Dealing with requests for sensitive information from the Police Top
Can I use generic passwords?
Can I leave my password with a colleague when I’m on leave?
How do I dispose of confidential information?
Can I e-mail personal or sensitive information?
How do I store electronic confidential information?
How do I restrict access to a folder on the shared drive?
How do I make sure I always have the correct document version to hand?
Can I use USB Memory sticks?
How do I know if my laptop is encrypted?
How do encrypt documents and files?
How do I allow other users access to my Inbox and Calendar and what restriction should apply?
How can I check who has access to my Inbox and Calendar?
How secure is NHS Mail?
How do I encrypt CD’s?
Can I securely print?
Can I use shared mailboxes for to receive and send confidential information?
How do I tell if a website is secure?
What should I do if I think my PC has a virus?
How should I store my laptop offsite?
What information is backed up?
My PC is broken, have I lost all my information?
My file has been deleted, can I get it back?
Is remote access secure and can I work on confidential files?
I have lost/had stolen a piece of NHS computer equipment, what should I do?
Dealing with request for sensitive information from the Police. Back
In certain circumstances the police do have a legal right to access personal information without the knowledge of the data subject. However, the law relating to the disclosure of personal information to the Police is specialist area that requires expert advice. Requests for information from the Police must therefore be referred to the SHA Data Protection or Information Governance Lead.
Can I use generic passwords? Back
In order to provide robust information security assurance it is necessary to provide accurate user logon identification and audit trails. If password and user IDs are shared this cannot be achieved. Therefore the use of generic passwords is prohibited unless authorisation from the SHA Information Governance Lead or HQ IT Manger has been sought.
Can I leave my password with a colleague when I’m on leave? Back
The sharing of passwords is strictly prohibited. In order to provide robust information security assurance it is necessary to provide accurate user logon identification and audit trails. If password and user IDs are shared this cannot be achieved.
How do I dispose of confidential information? Back
All SHA employees must ensure that information of a confidential or commercially sensitive nature is disposed of securely. The SHA provides confidential waste paper bins at all of its premises. It should be noted that confidential information is not always stored in a paper format and is occasionally copied to another form of storage device such as a CDR or a USB stick. In the event that is necessary to confidentially destroy any other form of media the SHA Information Governance Lead or HQ IT Manger must be contacted to arrange secure destruction.
Can I e-mail personal or sensitive information? Back
The transmission of personal identifiable information externally over the internet e-mail (e.g. Hotmail, AOL etc) is prohibited. Personal information should only be e-mailed to and from nhs.net accounts. However should there be an urgent need then only the absolute minimum amount of information necessary should be transmitted, it should be transmitted in a password protected file and only to recipients who have a legitimate need to know this personal information. The password for the file should be disclosed separately by telephone.
How do I store electronic confidential information? Back
Currently East Midlands NHS utilises a Shared Drive (P: Drive or \\Trentshafs01\nhseastmidlands) in order to store the majority of its electronic records. Each Directorate has a specific area on this drive where they can store documents.
When utilising this facility the content of the document must be considered, in the event that access to the document is to be limited then the document creator must ensure that the record is located in a restricted area on the shared drive.
In addition to the shared drive (P: Drive) NHS East Midland employees also have the facility to store confidential information in their personal drive (H Drive). This drive has restricted access rights and can only be accessed by the user.
It is prohibited for any employee to store any records on local drives such as physical hard drives (C: Drives).
How do I restrict access to a folder on the shared drive? Back
Requests for the creation of departmental folders and security permissions to be set up and modified must come from a senior manager within your Directorate (this includes the Directorate Business Manager). Requests should be then sent to the IT Customer Service Team at dhis.cst@derwentsharedservices.nhs.uk for the restrictions to be applied.
How do I make sure I always have the correct document version to hand? Back
Some high level corporate documents such as policies and procedures undergo a consultation process and numerous drafts prior to them being approved. It is therefore necessary that documents include clear & concise version control.
The document title must contain within it an indication of which version this document is, starting with V0.00. At each redrafting it should be altered to V0.01, V0.02 and so on until it has gone through to the final approval stage at which point it becomes a formal NHS East Midlands record. When a document receives final approval the document version control must be changed to V1.0 to reflect its approved status. All addition minor amendments must be altered to V0.01, V0.02 and so on.
When the record is next reviewed, for example after a year has elapsed or a major change is required the document version must be renamed V2.00 and then changed to V2.01 and V2.02 and so on, as this version goes through the draft approval process.
Can I use USB Memory sticks? Back
If you require a USB memory stick you may acquire one from the SHA HQ IT Manger. These sticks are fully encrypted to national standards. Use of non encrypted sticks is strictly prohibited.
How do I know if my laptop is encrypted? Back
If your laptop is encrypted you will find the SafeBoot logon screen appears when you first turn on your laptop as shown below.
In the event that you have not seen this screen on your laptop please report this immediately to the IT Customer Service Team at dhis.cst@derwentsharedservices.nhs.uk and the HQ IT Manager.
