| | | Public | OFFICIAL/INTERNAL | OFFICIAL SENSITIVE / CONFIDENTIAL |
|---|---|---|---|---|
| Key | Examples of information / data to be handled | Brochures, News releases, Marketing Materials | Routine correspondence, employee newsletters, internal phone directories, inter-office memoranda, non-person identifiable information, internal policies and procedures | Person identifiable information, financial data, purchasing information, vendor contracts |
| | The consequences if the information / data is mishandled | None | Unauthorised disclosure would not significantly impact NHSCFA, or any of its stakeholders or employees | Unauthorised disclosure could result in significant adverse impact or penalties to NHSCFA, its stakeholders or employees |
| Transmission by Spoken Word | Conversation / Meetings | No special precautions required | Ensure that you are not overheard | Private setting / lowered voices. Avoid public areas, e.g. elevators, hallways, cafeterias etc. |
| | Landline Telephones | No special precautions required | Ensure that you are not overheard | Avoid proximity to unauthorised listeners. Speakerphone in secure area |
| | Mobile telephones (including voice enabled blackberries) | No special precautions required | Ensure that you are not overheard | Use of digital telephones preferred |
| | Voicemail or answering machines | No special precautions required | Ensure that you are not overheard | Only leave name and contact details |
| Transmission by Post or e-mail | Mail within the NHSCFA (i.e. between buildings) | No special handling required | No special handling required | Sealed inter-office envelope marked Confidential |
| | Mail outside of the NHSCFA | No special handling required | 2nd class mail. No special handling required | 2nd class mail. Marked Private and Confidential with return address on the back. Traceable delivery preferred, e.g. Recorded delivery, special delivery etc. Use of a courier if a large quantity |
| | E-mail within the NHSCFA | No special handling required | No special handling required | Refrain from use of personal data. Use of e-mail discouraged where practical |
| | E-mail outside of the NHSCFA, including internet, N3 & NHSnet Mail | No special handling required | No special handling required | Use of e-mail containing personal data prohibited unless encrypted or emergency situation. Use of e-mail strongly discouraged. Broadcast to distribution lists is prohibited |
| Internet and Intranet | | Content to be promoted must be authorised by head of section | Content to be promoted must be authorised by head of section | Must not appear on intranet / internet |
| Magnetic media (including CDs, DVDs, Memory Sticks and Data Cartridges) | | No special handling required | No special handling required | Use of personal data prohibited unless encrypted or an emergency situation |
| Electronic File Transfer | | No special handling required | No special handling required | Use of personal data prohibited unless encrypted (e.g. using SFTP, FTPS or secure VPN) or a one-off emergency situation |
| Web Portals (i.e. NHSCFA web-enabled applications) | | No special handling required | No special handling required | Use of personal data prohibited unless encrypted (i.e. using HTTPS) |
| Print, Film, Fiche, Video, DVD Images | Printed Materials | No special precautions required | Store out of sight of non-employees | Store out of sight in a secure area |
| | Sign-in sheets / Sign-in logs | No special precautions required | Placement out of sight of non-employees | Subsequent signers cannot identify signer |
| | Monitors / Computer Screens | No special precautions required | Positioned or shielded to prevent viewing by non-employees | Positioned or shielded to prevent viewing by unauthorised parties. Possible measures include physical location in a secure area, positioning of screen, use of password protected screen saver, etc |
| Copying Standards | | No special precautions required | No special precautions required | Photocopying to be minimised and only when necessary |
| Storage Standards | Print Material | No special precautions required | Reasonable precautions to prevent access by non-employees | Storage in a secure manner (e.g. secure area, lockable enclosure) |
| | Electronic Documents | No special precautions required | Storage on non-public drives only | Storage on secure drives. Storage on shared drives without password protection for reading is prohibited |
| | E-mail | No special precautions required | Reasonable precautions to prevent access by non-employees | Storage in a secure manner (e.g. password access or reduce to written form, delete electronic form and store in accordance with storage of printed materials) |
| Physical Security Standards | Computers / Work Stations | Password protected screen saver to be used when briefly unattended. Sign-off or power-off work stations or terminals when not in use or leaving work area | Password protected screen saver to be used when briefly unattended. Sign-off or power-off work stations or terminals when not in use or leaving work area | Password protected screen saver to be used when briefly unattended. Sign-off or power-off work stations or terminals when not in use or leaving work area |
| | Printing documentation | No special precautions required | No special precautions required | Printing of documents minimised and when necessary only. Unattended printing is permitted only if physical access controls are used to prevent unauthorised persons from viewing the material being printed |
| | Office access | No special precautions required | No special precautions required | Access to areas containing sensitive information should be physically restricted. Sensitive information must be locked when left in an unattended room |
| | Laptops, Smartphones, Blackberries etc. | Password protected screen saver to be used when briefly unattended. Sign-off or power-off work stations or terminals when not in use or leaving work area. Also laptops must be secured using a locking device when outside of the office environment | Password protected screen saver to be used when briefly unattended. Sign-off or power-off work stations or terminals when not in use or leaving work area. Also laptops must be secured using a locking device when outside of the office environment | Computers must not be left unattended at any time unless the confidential information is encrypted |
| Access Control | | Available to the general public | Generally available to all staff on a need to know basis | Must have a business need to know the information. Must have written approval of the data owner |
| Audit | | None | None | Access should be audited as determined by the data owner |