
Human Resources

1. On-boarding of employees of the health care facility. All candidates for employment, contractors and third parties shall be adequately screened, especially for sensitive jobs.

Security roles and responsibilities of employees, contractors and third-party users shall be defined and documented in accordance with the facility's information security policy. This document shall be signed, as an agreement, by employees, contractors and third-party users of information processing facilities.

Security roles and responsibilities shall include the requirement to:
a.) Implement and act in accordance with the health care facility's information security policies;
b.) Protect assets from unauthorized access, disclosure, modification, destruction or interference;
c.) Execute particular security processes or activities;
d.) Ensure responsibility is assigned to the individual for actions taken;
e.) Report security events or potential events or other security risks to the organization.

Security roles and responsibilities shall be clearly defined and communicated.

Background verification checks on all candidates for employment, contractors and third parties shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed and the perceived risks. Procedures shall define criteria and limitations for verification checks (who is eligible to screen people, and how, when and why verification checks are carried out).

A screening process shall be carried out for contractors and third parties. Where contractors are provided through an agency, the contract with the agency should clearly specify the agency's responsibilities for the screening and the notification procedures it must follow if screening has not been completed or if the results give cause for doubt or concern. In the same way, the agreement with a third party should clearly specify all responsibilities and notification procedures for screening.

Employees, contractors and third-party users shall agree to and sign the terms and conditions of their employment contract, which shall state their and the health care provider's responsibilities for information security. Terms and conditions of employment shall reflect the health care facility's security policy in addition to clarifying:
a.) That all employees, contractors and third party users who are given access to sensitive information shall sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities;
b.) The employee's, contractor's and any other user's legal responsibilities and rights (e.g. copyright laws or data protection legislation);
c.) Responsibilities for the classification of information and management of organizational assets associated with information systems and services handled by the employee, contractor or third party user;
d.) Responsibilities of the employee, contractor or third party for the handling of information received from other companies or external parties;
e.) Responsibilities of the organization for the handling of personal information, including personal information created as a result of, or in the course of, employment with the organization;
f.) Responsibilities that are extended outside the organization's premises and outside normal working hours;
g.) Actions to be taken if the employee, contractor or third-party user disregards the organization's security requirements.

2. Employment Period. During and after employment, no patient information shall be disclosed without the patient's consent.

2.1. Management Responsibilities. Management responsibilities should be defined to ensure that security is applied throughout an individual's employment within the organization.

Management responsibilities shall ensure that employees, contractors and third-party users are:
a.) Properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information or information systems;
b.) Provided with guidelines stating the security expectations of their role within the health care facility;
c.) Motivated to fulfill the security policies of the health care facility;
d.) Able to achieve a level of awareness of security relevant to their roles and responsibilities within the health care facility;
e.) Able to conform to the terms and conditions of employment, which includes the health care facility's information security policy and appropriate methods of working;
f.) Continuing to have the appropriate skills and qualifications.

2.2. Awareness and Training. An adequate level of awareness, education and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third-party users. A formal disciplinary process for handling security breaches shall be established.

Awareness training shall commence with a formal induction process designed to introduce the health care facility's security policies and expectations before access to information or services is granted.

The security awareness, education, and training activities should be suitable and relevant to the person's role, responsibilities and skills, and should include information on known threats, who to contact for further security advice and the proper channels for reporting information security incidents.

2.3. Disciplinary Process. There shall be a formal disciplinary process for employees who have committed a security breach.

References:

  • PHIC Human Resources Security document.


See Also