Local Backup Procedures - the Royal Cornwall Hospitals Trust ...
Local Backup Procedures - the Royal Cornwall Hospitals Trust ...
Local Backup Procedures - the Royal Cornwall Hospitals Trust ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Title:<br />
Document author:<br />
Document type:<br />
Document library section:<br />
Sub Section:<br />
Document status:<br />
Approved by:<br />
Can this document be published to <strong>the</strong><br />
internet (publicly available)<br />
Brief summary of document<br />
Document reference code:<br />
<strong>Local</strong> <strong>Backup</strong> <strong>Procedures</strong><br />
IT Security Manager<br />
Governance<br />
Final<br />
Information Governance sub-committee<br />
Not necessary as an internal document<br />
These <strong>Procedures</strong> outline <strong>the</strong> actions and responsibilities<br />
for performing <strong>Backup</strong>s of information for servers not<br />
contained within <strong>the</strong> <strong>Cornwall</strong> NHS corporate resilient<br />
architecture.<br />
Server Back Up Tape Procedure – <strong>Local</strong>/Satellite Sites<br />
This document replaces (exact title of<br />
previous document or NA)<br />
Approved Equality Impact Assessment Yes<br />
attached<br />
Cross referenced to: The Data Protection Act 1998<br />
Confidentiality: NHS Code of Practice<br />
BS ISO/IEC 27001 Information Security<br />
Caldicott Guardian Manual 2006<br />
Records Management: NHS Code of Practice<br />
NHS Information Governance<br />
Information Security Management: NHS Code of Practice<br />
The Data Protection (Processing of Sensitive Personal<br />
Data) Order 2000.<br />
The Computer Misuse Act (1990)<br />
Regulation of Investigatory Powers Act 2000<br />
Health & Social Care Act 2001<br />
Civil Contingencies Act 2004<br />
Ratified by:<br />
Integrated Governance Committee<br />
Date of ratification 26 September 2012<br />
Name of Executive signing policy Robert Knibbs, Director of Finance and Performance<br />
Review date March 2015<br />
Suggested key words (to be completed<br />
by Governance Administrator)<br />
Expired documents should be retained<br />
for 10 years from <strong>the</strong> date of expiry<br />
Version control table<br />
Date Version number Summary of changes Changes made by<br />
This document should not be photocopied or o<strong>the</strong>rwise reproduced.<br />
If you have any questions about this policy, please contact <strong>the</strong> Governance Administrator, Telephone<br />
01726 627811, or via email to Policies.PCT@<strong>Cornwall</strong>.nhs.uk<br />
This document is available in o<strong>the</strong>r formats such as large print, Braille &/or<br />
cassette/CD or in any o<strong>the</strong>r<br />
Version: 1.0 Page 1 of 16<br />
Author: Andrew Mann <strong>Local</strong> <strong>Backup</strong> Procedure<br />
Updated: Jul 2012<br />
Reviewer: <strong>Trust</strong> IGC’s<br />
Review Due: Jul 2015
Page 2<br />
Consultation<br />
List <strong>the</strong> individuals (use titles only)/groups<br />
consulted. This must include <strong>the</strong> Counter Fraud<br />
<strong>Local</strong> Security Management Specialist<br />
Director of Finance/SIRO<br />
Head of Information Governance<br />
Head of Corporate Compliance<br />
Caldicott Guardian<br />
IG/IT Security Manager<br />
Corporate Risk Manager<br />
Freedom of Information Manager<br />
Operational Records Manager<br />
Deputy Director of CITS<br />
Associate Director of Corporate Information<br />
Company Secretary<br />
Counter Fraud <strong>Local</strong> Security Management Specialist<br />
Information Governance<br />
Sub Committee<br />
Indicate which of <strong>the</strong><br />
consultees in <strong>the</strong> left<br />
hand column have<br />
responded<br />
Yes<br />
Yes<br />
Yes<br />
Consultation comments<br />
received<br />
Change to review date<br />
Minor formatting changes<br />
Comments<br />
Accepted<br />
Comments<br />
rejected<br />
Reason for<br />
rejection<br />
Disseminate to:<br />
All Staff<br />
Dissemination methods:<br />
Publish on intranet, document library administator.<br />
Notify staff of publication by Weekly Staff Bulletin.<br />
Copy to displayed within <strong>the</strong> safe storing <strong>the</strong> backup tapes – for reference.<br />
Aim:<br />
<strong>Backup</strong>s are an important part of IT Business Continuity and Disaster Recovery. This<br />
procedure documents <strong>the</strong> actions and responsibilities for staff to ensure that<br />
information is secured, enabling it to be restored at a future time following an incident<br />
resulting in data loss.<br />
Purpose:<br />
The purpose of this <strong>Local</strong> <strong>Backup</strong> Procedure is to preserve:<br />
Version: 1.0 Page 2 of 16<br />
