Policy Document. IT Computer Usage Policy


ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY

Author: IT Services Manager
Version: 4.1
Issue:
Issue Date: Nov 2011
Review Date: July 2014
Status: Approved
Approved by: Caldicott and Information Governance Committee
Approved by Date: Dec 2011
Ratified by: Trust Management Committee
Ratified by Date:
Document Number: IG0009
BHT Pol No: 059
Lead Director: Director of Finance & IT
EIA: July 2010
Location: BHT Intranet/Trust Polices/IT Polices CHB folder/pct Intranet

IG0009 IT Computer User Code of Conduct
Information Governance

Approval and Authorisation

Completion of the following detail signifies the review and approval of this document, as minuted in the senior management group meeting shown.

Version | Authorising Group | Date
1.0 | ISG | 07/02/
Caldicott & Information Governance Committee | 12/12/
Caldicott & IG Committee | June
Trust Management Committee
Caldicott & Information Governance Committee | Dec
Trust Management Committee

Change History

Version | Status | Reason for change | Date | Author
3.0 | Approved | Caldicott & IG Committee Chairman's action | June 2010 | Dave Morgan
3.0 issue 2, V3 issue 3, V3 issue 3 | Draft, Draft, Draft | Addition of new section 16 Monitoring and Auditing of Confidential Information. Update of appendix B, C and D forms. Addition of new section 12 Portable Media. Addition to section 13 - Access to Personal Identifiable Information in line with IG0008 Confidentiality Code of Practice. Moved section 14 Secure use of Trust Information to section 3. New section 14 Portable Media. New section 18 Loss or Theft of IT Equipment. Circulated to Caldicott & IG Committee for comment | Nov 2010, Nov 2011, Dec 2011 | Dave Morgan, Dave Morgan, Dave Morgan
4.0 | Approved | Chairman's action Dec 2011 | Dec 2011 | Dave Morgan
4.1 | | Replacement of App. B form, new combined version | Feb 2013 | Dave Morgan

Document References

Ref # | Document title | Document Reference | Document Location
1 | IT Computer User Access Management Policy | IG0031 | Intranet
2 | Virus Control Procedure | IG0044 | Intranet
3 | IT Laptop Policy | IG0085 | Intranet
4 | Policy for the Procurement or Implementation of New IT Systems, Databases and Information Flows | IG0025 | Intranet
5 | Confidentiality Code of Practice for All Employees | IG0008 | Intranet
6 | IT User Account and Usage Policy | IG0035 | Intranet

7 | IT Security Laptop Policy | IG0085 | Intranet
8 | Trust Incident Reporting Policy and Procedure | Pol049 | Intranet

Table of Contents

1. Background
2. Purpose and objectives
3. Secure Use of Trust Information key statements
4. Inappropriate Use of Computers
5. Danger from Viruses
6. Access to Computer Systems
7. System Access
8. Password Disclosure
9. Password / PIN Number Management
10. Logging into Computer Systems
11. Removal of System Access
12. Portable Media
13. Access to Person Identifiable Information
14. IT Remote Working
15. Software Licences
16. Installing Software and Creating Systems
17. Use of Non-Trust Computer Processing Equipment on the Trust Network
18. Loss or Theft of Trust IT Equipment
19. Monitoring and Auditing Access to Confidential Information
20. Breach of Policy
21. Monitoring the Policy
22. Review of This Document
23. Glossary/Definitions
Appendix A Key Roles and Contact Details
Appendix B - Request for Access to Computer Systems
Appendix C - Request for Access to the Internet only via the Trust Network (for non-employees only)
Appendix D IT Remote Working Person Identifiable, Confidential or Sensitive Data
Appendix D1 - Request for IT remote Working
Appendix D2 Data Protection Considerations when Remote Working

1. Background

Buckinghamshire Healthcare NHS Trust recognises the considerable potential for the use of information and communications technology and will work positively to facilitate appropriate development and innovation. Computer facilities are provided to support staff in fulfilling the responsibilities of their roles.

It is an essential legal prerequisite of connection of any NHS organisation to the NHSnet, that the organisation establishes and operates an effective policy for the use of computers within that organisation. This is designed to protect the wider community of NHS organisations from unauthorised and inappropriate access and use of sensitive information and to ensure the security and confidentiality of identifiable patient and staff data.

This policy has been developed from relevant legislation including the Data Protection Act 1998 and the Computer Misuse Act, and from NHS guidance contained primarily in the Caldicott requirements and from Ensuring Security and Confidentiality in NHS Organisations, the NHS IM&T Security Manual. They are therefore requirements that the Trust is obliged to follow.

