Removable media policy

Contents

1 Introduction

Information and data are critical to the realisation of Rotherham, Doncaster and South Humber NHS Foundation Trust’s (hereafter referred to as ‘the trust’) objectives. They are also subject to protection under legislation, regulation and in accordance with the Information risk appetite of the trust.

The trust recognises that providing staff with the ability to work in an agile manner may allow for more effective and efficient ways of working. Agile working is not just related to working from different locations or at different times. It is about gaining the benefit of utilising technology to change work practices and to work differently which should increase the effectiveness of the service and deliver benefits to the trust and its patients.

Removable media represents a particular vulnerability in that significant amounts of data can be held on a single item that is highly portable and easily lost or stolen.

2 Purpose

This document sets out the policy on the use of removable media for the handling of information held or processed by, or on behalf of, the trust.

Through this policy the trust aims to:

• ensure the end-to-end security of data held and processed within the trust through ensuring adequate controls
• enhance the secure handling of information and data between the trust and partners or third parties
• help reduce risk of the removal or loss of data held or processed by the trust

3 Scope

This policy applies to all those working for the trust in whatever capacity, including the trust’s staff, volunteers, students, temporary workers, contractors, suppliers and third parties (hereafter referred to as ‘Staff’). Third parties and suppliers are expected to follow this approach unless specifically excluded or where conditions have been applied within the procurement and contract management process.

This policy includes but is not limited to, the following removable media:

• CDs
• DVDs
• optical disks
• external hard drives
• USB memory sticks (also known as pen drives or flash drives)
• media card readers
• embedded microchips (including smart cards and mobile phone sim cards)
• MP3 players
• digital cameras
• backup cassettes
• audio tapes (including Dictaphones and answering machines)
• smart phones when connected via USB or Bluetooth
• fitness devices when connected via USB or Bluetooth

This policy shall be reviewed every two years or in response to significant changes due to security incidents, variations of law and or changes to organisational or technical infrastructure.

In the event of a national health emergency such as the COVID-19 pandemic, this policy still applies, unless it is superseded by specific clauses mandated by the trust’s business continuity policy.

Responsibilities, accountabilities and duties

This policy applies to all those working for the trust in whatever capacity, including the trust’s staff, volunteers, students, temporary workers, contractors, suppliers and third parties (hereafter referred to as ‘staff’). Third parties and suppliers are expected to follow this approach unless specifically excluded or where conditions have been applied within the procurement and contract management process.

Failure to follow the requirements of this policy may result in investigation and management action being taken as considered appropriate. This may include formal action in line with the trust’s disciplinary or capability procedures for trust staff; and other action in relation to other workers, which may result in the termination of an assignment, placement, secondment, honorary arrangement or contract for services. Additionally, failure to follow the requirements of the Policy may result in a breach of the law or a criminal offence.

5 Procedure or implementation

5.1 Terminology

Terminology

Term	Definition
Shall	This term is used to state a mandatory requirement of this policy
Should	This term is used to state a recommended requirement of this policy
May	This term is used to state an operational requirement of this policy

5.2 The main uses of removable media are

• Data transfer, such as between internal systems, between networked systems and portable or mobile devices owned by the trust and between the trust and third parties.
• Data storage, for example the use of CDs for records and archiving.

The use of removable media for the purposes of record and data storage is set out in the records management policy.

The portability of removable media also brings risk of loss or theft, therefore the exchange of data either internally or with external parties should always be via the trust’s information systems where possible.

Removable media for data transfer shall only be used when all other options have been exhausted and only with the explicit permission of the information asset owner (IAO) and the DPO or head of information governance.

The use of removable media shall only be permitted if:

• there is a genuine business justification (supported through a ‘risk balance’ business case
• the removable media is secured, appropriately authorised and as necessary, appropriately issued for holding sensitive data
• when sending between locations, the removable media is sent via a secure courier wherever possible or sent via a means by which it can be tracked to ensure arrival at the intended destination and by the person who has been authorised to receive it

5.3 When to Use a USB device

A USB stick is not recommended for long-term storage and should only be used as a means of safe transportation from one location to another. All trust data should be downloaded as soon as practical and stored on secure network drives that are regularly backed-up.

5.3.1 Personal information, trust-approved USB devices

If personal information is to be transferred via a USB it shall be via a trust approved encrypted device which will be purchased via the information technology department, on completion of an approved request form via the IT portal.

Removable media shall be scanned and virus checked before use.

Removable media shall be encrypted to the appropriate standard defined by NHS digital and in accordance with government guidelines.

Information held on removable media shall be deleted once its purpose has been served and shall be documented as such by the relevant IAO.

The IAO has the responsibility of taking ownership of local asset control, risk assessment and management processes. Before approving a request for a USB, the IAO must consider other alternative methods to transferring data before proceeding with the request for an encrypted device.

