1. Introduction
This policy has been designed to provide a framework of control and safeguards for the security of the information and systems used within New Islington Medical Practice.
A General Practice has a legal obligation to comply with all appropriate legislation in respect of Data, Information and IT Security. It also has a duty to comply with guidance issued by the Department of Health, other advisory groups to the NHS and guidance issued by professional bodies.
It is important that a general practice has an information security policy to provide management direction and support on matters of information security in general practice. The information systems used by the Practice represent a considerable investment and are valuable assets. The assets comprise equipment, software and data, essential to the effective and continuing operation of the Practice.
Information systems form a major part of the efficiency of a modern general practice. Adequate security procedures are critical in ensuring the Confidentiality, Integrity and Availability of these systems. Much of the data processed via these systems is of a confidential nature, and it is necessary for all information systems to be protected against any events, accidental or malicious, which may put at risk the activities of the Practice or the investment in information.
2. Purpose and Scope of this Policy
The purpose of this policy is to specify how the Practice will protect, to a consistently high standard, all information assets. The policy covers security which can be applied through technology, but it also encompasses the behaviour of the people who manage information in day-to-day practice business.
This policy is applicable to all surgery premises under the responsibility of the Partners, the information systems utilised and the data that can flow into or out of them.
3. Aim and Objectives
The aim of information security is to ensure:
Confidentiality: Information is obtained, held and disclosed lawfully and data access is confined to those with specified authority to view and/or change the data.
Integrity: Information is complete and accurate. All system assets and networks shall be operating correctly according to specification. This means that everyone involved is required to maintain the integrity of all the data within the practice by taking care over data input, checking that the correct record is on the screen before updating, being proficient with the systems and applications used, and reporting apparent errors to the Practice Manager or Security Lead.
Availability: Systems and data are available when required, and the output from them is delivered to the right person, at the right time, when it is needed.
Confidentiality, Integrity and Availability will be delivered by the Practice implementing a robust Information Security Management System.
4. Information Security Management System
4.1 Roles and Responsibilities
GPs/Partners
GPs/Partners are responsible for ensuring that everybody employed by the Practice understands the need for, and maintains, information security. They also have overall responsibility for ensuring that systems and mechanisms to protect information security are in place.
Named Person: Dr Wameedh Ali
Security Lead
The Practice must have a nominated Security Lead who is responsible for acting as a focus for information security issues and ensuring that they are raised appropriately with GPs/Partners.
Named Person: Dee Turner
Practice Manager
The Practice Manager is responsible for ensuring that the information security management system set out in this policy is built into local processes and that there is on-going compliance. They must ensure that any incidents or breaches of the policy are reported and managed.
Named Person: Dee Turner
Staff
All staff are responsible for information security and therefore must understand and comply with this policy and the underpinning requirements of Data Protection and Confidentiality law.
External Contractors
Contracts with external contractors that allow access to the Practice’s information systems must be in operation before access is allowed. These contracts must ensure that the staff or sub-contractors of the external organisation comply with all appropriate security policies.
4.2 Governance
- There must be a named individual within the practice nominated as the Security Lead.
- A suitable forum for security issues must be established within the practice.
- Procedures for managing and reporting incidents must be documented and accessible to all staff, and their use must be monitored and assured.
- All ICT assets (hardware, software, applications or data) must have a named Information Asset Owner (IAO) who shall be responsible for the information security of that asset. The IAO at New Islington is Dee Turner.
- All information security incidents, near misses, and suspected weaknesses are to be reported to the Security Lead, Practice Manager, Caldicott Guardian and Data Protection Officer.
- Where we engage with third parties to process personal data on the Practice’s behalf, we stipulate our privacy expectations in written instructions. They are under a strict duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
4.3 Workforce
- All staff must be trained when recruited and then at least every two years. In particular, all staff should understand:
  - What information they are using, and how it should be handled, stored and transferred.
  - What procedures and protocols control the sharing of information with others.
  - How to report security concerns or suspected breaches.
- All employee contracts must contain confidentiality agreements and all employee job descriptions must detail security responsibilities.
- All contracts with third party suppliers must have appropriate clauses containing security and confidentiality requirements.
4.4 Premises
- A physical security check to assess whether adequate measures (windows, doors, privacy measures etc.) are in place should be undertaken regularly.
4.5 ICT Assets
- For each ICT asset, the Security Lead and the relevant IAO, supported by the Practice Manager, must carry out a risk assessment which assesses whether adequate security measures are in place. Expert advice will be sought where required.
- Management of computers and networks shall be controlled through standard documented procedures.
- In order to minimise loss of, or damage to, all assets, equipment shall be identified, registered and physically protected from threats and environmental hazards.
- General practice assets and equipment must not be removed from the premises or lent to anyone without the permission of a Partner or the Practice Manager.
- Practice systems must only be used for approved purposes authorised by the Partners and managed by the Security Lead.
- Only suitably qualified or experienced staff should undertake maintenance work on, or make changes to, the practice systems.
- Only authorised software may be installed and it must only be used in accordance with the software licence agreement.
- To maintain the integrity and availability of practice systems, backups of practice software and information must be taken regularly.
4.6 Access Controls
- All systems providing access to personal data or other confidential information must be protected by strong passwords.
- Each individual is responsible for keeping their own password secure, and must ensure it is neither disclosed to nor used by anyone else, under any circumstances. Staff must only access systems using their own login and password. All staff are accountable for any activity carried out under their login and password, and this is audited. Passwords should be a minimum of 8 characters in length with a mixture of letters and numbers and have an expiry date requiring them to be changed regularly.
- Access to information and/or ICT facilities shall be restricted to users who have an authorised business need to access the information and be approved by the relevant Information Asset Owner.
- Access must be granted to, and revoked from, information systems in a controlled manner and a list of authorised users must be maintained by the Practice Manager.
- The user list must be reviewed regularly and leavers and those no longer requiring access for their duties must be removed from the system immediately.
- Access to system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need e.g. system administrators.
4.7 Protection from malicious software
Unless completely isolated, computer systems are continually at risk from virus infection. Viruses may be received as an e-mail message or as an attachment to a message, via a macro within a word-processing or spreadsheet document, or via an infected program that has been downloaded or installed from removable media.
- The Practice shall use software countermeasures and management procedures to protect itself against the threat of malicious software. All staff shall be expected to co-operate fully with this policy.
- Users shall not install software on the Practice’s property without permission from the Security Lead. Users breaching this requirement may be subject to disciplinary action.
- If a virus is suspected, the Security Lead must be informed immediately.
4.8 Removable media
Removable media of all types that contain software or data from external sources, or that have been used on external equipment, require the approval of the Security Lead before they may be used on the Practice systems. Such media must also be fully virus checked before being used on the Practice’s equipment. Users breaching this requirement may be subject to disciplinary action.
4.9 Monitoring System Access and Use
An audit trail of system access and staff data use shall be maintained and reviewed on a regular basis. The Practice will put in place routines to regularly audit compliance with this and other policies. In addition, it reserves the right to monitor activity where it suspects that there has been a breach of policy.
4.10 New and upgraded information systems
- The Practice shall ensure that all new information systems, applications and networks include a Data Protection Impact Assessment and are approved by the Security Lead before they commence operation.
- Changes to information systems, applications or networks shall be reviewed and approved by the Security Lead.
4.11 Business Continuity Management
- The Practice shall ensure that it has appropriate business continuity management arrangements for information assets, including appropriate disaster recovery plans for all priority applications, systems and networks.
- These plans are reviewed and tested on a regular basis.