Data and other information are assets of varying value to the business, its partners and customers. The value of each data type, and therefore the way it is handled, needs to be defined, as each should be handled differently.
The scope of this document is all data and information held and processed by the business.
Some data can be in multiple classification groups. If in doubt about where the data in question sits, it should always be treated as more confidential / critical. Any data that contains any patient data should be treated as confidential.
Types of Data
Personal data is the type of data managed by an individual, containing no operational, critical or confidential information. Examples include personal emails and documents.
Some data held, managed or published by the company is in the public domain. For example, marketing material that has already been published.
Operational data is everyday business data used for the running of the business. The majority of the data held, managed and created by the business (excluding patient data) falls into this category.
Business Critical Data
Business critical data is generally a subset of the operational data: a set of data that is deemed critical to the running of the business. This could include the data used to generate an algorithm, or the source code for the company's web application. Business critical data could belong to the company or be information shared by third parties. To remove any doubt, this data is always treated as confidential.
Patient Confidential Data
The bulk of the data held by the company are personal health records from our customers. The way this data is managed is a special case and is detailed more thoroughly in the Confidential Data Policy.
Robust and secure storage of any data is critical to the efficient running of the business. This policy will deal with the areas of data storage that are critical to the running of the business.
Personal Data Storage
This policy does not cover the storage of personal data. It is, however, important to state that no other data should be bundled with personal data when it is stored. It is vital that users of the company systems employ a clear demarcation of personal and other data types to eliminate the risk of storing non-personal data in the wrong way.
Public Data Storage
Once data has become public, the ability to control how it is stored is lost. This policy does not cover the storage of public data.
Operational Data Storage
Operational data should be stored where access is appropriate for all users in the business. The backup schedule is appropriate to the importance of the data held.
Business Critical Data Storage
Access to business critical data should be restricted as much as possible to those users who REQUIRE access. This access should be provided at an appropriate level with the avoidance of blanket privileges.
Titles and positions in the company do not dictate access levels.
Wherever possible, business critical data should not be printed out - if it is, it is the responsibility of the user to ensure it is shredded after use.
The backup policy shows more detail of how this data should be backed up.
Patient Confidential Data Storage
The storage of patient confidential data is dealt with in detail in the Confidential Data Policy. In summary, access to this data should be restricted only to those users who require access to operate the business.
The data should be stored on the live secure server environment only. Access to one record at a time is granted for operational reasons, and on the whole is done directly through the application. As the application is web based, there is the possibility of capturing this data from the screen. This should be avoided unless necessary. Any access to the live secure server environment is logged via a Google Form and saved in the Signum Health Google Drive.
Identifiable patient data should not be stored on any system other than the secure servers of the application. Storage on removable media is detailed in the Removable Media Policy.
If there is a requirement to print any patient confidential data, it should be stored under lock and key, and removed from desks and common areas.
Personal data transmission
There are no requirements for personal data transmission.
Public data transmission
There are no requirements for public data transmission.
Operational data transmission
Operational data should only be transmitted where necessary for business purposes.
Business Critical data transmission
Business critical data should only be transmitted where necessary for business purposes.
Patient Confidential data transmission
Strong encryption must always be used when transmitting patient confidential data, whether this transmission is done inside or outside of the company's network.
Details of the encryption requirements can be found in the Encryption Policy.
Data destruction is covered in the Data Destruction Policy.
Personal, Public & Operational data destruction
There are no requirements for data destruction, although best practice (to avoid things like identity theft) would be to ensure all paper copies are shredded, and electronically stored data is removed completely from any storage devices before disposal (and physical destruction is always recommended).
Critical Business Data Destruction
Critical Business data should be destroyed as per the Data Destruction Policy, which will involve shredding and physical destruction of any other storage media.
Confidential Patient Data Destruction
Confidential Patient data should be destroyed as per the Data Destruction Policy, which will involve shredding and physical destruction of any other storage media.
This policy will be enforced by the CTO. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.