Author: Andrew Mann <strong>Local</strong> <strong>Backup</strong> Procedure<br />
Updated: Jul 2012<br />
Reviewer: <strong>Trust</strong> IGC’s<br />
Review Due: Jul 2015
Availability That information systems are available for use as defined within <strong>the</strong> service<br />
level agreement for each system.<br />
Reliability That information systems have appropriate measures in place to ensure<br />
reliability through backup and recovery procedures to support disaster recovery and<br />
business continuity plans.<br />
Responsibility That staff and contractors are aware of <strong>the</strong>ir responsibilities for <strong>the</strong><br />
protection and security of information.<br />
Objectives: List <strong>the</strong> objectives to be achieved. They must be Specific,<br />
Measurable, Realistic and Timebound (SMART)<br />
Responsibilities:<br />
Contained in Procedure<br />
Definitions/Glossary:<br />
Introduction:<br />
Text of document (remember to refer to organisational format requirements)<br />
Training: Has a training need been identified? If so what is it and how will it be<br />
addressed<br />
Training will be provided by <strong>Cornwall</strong> IT Services initially and <strong>the</strong>n will flow out to staff<br />
as needed.<br />
Key Performance Indicators: List how you, as <strong>the</strong> policy author, will measure <strong>the</strong><br />
success of achievement against <strong>the</strong> objectives<br />
Assessment against <strong>the</strong> Information Governance Toolkit and annual submission of<br />
scoring against this. Internal audit will review evidence ga<strong>the</strong>red and report.<br />
Monitoring: To which Board/sub-committee/committee will <strong>the</strong> results of <strong>the</strong><br />
outcome of <strong>the</strong> assessment against <strong>the</strong> key performance indicators be reported<br />
Information Governance Sub Committee<br />
Integrated Governance Committee<br />
Equality Impact Assessment: Attach a completed EIA prior to submitting for<br />
approval/ratification<br />
Version: 1.0 Page 3 of 16<br />
Author: Andrew Mann <strong>Local</strong> <strong>Backup</strong> Procedure<br />
Updated: Jul 2012<br />
Reviewer: <strong>Trust</strong> IGC’s<br />
Review Due: Jul 2015
Server Back Up Tape Procedure – <strong>Local</strong>/Satellite Sites<br />
1 Purpose<br />
The document describes a procedure for <strong>the</strong> systematic changing of server<br />
backup tapes.<br />
2 Responsibility<br />
It is <strong>the</strong> responsibility of staff who are tasked with <strong>the</strong> changing of server<br />
backup tapes to ensure compliance with this procedure. It is <strong>the</strong><br />
responsibility of Property Managers/Information Asset Owners for each of<br />
<strong>the</strong> servers to ensure <strong>the</strong> implementation of this procedure.<br />
3 Definitions<br />
Servers are in place at several trust locations and contain <strong>the</strong> information<br />
stored or saved within <strong>the</strong> IT network at each location. The information is<br />
backed up onto tapes to ensure availability in <strong>the</strong> event of disruption to <strong>the</strong><br />
network.<br />
4 Training Implications<br />
Staff are already responsible for changing server tapes but will need to<br />
comply with this procedure in <strong>the</strong> future.<br />
5 This Policy/Guidance/Strategy/Protocol is cross referenced to:<br />
The Data Protection Act 1998<br />
The Freedom of Information Act 2000<br />
The Human Rights Act<br />
Confidentiality: NHS Code of Practice<br />
BS ISO/IEC 27001 Information Security<br />
Caldicott Guardian Manual 2006<br />
Records Management: NHS Code of Practice<br />
NHS Information Governance<br />
Information Security Management: NHS Code of Practice<br />
The Data Protection (Processing of Sensitive Personal Data) Order 2000.<br />
The Copyright, Designs and Patents Act (1988)<br />
The Computer Misuse Act (1990)<br />
The Health and Safety at Work Act (1974)<br />
Version: 1.0 Page 4 of 16<br />
Author: Andrew Mann <strong>Local</strong> <strong>Backup</strong> Procedure<br />
Updated: Jul 2012<br />
Reviewer: <strong>Trust</strong> IGC’s<br />
Review Due: Jul 2015
Human Rights Act (1998)<br />
Regulation of Investigatory Powers Act 2000<br />
Health & Social Care Act 2001<br />
Civil Contingencies Act 2004<br />
Related <strong>Trust</strong> Policies<br />
Information Governance Policy and Strategy<br />
Records Management Policy and Strategy<br />
Information Risk Management Policy<br />
Security Policy<br />
Disciplinary Policy<br />
Data Protection Policy<br />
IT Security Policy<br />
Mobile Data Security Policy<br />
Email and Internet Policy<br />
Safe Haven Policy<br />
Network Security Policy<br />
Confidential Waste Policy<br />
