Document name: Acceptable Use of Communications Technology Policy and Guidelines
Document type: Policy
Staff group to whom it applies: All staff within the Trust
Distribution: The whole of the Trust
How to access: Intranet
Issue date: December 2012
Next review: December 2014
Approved by: Executive Management Team
Developed by: Deputy Director of Information
Director leads: Director of Finance
Contact for advice: Deputy Director of Information; Portfolio Manager – IT Infrastructure

Acceptable Use of Communications Technology Policy
Page 1 of 44

Contents

1. Introduction  4
2. Purpose and Scope of the Document  4
3. Definitions  5
   3.1 Communication Technology  5
   3.2 Data Protection  5
   3.3 Infrastructure  5
4. Duties and Responsibilities  6
   4.1 Trust Responsibilities  6
   4.2 SIRO Responsibilities  6
   4.3 Line Manager Responsibilities  6
   4.4 Staff Responsibilities  6
   4.5 The Health Informatics Service / BHNFT ICT Service  7
   4.6 Legal Responsibilities  7
5. Principles  8
   5.1 Security and Confidentiality  8
   5.2 Use of Communications Technology  8
   5.3 Inappropriate Use of Communications Technology  9
   5.4 Security of Communications Facilities  11
   5.5 Monitoring of Communications by the Trust  12
   5.6 Data Protection  12
   5.7 Use of Social Media  13
   5.8 E-Mail Archiving  14
   5.9 Encryption  15
6. Equality Impact Assessment  15
7. Dissemination and Implementation  15
8. Process for Monitoring Compliance and Effectiveness  16
9. Review and Revision Arrangements (including archiving)  16
10. References  16
11. Associated Documents  17

Appendices
A  Equality Impact Assessment Tool  18
B  Checklist for the Review and Approval of Procedural Document  21
C  Version Control  24
D  Impact of Implementation  25
E  Monitoring Patient System, Internet or E-Mail Use as part of an investigation  26
E1 Accessing E-Mail when a member of staff is absent  29
G  Guidelines in Support of the Acceptable Use of Communications Technology Policy  31

Acceptable Use of Communications Technology Policy

1 Introduction

1.1 This document defines the Acceptable Use of Communications Technology Policy for South West Yorkshire Partnership NHS Foundation Trust (referred to hereafter as the Trust). The policy applies to all staff, non-executive directors, contracted third parties (including agency staff), students/trainees, people on secondment and other staff on placement with the Trust, and staff of partner organisations with approved access to the Trust’s communications facilities. For clarity, throughout the rest of the document they will simply be referred to as ‘staff’. It has been produced in conjunction with representatives of other NHS Trusts on the Community Of Interest Network (COIN).

1.2 The Trust IT infrastructure is currently supported via a service level agreement with The Health Informatics Service (The HIS) and the Barnsley Hospitals NHS Foundation Trust (BHNFT) Information and Communications Technology (ICT) Service.

1.3 This policy replaces the existing E-Mail Policy, Encryption Policy and Internet Policy, and is an alignment of the Acceptable Use of Communications Technology Policy from NHS Barnsley.

1.4 The Trust’s communications facilities are available to users for the purposes of its business. A degree of limited and responsible personal use by users is also permitted. All use of the Trust’s communications facilities is governed by the terms of this policy and the accompanying procedure documents.

2 Purpose/Scope of this Policy

2.1 This document has been developed to explain and set out the Trust’s communications technology policy and to define the boundaries of its use, so that staff can make the most efficient use of electronic communications and understand the limits of that use.

2.2 Wilful or negligent disregard of this policy may be investigated and dealt with under the Trust Disciplinary Procedure.

2.3 This policy applies to all information media, systems, networks, portable electronic devices, telephones, applications, locations and users within the Trust.

2.4 This policy covers the use of communication technology by staff using Trust equipment, and also their responsibilities for the use of communications technology in their own time and on their own equipment.

3 Definitions

3.1 Communication Technology
The term covers the use of the following items:
- Personal computers (PCs)
- Laptops
- Tablets
- Smartphones (such as BlackBerrys, iPhones, HTC phones)
- Mobile phones
- Telephones
- Removable storage devices (such as memory/pen/USB sticks, CDs/DVDs and removable hard drives)
- Network facilities
- Fax machines
- Copiers
- Scanners
Note that some elements of personal use of the Trust communications facilities are specifically addressed in section 5.2.2.

3.2 Data Protection
Data protection exists to preserve the privacy of individuals, clients and staff alike, and is governed by the Data Protection Act 1998.
The Act defines, among others, the following terms:
- ‘data’ means information which is computerised or in a structured hard copy form;
- ‘personal data’ is data which can identify an individual, such as a name, a job title or a photograph;
- ‘processing’ is anything done with the data – just holding data amounts to processing;
- ‘data controller’ is the person who controls the purposes and manner of processing of personal data – this role will be within SWYPFT in the case of personal data processed for business purposes.

3.3 Infrastructure
Computers, systems, networks, cabling and other devices which make up the estate of information management in the Trust.

4 Duties

4.1 Trust responsibilities
4.1.1 Recognising the importance of protecting the Trust, its staff and service users/patients from information-related risks.
4.1.2 Appointing a Senior Information Risk Owner (SIRO) at Board or senior level within the organisation.

4.2 SIRO responsibilities
4.2.1 Reviewing this policy, developing the related procedure and guidance documents, and updating them in the light of changes to relevant legislation as appropriate.
4.2.2 Policy enforcement – ensuring that appropriate audit tools are in place and kept updated in order to investigate breaches of this policy, and monitoring e-mail and internet usage if there are security, confidentiality or disciplinary concerns.
4.2.3 Reporting – in the event of an investigation, ensuring that arrangements are in place so that specific reports can be obtained from internet access logs, or e-mail monitoring enabled, for sufficient time to establish whether a breach of policy has occurred. This will be undertaken in accordance with the Trust’s Disciplinary policy and procedure.

4.3 Line Manager responsibilities
4.3.1 Ensuring staff adequately understand where to ask for assistance with understanding this policy.
4.3.2 Allowing and supporting staff to attend and complete annual Information Governance training.

4.4 Staff responsibilities
4.4.1 All staff are responsible for ensuring that they understand and comply with this policy, seeking help and advice where necessary. Staff must use the Trust’s information technology and communications facilities in accordance with this policy and be familiar with the Trust’s Information Management and Technology (IM&T) Security policy and associated procedures, particularly regarding the risks associated with portable electronic devices (laptops, USB sticks, etc.).
4.4.2 All staff are required to undertake annual Information Governance training.
4.4.3 Ensuring that any incidents of unacceptable use of communication technology are logged via the Datix incident recording system, grading the incident in accordance with the Trust’s Risk Grading Matrix, with support from their line manager.
4.4.4 Contacting the Service Desk to report any faulty communications technology equipment. For West Yorkshire this is The HIS Service Desk on 0845 127 2600; in South Yorkshire it is 01226 436090.

4.5 The Health Informatics Service / BHNFT ICT Service
4.5.1 The deployment of encryption software on all Trust devices within the scope of this policy.
4.5.2 Managing configuration changes to the encryption infrastructure.
4.5.3 Providing training and support related to the technology specified within the scope of this policy.

4.6 Legal responsibilities
4.6.1 Where relevant, the Trust will comply with:
- Copyright, Designs & Patents Act 1988
- Access to Health Records Act 1990
- Computer Misuse Act 1990
- The Data Protection Act 1998
- The Human Rights Act 1998
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
- Health & Social Care Act 2008
4.6.2 The Trust will comply with other relevant laws and legislation as appropriate.
5 Principles

5.1 Security and Confidentiality
All information relating to the Trust’s service users/patients and staff, and anything that is considered business sensitive, is by definition confidential, both in paper and electronic form. Staff must treat the Trust’s paper-based and electronic information alike with the utmost care, in accordance with the Confidentiality policy: http://nww.swyt.nhs.uk/docs/Documents/804.pdf

5.2 Use of Communications Technology

5.2.1 Business use
The Trust’s e-mail, internet and telephone facilities exist primarily for business purposes. The Trust derives significant benefits from staff having access to e-mail, internet and telephone facilities.

5.2.2 Personal use
It is accepted that staff may occasionally need to use the facilities for personal purposes. This is permitted on condition that all the principles and rules set out in this policy and the accompanying guidelines are complied with. Staff need to be aware, however, that if they choose to make use of the Trust’s facilities for personal use, they cannot expect total privacy, because the Trust may need to monitor communications for the reasons given in section 5.5. Staff will greatly increase the privacy of any personal e-mail by observing the guidelines in Appendix G.

Staff must ensure that personal e-mail, internet and telephone use:
- is minimal and takes place substantially outside of normal working hours (i.e. during lunch breaks or before or after normal hours of work);
- does not interfere with the performance of Trust duties;
- does not take priority over their Trust work responsibilities;
- does not cause unwarranted expense or liability to be incurred by the Trust;
- is not otherwise inappropriate as described in section 5.3;
- does not have a negative impact on the Trust;
- is lawful and complies with this policy.
5.2.3 E-mails as records
All e-mail messages are subject to Data Protection and Freedom of Information (FoI) legislation and may be requested as evidence in court. They can therefore be required for subject access purposes under the Data Protection Act where they relate to named or identifiable individuals, or for more general disclosure under FoI. Staff should therefore exercise extreme care in the management of e-mails and observe standard document retention limits where an e-mail is to be maintained as a record. A detailed explanation of the management of non-clinical records is found in the Non-clinical records management policy: http://nww.swyt.nhs.uk/docs/Documents/816.pdf

Personal e-mails must be stored in a folder marked ‘personal’, in order to maintain their privacy from routine monitoring. The Trust reserves the right to open and review the contents of any mailbox hosted by the organisation, except where e-mail is stored in a folder marked ‘personal’. Further explanation of this is in Appendix G.

5.3 Inappropriate Use of Communications Technology

5.3.1 Confidential information about the Trust, any of its staff or service users/patients, outside the context of normal Trust business, and particularly Person-Identifiable Details (PID) which can name or otherwise uniquely identify an individual, must not:
- be shared with anyone unless the PID is essential to providing services or to the context of the communication;
- be shared via e-mail without the appropriate level of protection or encryption (such as NHSmail or encryption) to render it unreadable by anyone other than the recipient;
- be copied to laptops or to removable media such as memory sticks or CDs/DVDs unless encrypted.
Just because it is possible to share PID or confidential material does not mean that it should be shared. The principles of the Data Protection Act, the Caldicott review of patient-identifiable information and the Safe Haven Policy must be adhered to at all times: http://nww.swyt.nhs.uk/docs/Documents/645.doc

It is recognised that, in services where central registration of patients onto electronic systems is carried out, e-mails containing PID are sent using the internal e-mail system to support the registration process. This will be phased out and will no longer be allowed after services transfer off IPM and TCS.

5.3.2 The Trust reserves the right to prevent all staff from accessing some internet sites which could reduce the performance of the Trust’s information systems or could damage the reputation of the Trust, or in order to protect staff from harmful content. This also applies to all personal use from Trust premises. It has been determined that staff will be prevented from accessing sites which have been categorised as:
- adult content
- games
- anonymisers (including software designed to cover usage)
- bombs
- gambling
- glamour
- hackers
- malware
- models
- p2p (peer-to-peer file sharing)
- servers
- phishing
- pornography
- racism
- sects
- spyware
- violence
Sites categorised as social media, such as Facebook, Twitter and LinkedIn, are currently blocked by the Trust’s communication technology network. This will be kept under review. The Trust reserves the right to block access to any website or category of websites for the maintenance of computer network confidentiality, integrity or availability. The Trust reserves the right to block access to telephone services on the grounds of cost, or where the material accessed is classified as inappropriate in this policy.

5.3.2 Misuse or abuse of the Trust’s fixed and mobile telephones, e-mail, blogs (see the accompanying guidance in Appendix G), message boards or the internet/intranet in breach of this policy will be managed in accordance with the Trust’s disciplinary procedure.
It should be noted that misuse could lead to dismissal under the disciplinary procedure. In particular, inappropriate use by viewing, accessing, transmitting, posting, downloading, uploading or otherwise perpetuating any of the following is classed as misuse:
- material which is discriminatory, offensive, criminal or derogatory, or which may cause embarrassment to the Trust or any of its staff or its clients;
- pornographic material;
- a false and/or defamatory statement about any person or organisation;
- any other statement which is likely to create any liability, whether criminal or civil, and whether for the Trust or the member(s) of staff concerned;
- illegal, fraudulent or malicious activities of any kind;
- political or religious lobbying, or activities on behalf of organisations having no connection with the Trust (viewing political or religious sites is classed as personal use);
- activity where the purpose is personal or commercial financial gain, such as the use of chain letters or solicitations of business or services. Note that personal items for sale are permitted through the Intranet;
- unauthorised fund-raising or similar activities, whether for commercial, personal or charitable purposes. Note that requests for charitable donation are permitted through the fundraising requests facility on the Intranet;
- purporting to be another person (through the use of an account, their credentials or identity) without their explicit written permission, and only then where the law or circumstances would allow;
- attempting to circumvent or defeat security or auditing systems without prior authority and other than as part of legitimate system testing or security research.

5.3.3 The Trust recognises that electronic media can be used as a means of harassing or bullying others. The Trust regards harassment as totally unacceptable, and the following is taken from the Trust’s Bullying and Harassment policy to reinforce this.

Harassment is ‘unwanted conduct related to a relevant protected characteristic, which has the purpose or effect of violating an individual’s dignity or creating an intimidating, hostile, degrading, humiliating or offensive environment for that individual’. Bullying may be characterised as ‘offensive, intimidating, malicious or insulting behaviour, an abuse or misuse of power through means intended to undermine, humiliate, denigrate or injure the recipient.’
Source: ACAS Guide for Managers and Employers on Harassment and Bullying at Work, October 2010.

5.3.4 To avoid doubt, the Trust operates a firm ‘zero tolerance’ stance in respect of ‘adult’ content, including images, cartoons or text, etc., which staff may deem to be otherwise inoffensive away from the Trust. This may be judged by a ‘public notice board’ test – i.e. whether the content of any web page or e-mail would be unsuitable for posting on a public notice board, or on the front page of the local newspaper.

5.3.5 The Trust acknowledges, however, that access to subjects and web sites of a potentially contentious nature may be appropriate in some areas of normal operation and/or in specific circumstances, e.g. sex education, youth advice, counselling on gambling, approved research, etc. The Trust therefore places a special responsibility of care on staff operating in such areas to ensure that such access is necessary and that other users, staff and members of the community are not exposed to any such material without good cause. Application for such individual exemption must be made in advance of any work done in connection with the research, via line management, to the Service Desk.

5.4 Security of Communications Facilities

5.4.1 The security of the Trust’s communications facilities and systems is of paramount importance. The Trust owes a duty to all of its clients and business partners to ensure that all business transactions are kept confidential.
If at any time the Trust needs to rely in court on any information which has been stored or processed using IM&T systems, it is essential that it is able to demonstrate the integrity of those systems.

5.4.2 All the Trust’s information systems (where technically possible) log the actions of users. This information can be used to audit valid and appropriate access. Each time staff use the Trust’s systems they assume responsibility for the security implications of what they are doing.

5.4.3 Staff should keep all confidential information secure, use it only for the purposes intended (on a need-to-know basis) and not disclose it to any unauthorised third party, as per the Confidentiality Policy: http://nww.swyt.nhs.uk/docs/Documents/804.pdf

5.5 Monitoring of Communications by the Trust

5.5.1 The Trust is ultimately responsible for all business communications, including the elements of personal use, but will, so far as is possible and appropriate, respect staff’s privacy and autonomy. The Trust may monitor and audit everyday business communications for the reasons described in section 5.5.2. This will be done by nominated IM&T staff (or an external agency as appropriate) under the specific instruction of the Deputy Director of Information Technology or their deputy.

5.5.2 The Trust will monitor telephone, e-mail and internet traffic. Data collected will include:
- sender, receiver and subject, and attachments to e-mail;
- numbers called and duration of calls;
- domain names of web sites visited and duration of visits, and files downloaded from the internet.
This is necessary because it is not always obviously evident what constitutes business traffic and what is for non-business use. It is carried out for the following reasons:
- providing evidence of business transactions;
- ensuring that the Trust’s business procedures, policies and contracts with staff are adhered to;
- monitoring standards of service;
- preventing or detecting unauthorised use of the Trust’s communication systems or criminal activities, including fraud;
- maintaining the effective operation of the Trust’s communications systems.

5.5.3 Where monitoring shows potential misuse by individuals, this will be passed to line managers.

5.5.4 Any fraudulent activities uncovered by monitoring of communications facilities will be dealt with through the Trust’s Fraud Policy.

5.5.5 Use of monitoring as part of an investigation is explained in Appendix E, Monitoring Patient System, Internet or E-Mail Use as part of an investigation.

5.6 Data Protection
Staff will, through the use of the Trust’s communications facilities, inevitably be involved in processing personal data for the Trust as part of their role, and as a result are bound by the provisions of the Data Protection Act 1998.

5.7 Private use of Social Media

5.7.1 When using social networking sites, instant messaging tools and/or blogging sites, Trust employees have a responsibility to refrain from any action which brings them, their work colleagues, the Trust or the NHS into disrepute. The following list is not exhaustive, but gives some examples of the minimum standard of behaviour required. Trust employees will not maintain a site, update a status or a page, or engage in instant messaging that:
- contains personally identifiable information of Trust patients (including their relatives, visitors or carers);
- contains judgements in relation to the Trust, their role or performance that could reasonably be considered to be derogatory or defamatory, or would bring the Trust into disrepute;
- contains personally identifiable information of another Trust employee in relation to their employment, including judgements of their performance and character;
- contains any information (for example images, references and/or comments) which breaches patient/staff confidentiality;
- contains defamatory statements about the Trust, its services or contractors;
- contains any information (for example images, references and/or comments) which could be seen to bully or intimidate colleagues;
- contains any information (for example images, references and/or comments) which could be seen as sexually explicit or inappropriate;
- seeks to pursue personal relationships with patients or service users in your care (outside of those normally expected by professional codes of conduct), even if they are no longer in your care. If you receive a friendship request from a current or former patient, Facebook and other sites allow you to ignore this request without the person being informed, avoiding the need to give unnecessary offence;
- expresses opinions that purport to represent the views of the Trust, unless this is an accepted normal part of their job or through special arrangements that have been approved in advance;
- expresses opinions that purport to represent their own views on the Trust;
- contains information (for example images, references and/or comments) that could reasonably be considered inaccurate, libellous, defamatory, harassing or threatening, that may otherwise be illegal, or that would bring the Trust’s image into disrepute;
- depicts employees in their work uniform in any image that could reasonably be considered derogatory or defamatory, or would bring the Trust’s image into disrepute;
- depicts employees in their work situation in any image that could reasonably be considered derogatory or defamatory, or would bring the Trust into disrepute;
- depicts any information or activities that could reasonably be considered derogatory or defamatory, or would bring the Trust into disrepute;
- depicts any information which breaches patient/staff/Trust confidentiality;
- depicts Trust patients while they are a patient at the Trust (including their relatives, visitors or carers);
- contains Trust logos (except with express permission from the Trust Communications Department).

5.7.2 Staff as identified in section 1.1 are advised not to divulge who their employer is within their personal profile page on social media sites (e.g. in accordance with the RCN guidelines “RCN Legal Advice on using the internet”, http://www.rcn.org.uk/__data/assets/pdf_file/0016/281230/003564.pdf). However, those who do divulge their employer should state that they are tweeting/blogging etc. in a personal capacity.

5.7.3 Further guidance on the use of social media is in Appendix G.

5.8 E-mail archiving

5.8.1 E-mail mailbox size restrictions may mean that staff wish to archive and keep important e-mails. The Trust e-mail archiving product is called CommVault and, where installed, will automatically archive user e-mails.

5.8.2 Where CommVault is not installed, staff may use a ‘PST’ file, whereby e-mails are moved to an archive PST file stored on a network folder. This archive should not be stored on a local PC hard disk, as it may inadvertently contain important or confidential e-mails which could be disclosed if a computer is lost or stolen.

5.8.3 Staff should bear in mind that, as a result of a Freedom of Information Act request, they may be required to provide copies of e-mails from their inbox or archive relating to the subject of the request.

5.8.4 Staff archiving their e-mail should refer to Appendix G.

5.8.5 Computer users should contact the IT Service Desk to discuss e-mail archiving where a query arises.
5.9 Encryption
To comply with national mandatory requirements, the Trust has adopted the following strategies to be used when holding, processing or transferring person identifiable data (PID) or business sensitive information:

5.9.1 All Trust owned laptops must be fully encrypted and must not be used to store PID or business sensitive information.
5.9.2 Only encrypted and Trust approved USB sticks may be used to store electronic data, and they must not be used to store PID or business sensitive information.
5.9.3 Personal USB media must not be used to save data from the Trust network – this will be enforced by technical configuration.
5.9.4 Trust budget holders should assess whether there is a legitimate business need for the use of encrypted USB drives before purchasing (see Appendix G).
5.9.5 DVD/CD and floppy disk drives shall be read-only unless a valid business need is identified.
5.9.6 DVDs/CDs and floppy disks used to transfer PID under an arrangement approved by the IG TAG should be encrypted.
5.9.7 Users’ privately owned mobile computing equipment or related devices must not be connected to the Trust network.

6 Equality Impact Assessment
Included as Appendix A.

7 Dissemination and Implementation
This policy, once approved, will be notified to staff via the weekly Comms update e-mail and will be placed on the Trust intranet document store. Business Delivery Units (BDUs) will be responsible for more detailed briefings to appropriate staff, with support from the IM&T Department. A Frequently Asked Questions sheet has been developed and will be available on the Intranet; it will continue to grow as more questions are asked. Advice to staff about information governance will be issued via the weekly update in the form of policy updates or reminders. Where necessary, leaflets attached to payslips and other communication methods will be used. These will be approved by the Trust communications team.

Communications with service users are covered in the Information Sharing, Confidentiality and Data Protection policy: http://nww.swyt.nhs.uk/docs/SitePages/A-Z.aspx

The implementation plan is at Appendix D.

8 Process for Monitoring Compliance and Effectiveness
The following arrangements are in place to monitor compliance and effectiveness:
8.1 Performance reporting arrangements to Trust Board, EMT and BDUs.
8.2 Internal audits.
8.3 Compliance and effectiveness of the Corporate Induction Programme.
8.4 NHS Information Governance Toolkit yearly self-assessment.
8.5 IT Security reports to the Information Governance Trustwide Action Group.
8.6 An information governance questionnaire will be employed periodically to assess staff awareness and understanding of information security.
8.8 Information Governance e-learning (including information security) will be reported in the mandatory training report to the Executive Management Team (EMT) and senior managers.

9 Review and Revision Arrangements (including Archiving)
9.1 This policy has been developed in consultation with the IG TAG.
9.2 It will be available on the intranet in read-only format.
9.3 A central electronic read-only version will be kept by the Integrated Governance Manager in a designated shared folder to which all Executive Management Team members and their administrative staff have access.
9.4 A central paper copy will be retained in the corporate library.
9.5 This policy will be retained in accordance with the requirements for retention of non-clinical records.

10 References
10.1 This policy has been developed with reference to the Information Governance Toolkit and the example policies provided in it.
10.2 The following documents have also been used in the development of this policy:
- Health and Care Professions Council – Social Media Guidance: Focus on standards – social networking sites
- British Medical Association – Using social media: practical and ethical guidance for doctors and medical students
- Nursing and Midwifery Council – Practical advice for students, nurses and midwives using social networking sites
- Department of Health – Guidance: Blogging and social networking
- RCN guidelines, “RCN Legal Advice on using the internet”: http://www.rcn.org.uk/__data/assets/pdf_file/0016/281230/003564.pdf

11 Associated documents
This document has been developed in line with guidance issued by the NHS Litigation Authority and with reference to model documents used in other trusts. It should be read in conjunction with:
- Disciplinary Policy
- Information Governance Policy
- Information Sharing, Confidentiality and Data Protection Policy
- Information Risk Management Policy
- Safe Haven Policy
- Information Security Policy
- Network Security Policy

Appendix A
Equality Impact Assessment Template for policies, procedures and strategies
Date of Assessment: September 2012

Equality Impact Assessment Questions – Evidence based Answers & Actions:

1. Name of the policy that you are Equality Impact Assessing:
   Acceptable Use of Communications Technology policy
2. Describe the overall aim of your policy and context? Who will benefit from this policy?
   Policy to ensure that best practice is followed by members of staff when accessing, processing or transmitting/transporting information.
3. Who is the overall lead for this assessment?
   Deputy Director of Information
4. Who else was involved in conducting this assessment?
   Assistant Director of Information; IG TAG
5. Have you involved and consulted service users, carers, and staff in developing this policy? What did you find out and how have you used this information?
   Staff Representatives and Human Resources
6. What equality data have you used to inform this equality impact assessment?
   N/A
7. What does this data say?
   N/A
8. Taking into account the information gathered above, does this policy affect any of the following equality groups unfavourably? Where negative impact has been identified please explain what action you will take to remove or mitigate this impact. If no action is to be taken please explain your reasoning.
   9a Race: NO – No impact expected.
   9b Disability: NO – No impact expected.
   9c Gender: NO – No impact expected.
   9d Age: NO – No impact expected.
   9e Sexual Orientation: NO – No impact expected.
   9f Religion or Belief: NO – No impact expected.
   9g Transgender: NO – No impact expected.
   9h Carers: NO – No impact expected.
10. What monitoring arrangements are you implementing or already have in place to ensure that this policy: promotes equality of opportunity for people who share the above protected characteristics; eliminates discrimination, harassment and bullying for people who share the above protected characteristics; promotes good relations between different equality groups?
   This policy aims to standardise the approach to the use of communications technology across the Trust.
11. Have you developed an Action Plan arising from this assessment?
   N/A
   Who will approve this assessment?
   Executive Management Team
12. Once approved, please forward a copy of this assessment to the Equality & Inclusion Team: inclusion@swyt.nhs.uk

If you have identified a potential discriminatory impact of this policy, please refer it to the Director of Corporate Development or Head of Involvement and Inclusion together with any suggestions as to the action required to avoid/reduce this impact. For advice in respect of answering the above questions, please contact the Director of Corporate Development or Head of Involvement and Inclusion.

Appendix B
Checklist for the Review and Approval of Procedural Document
Title of document being reviewed:
(Answers are Yes/No/Unsure, with comments where given.)

1. Title
   Is the title clear and unambiguous? YES
   Is it clear whether the document is a guideline, policy, protocol or standard? YES
2. Rationale
   Are reasons for development of the document stated? YES
3. Development Process
   Is the method described in brief? YES
   Are people involved in the development identified? YES
   Do you feel a reasonable attempt has been made to ensure relevant expertise has been used? YES
   Is there evidence of consultation with stakeholders and users? YES
4. Content
   Is the objective of the document clear? YES
   Is the target population clear and unambiguous? YES
   Are the intended outcomes described? YES
   Are the statements clear and unambiguous? YES
5. Evidence Base
   Is the type of evidence to support the document identified explicitly? YES
   Are key references cited? YES
   Are the references cited in full? YES
   Are supporting documents referenced? YES
6. Approval
   Does the document identify which committee/group will approve it? YES
   If appropriate, have the joint Human Resources/staff side committee (or equivalent) approved the document?
7. Dissemination and Implementation
   Is there an outline/plan to identify how this will be done? YES
   Does the plan include the necessary training/support to ensure compliance? YES
8. Document Control
   Does the document identify where it will be held? YES
   Have archiving arrangements for superseded documents been addressed? YES
9. Process to Monitor Compliance and Effectiveness
   Are there measurable standards or KPIs to support the monitoring of compliance with and effectiveness of the document? YES
   Is there a plan to review or audit compliance with the document? YES
10. Review Date
   Is the review date identified? YES
   Is the frequency of review identified? If so, is it acceptable? YES
11. Overall Responsibility for the Document
   Is it clear who will be responsible for implementation and review of the document? YES

Appendix C
Version Control Sheet

Version  Date            Author       Status  Comment / changes
1        December 2011   John Hodson  Draft   Using template of current Information Security Policy
1.1      March 2012      John Hodson  Draft   Incorporate Barnsley CSD AUP Policy IG Policy.
2        May             John Hodson  Draft   Update policy format for presentation to HR and Staff side
3        July            John Hodson  Draft   Incorporate HR changes and general update
4        Sept            John Hodson  Draft   Incorporate further HR changes and IM&T Infrastructure Manager comments
5        Oct 2012        John Hodson  Draft   Incorporate comments from Employment Policies working group.
Final    Nov 2012        John Hodson  Final   For presentation to EMT.

Located: U:\Healthrecs\IG\IG Policies\Draft\AUCT Policy\SWYPFT\Acceptable Use Of Communications Technology Policy final.Docx

Appendix D
Acceptable Use of Communication Technology Policy – Impact of Implementation

1. Description of impact: Increase in enquiries on blocked web sites
   Staff/Dept affected: IM&T
   Cost implication: No

Appendix E
Monitoring of Patient System, Internet or E-Mail Use, as part of an investigation process

1.1 As specified in section 5.5.5, the Trust may wish to utilise the monitoring information collected by the Trust’s communication technology systems as part of an investigation. The process for this is outlined below.
Investigations should be completed following the appropriate procedure (e.g. the Trust’s Disciplinary Procedure, investigations under the Serious Untoward Incident Process etc.). Staff should be informed where an investigation is taking place about them.

In certain very limited circumstances the Trust may, subject to compliance with any legal requirements, access e-mail marked “Personal”. Examples are when there is reasonable suspicion that they may reveal evidence of unlawful activity, including instances where there may be a breach of a contract with the Trust. This would be authorised by a senior Manager from the Human Resources department.

The key features and steps for accessing Internet or e-mail use where part of a disciplinary investigation are:

a) A line manager requires access to a member of staff’s e-mail or Internet usage;
b) If the line manager is a ‘Senior Manager’ (band 8b and above), the line manager will contact HR and agree to e-mail the Portfolio Manager – IM&T Infrastructure with the request, how long it is for and confirmation that they have authorised this;
c) If the line manager is not a Senior Manager, call HR to find the name of a Senior Manager who can authorise their request and undertake step b) above;
d) The Portfolio Manager – IM&T Infrastructure will check that the e-mail is from someone who is a Senior Manager and will log a job with the service desk once assured that everything is correct;
e) An investigation log will be kept by the Portfolio Manager – IM&T Infrastructure in e-mail.

1.2 For Patient Systems

Where the investigation requires patient systems to be accessed:

a) The IG Officer will liaise with the system manager and line manager to reduce the scope of the usage report based on other than legitimate access;
b) If required, the IG Officer will ask for IM&T assistance to look up patients and the services they have accessed;
c) On completion the system manager will contact the line manager and investigating officer as appropriate to arrange to hand over and explain the report and findings.

For E-Mail

a) A form will be completed as per Appendix E1.

For Internet Usage

a) The internet usage will be provided by the ICT service in an agreed and workable format;
b) The Portfolio Manager – IM&T Infrastructure will contact the line manager to discuss handover and arrange a meeting if required to explain the report and the details provided.

Record of the Investigation

a) Details of the request to the service desk and associated actions will be logged.

1.2 Conduct of member of staff accessing e-mail

The following rules must be observed:

a) Only individual e-mails covered by the agreed purpose must be accessed (for example, if the access is required to find if a particular document has been delivered then only the Inbox should be accessed);
b) Any e-mails which are stored in a ‘Personal’ mailbox folder and which are marked “Personal” in the subject heading must not be accessed, unless the procedure in 1.3 is followed.

1.3 Accessing Staff personal correspondence

If an investigation requires access to e-mails that staff have copied to their Personal folder this requires a higher level of authorisation. Managers requiring access to a personal folder must take the following steps:

a) Request permission to access personal correspondence from a senior manager in HR, specifying a reason for the request;
b) Ensure written authorisation from a senior manager in HR is included in the Investigation file;
c) Follow the procedure at 1.2 to log the request for access.

Appendix E1
CONFIDENTIAL
Accessing E-Mail when a member of staff is absent
South West Yorkshire Partnership NHS Foundation Trust
Request for access to a member of staff’s email account where permission has not, or cannot, be obtained from that member of staff

I request that the Service Desk of The Health Informatics Service grant access to the following member of staff’s email account:

Name of person to access account: ………………………………
Job Title: ………………………………
Location: ………………………………

Name of member of staff whose account is to be accessed: ………………………………
Job Title: ………………………………
Location: ………………………………

- The member of staff named above is on unplanned absence / has left the organisation. Please give reason, i.e. Sickness, Left NHS Wakefield District etc.*
- I believe that the member of staff has been using the email system contrary to South West Yorkshire Partnership NHS Foundation Trust Email Policy.*
- An appropriate Out of Office message must be placed on the account, when applicable.*
- An Auto forward rule must be placed on the account.*

* Delete as appropriate.

Name of Senior manager who authorised the request: ………………………………
Job Title: ………………………………
Date: ………………………………

Signed: ………………………………   Date: ………………………………
Name: ………………………………   Position: ………………………………
Director / Head of Service

Please send a completed copy of this form to:
The Health Informatics Service, Oak House, Brighouse HD6 4AB
Tel: 0845 127 2600, ext 2600
Fax: 01422 222168
Email: theservicedesk@this.nhs.uk

Appendix G
Guidelines in Support of the Acceptable Use of Communications Technology Policy

Contents (page numbers as given in the original appendix)
1. INTRODUCTION 29
2. PURPOSE 29
3. DEFINITIONS 29
4. PRINCIPLES 29
4.1 Communication Technology 29
4.2 Use of Electronic Mail 30
4.3 Use of Internet and Connect 33
4.4 Inappropriate use of communications technology 33
4.5 Security of communications facilities 34
4.6 Personal blogs, websites and social media 35
4.7 Monitoring of communications by the Trust 36
4.8 Data protection 38
4.9 Using NHSmail (@nhs.net) to send confidential or patient identifiable emails 38
4.10 Encryption 39
4.11 Pornography 41

1. INTRODUCTION

The guidance applies to all employees of the Trust, non-executive directors, contracted third parties (including agency staff), students/trainees, people on secondment and other staff on placement with the Trust, and staff of partner organisations with approved access. Reference throughout the rest of the document will simply be to ‘staff’.

2. PURPOSE

The purpose of this guidance is to enhance and further explain aspects of the Acceptable Use of Communications Technology Policy.

3. PRINCIPLES

3.1 Communication Technology

The internet and e-mail are now the primary means of communicating within the NHS. It should be noted that, for example, Department of Health policy and guidance is only disseminated in this way. It is essential, therefore, that staff establish local systems and procedures that recognise this. The Trust will use these facilities to the full (but within available resources and technology) in communicating and cascading information throughout the organisation. Staff are encouraged to familiarise themselves with the facilities and to make use of the Trust’s own Intranet (http://nww.swyt.nhs.uk/, which will be set as the default web page for all staff at each log-on).

The advantage of the internet and e-mail is that they are extremely easy and informal ways of accessing and disseminating information, but this means that it is also easy to send out ill-considered statements.
Messages sent on e-mail systems or over the internet should display the same professionalism that would apply when writing a letter or a fax. Staff must not use these media to do or say anything which would be subject to disciplinary or legal action in any other context, such as sending, accessing or receiving any discriminatory (on the grounds of a person's sex, race, age, sexual orientation, religion, disability, gender reassignment, marriage or civil partnership, pregnancy, maternity or belief), defamatory or other unlawful material. If in any doubt, staff should seek advice from a manager or contact the Service Desk.

Many aspects of communication are protected by intellectual property rights which are infringed by copying. Downloading, uploading, posting, copying, possessing, processing and distributing material from the internet may be an infringement of copyright or of other intellectual property rights.

Particular care must be taken when using e-mail or internet message boards as a means of communication because all expressions of fact, intention and opinion in an e-mail may bind the individual and/or the Trust and can be produced in court in the same way as other kinds of written statements.

3.2 Use of Electronic Mail

3.2.1 General

The Trust considers email as an important means of communication and recognises the importance of proper email content and speedy replies in conveying a professional image and delivering good customer service. Therefore the Trust advises staff to adhere to the following guidelines:

• Write well-structured emails;
• Include your name, job title and Trust name;
• Include an email subject which summarises the content of the email;
• Use the spell checker before you send out an email;
• Do not print emails unless you really need to for work purposes. Emails can be saved, if you need to keep them;
• If you need a reply to your email by a particular date, let the recipient know this;
• If you forward mails, state clearly what action you expect the recipient to take;
• Only mark emails as important if they really are important;
• Ensure you send your email only to people who need to see it. Sending emails to all in your address book can unnecessarily block the system;
• Emails should be treated like any other correspondence and should be answered as quickly as possible;
• When on leave, activate an ‘Out of Office’ message stating when you will return and an alternative contact;
• Delete any email messages that you do not need to keep a copy of and maintain your mailbox within its allowed limits;
• Make use of the Outlook archiving feature where possible, with respect to emails you need to retain (5.8 E-Mail Archiving);
• When utilising the Outlook archiving feature, ensure that patient identifiable and sensitive staff identifiable information is not stored within the .pst file (5.8 E-Mail Archiving);
• If you have a large document to distribute, consider whether this could be made available via a shared drive or by inserting a link;
• Retaining attachments to emails can take up large amounts of space. If attachments need to be retained it is advisable to save these to a network drive which is located on a file server and is backed up by The Health Informatics Service;
• Remember that emails can be requested under the Freedom of Information Act. Store any emails containing information likely to be requested, e.g. spending of public money/development of services, in a separate folder to allow easy, efficient retrieval.

Staff should not amend any messages received, and, except where specifically authorised by the other person, should not access any other person’s inbox or other e-mail folders nor send any e-mail purporting to come from another person.

A disclaimer will be automatically attached to all outgoing e-mail.
Staff should not create their own ‘version’ as part of an e-mail ‘footer’. The disclaimer is designed to limit the Trust’s potential liability with regard to the content of the e-mail.

Disclaimer

‘Unless expressly stated otherwise, the information contained in this email is confidential and is intended only for the named recipient(s). If you are not the intended recipient you must not copy, distribute, or take any action or reliance upon it. If you have received this e-mail in error, please notify the sender. Any unauthorised disclosure of the information contained in this e-mail is strictly prohibited. This email and any attachments should not be disclosed to third parties under Data Protection or Freedom of Information legislation without first seeking the permission of the sender’

To re-iterate policy section 4.3.1.1.1: Person-Identifiable Details (PID) which can name or otherwise uniquely identify an individual should not be sent externally using e-mail without the appropriate level of protection or encryption to render it unreadable by anyone other than the recipient. Staff should be aware that this does not extend to non-NHS organisations, such as council networks (e.g. Social Services departments) or voluntary bodies, unless an information sharing agreement and protocols are in place for the secure exchange of information. Again, if staff are unsure they should always seek advice from a manager or via the IS Help Desk.

3.2.2 Business use

Each business e-mail should include an appropriate Trust business reference.

If the e-mail message or attachment contains information which is time-critical, staff should bear in mind that an e-mail is not necessarily an instant communication (it may encounter network delays, or simply not be picked up immediately by the recipient) and consider therefore whether it is the most appropriate means of communication.

In the light of potential security risks inherent in some web-based e-mail accounts (such as ‘hotmail’), staff must not e-mail business documents or those containing PID to personal web-based accounts. Non-sensitive documents may be sent to a web-based account; if in doubt, ask your line manager. However, under no circumstances should staff send confidential documents or those containing PID to a personal web-based e-mail account, even if asked to do so.

E-mail is capable of forming or varying a contract in just the same way as a written letter. Staff should therefore take due care when drafting an e-mail to ensure that the content cannot be construed as forming or varying a contract when this is not the intention. Contact the Service Desk for advice and guidance.

3.2.3 Personal use

All personal e-mail must be marked “Personal” in the subject heading, and all personal e-mail sent or received must be filed in a folder marked "Personal" in a user’s mailbox. Staff should contact the Service Desk for guidance on how to set up and use a personal folder. Otherwise all email contained in a user’s inbox or subsidiary folders and sent items folder is deemed to be business communication for the purposes of monitoring (see policy section 5.5).

Staff can delete personal e-mail from the live system, but it will have been copied (perhaps many times) onto the sequence of backups.

By making personal use of the Trust’s facilities for sending and receiving e-mail, staff signify their agreement to abide by the conditions imposed for their use, and signify their consent to the Trust’s monitoring personal e-mail in accordance with section 5.5 of the policy.

Staff are advised to use separate e-mail systems such as hotmail or Gmail for personal e-mail. This will negate the requirement to set up special folders for personal e-mail.

3.2.4 E-mails as records

E-mails can and do constitute a formal record of a discussion, communication or decision on a matter.
In managing e-mails staff should therefore identify those that should be retained as a record.

3.3 Use of Internet and the Intranet

Staff are trusted to use the internet responsibly and should bear in mind at all times that, when visiting an internet site, information identifying their PC may be logged. Therefore any activity engaged in via the internet may affect the Trust. Whenever a web site is accessed, staff should always comply with the terms and conditions governing its use.

Staff are strongly discouraged from providing their Trust e-mail address when using public web sites for non-business purposes, such as on-line shopping. This must be kept to a minimum and done only where unavoidable, as it could result in the receipt of substantial amounts of unwanted and unnecessary (spam) e-mail. Goods should not be ordered for delivery to Trust premises unless agreed with the line manager.

Access to certain web sites may be blocked during normal working hours. If you have a particular business need to access such sites, please contact the Service Desk.

3.4 Inappropriate use of communications technology

Unacceptable use for both business and personal purposes is determined in any of three ways:

• Through line management supervision, where it is found that use of e-mail or the internet is not acceptable in the context of the performance of the member of staff’s duties;
• Through a ‘public notice board’ test, i.e. if the content of any web page or e-mail would be unsuitable for posting on a public notice board;
• Through the auditing of logs of access and use held by the IM&T Services or Facilities departments, where such use could result in a threat to the efficient, safe, legal operation of the communications infrastructure in line with Trust policies and procedures.

Staff who find themselves in receipt of an offensive e-mail or who unintentionally connect to an internet site containing offensive or inappropriate material should contact the Service Desk to seek advice and record the incident.

Staff must not:

• use any images, text or material which are copyright-protected, other than in accordance with the terms of the licence under which downloading was permitted;
• introduce software;
• seek to gain access to restricted areas of the Trust’s network;
• access or try to access data which is known or could reasonably be expected to be known to be confidential;
• introduce any form of computer virus;
• carry out any hacking activities;
• attempt to obtain access to a password-protected system using the password of another member of staff obtained without their express permission. Staff members should not routinely share any computer passwords;
• access a computer workstation or application which has been left ‘logged on’ by another member of staff;
• carry out network ‘packet-sniffing’ or password-detecting.

Staff should be aware that any of the actions of section 3.4 above would not only contravene the terms of this policy but may also amount to the commission of an offence under the Computer Misuse Act 1990, which creates the following offences:

• Unauthorised access to computer material, i.e. hacking;
• Unauthorised modification of computer material;
• Unauthorised access with intent to commit or facilitate the commission of further offences.
Where there is evidence of actual or suspected misuse of facilities in breach of this policy the Trust may undertake a more detailed investigation in accordance with its disciplinary procedures, which could lead to curtailment or withdrawal of such facilities and could result in disciplinary action. The procedure for launching investigations is outlined in Appendix E.

3.5 Security of communications facilities

The Trust’s systems or equipment must not be used in any way which may cause damage or overloading, or which may affect their performance or that of the internal or external network.

Staff should keep system passwords safe, and not disclose them to anyone. Those who have a legitimate reason to access other users' email folders must be given permission by that other user. The Service Help Desk will provide guidance on how to do this.

Whenever there is a requirement to load onto a PC material from outside the Trust, staff must be sure that it is from a secure and safe source. If in doubt staff should contact the Service Desk.

No device, equipment or software should be attached to or installed on the Trust’s systems without the prior approval of the IM&T department. This includes any removable storage device (including, but not exclusively, memory sticks), MP3 player or similar device, PDA or telephone. Attachment means to a USB port, infra-red connection port or any network connection point that would support an interface to such a device.

The Trust routinely monitors all e-mails passing through its system for viruses. Staff should exercise caution when opening e-mails from unknown external sources or where, for any reason, an e-mail appears suspicious. The Service Desk should be informed immediately if a suspicious communication or suspected virus is received.

3.6 Personal blogs, websites and social media

This section specifically covers the use of social media sites, blogs and personal web sites and content. Web logs allow users (usually once registered) to post messages, respond to other postings, and generally keep a thread active on a common theme or specific subject. It is a common tool employed by many web sites to engage with their audience. Likewise, it has become much easier for individuals to create their own web sites and also to maintain a web presence through such web sites as Twitter, YouTube and Facebook. Such content will be covered by the term blog throughout the rest of this section.

In their own private time (and using personal IT equipment) staff may wish to create, update, or otherwise contribute to websites, blogs, and message boards or other on-line forums as an individual. For the avoidance of doubt such activities (the above not being an exhaustive list) are classed as personal use.

When a member of staff posts any content to the internet (written, vocal or visual) which identifies them as a member of the Trust and/or discusses their work or anything related to the Trust or its business, clients or staff, the Trust expects that individual to act in ways which are consistent with their contract of employment and within the Trust’s policies and procedures. It should be noted that simply revealing their name could be sufficient to identify them as a Trust employee.

If staff already have a personal blog or website, or intend to create one, which indicates in any way that they work for the Trust, it should be reported to their manager who will record this in their personal file. Staff should ensure that any content is consistent with the terms and conditions of their employment. If a blog posting clearly identifies that the member of staff works for the Trust and expresses any idea or opinion then a disclaimer, such as "these are my own personal views and not those of the Trust”, should be added or the material removed.
Staff should be aware that comments on social media, even those limited to “friends”, are regarded by the courts as being public comments, as “friends” can repeat the comments referenced back to the member of staff.

If staff think that something on their blog or website could give rise to a conflict of interest, and in particular concerns issues of impartiality or confidentiality required by their role, then this must be discussed with their manager.

If staff are contacted by someone from the media or press about posts on their blog or website that relate to the Trust they should talk to their manager, and the Trust’s communication team must be consulted before responding.

Staff are advised:

• to keep personal and professional social networking as separate as possible. Whether or not you identify your work role online, be aware that all your activity online can reflect on your professional life;
• to protect their own privacy. Think through what kinds of information you want to share and with whom, and adjust your privacy settings. On Facebook and other sites, you can adjust your privacy settings at group level to share different levels of information with different kinds of friends. Remember that the more your personal life is exposed through social networking sites, the more likely it is that this could have a negative impact;
• to remember that everything you post online is public, even with the strictest privacy settings. Once something is online, it can be copied and redistributed, and it is easy to lose control of it. Presume that everything you post online will be permanent and will be shared.

If as part of your job you are required to use social media (such as Facebook or Twitter) as part of work, it is advised that you set up a separate account from your personal account.

3.7 Monitoring of communications by the Trust

In terms of maintaining personal privacy, staff need to be aware that such monitoring might reveal sensitive personal data about them. For example, if they regularly visit web sites which detail the activities of a particular political party or religious group, then those visits might indicate their political opinions or religious beliefs. By carrying out such activities using the Trust’s facilities staff consent to the processing of sensitive personal data about them which may be revealed by such monitoring.

Sometimes it is necessary for the Trust to access staff business communications during their absence, such as when away due to illness or on holiday. Unless mailbox and network folder settings have already been enabled such that the individuals who need to do this already have permission to view appropriate files and folders, access will be granted only with the permission of their line manager or an HR senior manager. Staff will be made aware of this on their return to work, as per Appendix E1.

It is up to individual staff to prevent the inadvertent disclosure of the content of personal e-mail by filing it in accordance with this policy. In particular, staff are responsible to anybody outside the Trust who sends to them, or receives from them, a personal e-mail, for the consequences of any breach of their privacy which may be caused by a failure or inability to file personal e-mail appropriately.

All incoming e-mail is scanned on behalf of the Trust, using virus-checking software. The software may also block unsolicited marketing e-mail (spam) and e-mails which have potentially inappropriate attachments.

The Trust has the facility to listen in on telephone calls made using its communication facilities. This would be authorised in the same manner as described in section 4.7.5 but carried out by the Facilities team.
3.8 Data protection

Staff should be aware that whenever and wherever they are processing personal data on behalf of the Trust it must be kept confidential and secure, and particular care should be taken not to disclose it to any other person (whether inside or outside the Trust) unless authorised to do so for the purposes of their job. If in doubt, help should be sought from a line manager or the Information Governance team.

The Data Protection Act gives an individual the right to see all the information which any data controller holds about them. This should be borne in mind when recording personal opinions about someone, whether in an e-mail or otherwise. It is another reason why personal remarks and opinions must be made or given responsibly, be relevant and appropriate, as well as accurate and justifiable.

Section 55 of the Act makes it a criminal offence to obtain or disclose personal data without the consent of the data controller. ‘Obtaining’ here includes the gathering of personal data by employees at work without the authorisation of the employer. Staff may be committing this offence if, without the authority of the Trust, they exceed their authority in collecting personal data, access personal data held by the Trust, or pass them on to someone else (whether inside or outside the Trust).

Whilst the Trust is data controller for all personal data processed for the purposes of its business, individual staff will be data controller for all personal data processed in any personal e-mail which they send or receive. Use for social, recreational or domestic purposes attracts a wide exemption under the Act, but if, in breach of this policy, staff are using the Trust’s communications facilities for the purpose of a business which is not the Trust’s business, then they will assume extensive personal liability under the Act.
3.9 Using NHSmail (@nhs.net) to send confidential or patient identifiable emails

The NHSmail email system can be used to send confidential emails or emails containing patient identifiable information under certain circumstances. The system can be accessed via the website http://www.nhs.net. NHSmail accounts are available to all staff members and new accounts can be created via this website.

The following guidelines MUST be followed if you are considering using this system to send confidential or patient identifiable email:

1. Notify the Portfolio Manager – Information Governance and Health Records so that your data flow can be documented formally.
2. The recipient of your email MUST have an email address which ends in one of the following suffixes:
   • nhs.net
   • gcsx.gov.uk
   • gse.gov.uk
   • gsi.gov.uk
   • gsiup.co.uk
   • gsx.gov.uk
   • pnn.gov.uk
   • pnn.police.uk
   • cjsm.net
   For example, the recipient address might be joe.bloggs@nhs.net or joe.bloggs@gcsx.gov.uk.
3. Ensure that if you are receiving confidential or patient identifiable emails into your NHSmail inbox, the sender uses an NHSmail account or an account where the associated email address ends in one of the suffixes listed.
4. Ensure that you regularly check the contents of your NHSmail account.
5. If you are a manager, ensure that your staff members have appropriate access to NHSmail accounts to ensure the confidential transfer of identifiable data.

If you have any queries or concerns about this process, please contact the Portfolio Manager – IM&T Infrastructure or the Portfolio Manager – Information Governance and Health Records.

3.10 Encryption

Encryption Guidelines

The following represents a sample of potential risk areas that may affect Trust information assets. Encryption will be used to mitigate any risks to the Trust’s information assets. Although encryption can be used to protect this data, it is important that it is not used to the detriment of other more relevant controls, policies and good practices.
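Section 3.9 above states the rule that confidential or patient identifiable email sent from NHSmail may only go to addresses ending in one of the listed suffixes. The following Python check is an added example, not part of the Trust's policy or of any NHS tooling: it applies that rule to outbound recipient headers. The suffix list is the one in section 3.9; the function names and sample addresses are constructed here, and the code assumes that a subdomain of a listed suffix also counts because the rule is phrased as "ends in".

```python
"""Outbound-recipient check for the NHSmail suffix rule in section 3.9.

Added example, not part of the Trust's policy or any NHS tooling.
The suffix list is taken from section 3.9; everything else (function
names, sample headers) is constructed for illustration.
"""
from email.utils import getaddresses
from typing import List, Optional

# Domains listed in section 3.9 as acceptable recipients for confidential
# or patient identifiable email sent from NHSmail.
SECURE_SUFFIXES = (
    "nhs.net",
    "gcsx.gov.uk",
    "gse.gov.uk",
    "gsi.gov.uk",
    "gsiup.co.uk",
    "gsx.gov.uk",
    "pnn.gov.uk",
    "pnn.police.uk",
    "cjsm.net",
)


def domain_is_secure(domain: str) -> bool:
    """True if the domain is a listed suffix or a subdomain of one (assumption).

    The comparison is made on whole DNS labels: "nhs.net" and "mail.nhs.net"
    pass, but "evilnhs.net" does not. A plain str.endswith("nhs.net") check
    would accept the latter, which is the mistake this function avoids.
    """
    d = domain.lower().rstrip(".")
    for suffix in SECURE_SUFFIXES:
        if d == suffix or d.endswith("." + suffix):
            return True
    return False


def recipient_domain(address: str) -> Optional[str]:
    """Return the domain part of a bare user@domain address, or None if malformed."""
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or not domain:
        return None
    return domain


def non_secure_recipients(*header_values: str) -> List[str]:
    """Return every recipient in the given To/Cc/Bcc header values that fails the rule.

    Header values may carry display names and several comma-separated
    addresses; getaddresses() does that parsing. Anything that cannot be
    parsed into user@domain is reported too, since it cannot be shown secure.
    """
    failures: List[str] = []
    for _name, addr in getaddresses(list(header_values)):
        if not addr:
            continue
        domain = recipient_domain(addr)
        if domain is None or not domain_is_secure(domain):
            failures.append(addr)
    return failures


def may_send_pid(to: str, cc: str = "", bcc: str = "") -> bool:
    """Policy gate: PID may leave only if every recipient is on a secure domain."""
    return not non_secure_recipients(to, cc, bcc)


if __name__ == "__main__":
    # Constructed sample headers; these are not real addresses.
    to_header = "Joe Bloggs <joe.bloggs@nhs.net>, joe.bloggs@GCSX.gov.uk"
    cc_header = "someone@evilnhs.net, colleague@hotmail.example"
    print(non_secure_recipients(to_header, cc_header))
    # → ['someone@evilnhs.net', 'colleague@hotmail.example']
    print(may_send_pid(to_header))  # → True
```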
Prior to the transfer of any person identifiable data, full consideration must be given to the business need for the transfer, and to assessing whether there is any opportunity to anonymise or pseudonymise the data.

Trust Workstations

It is recognised that all workstations are potentially subject to an element of risk from being stolen or accessed remotely without permission. However, encryption also has some impact on performance, so it is not appropriate in all circumstances. Office based Trust workstations should be encrypted by default where they are considered vulnerable. The majority of workstations are protected by a secure network logon, network file servers are made available to users for the secure storage of data and information, and physical access restrictions are in place in most locations.

In the following circumstances, PC workstations must be encrypted:
• All workstations in open or unrestricted areas that are used to edit PID.
• Any workstation that may be used to store PID locally because an exception has been agreed and formalised through the Information Governance TAG, i.e. because it is in a location with poor network coverage.
• Any Trust workstation that may be used to edit PID.
• Any workstation considered at risk due to its vulnerability to third party access or theft.

Trust Laptops

Due to their mobility, laptops represent a much larger risk of allowing unauthorised access to business sensitive information and person identifiable data. Laptops are easily lost and stolen, so data stored locally is at much more risk. All data on Trust laptops should be encrypted. It is the responsibility of the user to ensure that their laptop has been encrypted; if in doubt you should contact the Service Desk, who manage and control encryption software across the Trust. Business sensitive information and PID should not be stored on a laptop hard drive.
Any data removed from the Trust’s secure internal network is potentially at risk and should not be removed, transported or transferred onto a laptop unless there is an authorised business need, formally approved by the Information Governance TAG. This includes all confidential information stored on a laptop, whether email archives or individual documents. If you need any guidance, need to store PID on a laptop temporarily, or require specific information on storing and transporting confidential data, you should contact the Portfolio Manager – IM&T Infrastructure, the Portfolio Manager – Information Governance and Health Records or the Service Desk.

Mobile Devices

Many mobile devices such as USB memory sticks, portable hard disks, smart phones and PDAs have the potential to store large amounts of data. As such they represent a significant risk to the security of information if used inappropriately. It is the user’s responsibility to ensure that the device is encrypted and that no PID is transferred onto the device. Specific guidance for the following mobile devices follows:
• Portable Hard Drives – prohibited on the Trust network.
• PDAs (Personal Digital Assistants) – must be encrypted and are prohibited for PID data storage.
• USB Memory Sticks – must be encrypted and authorised by a Trust budget holder. The use of personal memory sticks to save data from the Trust network is not permitted. A secure password must be assigned to an encrypted USB memory stick by the user to enable encryption.
• Smartphones, iPods or Media Players – no data should be transferred from the Trust network onto these devices.
• Other Removable Media – the copying of data onto DVDs, CDs or floppy disks is discouraged. PID and business sensitive information should not be copied onto this media without encryption. Any exceptions must be risk assessed and approved by the Information Governance TAG.
Applications and Electronic Transmission

If person identifiable data is transferred through electronic means, then this data must be encrypted to the level required by the NHS Approved Cryptographic Standards. This is applicable whenever data is transferred by any electronic means outside the perimeter of the secure Trust internal network or a secure virtual private network (VPN). This requirement is applicable for Trust related transmissions or when using third party suppliers to provide applications or services.

Other Electronic Transport – uploading PID or business sensitive information by other electronic methods, such as technical transport protocols, should not be done without consulting the Portfolio Manager – IM&T Infrastructure or the Portfolio Manager – Information Governance and Health Records.

3.11 Pornography

What is pornography?

Pornography can take many forms: for example, textual descriptions, still and moving images, cartoons and sound files. Some pornography is illegal in the UK and some is legal. Pornography that is legal in the UK may be considered illegal elsewhere. Because of the global nature of the Internet these issues must be taken into consideration. Therefore, the Trust defines pornography as the description or depiction of sexual acts or naked people that are designed to be sexually exciting. The Trust will not tolerate its facilities being used for this type of material and considers such behave

Indecent Images of Children – Guidance for Managers

It is a criminal act under Section 1 of the Protection of Children Act 1978 for any person to make and distribute indecent images of children. These are arrestable offences. Upon receipt of any information concerning this kind of activity, the department head should notify the Police (Child and Public Protection Unit) immediately.
No downloading or distribution of any images should be completed, either internally or externally within the organisation, as this may leave the individuals responsible open to criminal investigation. The computer should be left and not used by anyone, allowing it to be seized as evidence for forensic examination by the Police. The details of all persons having access to the computer should be made available to allow a clear evidence trail to be established.

What you must not do

• Create, download or transmit (other than for properly authorised and lawful research) pornography.
• Send or forward webmails with attachments containing pornography. If you receive a webmail with an attachment containing pornography you should report it to the (IM&T) Security Officer or your supervisor.

What are the consequences of not following this policy?

Users and/or the Trust can be prosecuted or held liable for transmitting or downloading pornographic material, in the UK and elsewhere. The reputation of the Trust will be seriously questioned if its systems have been used to access or transmit pornographic material and this becomes publicly known. Users found to be in possession of pornographic material, or to have transmitted pornographic material, will be dealt with under the Trust Disciplinary Procedure.