Data integrity policy

It is also to protect employees’ personal integrity, so that each individual can then act based on the conditions that apply, and in the longer term also protect Humana’s IT infrastructure against infringement or data leaks, thus helping to safeguard Humana’s brand.

The following rules apply as regards employees’ use of IT, based on Humana’s divisions and the commercial requirements imposed by Humana’s owners, customers and other stakeholders.

In addition, secure handling of all types of information is highly significant for Humana and its underlying business areas, and comprises a key element of the company’s overall security management. It should not be possible to corrupt or lose data, and data must always be protected against unauthorised access.

Goals

Humana has therefore defined these points as particularly important target areas to comply with in order to achieve effective data security, and the company requires good compliance in this area of each individual user when using Humana’s IT equipment and system support. Humana’s goal is to have an IT environment with few incidents and high data security, which also means that Humana must comply with the laws and regulations that are relevant to Humana’s type of business.

• Management of access rights and passwords
• Professional and private use of email and internet
• Use of mobile devices
• Software licensing
• Confidentiality and treatment of sensitive information and personal data

Ensuring good quality and compliance at all levels means that at Humana we must always remember that:

• We are obliged to keep passwords secret and not store them in plain text at our desk.
• Humana’s email and internet connection may be used for private purposes provided such use does not cause inconvenience to the employer.
• All equipment must be supervised and when not in use should be kept locked away or taken home at the end of the working day, and protected by a password login.
• Only software approved by Humana’s IT department may be installed on computers and other IT-related equipment.
• Information may not be made available or disclosed to individuals outside the organisation without prior approval from the relevant responsible manager/line manager.
• Humana only uses hardware such as computers, photocopiers, printers and mobile phones that has been acquired using Humana’s ordering procedures and that is in line with the specifications stipulated in Humana’s ordering portal.
• Information may not be forwarded to private devices (mobile phones, tablets, etc.) or private email.
• Information containing personal details may not be forwarded to a third party without a signed data assistant agreement (biträdesavtal) according to applicable legislation.
• Information of a sensitive nature may not be forwarded to a third party without a confidentiality agreement in place, for example when working with an external party or supplier.

Furthermore, Humana’s employees must always treat sensitive data, potential trade secrets and Humana’s property in documents and applications with the greatest caution, and only use it to the extent required for the task in question or the employee’s role. The same applies for overall IT security such as remote access from home or from another workplace outside the office, or operations via Humana’s VPN connection.

It is incumbent upon every employee and their line manager to always ensure that the IT department is correctly informed of rights/access and that employees are assigned the requisite access level based on their role in Humana’s organisation. This includes having the correct level of access to documents and support systems, as well as knowledge of where the employee should store material for automatic backup to apply.

Performance indicators

These indicators and evaluation points are used by Humana to continually follow up and ensure good quality, correct IT use and data security.

• Monthly monitoring of support enquiries based on category and business area, allowing Humana to regularly ensure problem areas are identified and addressed. Humana then also follows up solution rates and response times to ensure continual improvement.
• Monthly monitoring of operating status, together with operating partners and other parties involved, which means that procured SLAs are monitored for compliance and that any potential operating or security-related incidents are always dealt with properly and documented.
• Annual IT survey linked to the general employee survey, allowing Humana to focus on perceived problem areas and work proactively to address them. Humana endeavours to constantly improve its measurable results from year to year.
• Internal audits of data security and compliance linked to the Swedish Personal Data Act (PUL), Patient Data Act (Patientdatalagen) and GDPR by Humana running spot checks in the systems that contain this type of information. Deviations are handled in accordance with guidelines. Humana’s aim is for such deviations to be kept to a minimum and for the company to work actively to prevent a recurrence.
• Major IT incidents such as business interruptions and incidents relating to infringement or data security are handled as a deviation and in addition to being registered as a support enquiry they must always be registered in Humana’s deviation system.

Responsibility

Access rights and passwords

In order to maintain effective IT security it is vital that each individual employee follows guidelines relating to management of access rights.

• Employees are obliged to keep passwords secret and not store them in plain text at their desk.
• Employees must not allow any other person or department to borrow their password.
• Employees must change their passwords when necessary or in response to a request from the IT department or system owner.
• For troubleshooting on computers and software relating to a specific user, personal passwords may only be disclosed to the IT department.

Internet

Firewall traffic is logged, as internet use is an area where security is impacted to a considerable degree by user behaviour. The general rule is that when files are downloaded from the internet, users are required to exercise sound judgement and only access such material or information that is relevant to their work and that comes from reliable websites. Employees are not permitted to use the internet to view/listen to material with pornographic, racist or Nazi content. The ban also extends to material that is discriminatory or connected with criminal activity. Private browsing should be kept to a minimum and good judgement should be used. This also applies to employees who have their own private computer or mobile with them during working hours.

On suspicion of a breach of this policy

Every manager is responsible for reporting suspected breaches of this policy to Humana’s CIO. A deliberate breach of a serious nature may lead to a damages claim and dismissal. If the offence is extremely serious, it may be reported to the police and result in prosecution.

As a company, Humana must always ensure that its employees are aware of, and have received training in relevant legislation, and that based on their work duties they have a firm understanding of the laws and regulations they are expected to comply with on a daily basis.

• Swedish Personal Data Act (Personuppgiftslagen, PUL SFS 1998:204)
• Swedish Bookkeeping Act (Bokföringslagen)
• Social Services Act (Socialtjänstlagen, SOL 2001:453)
• Healthcare Act (Hälso- och sjukvårdslagen 2017:30)
• Patient Safety Act (Patientsäkerhetslagen 2010:659)
• Patient Data Act (Patientdatalagen 2008:355)
• EU General Data Protection Regulation (GDPR)

Individual responsible for Humana’s IT Policy

The person responsible for the IT Policy is Humana’s CIO, in consultation with Humana’s Group management.