Forensic Readiness Policy<br />
System Security Policies<br />
Freedom of Information Policy<br />
Mobile IT Security Policy<br />
IM&T Acceptable Use Policy<br />
IM&T Disposal Policy<br />
Information Security Policy<br />
Business Continuity Plans<br />
Information Quality Policy<br />
Data Quality Policy<br />
6 Equality and Diversity Impact Assessment taken place: Yes<br />
7 Training Implications<br />
For cascading to staff responsible for changing backup tapes.<br />
8 Who this document is relevant to:<br />
This document is relevant to staff who change server tapes in trust<br />
locations, Property Managers, Information Asset Owners and staff<br />
responsible for business continuity plans.<br />
9 Process for monitoring compliance and effectiveness<br />
This procedure will be implemented, managed and monitored by <strong>the</strong><br />
Information Asset Owners who will provide assurances to <strong>the</strong> Senior<br />
Information Risk Owner. Risk assessment of servers will be completed by<br />
CITS who will also provide backup tape validation assurance. Business<br />
Continuity plans should include review of this procedure.<br />
Server Back Up Tape Procedure – <strong>Local</strong>/Satellite Sites<br />
Version: 1.0 Page 5 of 16<br />
Author: Andrew Mann <strong>Local</strong> <strong>Backup</strong> Procedure<br />
Updated: Jul 2012<br />
Reviewer: <strong>Trust</strong> IGC’s<br />
Review Due: Jul 2015
There are two distinct types of backups:<br />
1. Corporate backups – Part of <strong>the</strong> resilient infrastructure for critical<br />
applications<br />
2. <strong>Local</strong> backups – o<strong>the</strong>r locations that have a locally based server. These<br />
are mainly file and print servers, but some do run applications locally.<br />
These procedures and controls relate to servers that are not part of <strong>the</strong><br />
corporate resilient solution for critical applications and for <strong>the</strong> purposes of this<br />
procedure will be referred to as ‘local’ servers.<br />
Server room Controls<br />
All server rooms should be compliant with standard controls as specified in <strong>the</strong><br />
Server Controls Framework and risk assessed accordingly. The server controls<br />
framework covers areas such as:<br />
• Physical Access<br />
o Building security<br />
o Room Security<br />
• Electronic Access<br />
o Firewalls<br />
o Networks<br />
o Login<br />
o Encryption<br />
• Environmental Control<br />
o Fire<br />
o Heat<br />
o Flood<br />
o Leaks<br />
o Power supply<br />
A risk assessment has been undertaken for all server rooms and <strong>the</strong><br />
assessment is based on <strong>the</strong> adequacy of <strong>the</strong>se controls at each location, a copy<br />
of <strong>the</strong> assessment can be obtained by contacting IT Security or <strong>the</strong> <strong>Trust</strong> IG<br />
Lead.<br />
Tape Security<br />
The following method ensures that <strong>the</strong> server data is protected by a good range<br />
of backup tapes that will allow data to be recovered from any given period in <strong>the</strong><br />
last 3 months.<br />
• All backup tapes must be kept physically safe in a fire-proof safe so that<br />
<strong>the</strong>y can be recovered in <strong>the</strong> event of disaster.<br />
• Each site should also use cleaning tapes to clean <strong>the</strong> backup drive as<br />
and when prompted by <strong>the</strong> system, <strong>Cornwall</strong> IT Services or according to<br />
<strong>the</strong> manufacturer’s instructions.<br />
• Each site should identify at least two people, to allow for absences, who<br />
are responsible for changing backup tapes and reporting any problems.<br />
Version: 1.0 Page 6 of 16<br />
Author: Andrew Mann <strong>Local</strong> <strong>Backup</strong> Procedure<br />
Updated: Jul 2012<br />
Reviewer: <strong>Trust</strong> IGC’s<br />
Review Due: Jul 2015
• Any problems or risks identified with <strong>the</strong> backup tape procedure must be<br />
reported in <strong>the</strong> first instance to <strong>the</strong> Information Asset Owner and CITS,<br />
who will instigate <strong>the</strong> business continuity plan to ensure back up of<br />
information and data. Server business continuity plans are held by CITS.<br />
Back up Cycle<br />
A standard Daily/Weekly/Monthly cycle is to be used based on a 12 week or 12<br />
month schedule.<br />
12 Week:<br />
• 4 Daily tapes used every Monday – Thursday.<br />
• 4 Weekly Tapes used every Friday except <strong>the</strong> last Friday of <strong>the</strong> month.<br />
• 3 Monthly Tapes to be used on <strong>the</strong> last Friday of every month.<br />
12 Month:<br />
• 4 Daily tapes used every Monday – Thursday.<br />