2. Purpose and objectives

This policy document sets out a Code of Conduct that applies to all staff who use computer facilities provided by the Trust and/or who require to carry out any IT remote working e.g. home, off-sites. It explains the behaviour and obligations expected of staff when using any of the Trust computer systems. Key roles referred to in this Code and their contact details are identified in Appendix A.

Key objectives of the policy:

- Confidentiality: data access is confined to those with specified authority to view the data within the remit of their job function, on a need to know basis and a need to use basis to ensure confidentiality of business sensitive information and protect personal data held on the system.
- Integrity: all system assets are operating correctly according to specification and in the way the current user believes them to be operating. A logical access allocation to application systems should be implemented to restrict access to authorised users.
- Availability: information is delivered to the appropriate individual where and when it is required.

3. Secure Use of Trust Information key statements

It is essential that staff comply with Trust policy in relation to secure information handling. Please refer to the Trust Confidentiality Code of Practice - Appendix 1 Information Handling Responsibilities (see ref [5]) for more detailed information.

3.1 For the continued confidentiality of patient and staff data it is generally expected that no patient or staff identifiable data will be taken for use outside Trust locations or legitimate places of work.

3.2 For most purposes, fully anonymising or pseudoanonymising the data will allow it to be used without compromising confidentiality, for research for example.

3.3 It is recognised however, that in exceptional circumstances there may be a need for legitimate removal. In these cases the individual must understand the risks involved and must make the decision whether or not to remove patient identifiable data or to take the safer and more secure form of anonymised or pseudoanonymised option.

3.4 Personally owned IT equipment must not be used for the processing or storage of person identifiable, confidential or sensitive data.

3.5 All donated or loaned IT Equipment to the Trust e.g. personal computers, laptops must be risk assessed, approved, registered and encrypted with the IT Services Department prior to any use.

3.6 ALL portable IT media e.g. laptops, DVDs, CDs, USB devices/memory sticks or keys containing person identifiable data, regardless of its use, must be secured using approved industry standard AES 256 encryption software. Exceptions can only be made by the Senior Information Risk Owner (SIRO).

3.7 No Trust computing hardware or software may be removed from Trust premises, other than for the purpose of transportation between Trust sites or other places of work, without prior written permission from the line manager.

4. Inappropriate Use of Computers

Trust resources or facilities must never be used to assist or support any illegal activity. For example, to create, edit, access or disseminate pornographic, sexist, racist material or any other material likely to cause offence to staff, patients and visiting members of the public, via , Internet or any other method.

Under the provisions of the Computer Misuse Act, unauthorised access to computers (hacking) is illegal and must never be undertaken.

Storage of personally owned files such as music and photographs e.g. wedding and holidays on Trust file servers is forbidden. Any such files will be deleted without notice. If such files must be shared with colleagues then it is suggested that these should be stored on memory sticks or CDs; these devices must be fully virus checked before use (see section 14 for procedures on Secure Use of Trust Information).

Trust computers and IT equipment are provided to support the Trust's legitimate business requirements. Limited personal/private use is acceptable provided that:

a) Use is kept to a reasonable level and does not interfere with the normal performance of the user's duties. An example of this might be, but is not limited to, study purposes or research that is work related.

b) It is not used for commercial purposes and for the supplying and selling of goods and services. An example of this might be, but is not limited to, trading on Ebay or other such sites, offering personal skills for hire etc.

5. Danger from Viruses

Computer viruses can be extremely harmful to computer systems and all reasonable precautions to prevent their spread must be taken. E.g. never open an attachment from an unknown source; do not load data from a floppy disk or any other external memory device without first running virus checking software. For further guidance read the Trust Virus Control Procedure (see ref [2]).

6. Access to Computer Systems

Requests for access to the Trust computer systems must be made by completion of the request of Access to Trust Network form, Appendix B. Appendix C is for use by non-employees who require to attach non-trust computer equipment to the Trust network for the purposes of accessing the Internet only.

7. System Access

7.1 Access to corporate systems will only be given once adequate training has been received and competence levels have been reached, as determined by the trainer/system manager.

7.2 Where systems are not under the control of IT (locally implemented and maintained) training must be administered by the local management.

8. Password Disclosure

8.1 Staff will ensure that all personal passwords held remain strictly personal to that member of staff, and are not disclosed in any form.

8.2 They must not be relayed verbally, written down or otherwise revealed to any other individual, either within or outside the Trust.

8.3 If any person accesses information through the use of another person's password, then both individuals may be subject to action in accordance with the Trust's disciplinary policy.

8.4 The wilful or negligent disclosure of confidential information whether written or computerised could be seen as a gross misconduct under the Trust's Disciplinary Policy and may lead to dismissal.

