Information Security Policy for PLE Health

Information Security Officer : Dr Alison Hoskins

PLE Staff and Clinicians Responsibilities

All employees and associates of PLE Health (PLE) are accountable for compliance with this Policy. When using information, any accidental breach of this Policy must be reported to the Information Security Officer as soon you become aware of it. Transmission of information must be via a secure electronic method.

As part of our information security requirements you must ensure that:

  • You adhere to the principles and directives in this Policy at all
  • All possible software updates are downloaded and installed to increase security on mobile
  • All computers/devices used to hold PLE information are password
  • Anti-virus and malware protection is used where available to protect any devices which store PLE
  • A client’s identification is checked when conducting examinations or
  • The caller’s identity is verified before divulging any information on the .
  • All reports are sent to PLE via a secure method eg. ESET or via our online
  • You adhere to data protection requirements in accordance with recommendations or requirements of the ICO and your professional
 

Data Integrity and Availability

Associates who use laptops and/or hand-held mobile devices are responsible for ensuring the integrity of the data they process. Data must be backed up on a regular basis to ensure data integrity and availability and sufficient controls need be taken to ensure that the equipment is secured and not left unattended.

Network Access

The minimum acceptable level of security for connection to a WiFi network is WPA or WPA2 (Wired Equivalent Protection/WEP is not an acceptable standard). Laptops and other mobile devices must not in any circumstances be connected to an unsecure WiFi network (whether via a public wireless access point, wireless ‘hotspot’ or otherwise).

Anti-Virus and Malware Protection

Employees and associates using any device are required to ensure that anti-virus and malware protection controls are installed and regularly updated on the local machine.

Under no circumstances should the operation of any anti-malware software or firewall be disabled and it is vital that any laptop or handheld mobile device has appropriate security measures.

Security Breaches, Hacking and Lost Equipment

Any suspected breach of security by accident or deliberate intrusive action by another (such as hacking) is immediately reported to the Information Security Officer, who in some circumstances will have an obligation to notify the breach to ICO.

Telephone Handling

On a call, employees and associates must ask appropriate Data Protection questions before passing on any information.

Destruction of Media

Not later than 6 months (or agreed timescales) following the completion of the request, all information linked to PLE Clients that is no longer required to complete the service to PLE must be permanently deleted from any laptop or handheld mobile device on which it is stored and any physical copy must be destroyed. Physical paper copies must be destroyed by confidential shredding.

Information Transfer

All employees and associates should use a secure email provider. Unsecure webmail providers such as Hotmail Yahoo, Outlook.com etc. are not appropriate vehicles for the transfer of sensitive information unless sent via an encrypted system such as ESET. Attachments sent by email must be password-protected with the password must be sent by separate email or via PLE’s online portal.

Medical reports/records should only be sent by post if no other option. If posted they must be sent by trackable post and a copy should be retained. This copy should then be securely destroyed within our agreed timescales (not usually more than 6 months)