Opal System Level Security Policy

What information is held?

OPAL holds patient data, including demographic and treatment details.

Possible risks that this entails are (non-exhaustive list):

• Unauthorised access could compromise patient confidentiality.
• Inaccurate data input could cause inproper treatment.
• Corrupted data could cause improper treatment.
• System downtime could cause delays in treatment.

Access Controlls

Access to systems that will include patient data will be restricted to:

• Employees of the NHS Trust who are suitably authorised to access patient records.
• Staff of OHC (or their 3rd party contractors) in order to perform system administration.
• Staff of OHC (or their 3rd party contractors) in order to perform incident investigations.

Access will be enabled or disabled either by NHS Trusts or OHC acting on their behalf.

Legal obligations

The following acts of parliament apply to OPAL, and all legal obligations will be observed.

• Data Protection Act 1998
• Freedom of Information Act 2000
• Computer Misuse Act 1990

User Profiles

OPAL has two types of user:

• Administrator: Access to update restricted data, create users, etc
• User: Access to all non-administrative data.

Management of access rights

OPAL will manage these access rights by enforcing a login in order to access the system's information.

Credentials will be created by the nominated NHS Trust administrator as new members of staff work on the areas of the Trust in which OPAL is used.

The same Trust administrators will suspend the accounts of those users who are no longer working in those ares.

Review of access controls

Once every six months, a review will be conducted of all active accounts to ascertain whether access controls are being governed appropriately.

This review will be conducted by the IGL.

Passwords

All access requires a password.

We require all passwords to be at least 6 characters, and not in a list of known banned passwords.

Failed access attempts are logged.