8.5 In some instances, it may be necessary for IT to know a user's password in order to fix a problem with a PC. At such times IT will arrange with the user to change the password on completion of the task.

9. Password / PIN Number Management

9.1 Any system capable of using passwords/PIN numbers must have the facility enabled.

9.2 Length of password/PIN numbers and characteristics are system dependent and are therefore defined by reference to the appropriate System Manager.

9.3 Passwords must include a combination of alpha and numeric characters, in any order.

9.4 Passwords/PIN numbers must be unique to the system i.e. not be used for access to other systems.

9.5 Passwords/PIN numbers must not be shared with or disclosed to anyone.

9.6 Frequency of password/PIN number change is system dependent and passwords MUST be changed at the frequency defined in a table in Appendix 1 appropriate to the system. The default is 60 days (30 days for system administrators).

9.7 Passwords/PIN numbers must be changed if security is believed to have been, or actually has been, breached.

9.8 Passwords must not be a combination of characters that is likely to be guessed such as a family name, nickname, DOB, car registration or consecutive characters e.g. ABC

Passwords/PIN numbers must be something memorable so that they don't need to be written down.

Passwords are encrypted (coded) when applied, and therefore cannot be seen by the system administrators.

10. Logging into Computer Systems

Staff may have use of a variety of methods to log in to a computer system; for example, this may be your user name, swipe card or biometrics (use of thumbprint or retinal scan). All of these methods are for personal access only and must not be used to provide third party access. Care must be taken to ensure that login methods are kept secure at all times.

Loss of swipe cards must be reported immediately to the RA Manager and reported as an incident in accordance with the Trust Incident Reporting Policy.

Staff have an individual responsibility to ensure that they log themselves out of systems after use or if leaving a system unattended for any period. Only authorised staff may view data and it is essential that staff understand that no one else, except themselves, should have the opportunity to add, amend, view or delete data under their personal log in access rights.

11. Removal of System Access

11.1 System Administrators/Managers are empowered to remove/suspend access to systems in the event of any breach or potential breach of this policy.

System access will be removed under the terms of the IT user Account and Usage Policy (see ref [6]).

12. Portable Media

All portable media/devices for use on/with information systems owned or operated by the Trust are covered by this policy. This includes: PDAs, smart devices e.g. smart phones, USB memory sticks, tapes, removable or external hard drives and discs, DVDs and CD-ROM, laptops. The Trust has a separate IT Laptop Security policy, IG0085 (see ref [7]).

All portable media capable of storing Trust information including PDAs (by receiving an for example) must be encrypted. The IT department will be able to provide advice on this.

Any personal mobile phones which have the capability to access NHSmail and download documents and files which may contain person identifiable and sensitive information fall under the category of portable media. Since they are not supplied or approved by the Trust and will not be encrypted by the IT Services department they must not be used in this way under any circumstances.

Any procurement for portable media must be made through the IT Services Department.

No item of portable media should serve as the primary source of data. The Trust's network drives should be the original source of data to act as a back up in the event of loss or theft.

Trust staff or contractors are not permitted to introduce or use any portable media other than those provided and explicitly approved by the Trust.

Portable media supplied by the Trust is either owned or managed by the IT Services department and must be appropriately security marked to indicate this.

Under no circumstances should person identifiable or sensitive information be downloaded on to portable media that is unencrypted.

All portable media must be securely transported and protected against loss, damage and misuse and locked away when not in use.

Tampering with an item of portable media in order to bypass encryption security is not permitted.

13. Access to Person Identifiable Information

Person identifiable information should only be accessed on a "need to know" basis and only by authorised individuals.

It is a breach of Trust policy and may constitute a criminal offence

for a member of staff to access their own personal staff or health records or the records of colleagues, family, friends or others where there is no legitimate business relationship or access is deemed inappropriate or is not authorised as a specific Trust purpose.

To disclose/share confidential information where there is no legitimate business relationship or specific business purpose/or is not on a need to know basis e.g. selling of information for personal gain, general indiscretion or gossip

14. IT Remote Working

Explicit authorisation from both the appropriate Asset Manager and IT Services Manager must be obtained prior to any remote working and will only be authorised once appropriate risk assessments have been satisfied.

Personally owned IT equipment must not be used for the processing or storage of person identifiable, confidential or sensitive data e.g. home working, off site.

Refer to Appendix D - IT Remote Working Policy for further guidance and request form.

15. Software Licences

All software must be used in accordance with the licences agreed when purchased and described in the copyright statement in those licences.

Further copying of software is illegal and copying of software should never be undertaken without express permission from the Information/IT Security Manager.

