Ensuring Confidentiality and Security - PowerPoint PPT Presentation

1 / 44
About This Presentation
Title:

Ensuring Confidentiality and Security

Description:

Ensuring Confidentiality and Security Objectives To foster an awareness of the importance of Information Security. To understand the main threats and counter measures ... – PowerPoint PPT presentation

Number of Views:234
Avg rating:3.0/5.0
Slides: 45
Provided by: Empl113
Category:

less

Transcript and Presenter's Notes

Title: Ensuring Confidentiality and Security


1
Ensuring Confidentiality and Security
2
Objectives
  • To foster an awareness of the importance of
    Information Security.
  • To understand the main threats and counter
    measures
  • To raise awareness of the relevant legislation in
    particular the Data Protection Act 1998

3
What is Information Security?
  • Security means that we have
  • Confidentiality
  • Integrity
  • Availability
  • of the information

4
What is a data handling system
  • The term covers the use and management of data
    through organised systems of all forms, whether
    based on human endeavours, paper methods or
    information technology.

5
How does security affect you?
  • Information about you
  • Information about patients/clients
  • Information about the Trust

6
What can go wrong?All Data Handling systems are
subject to threats
  • Incorrect input
  • Theft
  • Wilful damage
  • Unauthorised access
  • Software Virus


7
Security Breaches examples
  • A set of patients' medical records left in a skip
    by retiring doctor (real example!)
  • A security guard reading personal data left on an
    employees desk overnight.
  • A copy of a child at risk register found on a
    second hand computer (real example)
  • A employee using the PC of another employee (who
    logged in and left PC unattended) to process data
    without authorisation
  • An employee using data for which they have
    authorised access for unauthorised purposes e.g
    a police officer using the police national
    computer to check out daughters boyfriend. (real
    example)

8
Security Breaches examples (2)
  • A database corrupted by a virus
  • A patient in a waiting room at a doctors surgery
    overhearing information about another patients
    ailments.
  • A patient at a GP surgery viewing the personal
    data of a previous patient on a PC screen.
  • A passenger on a train was sitting next to
    someone who was reading a solicitors brief about
    a person who had been charged with murder he
    happened to be a relative of the passenger.

9
Case Study 1
  • An employee of the Child Support Agency, having
    read what he believed to be an inaccurate press
    article derogatory of the CSA and concerning a
    CSA client known to him, decided to set the
    record straight by faxing the true story to the
    newspaper concerned. Whilst the fax was sent
    anonymously, an investigation identified him as
    the author. He was dismissed from his employment
    and convicted of unlawful disclosure of personal
    data.

10
Case Study 2
  • The complainant who was employed by a hospital
    was summoned to the office of his Personnel
    Manager to discuss his sickness record. The
    Personnel Manager had accessed the hospitals
    clinical computer information system in order to
    challenge certain aspects of the employees
    account of events. As a result of this complaint
    the hospital revised its security arrangements
    and the Personnel Manager incurred disciplinary
    action as a result of the inappropriate use of
    confidential clinical information for non-medical
    purposes.

11
Case Study 3
  • The complainant visited his local hospital for a
    course of physiotherapy. Some months after the
    therapy was complete the complainant received a
    letter from the physiotherapist who had since set
    up her own business. The physiotherapist had used
    the complainants information that had originally
    been given in confidence to the hospitals for the
    earlier treatment.

12
The Impact of the Threats
  • Personal privacy
  • Personal health and safety
  • Financial
  • Commercial confidentiality
  • Legal damages and penalties
  • Disruption
  • Political embarrassment

13
Ethical Considerations
  • Promote patient/client well-being
  • Avoid detrimental acts/omissions
  • Open and co-operative manner
  • Recognise patient/client dignity
  • No abuse of position
  • Protect confidential information
  • Common Law Duty of Confidence

14
Overview of Legislation
  • Data Protection Act 1984 1998
  • Computer Misuse Act 1990

15
The Computer Misuse Act 1990
  • Introduced three new offences
  • Unauthorised access to computers
  • Unauthorised access with intent
  • Unauthorised modification

16
Main Provisions DPA 1998
  • Covers all HPSS records including electronic
    records
  • Defines processing as obtaining, holding and
    disclosing data
  • Permits subject access to all records
  • Imposes considerable penalties

17
Data Protection 98 The Principles
  • Personal data shall be processed fairly and
    lawfully
  • Personal data shall be obtained only for one or
    more specified and lawful purpose
  • Personal data shall be adequate, necessary and
    not excessive in relation to the purpose for
    which it was provided

18
Data Protection 98 The Principles
continued...
  • Personal data shall be accurate and up to date
  • Personal data processed for any purpose or
    purposes shall not be kept for longer than is
    necessary for those purposes
  • Personal data shall be processed in accordance
    with the rights of the subject under the Act

19
Data Protection 98 The Principles
continued...
  • Technical organizational measures shall be
    taken against unauthorized or unlawful processing
    of personal data and against accidental loss or
    damage to personal data
  • Personal data shall not be transferred to a
    country outside the European Economic Area.

