MEMBER IT POLICY

Version 1.0

Document control summary

Title: Member IT Policy (Member Policy on the use of Information Technology)
Status: Approved
Version No.: 1.0
Date of approval: 24 April 2014
Author(s): Idris Evans - Information Security & Compliance Manager
Approved by: RCN Council
Circulated to: All Members who use RCN IT Equipment or Services
Next Review Date: September 2015

VERSION CONTROL SUMMARY

Version: 1.0
Date: 12 September 2013
Summary: Approved by RCN Council 24 April 2014

Members IT policy 2014.docx Page 1 of 14

CONTENTS

Policy Statement
Scope of Policy
1.0 Protection of the IT Environment
2.0 Data and File Management
3.0 Acceptable Use
4.0 E-mail
5.0 Health & Safety
6.0 Maintenance of the Policy
7.0 Monitoring and Reporting
8.0 Breach of this policy
9.0 Impact Assessment Statement
10.0 Policy Review

Introduction

Policy Statement

Technology is transforming the way in which the Royal College of Nursing (RCN) functions as a business. The effective use of new technologies is key to enabling smarter working practices and shaping the way we work together to achieve our objectives for the RCN. With the right technology choices people may work just as well away from the office. Social networking enables greater flexibility in the way we interact with and learn from each other.

While technology has significant positive potential in supporting members to work more effectively and efficiently wherever they are, it is essential that members also understand their responsibility when using technology in performing their roles. As such, the Member IT Policy has been created to outline the responsible and acceptable usage of technology by members of the RCN.

It should be noted that the RCN will decide which members are permitted access to its IT equipment and systems and which of these members will be allocated RCN e-mail addresses.

Laptop computers provide important functionality for specific purposes:

RCN Branch members:

To have computing resources at hand in meetings, to be productive while away on Branch business, and, when occasionally working at home, to eliminate duplication of resources, files, etc.

RCN Accredited Stewards:

To access the case management system at their place of work, in meetings or at home to check member details, update case information and securely correspond via e-mail with RCN staff and members.

Along with the benefit of using RCN owned laptop computers comes additional responsibility to safeguard them from potential theft or damage. If a laptop is stolen or lost there are additional security implications for any data that might have been stored on that laptop as well.

This policy addresses actions that must be taken in order to minimise the risk of the theft or loss of RCN Branch owned laptops and all RCN equipment provided to Accredited Stewards for the purpose of case management and the associated costs to the RCN.

All RCN Branch owned laptops and case management equipment are governed by this policy, including systems made available as primary workstations and tablets assigned to an individual Branch member or representative, or purchased through grant monies for specific projects.

The aims of this policy are to:

• ensure that everyone acting on behalf of the RCN understands the basis on which they should use RCN Information Technology (IT). This applies to members of the RCN, branch officials, accredited representatives and Council members;

• provide clarity on individual responsibilities so as to ensure the use of RCN systems is consistent with the RCN’s business objectives; and

• protect confidential data; to protect systems from viruses, theft and misuse; to prevent unauthorised use and to prevent breach of copyright.

This policy complies with requirements in:

• The Computer Misuse Act 1990;

• The Copyright, Designs and Patents Act 1988;

• The Data Protection Act 1998;

• Electronic Communications Act 2000;

• Regulation of Investigatory Powers Act 2000;

• Privacy and Electronic Communications Regulations 2003;

• The Health and Safety at Work Act 1974;

• The Health and Safety (Display Screen Equipment) Regulations 1992 (as amended 2002);

• Waste Electrical and Electronic Equipment (WEEE) Regulations 2006; and

• Health & Safety at Work (NI) Order 1978 and Health & Safety (Display Screen Equipment) Regulations (NI) 1992 (as amended 2002).

Scope of the Policy

This policy applies to all member usage of the RCN’s IT equipment and reference to the RCN in the use of IT equipment in general and should be read in conjunction with the Data Protection Policy for Members.

For the purposes of this policy the term members applies to all members of the RCN, branch officials, accredited representatives and Council members authorised to use the RCN systems. A breach of or failure to comply with this policy may result in removal of this access and require the return of any RCN supplied equipment.

RCN Branch laptops are for Branch use only and may not be used for personal projects, for storing Case management information or for entertainment. RCN Branch laptops may be used for the following Branch related purposes, including but not limited to:

• Using the laptop as the primary workstation computer for Branch work.

• Using the laptop on a Branch trip, such as to a conference, workshop, etc.