Modified versions of licensed software must only be incorporated in programs written by users with the express written permission of the licensor.

Reverse engineering or de-compiling of licensed software must only be undertaken with the express written permission of the licensor.

All copies of software loaned must be removed and returned from any computer owned by an employee at the end of the period of employment, or when requested to do so.

16. Installing Software and Creating Systems

Software must not be installed on any Trust computer system which forms part of, or can be connected to, any Trust departmental, specialty or corporate computer system without the prior written permission of the System Manager(s) or IT Security Manager.

Communications equipment must not be installed on Trust computing resources without prior written approval from the Trust Information/IT Security Manager.

The creation, installation or introduction of any computer based information software system for the purpose of storing or processing patient identifiable data or staff data requires notification and prior approval from the Trust's Caldicott Guardian and the Information Security officer. The notification form can be found in the Trust's Policy for the Procurement or Implementation of New IT Systems, Databases and Information Flows (see ref [4]).

17. Use of Non-Trust Computer Processing Equipment on the Trust Network

Any non-trust computer processing device may only be used for the purposes of accessing the internet and access to Trust resources is strictly prohibited.

The user must ensure that the equipment has Anti-Virus software installed and has the latest definitions file applied. Additionally, the Operating System must have at least the same level of security patches installed as currently in use in the Trust.

The user is responsible for ensuring the above is adhered to and that Appendix C is completed and authorisation received.

18. Loss or Theft of Trust IT Equipment

Any loss or potential loss including theft or damage of Trust IT equipment must be reported immediately to the IT Services Department, to the member of staff's line manager and via an IR1 incident form in accordance with the Trust's Incident Reporting Policy & Procedure (see ref [8]).

Theft of IT equipment must also be reported to the Trust Security Office and the police and a crime number obtained.

19. Monitoring and Auditing Access to Confidential Information

The Trust has overall responsibility for monitoring and auditing access to confidential personal information. Responsibility for this will be delegated to an appropriate senior staff member, e.g. IT System Manager, Information Asset Owner, IG/IT Security Lead or equivalent.

The following are examples of events that the Trust may audit:

- failed attempts to access confidential information;
- repeated attempts to access confidential information;
- successful access of confidential information by unauthorised persons;
- evidence of shared login sessions/passwords.

Investigation and management of confidentiality events will be in line with the Trust Incident Reporting policy and procedure.

Dependent on the severity and circumstances of the incident, staff may be subject to disciplinary procedures resulting in suspension, supervised access to systems, re-training, termination of employment/contract or criminal charges.

20. Breach of Policy

All incidents or information indicating a suspected or actual breach of this policy must be reported as soon as possible to the immediate line manager and where appropriate the Information Security officer in accordance with the Trust Incident Reporting Policy and Procedure (see ref [8]).

Staff may be subject to disciplinary procedures if this policy is not adhered to.

21. Monitoring the Policy

The Caldicott and Information Governance Committee will monitor the implementation of this procedure and subsequent revisions through:

- Ensuring that all staff requiring access to IT systems or a requirement to work electronically on Trust business remotely have access to and understand the requirements of the Policy.
- Regular review of reported information security incidents.

22. Review of This Document

This document will be formally reviewed every 3 years. This document will be subject to revision when any of the following occur:

- The adoption of the standards highlights errors and omissions in its content
- Where other standards/guidance issued by the Trust conflict with the information contained
- Where good practice evolves to the extent that revision would bring about improvement

23. Glossary/Definitions

The following terms/acronyms are used within the document.

ISO: Information Security Officer
System: Any computer or other electronic device where software accesses or otherwise carries out functions on information held electronically, for example Personal Computer, Server, PDA.
PDA: Personal Digital Assistant, e.g. Palm Pilot, Blackberry.

Appendix A Key Roles and Contact Details

Information Security Officer: Anne Chilcott, Amersham ext 4039
IT Security Officer: Dave Morgan, Stoke Mandeville ext 6558
IT Service Desk: Stoke Mandeville ext 5904
Caldicott Guardian: Mr Bruce James, Stoke Mandeville ext 5031

Appendix B IT System & Data Access Forms

1. New User Setup

I would like to apply for access to the Trust's computer systems. I have read and agree to abide by the Trust's Policies and Codes of Practice and understand my responsibilities to safeguard the organisation regarding:

- Computer Usage Policy
- Internet Access Policy
- User Account and Usage Policy
- Confidentiality Code of Practice
- Procedure for the Release of Person Identifiable Data

I understand that failure to comply with the above documents may result in the Trust taking disciplinary action in accordance with the Trust's Discipline Policy. I understand and accept that these documents will be subject to periodic review by the Trust and agree to not unreasonably withhold my agreement to any proposed changes. I understand and agree that my use of computing facilities within the Trust may be subject to detailed audit by duly appointed Trust staff and where necessary the Trust's agents, at any time without prior notification.