• 4 Weekly Tapes used every Friday except <strong>the</strong> last Friday of <strong>the</strong> month.<br />
• 12 Monthly Tapes to be used on <strong>the</strong> last Friday of every month;<br />
JAN,FEB, MAR etc.<br />
Please see Appendix 2 and Appendix 3 for schedule details.<br />
Every time a tape is removed from <strong>the</strong> computer after a backup, <strong>the</strong> backup log<br />
(Appendix 1) must be updated. This will enable <strong>the</strong> life span of <strong>the</strong> tape and<br />
tape unit to be monitored.<br />
Tape Replacement<br />
Tapes are mechanical in nature and don’t have a lifespan measured in time but<br />
ra<strong>the</strong>r in terms of <strong>the</strong> number of times <strong>the</strong> tape is used. Therefore it is<br />
recommended that; Monday-Thursday Tapes should be replaced annually,<br />
Friday and Monthly Tapes should be replaced every 5 years.<br />
<strong>Cornwall</strong> IT Services check <strong>the</strong> backup logs for all servers on a daily basis and<br />
investigate any recorded messages. In <strong>the</strong> event of an identified tape failure<br />
<strong>the</strong> tape will need to be replaced immediately. If two or more tapes fail from <strong>the</strong><br />
same batch within a month cycle <strong>the</strong>n <strong>the</strong> whole batch should be replaced.<br />
However, when loading tapes, any issues identified need to be reported to CITS<br />
immediately.<br />
All tapes that have been replaced need to be physically destroyed. Contact<br />
CITS Service Desk to arrange for collection and disposal in line with <strong>the</strong> Policy<br />
for <strong>the</strong> safe disposal of IM&T equipment and electronic media.<br />
Version: 1.0 Page 7 of 16<br />
Author: Andrew Mann <strong>Local</strong> <strong>Backup</strong> Procedure<br />
Updated: Jul 2012<br />
Reviewer: <strong>Trust</strong> IGC’s<br />
Review Due: Jul 2015
Daily Tape Log<br />
Appendix 1<br />
Date Tape ID Signed Name Notes<br />
Version: 1.0 Page 8 of 16<br />
Author: Andrew Mann <strong>Local</strong> <strong>Backup</strong> Procedure<br />
Updated: Jul 2012<br />
Reviewer: <strong>Trust</strong> IGC’s<br />
Review Due: Jul 2015
12 Week Retention Schedule:<br />
Version: 1.0 Page 1 of 16<br />
Author: Andrew Mann <strong>Local</strong> <strong>Backup</strong> Procedure<br />
Updated: Jul 2012<br />
Reviewer: <strong>Trust</strong> IGC’s<br />
Review Due: Jul 2015<br />
Appendix 2<br />
20<br />
12 M T W T F M T W T F M T W T F M T W T F M T W T F<br />
JA<br />
N 2 3 4 5 6 9<br />
1<br />
0<br />
1<br />
1<br />
1<br />
2<br />
1<br />
3<br />
1<br />
6<br />
1<br />
7<br />
1<br />
8<br />
1<br />
9<br />
2<br />
0<br />
2<br />
3<br />
2<br />
4<br />
2<br />
5<br />
2<br />
6<br />
2<br />
7<br />
3<br />
0<br />
3<br />
1<br />
FE<br />
B 1 2 3 6 7 8 9<br />
1<br />
0<br />
1<br />
3<br />
1<br />
4<br />
1<br />
5<br />
1<br />
6<br />
1<br />
7<br />
2<br />
0<br />
2<br />
1<br />
2<br />
2<br />
2<br />
3<br />
2<br />
4<br />
2<br />
7<br />
2<br />
8<br />
2<br />
9<br />
MA<br />
R 1 2 5 6 7 8 9<br />
1<br />
2<br />
1<br />
3<br />
1<br />
4<br />
1<br />
5<br />
1<br />
6<br />
1<br />
9<br />
2<br />
0<br />
2<br />
1<br />
2<br />
2<br />
2<br />
3<br />
2<br />
6<br />
2<br />
7<br />
2<br />
8<br />
2<br />
9<br />
3<br />
0<br />
AP<br />
1 1 1 1 1 1 1 1 2 2 2 2 2 2 3<br />
R 2 3 4 5 6 9 0 1 2 3 6 7 8 9 0 3 4 5 6 7 0<br />
MA<br />
Y 1 2 3 4 7 8 9<br />
1<br />
0<br />
1<br />
1<br />
1<br />
4<br />
1<br />
5<br />
1<br />
6<br />
1<br />
7<br />
1<br />
8<br />
2<br />
1<br />
2<br />
2<br />
2<br />
3<br />
2<br />
4<br />
2<br />
5<br />
2<br />
8<br />
2<br />
9<br />
3<br />
0<br />
3<br />
1<br />
JU<br />
N 1 4 5 6 7 8<br />
1<br />
1<br />
1<br />
2<br />
1<br />
3<br />
1<br />
4<br />
1<br />
5<br />
1<br />
8<br />
1<br />
9<br />
2<br />
0<br />
2<br />
1<br />
2<br />
2<br />
2<br />
5<br />
2<br />
6<br />
2<br />
7<br />
2<br />
8<br />
2<br />
9<br />
1 1 1 1 1 1 1 1 2 2 2 2 2 2 3 3<br />
JUL 2 3 4 5 6 9 0 1 2 3 6 7 8 9 0 3 4 5 6 7 0 1<br />
AU<br />
G 1 2 3 6 7 8 9<br />
1<br />
0<br />
1<br />
3<br />
1<br />
4<br />
1<br />
5<br />
1<br />
6<br />
1<br />
7<br />
2<br />
0<br />
2<br />
1<br />
2<br />
2<br />
2<br />
3<br />
2<br />
4<br />
2<br />
7<br />
2<br />
8<br />
2<br />
9<br />
3<br />
0<br />
3<br />
1<br />
1 1 1 1 1 1 1 1 2 2 2 2 2 2 2<br />
SEP 3 4 5 6 7 0 1 2 3 4 7 8 9 0 1 4 5 6 7 8<br />
OC<br />
T 1 2 3 4 5 8 9<br />
1<br />
0<br />
1<br />
1<br />
1<br />
2<br />
1<br />
5<br />
1<br />
6<br />
1<br />
7<br />
1<br />
8<br />
1<br />
9<br />
2<br />
2<br />
2<br />
3<br />
2<br />
4<br />
2<br />
5<br />
2<br />
6<br />
2<br />
9<br />
3<br />
0<br />
3<br />
1<br />
NO<br />
V 1 2 5 6 7 8 9<br />
1<br />
2<br />
1<br />
3<br />
1<br />
4<br />
1<br />
5<br />
1<br />
6<br />