• Using the laptop to make a presentation.

• Using the laptop for any other RCN Branch related task.

It should be noted that there is a separate IT policy for staff members.

Member policy on the use of Information Technology

1.0 Protection of the IT Environment

1.1 User Accounts

1.1.1 The RCN provides members with the facility to log-on (sign-on) at the beginning of each computer based work session using a unique personal Username and Password to identify themselves.

1.1.2 The use of user names (user identification) and passwords protects initial access to all computer systems and software. System software audits are continuously operated in order that any security incidents can be investigated.

1.1.3 All members are required to:

• select their own passwords and will be asked to change them at regular intervals, at least every 90 days;

• select passwords that are at least 9 digits long and a mixture of uppercase and lowercase letters and numbers or special characters and must not be a repeat of any of the previous 12 passwords used;

• keep passwords confidential. Use of another member’s password or sharing of their own password may result in the removal of access;

• refrain from using offensive or obscene words or images, the use of which is strictly forbidden;

• change any passwords generated and issued by the Service Desk;

• lock computers using the standard computer lock in Windows, which can be accessed by pressing the keys “Ctrl, Alt and Del” simultaneously when leaving your desk unoccupied. This will prevent anyone else using your network account;

• log out and switch off their workstation at the end of their working day unless they need the PC for remote access;

• report immediately to the Service Desk if you have reason to suspect that someone has tried to enter the computer environment illegally and/or has been tampering with any IT equipment.

1.1.4 The RCN identifies usage of its systems by your username and password. On no account can usernames or passwords be divulged to anyone. Your computer use is directly related to the username and password. Any member sharing his or her password should be advised that this is not permitted and may result in removal of their access.

1.1.5 All information on the RCN computer system is the property of the RCN.

In order to maintain the balance between individual privacy and operational effectiveness, however, the Information Technology Department will not grant access to a user’s system and/or mailbox without permission of the individual unless in accordance with the procedure to be followed as per sections 1.1.6 and 1.1.7 below.

1.1.6 There may be an operational requirement where your Regional or Country Director requires access to your system in your absence when there are legitimate reasons to do so, for example, where urgent correspondence has been sent to an absent member. In these instances the Information Technology Department will access the user’s H: Drive and/or mailbox without their permission to retrieve the specified document(s) only. Only a Regional or Country Director can authorise this emergency access via the Information Security & Compliance Manager.

The authority will only be granted for operational reasons to access specific operational material. Managers will not be given general access to the user’s account. Only the Information Technology Department will be able to retrieve the requested information.

1.1.7 There may be occasions when access is required to a member’s RCN systems and/or mailbox. A member of the Executive Team can request this with the written approval of the Director of Governance Support via the Head of Information Technology or the Information Security & Compliance Manager.

Any such access requests will be time limited and need to relate to a specific investigation/issue over a specified period of time. Only information relating directly to the issue under investigation will be supplied.

1.2 Equipment

1.2.1 Your computer is a valuable piece of equipment and should be treated as such.

1.2.2 All members are required to observe the following:

• It is the responsibility of the RCN to provide an environmental and IT infrastructure that has due regard for all aspects of the health and safety of its staff and its members and it is the responsibility of all members to maintain the environment and infrastructure in that state;

• Avoid eating or drinking near computer equipment;

• Do not leave equipment in a position where it is at risk, i.e. balancing on a narrow bookcase, close to a source of liquid etc;

• Ensure that office and/or equipment are not left unprotected. It is the responsibility of members to safeguard both RCN equipment and information;

• Always lock laptops away overnight;

• Do not leave portable equipment on view in a public location or unattended in a vehicle. If leaving equipment in a vehicle is unavoidable it must be stored securely out of sight in the boot, and the vehicle must be locked; and

• Laptops, where supplied, are for business and not for personal use and must be kept available at all times. All information stored on the laptop must also be saved on the file server to ensure it is backed up and available for other team members.

1.2.3 All computer equipment and software will be purchased and installed by the Information Technology Department.

1.2.4 When a computer that has been purchased by the RCN has been highlighted for replacement, members will be informed and arrangements agreed for the replacement.

1.2.5 The Information Technology Department will ensure that all mobile devices, including but not limited to laptops, Blackberrys, smartphones and tablets, are fully encrypted.

1.3 Unauthorised Changes to the system

Users may not alter their computer system set-up. The Information Technology Department is responsible for all system set-up including the corporate and local networks.