How do I encrypt documents and files? Back
Zip files are a good way to collect a number of files up inside a single ‘jacket’ and also ensure that they are sufficiently secured. A program called TugZip is available which enables password to be put on the files, meaning they can be encrypted and therefore secure – a necessity if confidential information is involved. If you require TugZip please contact the IT Customer Service Team at dhis.cst@derwentsharedservices.nhs.uk.
How do I allow other users access to my Inbox and Calendar and what restriction should apply? Back
It is possible to give different users permissions to your calendar, inbox and other folders. These permissions can range from nothing, to full owner rights, e.g. I have given my team owner rights so they can add things to my calendar, and the organisation viewing rights, so anyone can see where I am / when I’m free - but they cannot change or add anything.
Careful consideration should be given to the amount of access you give to another user and to the content of your emails. It is worth noting there is no audit trail for mailbox access and thereby any changes made cannot be distinguished as which user has made them. It is therefore recommended that users periodically check who has access to their calendar, inbox and other folders. Further information relating to this process can be obtained from the IT Customer Service Team at dhis.cst@derwentsharedservices.nhs.uk.
How can I check who has access to my Inbox and Calendar? Back
How secure is NHS Mail? Back
NHS mail is the only NHS email service that is secure enough for the transmission of sensitive personal data. Although e-mails sent via NHS mail are encrypted between the users' PC and the NHS mail service, only messages sent to other NHS mail users or secure GSi domains are guaranteed as secure. Domains that are secure for the exchange of confidential data are: .x.gsi.gov.uk; .gsi.gov.uk; .gse.gov.uk; .gsx.gov.uk; .police.uk; .pnn.police.uk; .cjsm.net; .scn.gov.uk; .gcsx.gov.uk.
How do I encrypt CD’s? Back
Zip files are a good way to collect a number of files up inside a single ‘jacket’ and also ensure that they are sufficiently secured. A program called TugZip is available which enables password to be put on the files, meaning they can be encrypted and therefore secure – a necessity if confidential information is involved. Once the file is zipped and encrypted it can be copied to a CDR. If the CDR is then to be transported it is imperative that the password to the stored files are not kept with the CDR. In addition if the CDR is to be sent via Royal Mail it must be sent “Special Delivery” in order to allow online tracking.
Can I securely print? Back
All the Lexmark x945e printers in Octavia House and Unit 7 contain a function that enables the user to send print jobs to the printer with a username and PIN number attached to them, meaning tat the job is held by the printer it is sent to until the user selects their username on the screen of the printer, enters their PIN number and selects print.
For details on how to use this function either ask a business Manager or the HQ IT Manager.
Can I use shared mailboxes to receive and send confidential information? Back
Shared mailboxes should not be used to ask for, receive or store confidential information under any circumstances. By their very nature shared mailboxes are accessible by multiple people, some of which may not be appropriate to view the information in question.
With shared mailboxes there is also no auditable traceability, which is a requirement of the IG Toolkit.
How do I tell if a website is secure? Back
There are a couple of visual aids to telling if a website is secure:
1. Look for the lock icon in the bottom of your browser:
2. Check the web address to see if it starts ‘https://’ ß this indicated a secure connection
What should I do if I think my PC has a virus? Back
If you think your machine has a virus, you should shut it down immediately, unplug the power and put a notice on the monitor / screen saying do not use – suspected virus. Contact the IT Customer Service Team on 01332 868900 to report the incident so that a technician can visit the PC to inspect and repair it.
Leaving the machine on for any length of time if it is infected puts other users and PC at risk in the organisation.
How should I store my laptop offsite? Back
Laptops should not be left unattended when off site at any time. If absolutely necessary and as a last resort they have to be left in a car, this should be in the boot out of view from anyone else. Although this should only be or short periods of time until the device can be securely placed either back in the office of locked home.
What information is backed up? Back
Only information stored on the file server and email server is backed up (i.e. any stored on the P: drive ( \\trentshafs01\nhseastmidlands ) . Anything stored locally on a PC or laptop is not backed up, so in the event of a hardware failure of that device the data would be lost.
My PC is broken, have I lost all my information? Back
As long as no information was stored locally on the PC / laptop and was on the network droves then the data will not be lost.
Also please see ‘What Information is backed up’
My file has been deleted, can I get it back? Back
If the file was stored on the network shared drives, and was deleted within the past month then IT will be able to restore it from one of the backups, in this case please contact the IT Customer Service Team at dhis.cst@derwentsharedservices.nhs.uk or 01332 868900 where they will guide you through the restore process. The file can only be restored from the backups which are taken each night, for example a file created on Monday morning, and accidentally deleted Monday afternoon cannot be restored as it will not have been present for any backups to have taken place.
This process also applies if a file has been accidentally modified, or corrupted.
Also please see “What Information is backed up”
Is remote access secure and can I work on confidential files? Back
Yes, officially supplied RAS connections are secure and suitable for the transmission of confidential information.
I have lost/had stolen a piece of NHS computer equipment, what should I do? Back
This need to be reported to your line manager and the SHA IG lead immediately, along with any details you have on the device, such as asset number / PC name.