1<br />
9<br />
2<br />
0<br />
2<br />
1<br />
2<br />
2<br />
2<br />
3<br />
2<br />
6<br />
2<br />
7<br />
2<br />
8<br />
2<br />
9<br />
3<br />
0<br />
DE<br />
1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 3<br />
C 3 4 5 6 7 0 1 2 3 4 7 8 9 0 1 4 5 6 7 8 1<br />
Ke<br />
y:<br />
Annual Tape Usage:<br />
DAILY (MON-THU<br />
TAPE) MONTH 1 Total Tapes Used: 11<br />
FRIDAY<br />
1 MONTH 2<br />
FRIDAY<br />
2 MONTH 3<br />
FRIDAY<br />
3<br />
FRIDAY 4 ( Only for months with 5 Fridays)<br />
Mon 53 Fri 1 12 Month 1 4<br />
Tues 52 Fri 2 12 Month 2 4<br />
Wed 52 Fri 3 12 Month 3 4<br />
Thurs 52 Fri 4 4
12 Month Retention Schedule:<br />
Appendix 3<br />
20<br />
12 M T W T F M T W T F M T W T F M T W T F M T W T F<br />
JA<br />
N 2 3 4 5 6 9<br />
1<br />
0<br />
1<br />
1<br />
1<br />
2<br />
1<br />
3<br />
1<br />
6<br />
1<br />
7<br />
1<br />
8<br />
1<br />
9<br />
2<br />
0<br />
2<br />
3<br />
2<br />
4<br />
2<br />
5<br />
2<br />
6<br />
2<br />
7<br />
3<br />
0<br />
3<br />
1<br />
FE<br />
B 1 2 3 6 7 8 9<br />
1<br />
0<br />
1<br />
3<br />
1<br />
4<br />
1<br />
5<br />
1<br />
6<br />
1<br />
7<br />
2<br />
0<br />
2<br />
1<br />
2<br />
2<br />
2<br />
3<br />
2<br />
4<br />
2<br />
7<br />
2<br />
8<br />
2<br />
9<br />
MA<br />
R 1 2 5 6 7 8 9<br />
1<br />
2<br />
1<br />
3<br />
1<br />
4<br />
1<br />
5<br />
1<br />
6<br />
1<br />
9<br />
2<br />
0<br />
2<br />
1<br />
2<br />
2<br />
2<br />
3<br />
2<br />
6<br />
2<br />
7<br />
2<br />
8<br />
2<br />
9<br />
3<br />
0<br />
AP<br />
1 1 1 1 1 1 1 1 2 2 2 2 2 2 3<br />
R 2 3 4 5 6 9 0 1 2 3 6 7 8 9 0 3 4 5 6 7 0<br />
MA<br />
Y 1 2 3 4 7 8 9<br />
1<br />
0<br />
1<br />
1<br />
1<br />
4<br />
1<br />
5<br />
1<br />
6<br />
1<br />
7<br />
1<br />
8<br />
2<br />
1<br />
2<br />
2<br />
2<br />
3<br />
2<br />
4<br />
2<br />
5<br />
2<br />
8<br />
2<br />
9<br />
3<br />
0<br />
3<br />
1<br />
JU<br />
N 1 4 5 6 7 8<br />
1<br />
1<br />
1<br />
2<br />
1<br />
3<br />
1<br />
4<br />
1<br />
5<br />
1<br />
8<br />
1<br />
9<br />
2<br />
0<br />
2<br />
1<br />
2<br />
2<br />
2<br />
5<br />
2<br />
6<br />
2<br />
7<br />
2<br />
8<br />
2<br />
9<br />
1 1 1 1 1 1 1 1 2 2 2 2 2 2 3 3<br />
JUL 2 3 4 5 6 9 0 1 2 3 6 7 8 9 0 3 4 5 6 7 0 1<br />
AU<br />
G 1 2 3 6 7 8 9<br />
1<br />
0<br />
1<br />
3<br />
1<br />
4<br />
1<br />
5<br />
1<br />
6<br />
1<br />
7<br />
2<br />
0<br />
2<br />
1<br />
2<br />
2<br />
2<br />
3<br />
2<br />
4<br />
2<br />
7<br />
2<br />
8<br />
2<br />
9<br />
3<br />
0<br />
3<br />
1<br />
1 1 1 1 1 1 1 1 2 2 2 2 2 2 2<br />
SEP 3 4 5 6 7 0 1 2 3 4 7 8 9 0 1 4 5 6 7 8<br />
OC<br />
T 1 2 3 4 5 8 9<br />
1<br />
0<br />
1<br />
1<br />
1<br />
2<br />
1<br />
5<br />
1<br />
6<br />
1<br />
7<br />
1<br />
8<br />
1<br />
9<br />
2<br />
2<br />
2<br />
3<br />
2<br />
4<br />
2<br />
5<br />
2<br />
6<br />
2<br />
9<br />
3<br />
0<br />
3<br />
1<br />
NO<br />
V 1 2 5 6 7 8 9<br />
1<br />
2<br />
1<br />
3<br />
1<br />
4<br />
1<br />
5<br />
1<br />
6<br />
1<br />
9<br />
2<br />
0<br />
2<br />
1<br />
2<br />
2<br />
2<br />
3<br />
2<br />
6<br />
2<br />
7<br />
2<br />
8<br />
2<br />
9<br />
3<br />
0<br />
DE<br />
1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 3<br />
C 3 4 5 6 7 0 1 2 3 4 7 8 9 0 1 4 5 6 7 8 1<br />
Ke<br />
y:<br />
DAILY (MON-THU<br />
TAPE)<br />
WEEK 1 MONTH END TAPE Total Tapes Used: 20<br />
WEEK 2<br />
(Labelled JAN, FEB, MAR, etc.)<br />
WEEK 3<br />
WEEK 4 ( Only For Months With 5 Fridays)<br />
Annual Tape Usage:<br />
Mon 53 Fri 1 12<br />
Tues 52 Fri 2 12<br />
Wed 52 Fri 3 12<br />
Thurs 52 Fri 4 4<br />
Version: 1.0 Page 2 of 16<br />
Author: Andrew Mann <strong>Local</strong> <strong>Backup</strong> Procedure<br />
Updated: Jul 2012<br />
Reviewer: <strong>Trust</strong> IGC’s<br />
Review Due: Jul 2015
Section Governance Officer responsible for <strong>the</strong><br />
Andrew Mann, IT Security Manager – IG (CITS)<br />
assessment<br />
Name of Policy to<br />
be assessed<br />
Server <strong>Backup</strong> Tape Procedure –<br />
<strong>Local</strong>/Satellite Sites<br />
Date of<br />
Assessment 18/09/12<br />
Is this a new or existing<br />
Policy?<br />
New<br />
1. Briefly describe <strong>the</strong> aims, objectives and<br />
purpose of <strong>the</strong> Policy.<br />
<strong>Backup</strong>s are an important part of IT Business Continuity and Disaster Recovery. This<br />
procedure documents <strong>the</strong> actions and responsibilities for staff to ensure that<br />
information is secured, enabling it to be restored at a future time following an incident<br />
2. Are <strong>the</strong>re any associated objectives of<br />
<strong>the</strong> Policy? Please explain.<br />
3. Who is intended to benefit from this<br />
Policy, and in what way?<br />