1.4 New Software

1.4.1 In order to protect the RCN network, under no circumstances should software be downloaded from the internet. In the event that a piece of software is identified as a potentially valuable business tool the matter must be discussed with the IT Development Manager before proceeding. It is essential that no software licences are breached.

1.4.2 It is the responsibility of the Information Technology Department to purchase and install all software required by the RCN. Permission to install non-standard software, which is not normally supplied or supported by the Information Technology Department, should be sought from the service desk.

1.5 Virus Protection

A virus is a small program that attaches itself to certain other software files. As these files are used the infection spreads to other files which can spread across an entire network. The minimum effect is to create much confusion and concern; the more serious types can cause catastrophic and permanent damage to RCN operational data.

Viruses are usually transmitted via e-mail but are increasingly occurring as a result of files being downloaded from the Internet. Even shrink-wrapped new software has been known to carry a virus.

Steps have been taken to protect the RCN network against virus attacks but new strains are appearing every day. Therefore it is important that all members remain vigilant and report any suspected problems to the Service Desk immediately.

Do not:

• Load any unauthorised software on to any RCN owned portable, PC or the network – this includes items such as screen savers, and free software supplied with some newspapers or magazines.

• Attempt to access any external software packages via the Internet using RCN equipment unless authorised to do so through services provided by the Information Technology Department.

Do:

• Report immediately any suspicion you have about any form of virus on your workstation or the RCN network to the Service Desk.

1.6 Reporting incidents

1.6.1 In order to ensure that information security events and weaknesses with Information Technology can be acted upon they should be reported to regional officers and the Service Desk as quickly as possible.

1.6.2 Examples of security events and incidents include, but are not limited to:

• Loss or theft of ICT Equipment

• Loss or theft of paper records, such as files, notebooks, governance papers/confidential/commercial information etc.

• Loss of service, equipment or facilities

• System malfunctions

• Human errors

• Non-compliance with policies or guidelines

• Breaches of physical security arrangements

• Uncontrolled system changes

• Malfunctions of software or hardware

• Access violations

1.7 Responding to incidents

1.7.1 All incidents reported to the Service Desk will be responded to as defined in current SLAs and will also be referred to the Information Security and Compliance Manager for any further investigation and action required.

1.7.2 The response to all incidents will follow the Information Commissioner’s Office guidance on data security breach management. Any allegation of a breach of data protection will be investigated by the RCN IT Operations Manager and the relevant Regional Director, who will produce a report for the Director of Finance.

2.0 Data and File Management

2.1 Do not download, store or record data that includes any personally identifiable information such as: Name, Address, Membership number or any other sensitive information, etc. which if lost or stolen could be used for Identity theft and would breach the Data Protection Act.

2.2 The user is responsible for the security of all information stored on, or carried with, the laptop and as such is requested to store NO RCN member information on the laptop. All member information should be recorded in the Case Management system.

2.3 The user is responsible to make sure that virus protection updates, operating system updates and virus scans are performed regularly.

2.4 Do not alter any system software or hardware configuration unless instructed to do so by someone from the Information Systems Department.

2.5 Safeguard the device and data by ensuring the laptop is “locked” or the user is logged off when not in use. All Branch equipment must be password protected.

2.6 Back-Up

2.6.1 To ensure that no data is lost, it is essential that, where available, all data is stored on either the user’s home drive (H), the departmental group drive (G) or shared drives. These drives reside on central file servers that are backed up on a daily schedule by the IT Support team. This ensures data is not irretrievably lost should one of your drives become lost or corrupted.

2.6.2 To ensure that the risk of data loss is minimised, users should ensure that laptops are regularly connected to the network to ensure data is moved onto network drives.

2.6.3 The local drive (C) should not be used for data storage as these files will not be backed up.

2.6.4 It is the responsibility of the Infrastructure Team within the Information Technology Department to have in place a tested and regularly practised ‘Restore’ procedure that meets the operational needs of all centrally backed-up data and systems.

3.0 Acceptable use

Members have an individual duty to ensure that their usage of Information Technology is consistent with acceptable practice and is consistent with the RCN’s business objectives. It is generally unacceptable if the RCN’s resources or equipment are used to obtain or transmit information for private purposes. Members should be aware that software is used to monitor all IT activity.

Examples of unacceptable usage are given below.

• The creation, transmission or use of any offensive, obscene or indecent images, data or other material.