New User Details
Title :
First Name :
Middle Name :
Surname :
Job Title :
Department :
Site :
Tel. No :
Are you Temporary Staff? YES/NO
Leaving Date : / /20
*** A leaving date must be provided for all temporary staff before a login can be issued. ***
Signature :
Date :

Mandatory Information Governance Training (Data Protection & Confidentiality) needs to be completed within 2 months of start date. If already completed please provide the completed date; if this has not been completed please tick to confirm you and your manager agree to complete within 2 months of start date.

Completed Date: / /20
Agree to complete within 2 months from start date (please tick)

2. Request for Access to System

Member of Staff to be given access to System
Name :
Username :
Job Title :
Department :
Site :
Tel No :

Please tick which system you require access to:

System: Antibiotics_Admin Antimicrobial Maintenance Utility Arcadia Bloodspot Costar Cressex Diana (Please provide PC Number) DOC Gen DOC Gen Admin LAPP Administrator LAPP Administrator Read Only LAPP Approver LAPP User Lilie - GUM MI Databank PMS User PMS - Report Review Pandemic Flu Report VIP (Outpatients) Winpath 1.1 Other System (Please state)

3. Share Access Request

PLEASE COMPLETE ALL DETAILS IN BLOCK CAPITALS

Share Details
Full name of Share and Server: (e.g. WARDS$ ON BHTFILE01 (N:))

Members of Staff to be given Access to Share (Please list staff members below)

The form provides four identical entries, each with the following fields:
Add / Remove
Name :
Username :
Read Only / Modify
Job Title :
Department :
Site :
Tel No :

Share Owner/Manager Requesting Access to be provided to the above:
Name :
Job Title :
Department :
Tel No :
Signature :
Date :

Please contact the IT-Service Desk on with any queries when completing this form. Once complete, please return to the IT Service Desk by Fax on via Internal post to the IT Service Desk, IT Department, Ward 21, SMH

IT Use Only
Actioned By (Print Name)
Date Actioned

Appendix C - Request for Access to the Internet only via the Trust Network (for non-employees only)

I would like to apply for access to the Trust's computer systems. I understand my responsibilities to safeguard the organisation and understand that Buckinghamshire Healthcare NHS Trust has in place an IT Internet Access Policy that I agree to abide by.

I certify that, to the best of my knowledge, the equipment I am requesting to be connected to the Trust Network is virus free and the operating system has the relevant security patches as currently defined by Microsoft.

I understand and agree that my use of computing facilities within the Trust may be subject to detailed audit by duly appointed Trust staff and where necessary the Trust's agents, at any time without prior notification.

New User Details
Title :
First Name :
Middle Name :
Surname :
Job Title :
Department :
Site :
Tel. No :
Data Protection Course - Attended/Booked
Date of Course: / /20
Are you Temporary Staff? YES/NO
Leaving Date : / /20
*** A leaving date must be provided for all temporary staff before a login can be issued. ***
Signature :
Date :

Manager's Authorisation
Name :
Job Title :
Department :
Tel No :
Signature :
Date :

Please contact the IT-Service Desk on with any queries when completing this form. Once complete, please return to the IT Service Desk by Fax on or via Internal post to the IT Service Desk, IT Department, Ward 23, SMH

IT Use Only
Actioned By (Print Name)
Date Actioned / /20

Appendix D IT Remote Working Person Identifiable, Confidential or Sensitive Data

1 Introduction

1.1 Buckinghamshire Healthcare NHS Trust, herein after referred to as the Trust, have a duty to ensure that appropriate arrangements and controls are in place to manage IT remote working undertaken by staff.

1.2 The Trust recognises that IT remote working should be available to staff where this is significant to their job role and appropriate but it also recognises that this should be done so in a safe and secure manner to reduce the risks to Trust information being shared or accessed inappropriately to the lowest possible level.

2 Purpose

2.1 This document applies to all staff employed by the Trust and all bank and contractor staff authorised to use person identifiable, confidential or sensitive data.

2.2 The document has been developed to manage IT remote working including the applications made by staff, the suitability for remote working and to reduce the level of risk posed by IT remote working to the lowest possible level.

3 Definitions and key statements

3.1 For the purposes of this document the following definition will apply - Remote working is a form of organising/performing work, using information technology, where work, which could also be performed at the employer's premises, is carried out away from those premises. Normally this is carried out securely via a telecommunication link to their organisation. This can be carried out either at home or other place that provides access to the internet or via a 3G connection if the laptop has that facility. For the purposes of the policy, all work carried out away from the office base, whether temporary or on a longer term basis, will be referred to as remote working.