4. What outcomes are wanted from this<br />
Policy?<br />
5. What factors/forces could<br />
contribute/detract from <strong>the</strong> outcomes?<br />
6. Who are <strong>the</strong> main<br />
stakeholders in relation to<br />
<strong>the</strong> Policy?<br />
Version: 1.0 Page 1 of 16<br />
Author: Andrew Mann <strong>Local</strong> <strong>Backup</strong> Procedure<br />
Updated: Jul 2012<br />
Reviewer: <strong>Trust</strong> IGC’s<br />
Review Due: Jul 2015<br />
resulting in data loss.<br />
To assign responsibilities of tape backups. To provide a tape rotation to ensure that<br />
information can be restored back to a suitable point in time. Tapes are stored<br />
securely.<br />
The organisation with benefit as this forms part of services Business Continuity and<br />
Disaster Recovery procedures. Patients will benefit ultimately from <strong>the</strong> provision and<br />
availability of high quality information and data which meets <strong>the</strong> Data Protection Act,<br />
Freedom of Information Act, Human Rights Act, IT Security: NHS Code of Practice<br />
and Records Management: NHS Code of Practice.<br />
That <strong>the</strong> information processed by <strong>the</strong> trust, in all formats, is protected to <strong>the</strong> highest<br />
possible standards and available quickly, processed in line with legislation and all<br />
confidentiality requirements, Government standards and Connecting for Health<br />
requirements.<br />
All staff responsible for changing backup tapes as well as site managers should be<br />
aware of <strong>the</strong> backup requirements and tape rotation. All service managers should be<br />
aware of <strong>the</strong> backup cycles and <strong>the</strong>refore <strong>the</strong> period of time that information can be<br />
restored back to.<br />
<strong>Trust</strong> Board in meeting its responsibilities.<br />
Information Governance Sub Committee<br />
and Head of Information Governance as<br />
<strong>the</strong> key operating functions responsible for<br />
implementing information governance<br />
throughout CIOSPCT. IT Security<br />
7. Who implements <strong>the</strong> Policy,<br />
and who is responsible for <strong>the</strong><br />
Policy?<br />
Information Governance<br />
Sub Committee - Site<br />
Managers are<br />
responsible for ensuring<br />
that appropriate<br />
procedures are in place
8. Are <strong>the</strong>re concerns that <strong>the</strong> Policy could<br />
have a differential impact on RACIAL<br />
groups?<br />
Managers and <strong>the</strong> Server Team (in<br />
Technical Services) are responsible for<br />
ensuring <strong>the</strong> procedures are practical and<br />
meet requirements.<br />
No<br />
to protect continuity of<br />
services.<br />
This Procedure reflects <strong>the</strong> current national guidance and best practice<br />
and is designed to protect <strong>the</strong> rights of all, irrespective of racial groups.<br />
The standards of IG, documents referenced in this Procedure and<br />
training will take account of <strong>the</strong> need to protect data in any required<br />
format or language to ensure accessibility to all to ensure correct use and<br />
handling.<br />
What existing evidence (ei<strong>the</strong>r presumed or<br />
o<strong>the</strong>rwise) do you have for this?<br />
A requirement of <strong>the</strong> information governance programme specifically relates to <strong>the</strong><br />
provision of information in differing formats and evidence is collated to support this.<br />
9. Are <strong>the</strong>re concerns that <strong>the</strong> Policy could<br />
This Procedure reflects <strong>the</strong> current national guidance and best practice<br />
have a differential impact due to GENDER No and is designed to protect <strong>the</strong> rights of all, irrespective of gender.<br />
What existing evidence (ei<strong>the</strong>r presumed or<br />
o<strong>the</strong>rwise) do you have for this?<br />
There are no sections within this Procedure that distinguish between gender or<br />
transgender.<br />
10. Are <strong>the</strong>re concerns that <strong>the</strong> Policy could<br />
have a differential impact due to<br />
DISABILITY?<br />
What existing evidence (ei<strong>the</strong>r presumed or<br />
o<strong>the</strong>rwise) do you have for this?<br />
Yes<br />
The <strong>Procedures</strong> rely on a colour coded matrix to identify <strong>the</strong> correct tape<br />
for <strong>the</strong> different days of <strong>the</strong> week and end of month. Should a disabled<br />
person be appointed who has <strong>the</strong> responsibility for undertaking <strong>the</strong>se<br />
duties, <strong>the</strong>n <strong>the</strong> legal obligation to make reasonable adjustments to<br />
