NHS Greater Glasgow Patient Data Security

The request was successful.

Dear Greater Glasgow NHS Board,

Can you please confirm whether or not NHS Fife complies with the
regulations publicly available on the following website:

http://n3.nhs.uk/n3scotland/TechnicalInf...

In particular the following paragraph concerning the Caldicott
Guidelines requirements and patient identifiable data:

"Sensitive/Patient Data
Data transmitted across n3 is not encrypted (unless using the VPN
N3-12-4 Catalogue service which encrypts traffic across the
Internet and the N3 network to a specific site). Thus N3 is not
considered secure enough to transmit patient identifiable or
similarly sensitive data across - It does not meet the Caldicott
Guidelines requirements alone. It is the joint responsibility of the
sender(s) and receiver(s) of such data - not NHS Connecting for Health,
NHS National Services Scotland or N3SP to implement a solution that
conforms.

The normal practical solution is to encrypt application data where it
traverses N3 between users and application providers. The encryption
method must meet NHS Connecting for Health and NHS National Services
Scotland requirements."

Yours faithfully,

JR

Dear Greater Glasgow NHS Board,

Please replace NHS Fife in the first paragraph with NHS Greater Glasgow.

Yours faithfully,

JR

FOI BOARD HQ, Greater Glasgow NHS Board

Dear 'JR'

Thank you for your enquiry. Before I proceed I would be grateful if you
could please supply your full name.

With thanks

Alison Flynn | Freedom of Information Manager | NHS Greater Glasgow &
Clyde
Board HQ | J B Russell House | Gartnavel Royal Hospital
1055 Great Western Road | Glasgow | G12 0XH
e: [NHS Greater Glasgow and Clyde request email] t: 0141 201 4461 w:
www.nhsggc.org.uk


Dear FOI BOARD HQ,

My name is Mr Rolland.

Yours sincerely,

JR

FOI BOARD HQ, Greater Glasgow NHS Board

Dear Mr Rolland

Thank you for your request for information received on 14 May 2013. We
are dealing with this under our procedures for requests made under the
Freedom of Information (Scotland) Act 2002. A response will be issued
as soon as possible or within 20 working days as provided for in the
Act.

If you have any queries about the progress of your request please
contact me at the details below.
Yours sincerely

Alison Flynn | Freedom of Information Manager | NHS Greater Glasgow &
Clyde
Board HQ | J B Russell House | Gartnavel Royal Hospital
1055 Great Western Road | Glasgow | G12 0XH
e: [NHS Greater Glasgow and Clyde request email] t: 0141 201 4461 w:
www.nhsggc.org.uk


FOI BOARD HQ, Greater Glasgow NHS Board

2 Attachments

Dear Mr Rolland

Further to your request for information received on 14 May 2013, I am now
able to provide a response on behalf of NHS Greater Glasgow and Clyde as
follows:

The website referred to in your request is a BT website and provides
guidance to users of N3. The legislation and policies that Boards must
comply with when using networks such as N3 are:
· Data Protection Act (regarding IT infrastructure, in particular
  Principle 7)
· The NHS Scotland Information Assurance Strategy (Chief Executive
  Letter (CEL 26 2011))
· The NHS Scotland Information Security Policy

The requirement throughout these policies is that NHS Scotland IT
infrastructure and systems must be risk assessed to ensure that patient
identifiable or similarly sensitive information is protected appropriately
in line with guidance such as Caldicott.  This ensures that the risks to
the confidentiality, integrity or availability of information are managed
through the application of appropriate security controls.  

Controls are implemented where risks have been identified, with
appropriate actions already implemented or incorporated into local plans
to close or mitigate the risks for both new and legacy systems. Such
controls include but are not limited to:
· application and network access controls.
· security operating procedures and active audit and monitoring
  controls.
· encryption of the applications by SSL and on the network between
  organisations using VPN products.

It should also be noted that N3 is a private network for the NHS and
protected from the internet by firewalls.

This complies with the publicly available N3 guidance: It is the joint
responsibility of the sender(s) and receiver(s) of such data - not NHS
Connecting for Health, NHS National Services Scotland or N3SP to implement
a solution that conforms.

I hope that this information is helpful.  If you are not satisfied with
our response to your request, you have a right to request a review of this
decision within 40 working days of receiving this response.  The procedure
for consideration of a review is detailed in the attached note.  The note
also describes your right to pursue the matter with the Scottish
Information Commissioner if, following a request for review, you remain
dissatisfied with the decision of NHS Greater Glasgow and Clyde.  If
following appeal to the Scottish Information Commissioner you still remain
dissatisfied with the outcome, you have a right of appeal to the Court of
Session on a point of law against the decision of the Scottish Information
Commissioner. 

If you wish us to review this decision, please complete the form enclosed
and return it to the Head of Board Administration, NHS Greater Glasgow and
Clyde, Corporate HQ, JB Russell House, Gartnavel Royal Hospital, 1055
Great Western Road, Glasgow  G12 0XH.

Should you require any clarification about this response or the right to
request a review please contact me as detailed below. 

Yours sincerely

Alison Flynn | Freedom of Information Manager | NHS Greater Glasgow &
Clyde
Board HQ | J B Russell House | Gartnavel Royal Hospital
1055 Great Western Road | Glasgow | G12 0XH
e: [NHS Greater Glasgow and Clyde request email] t: 0141 201 4461 w:
www.nhsggc.org.uk

Dear FOI BOARD HQ,

Is all patient identifiable data encrypted when sent over the N3 network?

Yours sincerely,

JR

FOI BOARD HQ, Greater Glasgow NHS Board

Dear Mr Rolland

Thank you for your follow-up enquiry. I have contacted the relevant department to ask them to confirm the answer to this and will be in touch again once I have further information.

Yours sincerely

Alison Flynn | Freedom of Information Manager | NHS Greater Glasgow & Clyde
Board HQ | J B Russell House | Gartnavel Royal Hospital
1055 Great Western Road | Glasgow | G12 0XH
e: [NHS Greater Glasgow and Clyde request email] t: 0141 201 4461 w: www.nhsggc.org.uk


FOI BOARD HQ, Greater Glasgow NHS Board

Dear Mr Rolland

As explained in the previous response to your query on this matter, the confidentiality of patient information is protected using a wide variety of security controls, and in some cases encryption is not the most effective means of managing risk. Outbound transmissions from our main systems over N3 are SSL encrypted. Our applications are accessed one record at a time, therefore capturing the transmitted data would result in very small volumes of information. The records are transmitted in a format that would be very difficult to interpret, therefore any unencrypted data is of no practical value to anyone who is able to access the network.

I hope this answers your query. However if I can be of further assistance please contact me at the details below.

Yours sincerely

Alison Flynn | Freedom of Information Manager | NHS Greater Glasgow & Clyde
Board HQ | J B Russell House | Gartnavel Royal Hospital
1055 Great Western Road | Glasgow | G12 0XH
e: [NHS Greater Glasgow and Clyde request email] t: 0141 201 4461 w: www.nhsggc.org.uk


Dear FOI BOARD HQ,

I have received the information requested. However, it was supplied too late to have complied with the FOI Act, and it is also too late to be of any use to me.

Yours sincerely,

JR