Information Security

How information must be handled by IGP employees.

Access

Access to IGP IT systems is controlled by individual user IDs and passwords. Every user ID and password is uniquely assigned to a named individual, and that individual is consequently accountable for all actions taken under it on IGP IT systems and networks.

Individuals must not:

Use someone else's user ID and password to access IGP IT systems.
Allow anyone outside the company access to any IGP system. Attackers may claim to be associated with a company we work with or with an official body such as a government agency, retailer or bank. NEVER install anything, or follow instructions given over the phone, chat or email to open access to IGP systems, without express permission from IGP's IT department. DO NOT BE PRESSURED INTO GIVING ACCESS.
Allow anyone else to use their user ID or password on any IGP IT system.
Attempt to access data that they are not authorised to use or access.
Perform any unauthorised changes to IGP IT systems or information.
Leave their user account logged in at an unattended, unlocked computer.
Leave their password unprotected (for example, by writing it down).

If a user suspects that their network password has become compromised, they should immediately report this to the IT department. If the security of a password is in doubt, for example, if it appears that an unauthorised person has logged in to the account, the password must be changed immediately.


Hardcopy access

Access to hardcopy financial or patient records is prohibited except for clinical staff and those employees directly involved in preparing those records.

IGP operates a clear desk policy and documents should only be available to employees while they are being processed. Documents should not be stored on an individual's desk or left unattended for any lengthy period of time.
Filing cabinets or cupboards should remain locked unless they are being accessed.
Physical documents must not be removed from their source location (the office building), and documents or media containing personal data must be shredded or destroyed on site.


Hardcopy transmission

When sending hardcopy records to another individual, including patient or third party, employees should ensure the following:

Hardcopy records and physical media containing sensitive information (paper records, CDs, data drives) must be sent by recorded delivery.
Physical media, such as CDs or data drives, must be encrypted, and the encryption key must be sent separately from the media.
The transfer of personal information outside the EU is prohibited unless special arrangements have been made. If you must transfer data outside the EU, contact the DPO (Data Protection Officer) beforehand to ensure such arrangements are in place.
Transferring records by hand requires special permission from the DPO.


Environment

Core network equipment, such as the server, phone system and local back-up system, is housed in a secure environment at IGP's main administration centre. All visitors with access to the network hardware must be authorised and supervised by the IT department.

Hardware used by individuals, including phones, workstations, monitors, and printers should not be moved or tampered with without permission or supervision from the IT department.
Hardware should not be removed from the office building at any time without permission.
Employees should not connect non-IGP authorised devices to the IGP network or IT systems.
Employees should not store IGP data on any equipment not authorised by IGP.
Employees should not attempt to alter any of the company's computing or network components without authorisation or beyond one's level of authorisation, including but not limited to bridges, routers, hubs, wiring, and connections.

Individuals must comply with any request to discontinue an activity that threatens the operation or integrity of computers, systems or networks.

Authorisation to carry out any of the above must be sought in writing through the IT manager.


Telephony (Voice) Equipment

Individuals must ensure that no personal data or sensitive information is overheard by people not employed by IGP. Special consideration should be given where sensitive information might be overheard even by IGP employees who are not directly involved with the information or the individual being discussed. If there is a risk that sensitive information may be overheard, IGP will make special arrangements for the conversation to be held in private.

Use of IGP's voice equipment is intended for business use. Individuals must not use IGP's voice facilities for sending or receiving private communications on personal matters, except in exceptional circumstances. All non-urgent personal communications should be made at an individual's own expense using alternative means of communications.

Individuals must not:

Use IGP's voice equipment for conducting private business.
Make hoax or threatening calls to internal or external destinations.
Accept reverse-charge calls from domestic or international operators, unless they are for business use.

Telephone conversations must take place in a private environment where others cannot overhear.

Facsimile (fax) machines are not secure and The Independent General Practice actively discourages their use. Any information sent by fax must be confirmed as received by the recipient at the time the fax is sent.

Before personal information is divulged in any form of communication (email, telephone, video or in person), employees must be absolutely satisfied that the identity of the data subject, representative or third party has been verified and that they are permitted to access the information.

Data subjects, their representatives or third parties will be required to answer security questions correctly before related information is released.
Personal information should not be shared internally unless the person it is shared with has a legitimate reason for accessing that information.


Internet & Email

All individuals are accountable for their actions on the internet and while using IGP email accounts. Any behaviour and/or activities that threaten the integrity of the company's computer networks or systems are expressly prohibited. Such behaviour and/or activities include but are not limited to:

Intentionally or carelessly performing an act that places an excessive load on a computer or network, resulting in the disruption of the company's services.
Using the company's resources to gain unauthorised access to any computer system, or using someone else's computer without their permission.
Giving access to, or transferring, IGP data or software to any person or organisation outside IGP without IGP's authority.
Making unauthorised attempts to circumvent data protection schemes or anti-virus software, or to probe for vulnerabilities in the company's security systems.
Interfering with or disrupting systems, networks or related services, including but not limited to the propagation of computer 'worms', 'viruses' or 'Trojan Horses'.
Unauthorised scanning of ports, computers and networks.
Providing services or accounts to other users on company computers, or via the company's networks from a personal computer, unless required for the normal activities of authorised business.


Downloading of files

Employees are expressly forbidden to download any executable files (.exe, .com or .bat extensions). Employees must also not download or initiate any software upgrades from the internet, email or any other source unless specifically directed to do so by the IT manager.

Individuals must not:

Connect, access, download, send or receive any data (including images), which IGP considers offensive in any way, including sexually explicit, discriminatory, defamatory or libellous material.
Download any software or application from the internet to any IGP owned devices or any device that is connected to IGP's network.
Download copyrighted material such as images, music media (MP3) files, film and video files (not an exhaustive list) without appropriate approval.
Use any games or screensavers other than those that form part of the operating system.

Shareware, freeware and public domain software are bound by the same policies and procedures as all other software. No user may install any free or evaluation software onto the company's equipment.


Appropriate Use

When using the internet, Individuals must not:

Use the internet or email for the purposes of harassment or abuse.
Use profanity, obscenities or derogatory remarks in communications.
Use the internet or email for personal gain or to conduct a personal business.
Use the internet or email to gamble.
Use the email system in a way that could affect its reliability or effectiveness, for example by distributing chain letters or spam.
Place any information on the internet that relates to IGP, alter any information about it, or express any opinion about IGP, unless specifically authorised to do so.
Make official commitments through the internet or email on behalf of IGP unless authorised to do so.
In any way infringe any copyright, database rights, trademarks or other intellectual property.
Connect to the internet or network without suitable anti-virus or anti-malware protection.
Send or transmit unprotected personal data or confidential information externally.
Forward IGP mail to personal email accounts (for example, a personal Hotmail account).


Electronic Communications

Special category information sent by email must be sent as an encrypted attachment, never within the body or subject header of the email.
Sensitive information must be encrypted, and the key or password that unlocks the file must be delivered separately from the file. It must never be sent with, or be accessible in, the same communication; ideally a different contact method is used to provide it.
The attachment containing sensitive information must be deleted as soon as it has been sent or processed.
Insecure webmail providers such as Hotmail, Yahoo, Outlook.com and similar are not appropriate vehicles for the transfer of sensitive information.


Wireless Network

IGP has deployed a wireless network across the premises which is for the use of employees and authorised representatives only.

External parties, such as patients or visitors, must not be given access to the same WiFi network on which personal information is transferred or can be accessed.


Clear Desktop & Screen Policy

In order to reduce the risk of unauthorised access or loss of information, IGP enforces a clear desk and screen policy as follows:

Computers must be logged off/locked or protected with a screen locking mechanism controlled by a password when unattended.
Individuals must not leave or store personal data or sensitive information about an individual or company on an individual desktop computer, including in a documents folder, downloads folder or the desktop itself.
Individuals must not leave programs logged in or documents open when unattended.
Individuals must ensure that where members of the public may have access to personal data, such as at reception, the personal data cannot be read or accessed.
Personal or confidential business information must be protected using any security features provided. For example, when booking an appointment, a privacy setting must be used to protect personal data from being seen.


Anti-Virus & Malware

The IT department has implemented centralised, automated virus detection and anti-virus software updates. All PCs (including the server) have anti-virus software installed to detect and remove viruses automatically.

The IT manager will:

Fully investigate and eradicate any reports/cases of virus infection.
Inform all users of any issues or infections relating to virus contamination.
Ensure updates are installed in a timely manner.


Individuals must:

Ensure any removable media is scanned before use on company systems.
Ensure files downloaded from email or the internet are scanned and verified virus-free. .exe and .zip files must not be downloaded or opened under any circumstances without the IT department's approval and supervision.
Inform the IT manager immediately if a virus infection is suspected.


Individuals must not:

Remove or disable anti-virus software.
Attempt to remove virus-infected files or clean up an infection.


Working Off-site

It is accepted that laptops and mobile devices will be taken off-site. However, the following controls must be applied:

Working away from the office must be in line with IGP's Remote Working Policy.
Equipment and media taken off-site must not be left unattended.
Laptops must be carried as hand luggage when travelling.
Information should be protected against loss or compromise when working remotely (for example at home or in public places).
Particular care should be taken with the use of mobile devices such as laptops, mobile phones, smartphones and tablets. They must be protected with at least a password or a PIN and encryption where available.
Sensitive personal data should not be stored on the mobile device without encryption.
Access to use the equipment must not be granted to non-staff members.
Employees are personally liable for any unlicensed software, and copyrighted material found on this equipment, and will be subject to the company's disciplinary procedures for any breach of this policy.
Anti-virus software must be installed and working on the equipment.


Mobile Storage Devices

IGP discourages the use of mobile storage devices (other than authorised laptops) and special consideration must be given to any data that is stored on a mobile storage device. Mobile storage devices such as memory sticks, CDs, DVDs and removable hard drives must only be used when no other suitable method of transferring data is available.

Mobile storage devices must be encrypted, with the encryption key kept separately from the device.
Mobile storage devices must be accounted for: any device in use must be locatable at any time and must be stored in a specific lockable unit such as a safe or filing cabinet.
Mobile storage devices sent by post must go by first-class recorded delivery or a reputable courier with tracking.
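The policy requires the same pattern for encrypted email attachments (Electronic Communications), posted media (Hardcopy transmission) and mobile storage devices: the encrypted file travels by one channel and the key by another. The following shell script is an added example and is not part of the IGP policy or any IGP tooling; it assumes OpenSSL 1.1.1 or later is installed (for PBKDF2 key derivation), and the file names, the `demo` function and the sample record are constructed for illustration only.

```shell
#!/bin/sh
# Added example (not IGP's own code): encrypt a sensitive file with a
# freshly generated random passphrase so that the ciphertext and the
# passphrase can be delivered over different channels.
# Assumes OpenSSL >= 1.1.1 (needed for -pbkdf2).

# encrypt_attachment <plaintext> <ciphertext-out> <passphrase-out>
# Writes AES-256-CBC ciphertext (key derived from the passphrase with
# PBKDF2) to $2 and the passphrase to $3. Only $2 is attached to the
# email or copied to the memory stick; $3 is read out over the phone or
# sent by a separate route, and both files are deleted afterwards.
encrypt_attachment() {
  plain=$1; enc=$2; passfile=$3
  # 32 random bytes, hex-encoded: far beyond what can be guessed.
  openssl rand -hex 32 > "$passfile" || return 1
  chmod 600 "$passfile"
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -in "$plain" -out "$enc" -pass "file:$passfile"
}

# decrypt_attachment <ciphertext> <passphrase-file> <plaintext-out>
# Fails (non-zero exit) when the passphrase is wrong, because the
# decrypted padding will almost never check out.
decrypt_attachment() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$1" -out "$3" -pass "file:$2"
}

# Demonstration on a constructed record (not real patient data).
# Prints "ok" when the round trip behaves as the policy expects.
demo() {
  tmp=$(mktemp -d) || return 1
  printf 'Patient ref: SAMPLE-0001\nNote: constructed sample record\n' > "$tmp/record.txt"

  encrypt_attachment "$tmp/record.txt" "$tmp/record.txt.enc" "$tmp/passphrase.txt" || return 1

  # The ciphertext must not contain the plaintext.
  if grep -q 'constructed sample' "$tmp/record.txt.enc"; then
    echo "plaintext leaked into ciphertext"; return 1
  fi

  # A wrong passphrase must not recover the record.
  echo 'wrong-passphrase' > "$tmp/wrong.txt"
  if decrypt_attachment "$tmp/record.txt.enc" "$tmp/wrong.txt" "$tmp/out_wrong.txt" 2>/dev/null \
     && cmp -s "$tmp/record.txt" "$tmp/out_wrong.txt"; then
    echo "wrong passphrase recovered the record"; return 1
  fi

  # The correct passphrase, delivered separately, recovers it exactly.
  decrypt_attachment "$tmp/record.txt.enc" "$tmp/passphrase.txt" "$tmp/out.txt" || return 1
  cmp -s "$tmp/record.txt" "$tmp/out.txt" || { echo "round trip mismatch"; return 1; }

  rm -rf "$tmp"
  echo ok
}
```

Two caveats a practitioner should keep in mind: `openssl enc` provides confidentiality only, so a recipient cannot detect a tampered file; where tamper evidence matters, a tool that authenticates the ciphertext (such as gpg or age) is the better choice. And the separation only helps if the passphrase file really does go by a different route and is then deleted: a passphrase pasted into a follow-up email to the same mailbox defeats the purpose.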


Bring Your Own Device (BYOD)

IGP employees must agree to the following in order to connect their devices to the company internet.

Acceptable Use

The company defines acceptable personal use on company time as reasonable and limited personal communication or listening to music.
Employees are blocked (via firewall) from accessing certain websites during work hours/while connected to the corporate network at the discretion of the company.
Devices' camera and/or video capabilities are not disabled while on site, but they must not be used on site without express permission.


Devices may not be used at any time to:

Store or transmit illicit materials.
Store or transmit proprietary information belonging to another company.
Harass others.
Engage in outside business activities.

Apps available from Apple's App Store or Google Play are allowed, so long as they abide by IGP's IT policies.
Employees are not permitted to use their mobile device to access company-owned resources: email, calendars, contacts and documents.
IGP has a zero-tolerance policy on texting or emailing while driving; only hands-free talking while driving is permitted.
Smartphones belonging to employees that are for personal use only are not allowed to connect to the server or file-sharing network.
Access to the internet for those not employed by, or in a contractual arrangement with, IGP is strictly forbidden. Use of IGP's internet is intended for business use. Personal use of the company WiFi is permitted where such use does not affect the individual's business performance, is not detrimental to IGP in any way and does not breach any term or condition of employment.


Remote Access

Remote Access refers to any technology that enables IGP to connect users in geographically dispersed locations.

Remote access to IGP's network may be necessary to carry out investigations on the network or to access an individual's desktop from another location within the administration office. However, remote access also has the potential to compromise the security of the network and the data contained within it.

Remote access should be kept to a minimum and use only authorised software, and all access over remote connections must be confirmed by the IT department. Remote access software includes programs such as Teamviewer, log-me-in and Fast-support.

General access to IGP's network is limited to authorised users, which includes IGP employees and third parties authorised to access the IGP network, such as Westgate IT and authorised software support such as Proclaim or Sage.

When accessing the IGP network remotely, authorised users are responsible for preventing access to any IGP computer resources or data by non-authorised users.

It is the responsibility of authorised users with remote access privileges to IGP's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to IGP.

The authorised user bears responsibility for and consequences of misuse of the authorised user's access.

All remote access users are responsible for complying with this policy and associated standards. Users must notify the IT department or DPO immediately of any security incidents and/or breaches.


Reporting Data Security Breaches and Weaknesses

Data Security Breaches and weaknesses, such as the loss of data or the theft of a laptop, must be reported in accordance with the requirements of IGP's incident reporting procedure and, where necessary, investigated by the IT Department and/or DPO.


What is a data breach?

A data breach is more than just about losing personal data. A data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.


What constitutes an incident?

An incident is an instance or period in which deliberate or accidental action (or inaction) by a controller or processor leads to any of the following:

Loss or theft of personal data, or of equipment on which such data is stored or accessed.
Unauthorised use of, access to or modification of personal data processed by IGP.
Attempts (failed or successful) to gain unauthorised access to personal data processed by IGP.
Unauthorised disclosure of personal data.
Unforeseen circumstances such as a fire or flood.
Human error, or accidental loss or disclosure of personal information.


Third Party Breaches

Under GDPR, IGP also has a responsibility in respect of third parties processing information where IGP is the controller. A third-party breach may include:

No contract between processor and controller.
No confirmation from the third party of adherence to GDPR guidelines.
Failing to ensure we have received confirmation of data security measures.
Insecure transfer method.
Unsuitable or no consent.
Failure to update or delete personal information upon request.
Failure or inability to withdraw consent or delete.


Discovery of a Breach or Incident

This policy applies to all staff and clinicians at IGP and relates to all personal and sensitive data held by IGP regardless of format. Any individual who accesses, uses or manages information processed by IGP is responsible for reporting a data breach or incident immediately to the Data Protection Officer (DPO).

IGP's Data Protection officer (DPO): Kieran Reynolds Email: kieran@theigp.co.uk

If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable.

An Incident Report Form should be completed as part of the reporting process.

All staff should be aware that any breach of personal data may result in IGP's disciplinary procedures being instigated.


Equipment Disposal

Employees must not dispose of any software or hardware owned by the company without authorisation.


Procurement

Unless authorised, you are not permitted to source and/or purchase any IT hardware, software and/or any associated peripherals or spares. If you purchase any of these without prior authorisation, you will not be reimbursed.


User Responsibilities

All personnel or agents acting for the organisation have a duty to:

Safeguard hardware, software and information in their care.

Restrict access to hardware and software by ensuring:

Passwords are not shared
Systems are not left logged in unattended
Access is not granted to unauthorised persons
Prevent the introduction of malicious software onto the organisation's IT systems.
Report any suspected or actual breaches of security.

Exceptions

Any exception to the policy must be approved by the IGP's IT department and/or DPO.


The Independent General Practice