Removable Media Policy
PURPOSE
The purpose of this Removable Media Policy is to ensure the secure use of removable media devices, such as USB drives, external hard drives, and other portable storage devices. This will help to protect the organisation’s sensitive information and prevent data breaches.
SCOPE
This policy applies to all staff, clients, and third-party entities who have access to data managed by HIC. It covers all removable media devices used to store, transfer, or transport organisational data.
RESPONSIBILITIES
ROLE | RESPONSIBILITY |
---|---|
Team Leads | |
HIC Staff, Clients, Third Party, Suppliers | |
POLICY
1. Authorised Use
Secure methods of digital transfer as described in the Data Security SOP must be considered prior to deciding on the use of removable media.
Removable media devices must be approved by HIC’s change management process.
Only organisation-issued removable media devices may be used to store or transfer sensitive information.
Personal removable media devices are strictly prohibited for storage or transfer of sensitive information.
2. Data Protection Requirements
When removable media is used, either the removable media itself or all data stored on it must be encrypted using appropriate encryption methods (e.g., AES-256).
Sensitive information must not be stored on removable media unless it is essential for business purposes.
Removable media must be securely wiped using approved tools before reuse.
3. Physical Security
Removable media must be stored in secure locations when not in use.
Logs of removable media usage must be maintained.
Devices must not be left unattended in public or unsecured areas.
Lost or stolen removable media must be reported immediately to a Line Manager who will raise this via HIC’s incident management process.
4. Prohibited Activities
Use of personally owned devices is prohibited.
Connecting removable media to unauthorised devices or systems.
Sharing or lending removable media to unauthorised personnel.
Installing unauthorised software or files onto removable media.
Datasets should not be transferred via portable media (e.g. CD/DVD, memory stick or portable storage). As an exception, large-scale data including, but not limited to, imaging and genomics datasets may be transferred on encrypted storage in cases where the network infrastructure is not capable of transferring the required volume of data, e.g. limited bandwidth availability where data cannot be transferred in an acceptable amount of time without disruption to NHS clinical and business network traffic. In the case of NHS identifiable data, these must be NHS approved devices.
APPLICABLE REFERENCES
Data Security SOP
Cryptography Policy
DOCUMENT CONTROLS
Process Manager | Point of Contact |
---|---|
Chris Hall |
Revision Number | Revision Date | Revision Made | Revision By | Revision Category | Approved By | Effective Date |
---|---|---|---|---|---|---|
1.0 | 04/02/25 | | Chris Hall | Material | HIC Leadership Team | 17/02/25 |
Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within the current versioning system prior to use and destroyed promptly thereafter. All hard copies are considered Uncontrolled documents.