enable <strong>the</strong>m to adequately and competently perform <strong>the</strong>ir duties will be<br />
made.<br />
11. Are <strong>the</strong>re concerns that <strong>the</strong> Policy could<br />
have a differential impact due to SEXUAL<br />
ORIENTATION?<br />
No<br />
There are no sections within this Procedure that would be impacted by<br />
sexual orientation.<br />
Version: 1.0 Page 2 of 16<br />
Author: Andrew Mann <strong>Local</strong> <strong>Backup</strong> Procedure<br />
Updated: Jul 2012<br />
Reviewer: <strong>Trust</strong> IGC’s<br />
Review Due: Jul 2015
What existing evidence (ei<strong>the</strong>r presumed or<br />
o<strong>the</strong>rwise) do you have for this?<br />
12. Are <strong>the</strong>re concerns that <strong>the</strong> Policy could<br />
have a differential impact due to <strong>the</strong>ir AGE? No<br />
Age is not relevant to <strong>the</strong> subject of this Procedure.<br />
What existing evidence (ei<strong>the</strong>r presumed or<br />
o<strong>the</strong>rwise) do you have for this?<br />
This Procedure and its content and implementation will not be impacted by age of<br />
staff or patients.<br />
13. Are <strong>the</strong>re concerns that <strong>the</strong> Policy could<br />
have a differential impact due to <strong>the</strong>ir<br />
RELIGIOUS BELIEF?<br />
No<br />
Religious beliefs are not relevant to <strong>the</strong> subject of this Procedure<br />
What existing evidence (ei<strong>the</strong>r presumed or<br />
o<strong>the</strong>rwise) do you have for this?<br />
No references to Religious beliefs are made within this Procedure.<br />
14. Are <strong>the</strong>re concerns that <strong>the</strong> policy could<br />
have a differential impact due to <strong>the</strong>ir<br />
MARRIAGE OR CIVL PARTNERSHIP<br />
STATUS? (This MUST be considered for<br />
employment policies).<br />
No<br />
Marriage nor civil partnership are relevant to this Procedure.<br />
What existing evidence (ei<strong>the</strong>r presumed or<br />
o<strong>the</strong>rwise) do you have for this?<br />
There are no sections in this Procedure that are relevant to partnerships of any kind.<br />
15. Are <strong>the</strong>re concerns that <strong>the</strong> policy could<br />
have a differential impact due to GENDER<br />
REASSIGNMENT OR TRANSGENDER<br />
ISSUES?<br />
No<br />
Gender reassignment or transgender issues are not relevant to <strong>the</strong><br />
subject matter of this Procedure or associated documents. The <strong>Local</strong><br />
<strong>Backup</strong> Procedure and o<strong>the</strong>r information governance policies and<br />
procedures will be made available to all staff, regardless of gender.<br />
Version: 1.0 Page 3 of 16<br />
Author: Andrew Mann <strong>Local</strong> <strong>Backup</strong> Procedure<br />
Updated: Jul 2012<br />
Reviewer: <strong>Trust</strong> IGC’s<br />
Review Due: Jul 2015
What existing evidence (ei<strong>the</strong>r presumed or<br />
o<strong>the</strong>rwise) do you have for this?<br />
16. Are <strong>the</strong>re concerns that <strong>the</strong> policy could<br />
have a differential impact due to<br />
PREGNANCY OR MATERNITY?<br />
What existing evidence (ei<strong>the</strong>r presumed or<br />
o<strong>the</strong>rwise) do you have for this?<br />
17. How have <strong>the</strong> Core Human Rights<br />
Values of:<br />
Fairness;<br />
Respect;<br />
Equality;<br />
Dignity;<br />
Autonomy<br />
The <strong>Local</strong> <strong>Backup</strong> Procedure and associated documents are made available in <strong>the</strong><br />
document library and via <strong>the</strong> Weekly Bulletin for all staff.<br />
The <strong>Local</strong> <strong>Backup</strong> Procedure documentation will remain available to staff<br />
No on maternity leave or on return from maternity leave. Knowledge and<br />
skills following maternity leave will be updated using a hand over process<br />
between <strong>the</strong> member of staff returning to work and <strong>the</strong> member of staff<br />
returning to duty.<br />
There is nothing in this Procedure which would relate specifically to pregnancy or<br />
maternity leave, The <strong>Local</strong> <strong>Backup</strong> Procedure and associated documents are made<br />
available in <strong>the</strong> document library for all staff.<br />
The requirements and principles of <strong>the</strong> Data Protection Act, which is linked to <strong>the</strong><br />
Human Rights Act, have been taken into account when writing this Procedure,<br />
including <strong>the</strong> individual rights of staff and patients as data subjects. Fairness in<br />
informing patients of <strong>the</strong> uses to be made of <strong>the</strong>ir data in a fair processing notice<br />
