a safe environment to implement Caldicott-approved use of data.

  1. Justify the purpose(s): Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed by an appropriate guardian. 

  2. Don’t use patient-identifiable information unless it is absolutely necessary: Patient-identifiable data items should not be used unless there is no alternative. 

  3. Use the minimum necessary patient-identifiable information: Where use of patient-identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability. 

  4. Access to patient-identifiable information should be on a strict need to know basis: Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items that they need to see. 

  5. Everyone should be aware of their responsibilities: Action should be taken to ensure that those handling patient-identifiable information, (both clinical and non-clinical staff) are made fully aware of their responsibilities and obligations to respect patient confidentiality. 

  6. Understand and comply with the law: Every use of patient-identifiable information must be lawful. Someone in each organisation should be responsible for ensuring that the organisation complies with legal requirements.  

The Information Governance Review, April 2013 (known as Caldicott 2), added a 7th Principle: 

  7. The duty to share information can be as important as the duty to protect patient confidentiality: Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

Appendix D Differentiating Audit, Service Evaluation & Research

The Health Research Authority (HRA) in its publication ‘Defining Research – guidance from NRES’ provides a guideline as to whether a project is research, which normally requires NHS REC review, or another activity such as audit or service evaluation, which does not. Projects which do require NHS REC review will normally also require NHS R&D permission(s). This standard also applies to an Approved Project requiring data from HIC Services.

From ‘Defining Research’. The Health Research Authority (HRA). Ref. 0987 December 2009 (rev. April 2013) 

The HRA comparison table is given here category by category; the bullets under each category follow the rows of the original table in order (purpose, question addressed, method, intervention, data collection, allocation, randomisation, REC review).

Research 

  • The attempt to derive generalisable new knowledge including studies that aim to generate hypotheses as well as studies that aim to test them. 

  • Quantitative research – designed to test a hypothesis. Qualitative research – identifies/explores themes following established methodology. 

  • Addresses clearly defined questions, aims and objectives. 

  • Quantitative research – may involve evaluating or comparing interventions, particularly new ones. Qualitative research – usually involves studying how interventions and relationships are experienced. 

  • Usually involves collecting data that are additional to those for routine care but may include data collected routinely. May involve treatments, samples or investigations additional to routine care. 

  • Quantitative research – study design may involve allocating patients to intervention groups. Qualitative research – uses a clearly defined sampling framework underpinned by conceptual or theoretical justifications. 

  • May involve randomisation. 

  • Normally requires REC review. 

Service Evaluation* 

  • Designed and conducted solely to define or judge current care. 

  • Designed to answer: “What standard does this service achieve?” 

  • Measures current service without reference to a standard. 

  • Involves an intervention in use only. The choice of treatment is that of the clinician and patient according to guidance, professional standards and/or patient preference. 

  • Usually involves analysis of existing data but may include administration of interview or questionnaire. 

  • No allocation to intervention: the health professional and patient have chosen intervention before service evaluation. 

  • No randomisation. 

  • Does not require REC review. 

Clinical Audit 

  • Designed and conducted to produce information to inform delivery of best care. 

  • Designed to answer: “Does this service reach a predetermined standard?” 

  • Measures against a standard. 

  • Involves an intervention in use only. The choice of treatment is that of the clinician and patient according to guidance, professional standards and/or patient preference. 

  • Usually involves analysis of existing data but may include administration of simple interview or questionnaire. 

  • No allocation to intervention: the health professional and patient have chosen intervention before audit. 

  • No randomisation. 

  • Does not require REC review. 

Surveillance 

  • Designed to manage outbreak and help the public by identifying and understanding risks associated. 

  • Designed to answer: “What is the cause of this outbreak?” 

  • Systematic, statistical methods to allow timely public health action. 

  • May involve collecting personal data and samples with the intent to manage the incident. 

  • May involve analysis of existing data or administration of interview or questionnaire to those exposed. 

  • Does not involve an intervention. 

  • No randomisation. 

  • Does not require REC review. 

Usual Practice (in Public Health) 

  • Designed to investigate outbreak or incident to help in disease control and prevention. 

  • Designed to answer: “What is the cause of this outbreak?” and treatment. 

  • Systematic, statistical methods may be used. 

  • Any choice of treatment is based on clinical best evidence or professional consensus. 

  • May involve administration of interview or questionnaire to those exposed. 

  • May involve allocation to control group to assess risk and identify source of incident but treatment unaffected. 

  • May involve randomisation but not for treatment. 

  • Does not require REC review. 

*Service development and quality improvement may fall into this category. Source: NHS HRA 

DOCUMENT CONTROLS

Process Manager: Jenny Johnston

Point of Contact: hicbusiness-support@dundee.ac.uk

Revision history

Revision 1.0, revision date 01/01/24, effective date 10/01/24

  • Revision made: Moved SOP to Confluence from SharePoint and updated into new template

  • Revision by: Bruce Miller and Symone Sheane

  • Revision category: Superficial

  • Approved by: Governance Co-Ordinator: Symone Sheane

Revision 1.1, revision date 10/04/24, effective date 10/04/24

  • Revision made: Updated document control table, formatted and added in revision category

  • Revision by: Bruce Miller and Symone Sheane

  • Revision category: Superficial

  • Approved by: Governance Co-Ordinator: Symone Sheane

Revision 1.2, revision date 19/04/24, effective date 19/04/24

  • Revision made: Updated Approved by column to reference role title and person

  • Revision by: Symone Sheane

  • Revision category: Superficial

  • Approved by: Governance Co-Ordinator: Symone Sheane

Revision 1.3, revision date 30/04/24, effective date 30/04/24

  • Revision made: Updated Header to conform with BSI guidelines

  • Revision by: Bruce Miller

  • Revision category: Superficial

  • Approved by: Governance Co-Ordinator: Symone

Revision 1.4, revision date 02/05/24, effective date 02/05/24

  • Revision made: Updated links to Definitions in ISMS Glossary, removed Definitions section within document

  • Revision by: Bruce Miller

  • Revision category: Superficial

  • Approved by: Governance Co-Ordinator: Symone Sheane

Revision 1.5, revision date 14/10/24, effective date 18/11/24

  • Revision made: Incorporated suggestions from comments and updated labels in line with 2022 standard; updated language of policy, added objectives, included the legal and governance appendices and updated roles

  • Revision by: Bruce Miller/Symone Sheane/Jenny Johnston

  • Revision category: Superficial and Material

  • Approved by: Leadership Team

Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within current versioning system
prior to use and destroyed promptly thereafter. All hard copies are considered Uncontrolled documents.