Managers have a duty to identify and authorise roles that require IT remote working.

Staff have a duty to inform their manager of any requirement to carry out IT remote working or changes in their current requirements to carry out IT remote working and seek the necessary authorisation before doing so.

All staff have a duty to ensure that:

- Only Trust provided/approved IT equipment will be used
- Encryption security will be applied to all IT equipment including any use of IT portable media e.g. USB memory keys, laptops, CDs used to transfer any authorised person identifiable data
- When using Trust provided laptops they have signed and adhere to the Trust IT Laptop Policy IG0085 (see ref [4])

All donated or loaned IT Equipment to the Trust e.g. personal computers, laptops must be risk assessed, approved, registered and encrypted with the IT Services Department prior to any use.

4 Roles and responsibilities

4.1 Information Asset Managers

Information Asset Managers will support and enable the Operational Clinical Leads and Managers to fulfil their responsibilities and ensure the effective implementation of this policy within their divisions.

4.2 Operational Clinical Leads/Managers

Operational Clinical Leads/Managers must ensure that

- Job roles that require IT remote working are identified and managed in accordance with this policy
- Staff within their responsibility need to apply for the ability to remote work prior to any work commencing and provide all appropriate information within the documentation required. Further information and copies of appropriate forms to be completed can be found in appendices D1 and D
- They review their staff members' applications to remote work appropriately and sign all relevant documentation as required. Copies of all relevant forms must be retained in the staff member's personal file. Where they feel an application of remote working is not appropriate, this must be discussed with the individual and it must be documented that the application has been declined by completing the appropriate form as set out in appendix
- Staff complete their requirements in terms of reading the relevant Trust documentation and understanding their responsibilities therein. Further information can be provided by the IG and IT departments
- All Information Governance incidents are investigated appropriately and the information is shared with the relevant services within the Trust where required
- Copies of all appropriate documentation relating to the technology for remote working are retained by the IT department for reference
- When a staff member leaves the organisation or changes to a department where remote working is not required the necessary steps are taken to retrieve any remote working access and that this is shared with the appropriate services within IT

Information Governance Manager

The Information Governance Manager will ensure that

- They provide information, support and advice (where applicable) to staff/IT on remote working
- They provide incident investigation advice where requested.

4.4 IT Services Manager

The IT Services Manager will ensure that

- Adequate resources are available and appropriate people are identified within their department to ensure that all remote working applications are monitored and actioned in a timely manner.

4.7.3 Where appropriate, software and upgrades to Trust PC equipment are provided to ensure the equipment meets all security requirements.

Appropriate training is provided to the individual on how to use the equipment given to them to remote work and that they are given time to ask any questions where necessary. The trainer will ensure that the appropriate agreement form is filled in and signed as set out in appendix 4 before the individual is provided with the necessary equipment to remote work.

The Laptop and VPN Register is kept up to date with information relating to users with laptops and VPN tokens so that records can be updated and assets can be monitored.

4.5 All Staff

All staff will ensure that:

They apply to remote work via the appropriate methods as set out in Appendix D1 and provide honest information within this documentation.

Whilst remote working, they abide by all appropriate Information Governance policies and procedures specifically within this policy and within the Trust's Laptop Security Policy.

They read the relevant Trust documentation and understand their responsibilities therein. Further information can be obtained from the IG and IT departments.

Where required, they implement all further control measures requested by IG and IT before their application for remote working is approved. Where these measures cannot be met, this information must be then provided to the IG and IT Managers and their Operational Clinical Lead/Manager for further discussion.

All Information Governance incidents including lost or stolen IT equipment must be reported via the Trust's Incident Reporting Policy.

5 Working remotely

5.1 All staff wanting to work remotely must make an appropriate application to do so via the documentation as set out in Appendix D1. This then must be submitted to the individual's respective Line Manager for approval then sent to the IT department for processing.
5.2 The Operational Clinical Lead/Manager may, at this stage, reject the application to remotely work. If so, the reason for this rejection must be documented and provided to the member of staff. If the member of staff wishes to contest this decision, this must be done so via the approved HR processes.

5.3 Remote working is only possible using Trust provided/approved PC hardware, using a VPN token if access to the Trust network is required. Other hardware, for example, that provided by third party companies or personally owned equipment, must not be used.

5.4 Whilst remote working, staff members must ensure that they are aware of their responsibilities to store information safely, to protect it from loss, destruction or damage. This requires storage that is secure against theft and damage, and the protection of systems from computer fraud and virus attacks.