have been produced, respect for patient privacy, dignity and choice have been<br />
written into all Information Governance Policies produced and linked to this<br />
Procedure.<br />
Been considered in <strong>the</strong> formulation of this<br />
policy/Policy<br />
If <strong>the</strong>y haven’t please reconsider <strong>the</strong><br />
document and amend to incorporate <strong>the</strong>se<br />
values.<br />
Version: 1.0 Page 4 of 16<br />
Author: Andrew Mann <strong>Local</strong> <strong>Backup</strong> Procedure<br />
Updated: Jul 2012<br />
Reviewer: <strong>Trust</strong> IGC’s<br />
Review Due: Jul 2015
18. Which of <strong>the</strong> Human Rights Articles<br />
does this document impact?<br />
The right:<br />
Yes<br />
No<br />
What existing evidence (ei<strong>the</strong>r presumed or<br />
o<strong>the</strong>rwise) do you have for this?<br />
• To life;<br />
• Not to be tortured or treated in an inhuman or degrading way;<br />
• To be free from slavery or forced labour;<br />
• To liberty and security;<br />
• To a fair trial – <strong>the</strong> need for a route and process of complaint<br />
is recognised and provided in <strong>the</strong> data protection leaflet made<br />
available to staff and patients;<br />
• To no punishment without law;<br />
• To respect for home and family life, home and<br />
correspondence – respect for patient wishes is taken into<br />
account in IG policies and privacy assessment tool is used<br />
when implementing new systems or uses of information;<br />
• To freedom of thought, conscience and religion;<br />
• To freedom of expression – patient choice has been a<br />
consideration in writing IG documentation, as well as <strong>the</strong> need<br />
for availability of differing formats and language as and when<br />
necessary;<br />
• To freedom of assembly and association;<br />
• To marry and found a family;<br />
• Not to be discriminated against in relation to <strong>the</strong> enjoyment of<br />
any of <strong>the</strong> rights contained in <strong>the</strong> European Convention;<br />
• To peaceful enjoyment of possessions and education;<br />
• To free elections<br />
No<br />
No<br />
All documentation produced as part of <strong>the</strong> Information Governance programme of<br />
work has taken account of <strong>the</strong> Human Right Act and this has been referenced where<br />
necessary.<br />
Yes<br />
Yes<br />
No<br />
No<br />
No<br />
No<br />
No<br />
No<br />
No<br />
No<br />
No<br />
No<br />
Version: 1.0 Page 5 of 16<br />
Author: Andrew Mann <strong>Local</strong> <strong>Backup</strong> Procedure<br />
Updated: Jul 2012<br />
Reviewer: <strong>Trust</strong> IGC’s<br />
Review Due: Jul 2015
How will you ensure that those responsible<br />
for implementing <strong>the</strong> Policy are aware of <strong>the</strong><br />
Human Rights implications and equipped to<br />
deal with <strong>the</strong>m?<br />
19. Could <strong>the</strong> differential<br />
impact identified in 8 – 13<br />
amount to <strong>the</strong>re being <strong>the</strong><br />
potential for adverse impact N<br />
in this policy?<br />
20. Can this adverse impact<br />
be justified on <strong>the</strong> grounds of<br />
promoting equality of<br />
N<br />
opportunity for one group?<br />
Or any o<strong>the</strong>r reason?<br />
21. Should <strong>the</strong> policy<br />
proceed to a full equality<br />
impact assessment? N<br />
The Act has been referenced within <strong>the</strong> Procedure and any monitoring of compliance<br />
will include <strong>the</strong> awareness of patients and staff having a right to privacy, dignity,<br />
respect and choice. Training in Human Rights Act is also made available to staff.<br />
Any and all adverse impacts will be mitigated by adjustments indicated at times of<br />
additional needs.<br />
Please explain for each equality heading (questions 8 –13) on a separate piece of<br />
paper.<br />
If Yes, describe why, <strong>the</strong>n proceed to a full EIA.<br />
If No, are <strong>the</strong>re any minor fur<strong>the</strong>r amendments that should take place? No<br />
If a need for minor amendments is identified, what date were <strong>the</strong>se completed and<br />
what actions were undertaken.<br />
Signed (completing officer) ……… …………………………………….. Date<br />
Signed (Head of Section) ……………………………………………………….. Date<br />
Please ensure that a signed copy of this form is sent to both <strong>the</strong> Policies Officer and <strong>the</strong> Equality and Diversity lead to be placed<br />
on <strong>the</strong> Primary Care <strong>Trust</strong> website.<br />
Version: 1.0 Page 6 of 16<br />
Author: Andrew Mann <strong>Local</strong> <strong>Backup</strong> Procedure<br />
Updated: Jul 2012<br />
Reviewer: <strong>Trust</strong> IGC’s<br />
Review Due: Jul 2015