Information Security Policy

PURPOSE

This policy provides a framework for the management of information security within HIC (Health Informatics Centre). HIC's information security is structured around the objectives outlined below, which are monitored through key performance indicators. Personal data must be handled in accordance with UK GDPR and the Data Protection Act 2018 (DPA) and in accordance with University of Dundee and NHS Board policy and guidance on personal data. The DPA requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This policy is supported by topic-specific Standard Operating Procedures (SOPs), which define the implementation of information security controls that are structured to address the needs of certain operational groups within the organisation. 

HIC’s security objectives are developed through a risk-based approach, aiming to:

  • Integrate and maintain security controls across all areas.

  • Align with HIC’s strategic goals and regulatory requirements.

  • Protect HIC’s information assets by continually assessing, monitoring, and improving security measures.

SCOPE

This policy applies to:

  • All those with access to HIC, including staff, clients, visitors and contractors.

  • All equipment and devices attached to HIC’s computer or telephone networks and any systems supplied to HIC.

  • All information processed by HIC in its operational activities, including information in both digital and paper form and any communications sent to or from HIC.

  • All services provided by external parties to HIC in respect of information processing facilities and business activities; and information assets, including the physical locations from which HIC operates.  

RESPONSIBILITIES

Data Protection Officer

  • A data protection officer (DPO) ensures, in an independent manner, that an organisation applies the laws protecting individuals' personal data.

HIC Operational Director

  • Accountable for HIC ISMS.

  • Ultimate responsibility for information security within HIC Services and is responsible for ensuring that HIC Services is compliant with relevant external requirements, including legislation.

HIC Operational Team Lead

  • Responsible for HIC ISMS by leading on the compliance and framework of processes.

HIC Governance & Project Co-ordinator

  • Co-ordination of HIC ISMS, compliance and framework of processes.

HIC Operational Team

  • Supporting HIC ISMS, compliance and framework of processes.

HIC All Staff

  • Adherence to Policies and Standard Operating Procedures.

HIC Leadership Team

  • Commit to maintaining and supporting HIC's ISMS.

  • Review and approve Standard Operating Procedures, Policies, and Key Documents.

  • Ensure Standard Operating Procedures, Policies, and Key Documents are followed and adhered to by their teams.

  • Ensure resources are available to meet information security objectives and to support HIC ISMS.

  • Review performance of HIC ISMS.

HIC Clients

  • Adherence to Policies and Standard Operating Procedures.

Third Parties/ Suppliers

  • Adherence to Policies and Standard Operating Procedures and contractual arrangements.

Process Manager

  • Senior staff or delegated process manager who is responsible for managing the process.

DEFINITIONS

  • Approved Project: An approved project is a project that is logged into the Project Management System and has Ethics, Caldicott and NHS R&D governance approval, as required. 

  • Asset: Anything that has a value to HIC Services.

  • Caldicott Guardian: A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing.  

    • Each NHS organisation is required to have a Caldicott Guardian; this was mandated for the NHS by Health Service Circular: HSC 1999/012. The mandate covers all organisations that have access to patient records, so it includes acute trusts, ambulance trusts, mental health trusts, primary care trusts, strategic health authorities, and special health authorities such as NHS Direct. 

    • Caldicott Guardians were subsequently introduced into social care in 2002, mandated by Local Authority Circular: LAC 2002/2. 

    • The Guardian plays a key role in ensuring that NHS, Councils with Social Services Responsibilities and partner organisations satisfy the highest practical standards for handling patient identifiable information. 

    • Acting as the 'conscience' of an organisation, the Guardian actively supports work to enable information sharing where it is appropriate to share and advises on options for lawful and ethical processing of information. 

  • Control: A means of managing risk by providing safeguards. This includes policies, procedures, guidelines, other administrative controls, technical controls, or management controls. 

  • Data: Information held in electronic or paper form.

  • HIC Client: Refers to an individual or organisation that receives services from Health Informatics Centre (HIC) and agrees to follow HIC's contractual obligations, policies, and procedures, ensuring compliance with legal, ethical, and professional standards.

  • Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form including textual, numerical, graphic, cartographic, narrative, and audio-visual. 

  • Information Security: Preservation of confidentiality, integrity, and availability.

  • ISMS: Information Security Management System, which comprises the full range of HIC's ISO 27001 documentation covering HIC's governance and data security processes.

  • Personal Data: Information relating to an identified or identifiable living person. The 8 Data Protection Principles in relation to protecting personal data are listed in the Policy document.  

  • Project: One or more services that cover a client's needs.

  • Policy: Overall intention and direction as formally expressed by management. 

  • Risk: The potential for an unwanted event to have a negative impact as a result of exploiting a weakness. It can be seen as a function of the value of the asset, threats, and vulnerabilities.

  • Risk Assessment: Overall process of identifying and evaluating risk.

  • Service: Combination of people, processes, and technology to support a client's business.

  • Third Party: Person or body that is recognised as being independent of HIC Services.

OBJECTIVES

1. Data Confidentiality, Integrity, and Availability (CIA)

To uphold the CIA triad:

  • Confidentiality: HIC protects sensitive and critical data from unauthorised access and disclosure.

  • Integrity: Safeguards are implemented to prevent unauthorised data modifications.

  • Availability: Systems and data are maintained in an operational state to ensure access by authorised users when required.

2. Risk Management

HIC identifies and assesses security risks across its operations and implements mitigation measures through a comprehensive risk management framework, which includes:

  • Regular risk assessments.

  • Prioritisation of risks based on potential business impact.

  • Implementation of effective controls aligned with identified risk levels.

3. Regulatory Compliance and Good Practices

HIC is committed to complying with all relevant legal, regulatory, and industry standards (see appendices below), adopting ISO 27001 good practices to maintain compliance. This includes:

  • Annual audits and assessments to verify compliance.

  • Periodic updates to comply with evolving regulatory standards.

  • References to specific laws, regulations, and industry standards in relevant appendices.

  • Recognition of external frameworks, such as the Scottish Safe Haven Charter, FAIR Principles, and SATRE, as examples of good practices to guide our operations and continuous improvement efforts.

4. Incident Response and Management

HIC has a robust incident management procedure that includes:

  • Defined roles and responsibilities for incident detection, reporting, and resolution.

  • Procedures for identifying, reporting, and mitigating incidents.

  • Event analysis to identify improvement areas and reduce the likelihood of recurrence.

5. Access Control and Privilege Management

HIC employs access controls to ensure data security, granting access strictly on a need-to-know basis. This includes:

  • Role-based access.

  • Multi-factor authentication for critical systems.

  • Physical access controls to the office.

  • Regular audits and reviews of access rights.

  • Procedures for onboarding, changing, and terminating user access in line with role requirements.

6. Security Awareness and Training

HIC promotes a culture of security through regular training and awareness programs. These initiatives are designed to:

  • Equip staff and HIC Clients with knowledge to recognise and respond to security threats.

  • Ensure all staff and HIC Clients understand their role in upholding HIC’s security practices.

  • Include annual refreshers and role-based security training for staff handling sensitive information.

7. Continuous Monitoring and Improvement

Security controls and practices are continuously monitored and enhanced based on identified vulnerabilities, evolving threats, and technological advancements. Key activities include:

  • Regular security audits, vulnerability scans, and penetration tests.

  • Periodic reviews and updates of security policies and procedures.

  • Implementation of corrective actions to address identified gaps.

8. Third-Party and Supply Chain Security

To maintain security across external partnerships, HIC ensures that:

  • Third-party vendors comply with HIC’s security policies and standards.

  • Security controls are in place to secure the supply chain and prevent vulnerabilities.

  • Agreements with vendors include data protection clauses aligned with HIC’s security requirements.

