The British Association for Parenteral and Enteral Nutrition is a charity whose objects are to advance clinical nutrition. This involves the relief of sickness as a result of malnutrition; education of health workers, patients, policy makers and the general public and research into clinical nutrition and human metabolism.
The Objective of this policy is to establish and maintain both the physical and information security of BAPEN, including sensitive and confidential information, by:
- Ensuring that all Officers, Council members and those engaged by BAPEN to provide a service to the Association are aware of and fully comply with the relevant legislation as described in this and other documents.
- Describing the principles of security and explaining how they shall be implemented within the Charity.
- Introducing a consistent approach to security and ensuring that everyone understands their responsibilities.
This Information Systems Security Policy shall apply to:
(i) All companies or external organisations commissioned by BAPEN to develop or hold information collected by BAPEN.
(ii) All Officers, Council members and those engaged by BAPEN (including committee members and working party members) to provide a service to the Association.
Responsibility for Security
Overall responsibility for security rests with the Trustees of the Charity (Chairman, Treasurer and Secretary), but on a day-to-day basis this responsibility will be delegated to the company or external organisation holding the database(s).
All BAPEN officers, Council members, committee members, working party members, companies and external organisations are to comply with the requirement to maintain security and confidentiality. Failure to do so may result in removal from office within the Charity, disciplinary action or termination of the contract with the company or organisation, respectively.
This Information System Security Policy shall be maintained, reviewed and updated as directed by the BAPEN Caldicott Guardian.
BAPEN does not hold secure data itself; such data is held on its behalf by third-party companies or external organisations. Such companies or external organisations must have a security policy that is approved by BAPEN. Each company or organisation has a responsibility to comply with the security requirements that may be in force. Each company or organisation should strive to ensure that confidentiality and integrity are preserved to the highest standard.
BAPEN is obliged to abide by all relevant UK and European Union legislation. This requirement devolves to the Officers, Council members, and employees of companies and external organisations, who may be held personally responsible for any breaches. The legislation includes:
Data Protection Act
The provisions of this Act relate to all personal data of living persons and cover:
(i) Fair and lawful obtaining of data
No person should be misled about the uses, potential or real, which may be made of the information they provide. Further guidance is available from the Data Protection Registrar’s office in a (free) booklet.
(ii) Purpose of Information
(iii) Use or Disclosure of Information
Information stored in any system shall be used and disclosed only in accordance with the Register Entry. Any breach of this principle may lead to prosecution of an individual, company or external organisation.
(iv) Limits of Stored Information
Consideration must be given to the adequacy and relevancy of information. It must be adequate for the purpose for which it is held but it must not be excessive.
All reasonable steps must be taken to ensure that data is accurately captured and entered into the appropriate system. In particular, it must be updated to reflect the current situation.
Information must not be kept longer than it is needed. This requires an adequate and efficient archiving strategy for each type of personal record on the system. The external organisation is responsible for devising and implementing such a strategy.
Appropriate security measures must be taken within any company or external organisation holding data on behalf of BAPEN to prevent unauthorised access to, alteration, disclosure or destruction of personal data in addition to accidental loss or destruction.
Copyright, Designs and Patents Act
All computer software used on any automated information system within BAPEN and any company or external organisations contracted to BAPEN must be properly licensed.
The Computer Misuse Act
(i) The purpose of this legislation is to ease the prosecution of persons who access systems without authorisation to do so.
(ii) It is necessary to ensure that all members of staff understand the seriousness of accessing parts of any system to which they have not been given access rights. Notice is hereby given that BAPEN intends to pursue prosecution of those who set out deliberately to try to extend their legitimate scope of access for unauthorised purposes.
Health and Safety at Work Act
Computers should be used in a manner that does not affect the user’s health.
All security incidents are to be reported immediately to the Caldicott Guardian and BAPEN Trustees (Chairman, Secretary and Treasurer) using the Incident Report Form (see Annex A).
Data Import/Export and Disposal
No patient-identifiable data or personal data may be transferred to other companies or organisations without the express permission of each owner of the data.
Where, exceptionally, financial, sensitive or patient-identifiable data needs to be transferred across the internet or physically transported, the media used (tapes, disks, memory drives) must be encrypted to the standard of encryption set in the Electronic Government Interface Framework (E-gif) Technical Standards Catalogue version 6.2 (http://www.govtalk.gov.uk/schemasstandards/egif_document.asp?docnum=957).
In brief summary, the NHS information governance data encryption algorithms currently applicable are:
- 3DES (168-bit)
- AES 256
These algorithms should be used with a recommended minimum key length of 256 bits where available. This is the standard we are moving towards and whilst tactical deployments of less robust encryption are acceptable for now this should be kept under review and stronger encryption introduced when practicable.
Where data is to be transferred across the internet or by removable media, it is recommended that AES256 encryption is employed. This standard is available when using applications such as PGP or WINZIP version 9. With these products the data can be put into a Self Decrypting Archive (SDA), so the software that created the archive does not need to be installed on the recipient's computer. The pass phrase for the archive must be of an appropriate length and complexity. To ensure the safety of data in transit, the pass phrase should be communicated to the recipient separately from the encrypted data, so that the intended recipient is the only one able to decrypt it.
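As an added illustration (not code from the policy, nor from PGP or WinZip), the following Python shows the scheme this paragraph recommends: a 256-bit AES key derived from a pass phrase, authenticated encryption of the record, and a decrypt that fails under a wrong pass phrase or a tampered archive. It uses the third-party `cryptography` package; the archive layout, the 16-character minimum and the three-character-class rule are this example's own assumptions, since the policy states no numbers.

```python
import os
import hashlib
from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # third-party 'cryptography' package
from cryptography.exceptions import InvalidTag

SALT_LEN, NONCE_LEN, KEY_LEN, ITERS = 16, 12, 32, 200_000  # 32-byte key = AES-256
MIN_PASSPHRASE_LEN = 16  # assumed threshold; the policy gives no number


def passphrase_is_acceptable(passphrase: str) -> bool:
    """Minimum length plus at least three character classes (assumed reading of 'length and complexity')."""
    classes = (any(c.islower() for c in passphrase), any(c.isupper() for c in passphrase),
               any(c.isdigit() for c in passphrase), any(not c.isalnum() for c in passphrase))
    return len(passphrase) >= MIN_PASSPHRASE_LEN and sum(classes) >= 3


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 stretches the pass phrase into a 256-bit key; the salt makes each archive's key unique."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERS, KEY_LEN)


def seal(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || AES-256-GCM ciphertext+tag (this example's own layout, not PGP's or WinZip's)."""
    if not passphrase_is_acceptable(passphrase):
        raise ValueError("pass phrase too short or too simple")
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    return salt + nonce + AESGCM(derive_key(passphrase, salt)).encrypt(nonce, plaintext, None)


def open_archive(passphrase: str, archive: bytes):
    """Reverse seal(); None means a wrong pass phrase or an archive altered in transit (GCM tag check failed)."""
    if len(archive) < SALT_LEN + NONCE_LEN + 16:  # 16-byte GCM tag
        return None
    salt, nonce, ct = archive[:SALT_LEN], archive[SALT_LEN:SALT_LEN + NONCE_LEN], archive[SALT_LEN + NONCE_LEN:]
    try:
        return AESGCM(derive_key(passphrase, salt)).decrypt(nonce, ct, None)
    except InvalidTag:
        return None


if __name__ == "__main__":
    # Constructed sample record; in practice the pass phrase travels by a separate channel from the archive.
    record = b"patient-ref: [placeholder]; referral date: 2024-01-01"
    blob = seal("Correct-Horse-Battery-42!", record)
    print(open_archive("Correct-Horse-Battery-42!", blob) == record)  # True
    print(open_archive("Wrong-Pass-Phrase-99!", blob))                  # None
```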
All data that is transported on media must also be sent using a security firm, after approval from the BAPEN Caldicott Guardian.
Disks and tapes exported to other organisations must also be virus checked before despatch. The following procedures should be followed when disposing of records and equipment:
- Hard disks will be physically broken.
- CDs and floppy disks will be physically broken.
- A shredder will be used when possible.