5.6 Staff must ensure that they are aware of their responsibilities when using sensitive data e.g. Patient Identifiable data, Personal identifiable data, see Appendix D2. Further information is available from the IG and IT departments. (We need a reference here to the one that discusses the requirement for senior manager approval)

6 Virtual Private Networks (VPN)

6.1 Staff members that require access to the Trust's electronic systems must do so via a VPN connection using a VPN token.

6.2 VPN is a connection made between one network and another. VPN is used to securely connect to the Trust's network in order for an individual to work remotely. A VPN token is part of the remote access system and provides a unique number every 60 seconds. This number is used as part of the process to remotely work alongside a password provided to the individual.

6.2 If a successful application for remote working is made, staff members will be provided with the appropriate software and VPN token to connect to the Trust's electronic systems remotely. Connection must be done so in accordance with listed policies.

Appendix D1 - Request for IT Remote Working

IT Remote Working conditions of use:

1. I will keep all equipment secure including the Laptop, VPN token, USB stick etc at all times.
2. Where I will use a Trust provided laptop for home/remote working, this must be encrypted.
3. I will use only an approved Trust provided encrypted USB stick.
4. I will not write down any passwords and will keep the VPN token separate from the laptop (i.e. not the same bag).
5. I will not carry out any electronic transfer of information between NHS systems and privately managed personal computer resources.
6. I will report any changes to my home/remote working environment to my Line Manager and IT Service Manager.
7. I will return to IT all equipment issued to me for the purpose of remote working should this be no longer required or on termination of contract.
8. I understand that failure to observe and maintain this home/remote working agreement may result in the home/remote working facility being withdrawn.

Requester Details

Name :
Job title :
Department :
Site :
Tel. No :
Directorate:

Usage Details

Will Person Identifiable Data (PID) be processed? YES/NO

Reason why Home\Remote working is Required and what work would be completed whilst Home\Remote Working?

I confirm that I have read and understand the above conditions of use. I also confirm that the information that I have provided above is true and correct:

Signature :
Date :

Type of Access Required

IT will contact you further with costs and further authorisations required

3G Blackberry VPN Token Encrypted USB Memory Stick Trust Laptop

Manager's Authorisation

Name :
Job Title :
Department :
Tel No :
Signature :
Date :

Please contact the IT-Service Desk on with any queries when completing this form. Once complete please retain a copy, provide your manager with a copy and return a copy to IT Service Desk by fax on or via internal post to the IT Service Desk, IT Dept, Ward 23, SMH

Appendix D2 Data Protection Considerations when Remote Working

All staff should adhere to Trust policy when using Trust records/information for remote working purposes. In addition, consideration should be given to the following:

Manual records (paper records)

Staff should avoid taking patient records home whenever possible, and where this cannot be avoided, procedures for safeguarding the information should be made i.e. locked securely in a briefcase, kept under your supervision at all times or locked in a secure cupboard with only your access, until they are returned to work.

Confidential/Sensitive information should not be left where it might be looked at by unauthorised persons i.e. family and friends and should not be left in insecure areas.

Records must not be left in the car. During transportation these should be locked in the boot of the car and removed immediately on arrival at home and kept secure as above.

Records must be properly booked out from their normal filing system i.e. tracing and tracking system.

Records must be returned to the filing location, as soon as possible.

Electronic records

Always log-out of any computer system or application when you have finished working or leaving your work station for a period of time.

Ensure passwords are kept safely and not accessible to friends and family.

Use a password protected screen saver to prevent casual viewing of information.

Do not store patient information on a USB stick unless you have been authorised to do so and it is a Trust standard encrypted USB stick. The data must be wiped from the memory stick once it has been copied to its destination.
Do not download person identifiable/sensitive information from your NHSmail account onto your home PC or any other non Trust provided equipment.

Key Risks to working on personally owned equipment

You cannot guarantee adherence to the Trust's Security Policies by members of your family or friends.

You would be unable to guarantee virus protection to the Trust's standard.

Even if you delete any Trust data from your home PC, this is still retrievable from the hard drive by an expert or with the right software.

IT equipment is vulnerable to theft and loss and any data stored on personally owned equipment that does not meet the Trust's strict security requirements is at a significantly higher risk.