APPLICABLE REFERENCES

  • N/A

APPENDICES

Appendix A Legislation Register

| Legislation | Applicability |
| --- | --- |
| Official Secrets Act 1989 | |
| Data Protection Act 2018, incorporating General Data Protection Regulations (GDPR) | ✓ |
| A Charter for Safe Havens in Scotland 2025 | ✓ |
| Freedom of Information (Scotland) Act 2002 | ✓ |
| Environmental Information (Scotland) Regulations 2004 | ✓ |
| Disability Discrimination Act 2005 | ✓ |
| Sex Discrimination Act 1986 | ✓ |
| Computer Misuse Act 1990 | ✓ |
| Telecommunications Act 2003 | ✓ |
| Telecommunications (Fraud) Act 1997 | ✓ |
| Electronic Communications Act 2000 | ✓ |
| Telecommunications (Lawful Business Practices) Act 2000 | ✓ |
| Privacy and Electronic Communications Regulations | ✓ |
| Regulation of Investigatory Powers Act 2000 | ✓ |
| Anti-Terrorism, Crime & Security Act 2001 | |
| Criminal Justice & Public Order Act 1994 | |
| Crime & Disorder Act 1998 | |
| Police & Criminal Evidence Act 1984 | ✓ |
| Civil Evidence Act 1968 | ✓ |
| Data Retention & Investigatory Powers Act 2014 | |
| Civil Contingencies Act 2004 | ✓ |
| Copyright Act 1956 | ✓ |
| Copyright, Design & Patents Act 1988 | ✓ |
| Copyright (Computer Programs) Act 1992 | ✓ |
| Companies Act 2006 | ✓ |
| Police Act 1997 | ✓ |
| Rehabilitation of Offenders Act Scotland 1974 | ✓ |
| Consumer Protection (Distance Selling) Act 2000 | |
| Immigration, Asylum & Nationality Act 2006 | ✓ |
| Fire (Scotland) Act 2005 | ✓ |

Appendix B GDPR Principles

Article 5 of the GDPR sets out seven key principles which lie at the heart of the general data protection regime. 

Article 5(1) requires that personal data shall be:   

“(a) Processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’); 

(b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’); 

(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); 

(d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); 

(e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’); 

(f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” 

Appendix C Caldicott Principles

(The Caldicott Committee (December 1997), Dept of Health) 

HIC Services procedures are also designed to comply with the 6 NHS Caldicott Principles. HIC Services minimises the use of identifiable data - any request for use of identifiable data is referred for specific Caldicott Guardian approval. HIC Services provides a safe environment to implement Caldicott-approved use of data. 

  1. Justify the purpose(s): Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed by an appropriate guardian. 

  2. Don’t use patient-identifiable information unless it is absolutely necessary: Patient-identifiable data items should not be used unless there is no alternative. 

  3. Use the minimum necessary patient-identifiable information: Where use of patient-identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability.

  4. Access to patient-identifiable information should be on a strict need to know basis: Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items that they need to see. 

  5. Everyone should be aware of their responsibilities: Action should be taken to ensure that those handling patient-identifiable information, (both clinical and non-clinical staff) are made fully aware of their responsibilities and obligations to respect patient confidentiality. 

  6. Understand and comply with the law: Every use of patient-identifiable information must be lawful. Someone in each organisation should be responsible for ensuring that the organisation complies with legal requirements.  

The Information Governance Review, April 2013 (known as Caldicott 2), added a 7th Principle:

  7. The duty to share information can be as important as the duty to protect patient confidentiality: Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

Appendix D Differentiating Audit, Service Evaluation & Research

The Health Research Authority (HRA) in its publication ‘Defining Research – guidance from NRES’ provides a guideline as to whether a project is research, which normally requires NHS REC review, or another activity such as audit or service evaluation, which does not. Projects which do require NHS REC review will normally also require NHS R&D permission(s).  This standard also applies to an Approved Project requiring data from HIC Services.  

From ‘Defining Research’. The Health Research Authority (HRA). Ref. 0987 December 2009 (rev. April 2013) 

The HRA table is reproduced below by category (Research, Service Evaluation, Clinical Audit, Surveillance, Usual Practice in Public Health); the entries in each list correspond row by row across the categories (purpose, question answered, measurement method, interventions, data collection, allocation, randomisation, REC review).

Research

  • The attempt to derive generalisable new knowledge including studies that aim to generate hypotheses as well as studies that aim to test them.

