| | Public | OFFICIAL/INTERNAL | OFFICIAL SENSITIVE / CONFIDENTIAL | |
|---|---|---|---|---|
| Key | ||||
| Examples of information / data to be handled | Brochures, News releases, Marketing Materials | Routine correspondence, employee newsletters, internal phone directories, inter-office memoranda, non-person identifiable information, internal policies and procedures | Person identifiable information, financial data, purchasing information, vendor contracts | |
| The consequences if the information / data is mishandled | None | Unauthorised disclosure would not significantly impact NHSCFA, or any of its stakeholders or employees | Unauthorised disclosure could result in significant adverse impact or penalties to NHSCFA, its stakeholders or employees | |
| Transmission by Spoken Word | ||||
| Conversation / Meetings | No special precautions required | Ensure that you are not overheard | Private setting / lowered voices. Avoid public areas, e.g. elevators, hallways, cafeterias etc. | |
| Landline Telephones | No special precautions required | Ensure that you are not overheard | Avoid proximity to unauthorised listeners. Speakerphone in secure area | |
| Mobile telephones (including voice enabled blackberries) | No special precautions required | Ensure that you are not overheard | Use of digital telephones preferred | |
| Voicemail or answering machines | No special precautions required | Ensure that you are not overheard | Only leave name and contact details | |
| Transmission by Post or e-mail | ||||
| Mail within the NHSCFA (i.e. between buildings) | No special handling required | No special handling required | Sealed inter-office envelope marked Confidential | |
| Mail outside of the NHSCFA | No special handling required | 2nd class mail. No special handling required | 2nd class mail. Marked Private and Confidential with return address on the back. Traceable delivery preferred, e.g. Recorded delivery, special delivery etc. Use of a courier if a large quantity | |
| E-mail within the NHSCFA | No special handling required | No special handling required | Refrain from use of personal data. Use of e-mail discouraged where practical | |
| E-mail outside of the NHSCFA, including internet, N3 & NHSnet Mail | No special handling required | No special handling required | Use of e-mail containing personal data prohibited unless encrypted or emergency situation. Use of e-mail strongly discouraged. Broadcast to distribution lists is prohibited | |
| Internet and Intranet | Content to be promoted must be authorised by head of section | Content to be promoted must be authorised by head of section | Must not appear on intranet / internet | |
| Magnetic media (including CDs, DVDs, Memory Sticks and Data Cartridges) | No special handling required | No special handling required | Use of personal data prohibited unless encrypted or an emergency situation | |
| Electronic File Transfer | No special handling required | No special handling required | Use of personal data prohibited unless encrypted (e.g. using SFTP, FTPS or secure VPN) or a one-off emergency situation | |
| Web Portals (i.e. NHSCFA web-enabled applications) | No special handling required | No special handling required | Use of personal data prohibited unless encrypted (i.e. using HTTPS) | |
| Print, Film, Fiche, Video, DVD Images | ||||
| Printed Materials | No special precautions required | Store out of sight of non-employees | Store out of sight in a secure area | |
| Sign-in sheets / Sign-in logs | No special precautions required | Placement out of sight of non-employees | Subsequent signers cannot identify signer | |
| Monitors / Computer Screens | No special precautions required | Positioned or shielded to prevent viewing by non-employees | Positioned or shielded to prevent viewing by unauthorised parties. Possible measures include physical location in a secure area, positioning of screen, use of password protected screen saver, etc | |
| Copying Standards | No special precautions required | No special precautions required | Photocopying to be minimised and only when necessary | |
| Storage Standards | ||||
| Print Material | No special precautions required | Reasonable precautions to prevent access by non-employees | Storage in a secure manner (e.g. secure area, lockable enclosure) | |
| Electronic Documents | No special precautions required | Storage on non-public drives only | Storage on secure drives. Storage on shared drives without password protection for reading is prohibited | |
| | No special precautions required | Reasonable precautions to prevent access by non-employees | Storage in a secure manner (e.g. password access or reduce to written form, delete electronic form and store in accordance with storage of printed materials) | |
| Physical Security Standards | ||||
| Computers / Work Stations | Password protected screen saver to be used when briefly unattended. Sign-off or power-off work stations or terminals when not in use or leaving work area | Password protected screen saver to be used when briefly unattended. Sign-off or power-off work stations or terminals when not in use or leaving work area | Password protected screen saver to be used when briefly unattended. Sign-off or power-off work stations or terminals when not in use or leaving work area | |
| Printing documentation | No special precautions required | No special precautions required | Printing of documents to be minimised and only when necessary. Unattended printing is permitted only if physical access controls are used to prevent unauthorised persons from viewing the material being printed | |
| Office access | No special precautions required | No special precautions required | Access to areas containing sensitive information should be physically restricted. Sensitive information must be locked when left in an unattended room | |
| Laptops, Smartphones, Blackberries etc. | Password protected screen saver to be used when briefly unattended. Sign-off or power-off work stations or terminals when not in use or leaving work area. Also laptops must be secured using a locking device when outside of the office environment | Password protected screen saver to be used when briefly unattended. Sign-off or power-off work stations or terminals when not in use or leaving work area. Also laptops must be secured using a locking device when outside of the office environment | Computers must not be left unattended at any time unless the confidential information is encrypted | |
| Access Control | Available to the general public | Generally available to all staff on a need to know basis | Must have a business need to know the information. Must have written approval of the data owner | |
| Audit | None | None | Access should be audited as determined by the data owner | |