More information

Network and Workstation Acceptable Use Policy

Network and Workstation Acceptable Use Policy CONTENT: Introduction Purpose Policy / Procedure References INTRODUCTION Information Technology services including, staff, workstations, peripherals and network infrastructures are an integral part of

More information

Authorised Acceptable Use Policy 2015-2016. Groby Community College Achieving Excellence Together

Authorised Acceptable Use Policy 2015-2016. Groby Community College Achieving Excellence Together Groby Community College Achieving Excellence Together Authorised Acceptable Use Policy 2015-2016 Reviewed: Lee Shellard, ICT Manager: May 2015 Agreed: Leadership & Management Committee: May 2015 Next review:

More information

Records Management Policy

Records Management Policy Once printed off, this is an uncontrolled document. Please check the Intranet for the most up to date copy Author Freedom of Information Lead Version 5.0 Issue Issue Date October 2011 Review Date October

More information

Data Transfer Policy. Data Transfer Policy London Borough of Barnet

Data Transfer Policy. Data Transfer Policy London Borough of Barnet Data Transfer Policy Data Transfer Policy London Borough of Barnet Document Control POLICY NAME Data Transfer Policy Document Description Policy surrounding data transfers (electronic and paper based).

More information

Mobile Devices Security Policy

Mobile Devices Security Policy Mobile Devices Security Policy 1.0 Policy Administration (for completion by Author) Document Title Mobile Devices Security Policy Document Category Policy ref. Status Policy Unique ref no. Issued by GSU

More information

Bulk Data Transfer Guidelines

Bulk Data Transfer Guidelines Bulk Data Transfer Guidelines This procedural document supersedes: CORP/ICT 20 v.1 Bulk Data Transfer. Did you print this document yourself? The Trust discourages the retention of hard copies of policies

More information

PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY

PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY CORPORATE POLICY Document Control Title Paper Records Secure Handling and Transit Policy Author Information Governance Manager ** Owner SIRO/CIARG Subject

More information

Remote Access and Network Security Statement For Apple

Remote Access and Network Security Statement For Apple Remote Access and Mobile Working Policy & Guidance Document Control Document Details Author Adrian Last Company Name The Crown Estate Division Name Information Services Document Name Remote Access and

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

Information Security Code of Conduct

Information Security Code of Conduct Information Security Code of Conduct IT s up to us >Passwords > Anti-Virus > Security Locks >Email & Internet >Software >Aon Information >Data Protection >ID Badges > Contents Aon Information Security

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Terms and Conditions of Use - Connectivity to MAGNET

Terms and Conditions of Use - Connectivity to MAGNET I, as the Client, declare to have read and accepted the terms and conditions set out below for the use of the network connectivity to the Malta Government Network (MAGNET) provided by the Malta Information

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Rev Date Purpose of Issue/ Description of Change Equality Impact Assessment Completed 1. June 2011 Initial Issue 2. 29 th March 2012 Second Version 3. 15 th April 2013 Third

More information

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation ICT SECURITY POLICY Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation Responsibility Assistant Principal, Learner Services Jannette

More information

INFORMATION MANAGEMENT & TECHNOLOGY SECURITY POLICY

INFORMATION MANAGEMENT & TECHNOLOGY SECURITY POLICY Information Management & Technology Security Policy INFORMATION MANAGEMENT & TECHNOLOGY SECURITY POLICY POLICY NO IM&T 003 DATE RATIFIED October 2010 NEXT REVIEW DATE October 2013 POLICY STATEMENT/KEY

More information

How To Ensure Network Security

How To Ensure Network Security NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

EMMANUEL CE VA MIDDLE SCHOOL. IT Security Standards

EMMANUEL CE VA MIDDLE SCHOOL. IT Security Standards EMMANUEL CE VA MIDDLE SCHOOL IT Security Standards 1. Policy Statement The work of Schools and the County Council is increasingly reliant upon Information & Communication Technology (ICT) and the data

More information

Cellular/Smart Phone Use Procedure

Cellular/Smart Phone Use Procedure Number 1. Purpose This procedure is performed as a means of ensuring the safe and efficient use of cell/smart phones throughout West Coast District Health Board (WCDHB) facilities. 2. Application This

More information

Safe Haven Procedure for the Secure Transmission of Personally Identifiable Information

Safe Haven Procedure for the Secure Transmission of Personally Identifiable Information Safe Haven Procedure for the Secure Transmission of Personally Identifiable Information Im&t directorate\policies\approved ig policiesprocedures.1 Index 1. Purpose... 3 2. Introduction... 3 3. Scope...

More information

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom

More information

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices 8-27-2015 4-007.1 Supersedes 4-007 Page Of 1 5 Responsible Authority Vice Provost for Information

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

Information Technology Policy and Procedures

Information Technology Policy and Procedures Information Technology Policy and Procedures Responsible Officer Author Ben Bennett, Business Planning & Resources Director Policy Development Group Date effective from April 2005 Date last amended February

More information