20
Personal Data
  • data which relates to a living individual who can
    be identified from those data,or from those data
    and other information which is in, or likely to
    come into the possession of the data controller-
    includes expression of opinion and intention and
    is
  • system processed or intended to be processed
    automatically,or
  • recorded as part of a relevant filing,or part of
    an accessible record.
  • There is no requirement that this be done by
    reference to the data subject

21
Scope of Data Protection Legislation
  • Automated Data (1984 1998)
  • Relevant filing systems (Manual data) 1998)
  • Accessible Records (1998)

22
Automated Data (1998)
  • On computer
  • Document image processing
  • Audio/Video
  • Digitized images
  • CCTV images

23
Relevant Filing System (1998)
  • Non-automated systems structured by reference to
    individuals
  • Standard manual files
  • Organised to allow ready access to specific
    information about individuals

24
Accessible Records
  • Covers all Health and Social Care records
  • Structured to allow access to individuals

25
Storage
  • Diaries
  • message books
  • appointments register
  • disks
  • address books
  • Complaints register
  • Incident/accident forms

26
Data Protection Definitions
  • Processing - includes obtaining,holding and
    carrying out any operation on the information and
    data.
  • There is no requirement that this be done by
    reference to the data subject

27
Legitimacy of Processing (1998)
  • Personal data shall be processed fairly and
    lawfully and,in particular,shall not be processed
    unless
  • (a) at least one of the conditions in Schedule 2
    is met, and
  • ( b)in the case of sensitive personal data,at
    least one of the conditions in Schedule 3 is met

28
Schedule 2 conditions (1998)
  • Data Subject has given consent
  • Performance of a contract.
  • Compliance with legal obligation.
  • Protection of subjects vital interest.
  • Crown/public functions
  • Legitimate interests of controller or third
    party.

29
Sensitive Data
  • Racial or ethnic origin
  • political opinion
  • religious beliefs (or similar beliefs)
  • membership of trade union
  • physical or mental health or condition
  • sexual life
  • any offence or alleged offence
  • any proceedings or sentence

30
Sensitive Data - Schedule 3
  • Data subject has given explicit consent
  • Performance of legal duty in relation to
    employment
  • Protection of subjects or third partys vital
    interests
  • Legitimate activities of some non-profit
    organisations
  • The information has been made public deliberately
    by the data subject
  • In connection with legal proceedings
  • Administration of justice, statutory obligations
    or crown/public functions

  • Medical purposes
  • For equal opportunities monitoring

31
Schedule 3 contd
  • Substantial public interest prevention
    /detection of any unlawful act
  • SPI protection against dishonesty,malpractice,mi
    smanagement etc
  • Necessary for reviewing equality re
    religion,disability and to promote /maintain
    equality

32
Subject Access Requests
  • Right of access to personal data in computer or
    manual form
  • Entitled to
  • Be informed whether personal data is processed
  • A description of the data held, the purposes for
    which it is processed and to whom the data may
    be disclosed
  • A copy of the data and
  • Information as to the source of the data
  • There are limited exemptions

33
Subject Access Requests contd
  • Responding
  • request should be in writing to relevant
    director,
  • Data should never be read over phone, faxed or
    emailed to data subject,
  • Must be given in 40 days.

34
Case Study
35
Exercise
  • Can you describe a breach of IT security that
    occurred within your work area?
  • Describe What happened?
  • Why it happened?
  • What the impact was?
  • How you recovered (if you did)
  • Steps taken to prevent a repetition.

36
Trust Example Office Fire
  • What Happened?
  • Recent fire destroyed 8 PCs, printer and PC based
    data
  • Why it happened?
  • Accidental fire
  • What was the impact?
  • Minimal as there was central backup of files.
    Would have catastrophic otherwise.
  • How we recovered?
  • Data reloaded onto contingency PCs in another
    Office.

37
Securing automated data
  • Key areas
  • Faxing
  • Avoid the use of fax for sending personal data -
    if there is no alternative use secure protocols
  • Passwords
  • Good password management will help protect
    personal data and staff

38
Securing automated data (2)
  • Email
  • Personal data should not be transmitted by email
  • Data can be accessed by data subjects
  • Email can be insecure
  • Portables/laptops
  • Do not leave unattended when leaving ensure that
    it is locked away be aware of others being able
    to see your computer screen,
  • PDAs and Memory sticks must not contain personal
    information
  • See Trusts IT Security Policy

39
Securing manual data
  • Do not allow sensitive conversations to be
    overheard
  • Guard against people seeking information by
    deception
  • Message books
  • Accessible to staff only sensitive data should
    not be recorded in message books
  • Lock filing cabinets

40
Securing manual data (2)
  • Diaries
  • Patient/client data, which is held in diaries
    should be given the same security as any other
    record
  • Telephone conversations
  • Staff should be careful about those within
    earshot when discussing sensitive information
    check the authenticity of any caller before
    divulging any information

41
Securing manual data (3)
  • Minutes of meetings
  • Minutes which render the subject identifiable
    should be marked confidential stored in a secure
    area available only to the personnel concerned.
  • Staff Supervision records/Staff Appraisal
  • Sick leave records
  • Such information is classified as sensitive data.
    Care should be taken when transferring
    information from medical certificates to
    notification form i.e abbreviations can lead to
    misinterpretation

42
Summary of key points.
  • Duty to PROTECT information
  • Duty to OBTAIN information fairly
  • Duty to ensure information is SECURE
  • Duty to JUSTIFY use and storage of personal data
  • DONT PASS ON information unless you are sure
  • Remember Subject Access

43
BE CAREFUL WHEN YOURE ASKED FOR PERSONAL DETAILS
YOU NEVER KNOW WHERE THEYLL END UP
EVERY
TIME YOURE ASKED FOR PERSONAL INFORMATION THINK
BEFORE YOU GIVE IT AWAY

44
Thank you for attending
Write a Comment
User Comments (0)
About PowerShow.com