• The creation, transmission or use of material which is designed or likely to cause annoyance, inconvenience or needless anxiety, including the sending of chain e-mail and Spam (that is, unsolicited or undesired bulk electronic messages).

• The creation, transmission or use of material which is designed or likely to compromise the security of the RCN’s systems or data, including network security information and user names/passwords or pins.

• The creation, transmission or use of defamatory material, that makes a false claim, expressly stated or implied to be factual, that may cause offence and/or may bring the RCN into disrepute.

• The transmission of material such that it infringes the copyright of another person, where the sender does not have the explicit permission of the owner or does not own the copyright themselves (see RCN Intellectual Property Policy).

• The transmission of material that breaches the duty of confidentiality, such as data from the membership database.

• The transmission of large volumes of material (for example, in excess of 20MB) that requires excessive amounts of network capacity and data storage.

• The transmission of unsolicited commercial or advertising material either to other RCN users, or to organisations and individuals connected to other networks; this could be considered as spam and has the potential to deviate from the Data Protection Act. Please refer to the Bulk E-mail section of the Data Protection Policy for Members for additional guidance.

• To dial up the network, using the free remote connections to the internet, for private/personal use.

• To use RCN hardware (for example, laptops) to access, store or transmit any of the above.

• The transfer of any sensitive information such as member information / staff information without encryption or approval. For guidance on the definition of what is or isn’t sensitive data please refer to the Data Protection Policy.

• Unauthorised representation of the RCN using electronic media either during work time or outside.

• To connect any unauthorised device to the RCN network.

4.0 E-mail

4.1 All email sent and received using RCN e-mail addresses will be archived and stored for a period of three years.

4.2 All email sent and received using RCN e-mail addresses will remain the property of the RCN.

4.3 The RCN has implemented a size limitation on messages and users are expected to zip large attachments over 5MB. Files larger than 10MB cannot be transmitted or received. Large files should always be zipped.

4.4 Certain file types which may be attached to mail are prohibited, as they represent an unacceptable security risk to the RCN, and will be blocked from the RCN network. Intended recipients will be notified that any message(s) has been blocked.

4.5 Each mailbox is subject to an automatic archiving process, where all email over 30 days old is archived.

4.6 All members must be aware of the danger of inadvertently making or varying, by email, a legally binding contract on behalf of the RCN. No-one should correspond by this means with suppliers of goods or services to the RCN unless they are authorised to do so.

5.0 Health & Safety

5.1 The use of information technology raises a number of well-known health and safety concerns. Activists should ensure that they familiarise themselves with general guidance on best practice (see links below), including information published by the RCN which is attached to the user guidance, to minimise the risks to your health and safety. In particular, this includes checking the design of your ‘work-station’, your posture whilst using the equipment, the need for regular breaks and so on.

http://www.hse.gov.uk/msd/dse/

http://www.tuc.org.uk/workplace-issues-12

http://www.posturite.co.uk/posture-learning-resources

6.0 Maintenance of the policy

6.1 The content of this document is not exhaustive but indicates issues which the RCN considers serious in the management of information technology.

6.2 Should you require assistance on any issues arising out of your responsibilities, please discuss them with the Information Security & Compliance Manager or the Head of IT.

7.0 Monitoring and Reporting

7.1 Monitoring and auditing of IT systems, especially the internet and email, is performed continually to ensure integrity of the systems and policies, as well as compliance with legal and contractual obligations and capacity planning.

7.2 Individual emails are not opened but all mail will automatically be scanned by specialist software. Staff are reminded that any content may be highlighted for review by members of the Information Technology department.

8.0 Breach of this policy

This policy is intended to ensure that members working for or with the RCN understand the basis on which they should use RCN IT systems.

Access to the systems may be withdrawn and equipment returned to the RCN in any case of misuse of these facilities.

9.0 Impact Assessment Statement

This policy has undergone an equalities impact assessment process and has been determined to have no unjustifiable negative impact on a specific equality group or groups.

10.0 Policy Review

It is the responsibility of the Information Security & Compliance Manager to monitor and review this policy, and to present any necessary changes to the Executive Team and relevant Committees of Council. This Policy will be reviewed on an annual basis.

Member IT Policy Acknowledgement

Full Name:

_____________________________________________________________

(Last) (First) (MI)

Phone Number: _____________________

Equipment Received (if any) (Make/Model):___________________________

Branch:__________________________________

Signature:

_____________________________________________________________

Date: _____/____/__________________