  • Quantitative research – designed to test a hypothesis. Qualitative research – identifies/explores themes following established methodology.

  • Addresses clearly defined questions, aims and objectives.

  • Quantitative research – may involve evaluating or comparing interventions, particularly new ones. Qualitative research – usually involves studying how interventions and relationships are experienced.

  • Usually involves collecting data that are additional to those for routine care but may include data collected routinely. May involve treatments, samples or investigations additional to routine care.

  • Quantitative research – study design may involve allocating patients to intervention groups. Qualitative research – uses a clearly defined sampling framework underpinned by conceptual or theoretical justifications.

  • May involve randomisation.

  • Normally requires REC review.

Service Evaluation*

  • Designed and conducted solely to define or judge current care.

  • Designed to answer: “What standard does this service achieve?”

  • Measures current service without reference to a standard.

  • Involves an intervention in use only. The choice of treatment is that of the clinician and patient according to guidance, professional standards and/or patient preference.

  • Usually involves analysis of existing data but may include administration of interview or questionnaire.

  • No allocation to intervention: the health professional and patient have chosen intervention before service evaluation.

  • No randomisation.

  • Does not require REC review.

Clinical Audit

  • Designed and conducted to produce information to inform delivery of best care.

  • Designed to answer: “Does this service reach a predetermined standard?”

  • Measures against a standard.

  • Involves an intervention in use only. The choice of treatment is that of the clinician and patient according to guidance, professional standards and/or patient preference.

  • Usually involves analysis of existing data but may include administration of simple interview or questionnaire.

  • No allocation to intervention: the health professional and patient have chosen intervention before audit.

  • No randomisation.

  • Does not require REC review.

Surveillance

  • Designed to manage outbreak and help the public by identifying and understanding risks associated.

  • Designed to answer: “What is the cause of this outbreak?”

  • Systematic, statistical methods to allow timely public health action.

  • May involve collecting personal data and samples with the intent to manage the incident.

  • May involve analysis of existing data or administration of interview or questionnaire to those exposed.

  • Does not involve an intervention.

  • No randomisation.

  • Does not require REC review.

Usual Practice (in Public Health)

  • Designed to investigate outbreak or incident to help in disease control and prevention.

  • Designed to answer: “What is the cause of this outbreak?” and treatment.

  • Systematic, statistical methods may be used.

  • Any choice of treatment is based on clinical best evidence or professional consensus.

  • May involve administration of interview or questionnaire to those exposed.

  • May involve allocation to control group to assess risk and identify source of incident but treatment unaffected.

  • May involve randomisation but not for treatment.

  • Does not require REC review.

*Service development and quality improvement may fall into this category. Source: NHS HRA

DOCUMENT CONTROLS

Process Manager: Jenny Johnston

Point of Contact: hic-ops@dundee.ac.uk

Revision history (revision number, revision date, revision made, revision by, revision category, approved by, effective date):

  • 1.0, 01/01/24: Moved SOP to Confluence from SharePoint and updated into new template. Revision by Bruce Miller and Symone Sheane. Category: Superficial. Approved by Governance Co-Ordinator: Symone Sheane. Effective date 10/01/24.

  • 1.1, 10/04/24: Updated document control table, formatted and added in revision category. Revision by Bruce Miller and Symone Sheane. Category: Superficial. Approved by Governance Co-Ordinator: Symone Sheane. Effective date 10/04/24.

  • 1.2, 19/04/24: Updated Approved by column to reference role title and person. Revision by Symone Sheane. Category: Superficial. Approved by Governance Co-Ordinator: Symone Sheane. Effective date 19/04/24.

  • 1.3, 30/04/24: Updated Header to conform with BSI guidelines. Revision by Bruce Miller. Category: Superficial. Approved by Governance Co-Ordinator: Symone Sheane. Effective date 30/04/24.

  • 1.4, 02/05/24: Updated links to Definitions in ISMS Glossary, removed Definitions section within document. Revision by Bruce Miller. Category: Superficial. Approved by Governance Co-Ordinator: Symone Sheane. Effective date 02/05/24.

  • 1.5, 14/10/24