5.4 Classification of removable media

Details of information classification may be found in the Information handling and classification policy. That policy extends to removable media as follows:

• any removable media shall be classified to the highest security classification of the information stored on it
• removable media shall be reclassified if the information copied onto it is of a higher classification than that currently assigned to the removable media, or where it is subject to a security classification upgrade

All removable media shall be physically labelled with a marking that states the maximum security classification of the data held. Security classification markings on removable media shall be easily visually identifiable.

5.5 Secure handling

The safe and secure handling of removable media is the first level of security to prevent the unauthorised disclosure, modification, removal and or destruction of information. Staff who are authorised by the trust to use removable media devices are responsible at all times for the physical security of the devices and the information held on them.

All staff shall comply with information handling and security classification policy, information security policy and IT security policy when handling removable media. They shall ensure the protective handling of information and the acceptable use of removable media devices in accordance with the NHS code of confidentiality, legislation regarding the processing of information.

Particular care shall be taken with removable media that:

• holds or has held security classified or sensitive data or information
• is or has been connected to systems that hold or have held classified or sensitive information

Removable media associated with the processing of data shall remain the property of the trust.

5.6 Unauthorised connections

This policy expressly prohibits the unauthorised connection of any equipment or device to the trust’s computer network. Staff in breach of this policy may be subject to disciplinary procedures.

5.7 Reporting of breach or loss

Any security breach as a result of the use of removable media including loss, theft or other incident, shall be reported to the IGM and to the relevant IAO in keeping with the incident management policy. The escalation route should first involve the staff’s line manager and the IT service desk shall also be informed.

5.8 Destruction of removable media

Removable media shall be correctly disposed of or destroyed at the end of its required lifecycle in accordance with government guidelines and should be documented as such. Details are set out in the digital obsolescence and data preservation policy and records management policy.

Please note where multiple items are held for destruction, the risk of aggregation should be taken into account, which can cause large numbers of non-sensitive items to become sensitive.

6 Training implications

6.1 All Staff DSA

• How often should this be undertaken: Upon commencement of employment and annually thereafter.
• Length of training: 1 and a half hours.
• Delivery method: E-learning or face to face.
• Training delivered by whom: IG or NHS Digital e-learning package.
• Where are the records of attendance held: ESR.

7 Monitoring arrangements

7.1 Policy

• How: Review of best practice against the policy will be undertaken annually through auditing.
• Who: Head of information governance.
• Reported to: Information governance group and health informatics group.
• Frequency: Annually.

8 Equality impact assessment screening

To access the equality impact assessment for this policy, please see the overarching equality impact assessment.

8.1 Privacy, dignity and respect

The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi’s review of the NHS, identifies the need to organise care around the individual, ‘not just clinically but in terms of dignity and respect’.

As a consequence the trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect, (when appropriate this should also include how same sex accommodation is provided).

8.1.1 How this will be met

No issues have been identified in relation to this policy.

8.2 Mental Capacity Act 2005

Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individuals capacity to participate in the decision making process. Consequently, no intervention should be carried out without either the individual’s informed consent, or the powers included in a legal framework, or by order of the court.

Therefore, the trust is required to make sure that all staff working with individuals who use our service are familiar with the provisions within the Mental Capacity Act (2005). For this reason all procedural documents will be considered, if relevant to reflect the provisions of the Mental Capacity Act (2005) to ensure that the rights of individual are protected and they are supported to make their own decisions where possible and that any decisions made on their behalf when they lack capacity are made in their best interests and least restrictive of their rights and freedoms.

8.2.1 How this will be met

All individuals involved in the implementation of this policy should do so in accordance with the principles of the Mental Capacity Act (2005).

9 Links to any associated documents

• Information governance policy and management framework (includes data protection policy content)
• Information handling and classification policy
• Incident management policy
• Records management policy
• Digital obsolescence and data preservation policy

10 References

• NHS Code of Confidentiality.
• Data Protection Act 2018.
• UK General Data Protection Regulation 2018.

---

Document control

• Version: 1.1.
• Unique reference number: 603.
• Date approved: 15 January 2024.
• Approved by: Corporate policy approval group.
• Name of originator or author: Data protection officer or head of IG.
• Name of responsible individual: Director of health informatics or SIRO.
• Date issued: 16 January 2024.
• Review date: August 2023.
• Target audience: Audience: All staff.

Page last reviewed: May 17, 2024
Next review due: May 17, 2025

Problem with this page?

Please tell us about any problems you have found with this web page.

Do not include personal or medical information in your message. For example, your name, NHS number, date of birth or medical history.

Type of problem -- Please choose an option -- Wrong information Accessibility Spelling or grammar Layout or display Other

Please provide details of the problem