Information Assets in Healthcare


Information assets in healthcare play a crucial role in ensuring effective management, protection, and utilization of valuable data. Definition, categorization, evaluation, and lifecycle considerations are key aspects in maximizing the value of these assets for patient care and operational efficiency.

  • Healthcare
  • Information Assets
  • Data Management
  • Asset Evaluation
  • Patient Care


Presentation Transcript


  1. Information Asset Owner (IAO)
     Material taken and adapted from the NHS England Information Asset Owner Handbook.

  2. What is an Information Asset?

  3. An information asset is a body of information, defined and managed as a single unit so that it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles. An asset can be patient, staff or corporate information/data processed by the Trust and held in various forms, including paper copies, Excel databases and system applications. All information assets must have an assigned asset owner.

     Examples of information assets used by the Trust are:
     • Electronic Patient Records, e.g. Careflow, Cris, iPortal
     • Healthcare systems & apps
     • Paper health records
     • CCTV recordings
     • Audit records

     Some simple questions which can help to define whether the information held is an asset are:
     • Is it of value to the Trust?
     • Would there be legal, reputational or financial repercussions if you couldn't produce the information on request?
     • Would it have an operational impact if the information could not be accessed, or if there was a delay in access?
     • Is there a risk associated with it: losing it, it being tampered with, or inappropriate disclosure?
     • Will it cost money to reacquire the information?
     • Does the group of information have specific content not held elsewhere?

  4. Asset Evaluation
     Assets differ in both format and their importance to Trust business processes. The Trust therefore needs to define the level at which each asset is valued and whether system-level assessments and reviews are appropriate. To document this, the Trust holds an Information Asset Register which categorises assets as Primary or Secondary assets.

     Primary Asset: a Primary asset is one which the Trust is reliant on and cannot operate without. The information asset being unavailable for up to 24 hours will disrupt and affect patient care, quality of service and the operations of the Trust. Primary information mainly comprises:
     • Highly sensitive and vital information for the exercise of the organisation's mission or business
     • Personal information, as defined specifically in the national laws regarding privacy
     • Strategic information required for achieving objectives determined by the strategic orientations
     • High-cost information whose gathering, storage, processing and transmission require a long time and/or involve a high acquisition cost

     Secondary Asset: a Secondary asset is one which, if compromised, the Trust as a whole is not reliant on to function; however, it does perform a necessary localised function. Information held in the asset is personal information or less sensitive information.

     Below is a breakdown of the asset classifications used by the Trust:
     • Priority 1A - A system that is critical for patient care (i.e. emergency care, diagnostic)
     • Priority 1B - A system that is critical for patient care (i.e. emergency admission, monitoring, 7/7 service)
     • Priority 1C - A system that is critical for patient care (i.e. outpatient, elective admission, core business hours)
     • Priority 2 - A system that is used for patient registration or communication and affects the Hospital financially or reputationally
     • Priority 3 - A system that adds efficiencies

  5. Information Asset Due-Diligence & Lifecycle of an Asset

  6. Due Diligence

  7. To ensure that information assets deployed within the Trust adhere to NHS guidance and national legislation such as UK GDPR and the Data Protection Act 2018, a number of documents must be completed and approved before a new information asset can be implemented or procured for use within the Trust:
     • Data Protection Impact Assessment (DPIA)
     • Digital Technology Assessment Criteria (DTAC)

     These documents must be completed for both internally developed systems and those procured from a supplier; they are also required for free-of-charge systems and those which you are looking to trial. We will now look at these documents and how they fit into the lifecycle of an information asset in more detail.

  8. Lifecycle diagram: Due Diligence (DPIA)

  9. Data Protection Impact Assessment (DPIA)
     A DPIA is a nationally mandated process which assists the Trust in identifying and minimising the privacy risks of new projects, or in reviewing an existing system when the data is being used for purposes other than its original intent. A DPIA enables the Trust to systematically and thoroughly analyse how a particular project or system will affect the privacy of the individuals involved; this in turn ensures the organisation implements effective standard operating procedures and policies. The assessment acts as a checklist to ensure that the information asset has accounted for all aspects of information security.

     The DPIA helps the IAO or project manager to review the benefits that information sharing might bring to the Trust, specific individuals or society as a whole. It also helps to assess any risks or potential negative effects, such as risks to confidentiality that may cause potential harm, distress or embarrassment to individuals, or damage to the Trust's reputation, if information is shared inappropriately.

     The DPIA must be completed by the IAO with support from other leads within the Trust, and not by external parties. A project or update to an asset cannot commence until a DPIA has been finalised. After the initial completion the DPIA does not need further review unless the asset is likely to involve a new use of personal data or significantly change the way it handles personal data. Any major changes to information assets must be agreed; this includes new and/or replacement software, system updates and installations, removal or archiving of an information asset, and the creation of a new information asset.

     It is an asset owner's responsibility to complete a DPIA for any new information assets they are looking to introduce to the Trust. The asset owner is also responsible for ensuring that any modifications altering the use of data held in a current Trust asset are captured through the asset's DPIA document.

  10. Lifecycle diagram: Due Diligence (DPIA, DTAC)

  11. Digital Technology Assessment Criteria (DTAC)
     The Digital Technology Assessment Criteria (DTAC) is a nationally recommended document that the Trust has implemented. It must be completed by suppliers for the assets they provide and is used to provide assurance to the Trust that key digital requirements have been assessed and approved. The DTAC is completed at the same time as the DPIA document, with the IAO & IAA acting as the link with the supplier to ensure that the assessment is completed and all of the required supporting documents are provided.

     The DTAC brings together legislation and good practice for the below key areas within the Trust:
     • Clinical Safety
     • Cyber Security
     • Data Security & Protection
     • Information Security
     • Infrastructure
     • Interoperability
     • Service Delivery

     The IAO is responsible for ensuring that there is a completed DTAC in place for all systems under their ownership and should take an active role in reviewing the documentation.

  12. Lifecycle diagram: Due Diligence (DPIA, DTAC); Pre-Implementation

  13. Once approval of the DPIA & DTAC has been obtained, the following documentation needs to be finalised prior to the system's implementation:
     • DCB0160
     • Contractual & Data Processor/Sharing Agreements

  14. Lifecycle diagram: Due Diligence (DPIA, DTAC); Pre-Implementation (DCB0160)

  15. DCB0160
     Under the Health and Social Care Act 2012, section 250, all health organisations are responsible for ensuring that they can evidence compliance with the DCB0160 standard for healthcare systems implemented within their organisation. As this is a mandated requirement, DCB0160 documentation must be completed and maintained by the Asset Owner and Clinical Lead for all new clinical systems being introduced into the Trust, and for any change in use or decommissioning of a current system.

     In adherence to this Act, health organisations that are responsible for the deployment, use, maintenance or decommissioning of Health IT Systems within the health and care environment are required to ensure they are compliant with DCB0160 prior to implementing the system, through the completion of the below documentation:
     • Clinical Safety Case Report
     • Hazard Log
     • Clinical Risk Assessment
     • DCB0160 Compliance Assessment

     While the Trust's Clinical Safety Officer will offer guidance and support on what to include as part of this documentation, it is the Asset Owner and Clinical Lead's responsibility to ensure they are completed. The DCB0160 documentation should also be reviewed for the system at the point of contract renewal.

  16. Lifecycle diagram: Due Diligence (DPIA, DTAC); Pre-Implementation (DCB0160, Contract)

  17. Contract
     When the Trust, acting as data controller, uses an external company to act as processor, there must be a written contract (or other legal act or agreement) in place. The contract is important so that both parties understand their responsibilities and liabilities. If a processor uses another organisation (i.e. a sub-processor) to assist in its processing of personal data for a controller, it needs to have a written contract in place with that sub-processor.

     The contract (or other legal act) sets out details of the processing, including:
     • The subject matter of the processing
     • The duration of the processing
     • The nature and the purpose of the processing
     • The type of personal data involved
     • The categories of data subject
     • The controller's obligations and rights
     • Any transfers of data outside of the UK & EEA

     In the absence of a formal contract the Trust would complete a Data Processor Agreement, which documents the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the Trust's obligations and rights as a data controller.

     As part of their role, IAOs must engage with the Trust's Data Security & Protection (DSP) team to ensure that contracts put in place with providers meet the Trust's DSP requirements. Even systems provided free of charge must have an accompanying PO submitted through the Trust supplies department to ensure there is an audit trail. Once in place, the IAO must forward a copy of the finalised agreement to the Trust DSP team to provide assurance and evidence for the Trust's Data Security and Protection.

     The asset owner must also ensure that risks and incidents are monitored and that, if incidents are reported, the appropriate action is taken with the supplier to resolve the risk and prevent further incidents. Any incidents should be reported through the Trust Datix system.

  18. Lifecycle diagram: Due Diligence (DPIA, DTAC); Pre-Implementation (DCB0160, Contract); On-Going Management

  19. On-Going Asset Management
     The management of information assets is crucial in achieving a secure information handling and management structure within the Trust. Information is an invaluable resource to the Trust; its loss or misuse can damage its reputation and service delivery, and cause potential harm or distress to individual subjects. The Trust has a legal obligation to comply with all appropriate legislation in respect of data, information and IT security. It also has a duty to comply with guidance issued by the Department of Health (DoH), the Information Commissioner's Office (ICO), the Information Governance Alliance (IGA) and other advisory groups and professional bodies that provide guidance to staff.

     The Data Protection Act 2018 is the UK legislation that sets out the rules for processing information of identifiable living individuals. These rules are categorised under key principles which organisations collecting or processing data must adhere to as part of their responsibilities as a data controller or data processor. Under the Data Protection Act/GDPR the ICO may, in certain circumstances, enforce a monetary penalty notice when principles of the Act are breached. This is why the role of the Information Asset Owner (IAO) is so important. The IAO role is key to safeguarding and utilising data and information effectively for patients & staff, even whilst others take them for granted.

  20. Lifecycle diagram: Due Diligence (DPIA, DTAC); Pre-Implementation (DCB0160, Contract); On-Going Management (Best Practice)

  21. System Management Best Practice

  22. Poor quality and mismanaged information presents a risk to patients, service users, staff members and the organisation. As an asset owner, it is important that the information you store is regularly updated, correct, trustworthy and readily accessible.

     Accurate and up to date
     • Make sure you know what needs to be included in the record, why you are recording the information and how it will be used; this ensures that the information you enter is correct, justified and clear.
     • Make sure you record the information in the correct system and in the correct record.
     • Give individuals the opportunity to check information about them and point out any mistakes or inaccuracies.
     • If you are not a health or care professional, check the information with someone who is, or cross-reference the information with other records.
     • Follow your organisation's process to report and correct errors.
     • Give patients or service users the opportunity to check and confirm the details held about them.
     • When using shared records, ensure they are kept up to date so that others have the correct information available to them.
     • Ensure that records can only be obtained by those who need access to them; ensure access restrictions are applied.

     Recorded & complete
     • Record information as events occur, whilst the event is still fresh in your mind.
     • Record high-risk information as a matter of urgency.

     For completeness
     • Include the NHS number in health and care records; this helps to ensure that the correct record is accessed or shared for the correct patient or service user.
     • To avoid duplication, before you create a new record make sure that one doesn't already exist.
     • Save records in a secure place that is easy to find.
     • Ensure records are stored safely and securely, and that they can be quickly located when required.

  23. Confidentiality, Integrity, Availability

  24. User Access Management
     User access controls are an essential way to prevent unauthorised access and help support the maintenance of integrity across the University Hospital of North Midlands information systems. It is the responsibility of an IAO to ensure that there is a clear process in place for managing User Registration, User Change and User Removal:
     • User Registration - the procedure followed for providing access to a new employee;
     • User Change - the procedure followed for changing an employee's access;
     • User Removal - the procedure followed for an employee who leaves UHNM or moves role within the Trust, to ensure that their account is closed.

     When providing access to an individual it is important to consider the principle of least privilege. The principle of least privilege (PoLP) is an information security concept which maintains that a user or entity should only have access to the specific data, resources and applications needed to complete a required task. The principle means providing a user with only those privileges which are essential to perform their intended function. For example, a user account for the sole purpose of creating backups does not need to install software; hence, it has rights only to run backup and backup-related applications. Any other privileges, such as installing new software, are blocked. The principle also applies to a personal computer user who usually works in a normal user account, and opens a privileged, password-protected account only when the situation absolutely demands it.

     Information Asset Owners must also conduct a regular audit of their assets to ensure that the access levels granted to users are appropriate and that any information accessed by them is done so with a clear purpose.
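
     The registration/change/removal process and the least-privilege audit described above, as an added example that is not part of the handbook or any Trust tooling: it reconciles a constructed HR roster against constructed system accounts and flags leavers still active, movers carrying old entitlements, unknown accounts and privileges beyond the role's needs. The role-to-entitlement mapping, record layouts and sample data are all assumed for the demonstration.

```python
"""Joiner/mover/leaver access review for an information asset (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed role-to-entitlement mapping for a hypothetical clinical system.
# In practice this would come from the asset's SLSP or the supplier's role model.
ROLE_ENTITLEMENTS: dict[str, frozenset[str]] = {
    "clinician": frozenset({"read_record", "write_record"}),
    "ward_clerk": frozenset({"read_record", "register_patient"}),
    "backup_operator": frozenset({"run_backup"}),
    "system_admin": frozenset({"read_record", "write_record", "manage_users", "install_software"}),
}


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    role: str                        # current role per HR (movers show their new role)
    left_on: Optional[date] = None   # None while still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    active: bool
    entitlements: frozenset[str]


@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str      # "leaver_active", "unknown_user" or "excess_privilege"
    detail: str


def review_access(hr: list[HrRecord], accounts: list[Account], today: date) -> list[Finding]:
    """Reconcile system accounts against the HR roster.

    Flags, in account order: active accounts with no HR record (User Registration
    bypassed), active accounts of people who have left (User Removal missed), and
    active accounts holding entitlements their current role does not need. A mover
    whose entitlements still reflect the old role is caught by the last check.
    """
    roster = {r.user_id: r for r in hr}
    findings: list[Finding] = []
    for acct in accounts:
        if not acct.active:
            continue  # disabled accounts are out of scope for this review
        person = roster.get(acct.user_id)
        if person is None:
            findings.append(Finding(acct.user_id, "unknown_user", "active account with no HR record"))
            continue
        if person.left_on is not None and person.left_on <= today:
            findings.append(Finding(acct.user_id, "leaver_active",
                                    f"left on {person.left_on.isoformat()} but account still active"))
            continue
        allowed = ROLE_ENTITLEMENTS.get(person.role, frozenset())
        excess = sorted(acct.entitlements - allowed)
        if excess:
            findings.append(Finding(acct.user_id, "excess_privilege",
                                    f"role '{person.role}' does not need {excess}"))
    return findings


# Constructed sample data for the demonstration (no real staff or accounts).
REVIEW_DATE = date(2024, 6, 1)
HR_ROSTER = [
    HrRecord("u001", "clinician"),
    HrRecord("u002", "ward_clerk", left_on=date(2024, 5, 10)),  # leaver
    HrRecord("u003", "ward_clerk"),                              # mover: was a clinician
    HrRecord("u004", "backup_operator"),
    HrRecord("u005", "clinician", left_on=date(2024, 7, 31)),   # leaving in future, still valid
]
ACCOUNTS = [
    Account("u001", True, frozenset({"read_record", "write_record"})),
    Account("u002", True, frozenset({"read_record", "register_patient"})),
    Account("u003", True, frozenset({"read_record", "write_record"})),     # old clinician rights
    Account("u004", True, frozenset({"run_backup", "install_software"})),  # breaches least privilege
    Account("u005", True, frozenset({"read_record"})),
    Account("u999", True, frozenset({"read_record"})),                     # nobody in HR
    Account("u006", False, frozenset({"manage_users"})),                   # disabled, ignored
]


def run_review() -> list[Finding]:
    return review_access(HR_ROSTER, ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.user_id}: {f.kind}: {f.detail}")
```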

  25. Pseudonymisation & Anonymisation
     Among the arsenal of IT security techniques available, pseudonymisation or anonymisation is highly recommended by the GDPR. Such techniques reduce risk and assist data processors in fulfilling their data compliance obligations. If it can be proven that the true identity of the individual cannot be derived from anonymised data, then this data is exempt from the other measures required to ensure the strict confidentiality of the actual data. The two techniques differ, and under the GDPR the choice will depend on the degree of risk and how the data will be processed.

     The legal distinction between anonymised and pseudonymised data is its categorisation as personal data. Pseudonymous data still allows for some form of re-identification (even indirect and remote), while anonymous data cannot be re-identified. Pseudonymisation techniques differ from anonymisation techniques. With anonymisation, the data is scrubbed of any information that may serve as an identifier of a data subject. Pseudonymisation does not remove all identifying information from the data but merely reduces the linkability of a dataset with the original identity of an individual (e.g., via an encryption scheme).

     Both pseudonymisation and anonymisation are encouraged in the GDPR and enable its constraints to be met. These techniques should therefore be generalised and recurring. Those in possession of personal data should implement one or other of these techniques to minimise risk, and automation can reduce the cost of compliance.
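
     The distinction above in working code, as an added example that is not from the handbook: pseudonymisation keeps the record linkable through a keyed token that only the key holder can recompute (so it is still personal data), whereas anonymisation drops the direct identifiers and generalises the quasi-identifiers so no key can reverse it. The record fields, the HMAC-based scheme and the sample key are assumptions made for the demonstration.

```python
"""Pseudonymising vs anonymising a patient record (added example)."""
from __future__ import annotations

import hashlib
import hmac
from datetime import date
from typing import Iterable, Optional

# Field classes assumed for the example record.
DIRECT_IDENTIFIERS = ("nhs_number", "name")
QUASI_IDENTIFIERS = ("date_of_birth", "postcode")


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with a keyed token.

    The token is an HMAC-SHA256 of the NHS number under a secret held by the
    Trust: the same patient always gets the same token (records stay linkable),
    and only a key holder can recompute it. The output is still personal data.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    digest = hmac.new(key, record["nhs_number"].encode(), hashlib.sha256).hexdigest()
    out["patient_token"] = digest[:16]
    return out


def age_band(dob: date, on: date, width: int = 10) -> str:
    """Generalise an exact date of birth to a band such as '40-49'."""
    age = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def anonymise(record: dict, on: date) -> dict:
    """Drop direct identifiers and generalise quasi-identifiers.

    Date of birth becomes an age band and the postcode keeps only its outward
    code, so the record can no longer be tied back to one individual and no key
    exists that would reverse the step.
    """
    drop = DIRECT_IDENTIFIERS + QUASI_IDENTIFIERS
    out = {k: v for k, v in record.items() if k not in drop}
    out["age_band"] = age_band(record["date_of_birth"], on)
    out["postcode_area"] = record["postcode"].split()[0]
    return out


def reidentify(token: str, key: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Why pseudonymised data is still personal data: a key holder can recompute
    tokens for known NHS numbers and match them back to the record."""
    for nhs_number in candidates:
        expected = pseudonymise({"nhs_number": nhs_number}, key)["patient_token"]
        if hmac.compare_digest(expected, token):
            return nhs_number
    return None


# Constructed sample record and key (not real patient data or a production key).
RECORD = {
    "nhs_number": "943 476 5919",
    "name": "Jane Example",
    "date_of_birth": date(1978, 3, 14),
    "postcode": "ST4 1AA",
    "diagnosis_code": "J18.9",
}
TRUST_KEY = b"constructed-demo-key-replace-in-production"
AS_OF = date(2024, 6, 1)


if __name__ == "__main__":
    print(pseudonymise(RECORD, TRUST_KEY))
    print(anonymise(RECORD, AS_OF))
```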

  26. Information Mismanagement
     The mismanagement of information assets, particularly when sharing with an external organisation, can lead to a multitude of issues for the Trust:
     • Data Protection & Confidentiality: personal data breaches and up to 500,000 fine/enforcement action/undertakings
     • Freedom of Information and EIR: decision notices/fines/imprisonment of the CEO or equivalent
     • Information Security: personal data breaches/loss of corporate information
     • Information and Records Management: information lost; time taken to find lost information = 10% of public sector workers' time; loss of business efficiency
     • Information Governance Management: lack of consistency leads to poor co-ordination; lack of training leads to all of the above
     • Information Quality Management: never-incidents; poor data leads to poor planning and research and other mistakes

  27. Sharing information with other organisations
     When sharing information with other organisations there are some key principles which must be adhered to:
     • Ensure that the relevant sharing or processing agreements are in place to support the sharing.
     • Make sure that the data flow is recorded in the asset's DPIA, and update it as required.
     • Ensure that the correct security controls are in place to send the information and that you are using a Trust-approved secure transfer method.
     • If sharing patient identifiable information, ensure that the individual you are sharing the data with has a legitimate purpose for receiving the data, and consider whether the data can be pseudonymised or anonymised prior to sending.

     Remember: if you are unsure, seek guidance from the Trust's Data Security & Protection Team.

  28. Lifecycle diagram: Due Diligence (DPIA, DTAC); Pre-Implementation (DCB0160, Contract); On-Going Management (Best Practice, Cyber Security & Incident Management)

  29. Cyber Security & Incident Reporting

  30. Cyber Security
     Information Asset Owners must have an awareness of Trust policies and understand any potential impact that they will have on the assets they are responsible for. With the importance of cyber security within the NHS ever increasing, it is important that Information Asset Owners have an awareness and understanding of the Trust's cyber security requirements and understand how they can seek guidance and report threats within the Trust. The below points are some key areas which must be considered in relation to the cyber security of an information asset.
     • Transport Level Security - All web portals must use secure HTTPS sites, have suitable security protocols in place and hold an in-date security certificate. Acceptable protocols for information assets deployed in the Trust are TLS 1.2 and higher only.
     • Encryption - Encryption is the process of scrambling data so that only authorised individuals can unscramble it. Information Asset Owners are responsible for ensuring that their assets encrypt data in line with the current NHS standard: 256-bit at rest and in transit.
     • Patching - It is the responsibility of an Information Asset Owner to ensure that their systems are operating on the latest software version. To maintain security compliance, system patches and updates must be applied within 14 days of release. This reduces the risk of attackers making use of vulnerabilities within a system.

     All suspected or potential cyber security incidents should be logged on Datix and reported to the Trust Cyber Security team (cybersecurity@uhnm.nhs.uk) for advice & guidance. Any identified underlying risks or vulnerabilities must be logged as a risk on Datix to enable monitoring and action planning to take place.
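
     A review check for the three requirements above (TLS 1.2 and higher only, 256-bit at rest and in transit, patches within 14 days of release), as an added example that is not the Trust's own tooling: it evaluates constructed asset-register entries and lists each shortfall an IAO would need to raise. The register field names and the two hypothetical systems are assumptions made for the demonstration.

```python
"""Checking asset-register entries against the cyber security baseline (added example)."""
from __future__ import annotations

from datetime import date, timedelta
from typing import Optional

MIN_TLS = (1, 2)          # TLS 1.2 and higher only
MIN_KEY_BITS = 256        # 256-bit at rest and in transit
PATCH_WINDOW_DAYS = 14    # patches applied within 14 days of release


def parse_tls(version: str) -> tuple[int, int]:
    """Turn 'TLSv1.2', 'TLS 1.3' or '1.0' into a comparable (major, minor) pair."""
    digits = version.upper().replace("TLSV", "").replace("TLS", "").strip()
    major, minor = digits.split(".")
    return int(major), int(minor)


def check_asset(asset: dict, today: date) -> list[str]:
    """Return the baseline findings for one asset-register entry (empty if compliant)."""
    findings: list[str] = []
    # Transport security: any protocol version below 1.2 still enabled is a finding,
    # as is an expired certificate.
    weak = [v for v in asset["tls_versions_enabled"] if parse_tls(v) < MIN_TLS]
    if weak:
        findings.append("TLS below 1.2 still enabled: " + ", ".join(weak))
    if asset["certificate_expires"] < today:
        findings.append(f"security certificate expired on {asset['certificate_expires'].isoformat()}")
    # Encryption: both locations must meet the key size.
    for where in ("at_rest", "in_transit"):
        bits = asset["encryption_bits"].get(where, 0)
        if bits < MIN_KEY_BITS:
            findings.append(f"encryption {where.replace('_', ' ')} is {bits}-bit, below {MIN_KEY_BITS}-bit")
    # Patching: applied late, or still unapplied once the window has passed.
    for patch in asset["patches"]:
        deadline = patch["released"] + timedelta(days=PATCH_WINDOW_DAYS)
        applied: Optional[date] = patch.get("applied")
        if applied is None and today > deadline:
            findings.append(f"patch {patch['id']} unapplied {(today - deadline).days} days "
                            f"past the {PATCH_WINDOW_DAYS}-day window")
        elif applied is not None and applied > deadline:
            findings.append(f"patch {patch['id']} applied {(applied - patch['released']).days} days after release")
    return findings


def check_register(register: list[dict], today: date) -> dict[str, list[str]]:
    """Map each non-compliant asset name to its findings."""
    result: dict[str, list[str]] = {}
    for asset in register:
        findings = check_asset(asset, today)
        if findings:
            result[asset["name"]] = findings
    return result


# Constructed asset-register entries (hypothetical systems, not the Trust's register).
REVIEW_DATE = date(2024, 6, 1)
REGISTER = [
    {
        "name": "Clinic Portal",
        "tls_versions_enabled": ["TLSv1.2", "TLSv1.3"],
        "certificate_expires": date(2025, 1, 31),
        "encryption_bits": {"at_rest": 256, "in_transit": 256},
        "patches": [{"id": "P-101", "released": date(2024, 5, 1), "applied": date(2024, 5, 9)}],
    },
    {
        "name": "Legacy Results Viewer",
        "tls_versions_enabled": ["TLSv1.0", "TLSv1.2"],
        "certificate_expires": date(2024, 3, 31),
        "encryption_bits": {"at_rest": 128, "in_transit": 256},
        "patches": [
            {"id": "P-201", "released": date(2024, 4, 1), "applied": date(2024, 5, 6)},
            {"id": "P-202", "released": date(2024, 5, 10), "applied": None},
        ],
    },
]


def run_check() -> dict[str, list[str]]:
    return check_register(REGISTER, REVIEW_DATE)


if __name__ == "__main__":
    for name, findings in run_check().items():
        print(name)
        for line in findings:
            print("  -", line)
```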

  31. Incident Reporting
     Any DSP and information asset incidents must be reported via Datix, and the DSP team will investigate and decide whether they need to be reported to the Information Commissioner's Office (ICO). By law, the Trust must report any qualifying personal data breaches to the ICO without undue delay and within 72 hours. It is vital you contact the DSP team ASAP. Many incidents that occur can be clinical or cyber related; the below provides an overview of the types of incidents which should be reported.

     Data Security Incidents:
     • Identifiable data lost in transit
     • Lost or stolen hardware
     • Lost or stolen paperwork
     • Data disclosed in error
     • Data uploaded to website in error
     • Non-secure disposal of hardware
     • Non-secure disposal of paperwork
     • Technical security failing
     • Corruption or inability to recover data
     • Unauthorised access or disclosure

     Cyber Incidents:
     • Phishing email
     • Denial of service attack
     • Social media disclosure
     • Website defacement
     • Malicious damage to systems
     • Cyber bullying
     • Social engineering

  32. Lifecycle diagram: Due Diligence (DPIA, DTAC); Pre-Implementation (DCB0160, Contract); On-Going Management (Best Practice, Cyber Security & Incident Management); Assurance

  33. Why do we need an Information Asset Register?
     In order to assist Information Asset Owners in performing the necessary reviews of their assets, a suite of assessment forms has been created covering the core elements of information security. In completing these forms the asset owner will gain an understanding of an asset's compliance and identify any risks associated with that system. IAOs are responsible for ensuring any risks identified are raised and managed appropriately within their department and are included within the security forms. IAOs are also responsible for logging identified risks on the Datix Risk Register. Once completed, these forms are reviewed by the Trust's Data Security and Protection team (which includes the Trust DPO). Feedback may be returned to the asset owner for further action, and reports are used in the Trust's DSP Toolkit submission.

  34. Lifecycle diagram: Due Diligence (DPIA, DTAC); Pre-Implementation (DCB0160, Contract); On-Going Management (Best Practice, Cyber Security & Incident Management); Assurance (Information Asset Register)

  35. Information Security Forms
     As part of the Trust's Information Asset process, asset owners are required to complete four Information Security Forms:
     • Risk
     • Business Continuity and Disaster Recovery (BCDR)
     • System Level Security Policy (SLSP)
     • Dataflow

  36. Lifecycle diagram: Due Diligence (DPIA, DTAC); Pre-Implementation (DCB0160, Contract); On-Going Management (Best Practice, Cyber Security & Incident Management); Assurance (Information Asset Register, Information Security Forms)

  37. System Level Security Policy (SLSP)
     The development, implementation and management of the System Level Security Policy (SLSP) will demonstrate an Information Asset Owner's understanding of Data Security & Protection risks and commitment to addressing the security and confidentiality needs of a particular system. An effective SLSP therefore contains a considered and specific view of the range of security policy and management issues relevant to a system, and encompasses a range of technical, operational and procedural security topics.

     The SLSP identifies appropriate lines of accountability, both within the Trust and for those other bodies who may legitimately use the system. The SLSP includes references to other external security documentation and standards, including the Trust's corporate security policy and, where relevant, the security policies and procedures of other organisations. Where the system is available to multiple organisations, the SLSP must establish the necessary common policy, security parameters and operational framework for that system's expected operation, including any functional limitations or data constraints applicable to one or more bodies.

     The SLSP is a core component of an accreditation documentation set for those organisations that undertake formal accreditation processes for their information assets. NHS organisations are required, as part of the Data Security & Protection requirements, to generate an SLSP for all / major / critical information systems. It is the responsibility of the IAO, with the support of the IAA, to ensure that these documents are completed and subsequently reviewed on an annual basis.

  38. Data Flow Mapping
     This is the process of documenting a regular exchange of data/information from one location/system (internal or external) to another, and the method by which it is exchanged. All data must have a purpose, and data flows may include:
     • System to system transfers
     • Email
     • Post/courier
     • Text
     • Portable electronic/removable media
     • Manual processing
     • Extracting data for reporting
     • Automated processing (RPA)

     A key element of the data flow transfer map will be to identify whether the asset is transferring data to other countries. If an overseas transfer is identified, the Information Asset Owner must contact the DSP team. Information sent outside of the UK is classed as high risk, and the Trust must ensure appropriate security arrangements are in place. European countries and the rest of the world have different data protection laws from the UK.

  39. Business Continuity and Disaster Recovery (BCDR)
     Business continuity is a core component of corporate risk management and emergency planning. Its purpose is to counteract or minimise interruptions to a Trust's business activities from the effects of major failures or disruptions to its information assets.

     Within the NHS there is a large amount of information that needs to be kept secure; however, the way that we secure this information must not have a negative impact on healthcare. Therefore, in order to save lives and provide continued healthcare in the event of a disaster or incident, the solution to enable business and service continuity in some instances may not be deemed as secure as before. However, what must be stressed is that an approach with a blatant disregard for security should not even be considered, as there is still a responsibility for patient safety and confidentiality. Security needs to be flexible, for within the NHS clinical safety will be the priority. In a disaster situation, issues surrounding clinical safety will always take precedence over security issues.

     It is the responsibility of the IAO to ensure that there is a relevant business continuity and disaster recovery plan in place for their assets. It is the responsibility of the IAO, with the support of the IAA, to ensure that these documents are completed and subsequently reviewed on an annual basis.

  40. Risk
     It is a DSP requirement that a risk assessment is conducted on all information assets on an annual basis as a minimum. Risk is defined as the product of the amount that may be lost (the impact) and the probability of losing it (the likelihood). Any actual or perceived risk must be discussed at divisional level and considered for inclusion on the Divisional Trust Risk Register (Datix). The assessment template has been created in line with the Trust's RM01 Risk Management Policy and Strategy.

     The basic steps to preventing risks to Information Assets are:
     • Identify assets and who is responsible for them
     • Determine the risk methodology and the level of acceptable (residual) risk
     • Identify the value of each asset ("What if?")
     • Identify threats to each asset
     • Identify vulnerabilities a threat might exploit
     • Carry out a risk assessment
     • Put in place measures to reduce risk
     • Audit

     It is the responsibility of the IAO, with the support of the IAA, to ensure that these documents are completed and subsequently reviewed on an annual basis.

  41. Lifecycle diagram: Due Diligence (DPIA, DTAC); Pre-Implementation (DCB0160, Contract); On-Going Management (Best Practice, Cyber Security & Incident Management); Assurance (Information Asset Register, Information Security Forms); Contract Renewal

  42. Contract Renewal
     To ensure that information assets adhere to the latest national security requirements and continue to provide the required level of assurance to the Trust, when an asset's contract is due for renewal the due diligence process is repeated and the previously completed documentation reviewed. It is the responsibility of the IAO, with the support of the IAA, to ensure that these documents are revised and subsequently reviewed prior to the contract renewal. The DCB0160 documentation should also be reviewed for the system at the point of contract renewal.

  43. Lifecycle diagram: Due Diligence (DPIA, DTAC); Pre-Implementation (DCB0160, Contract); On-Going Management (Best Practice, Cyber Security & Incident Management); Assurance (Information Asset Register, Information Security Forms); Contract Renewal; End of Lifecycle

  44. End of Lifecycle
     Any system or source of information may be considered an information asset even if it is not used regularly or in a live environment. For example, old systems that have been superseded may be kept in order to store and access historic patient information. These assets should still provide the same level of information security assurance and will remain on the asset register as live assets.

  45. Lifecycle diagram: Due Diligence (DPIA, DTAC); Pre-Implementation (DCB0160, Contract); On-Going Management (Best Practice, Cyber Security & Incident Management); Assurance (Information Asset Register, Information Security Forms); Contract Renewal; End of Lifecycle (Asset Decommissioning)

  46. Decommissioning
     Assets remain on the register until the IAO can provide assurance to the SIRO, via the completion of an Asset Decommissioning Form, that the asset has been fully decommissioned. The decommissioning form will seek assurance on aspects such as:
     • Uninstalling software
     • Removing hardware
     • Physical destruction of any device or removable storage (hard drives/flash drives)
     • Identifying retention requirements for the stored data
     • Migrating/archiving of historic data (transference to a Secondary Asset)
     • Confirmation/sign-off from IT, suppliers & third parties that the system has been uninstalled
     • End of Information Sharing Agreements

  47. Legislation

  48. The General Data Protection Regulation (GDPR) & Data Protection Act 2018 The Data Protection Act 2018 is the UK legislation that sets out the rules for processing information about identifiable living individuals. These rules are categorised under key principles which organisations collecting or processing data must adhere to as part of their responsibilities as a data controller or data processor. Under the Data Protection Act/UK GDPR the ICO may, in certain circumstances, issue a monetary penalty notice when the principles of the Act are breached. Personal data is defined under UK GDPR as any information relating to an identified or identifiable natural person (the 'data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  49. Principles for Processing Personal Data The processing of personal information must be done lawfully according to the following Data Protection principles. Personal data shall be:
1. Processed lawfully, fairly and in a transparent manner in relation to the data subject.
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
7. Accountability: you are required to take responsibility for what you do with personal data and for how you comply with the other principles above. You must have proportionate measures and records in place to demonstrate your compliance.
GDPR has also brought the idea of data protection by design and by default into regulation. It encourages the use of controls such as encryption and pseudonymisation.

  50. Caldicott Principles When handling confidential information you should always consider the Caldicott Principles:
Caldicott Principle 1: Do you have a justified purpose for using this confidential information? The purpose for using confidential information should be justified, which means making sure there is a valid reason for using it to carry out that particular purpose.
Caldicott Principle 2: Are you using it because it is absolutely necessary to do so? The use of confidential information must be absolutely necessary to carry out the stated purpose.
Caldicott Principle 3: Are you using the minimum information required? If it is necessary to use confidential information, it should include only the minimum that's needed to carry out the purpose.
Caldicott Principle 4: Are you allowing access to this information on a strict need-to-know basis only? Before confidential information is accessed, a quick assessment should be made to determine whether it is actually needed for the stated purpose. If the intention is to share the information, it should only be shared with those who need it to carry out their role.
