GUIDEILINE FOR MONITORING STAFF COMPUTER USE

Transcription

1 GUIDEILINE FOR MONITORING STAFF COMPUTER USE TRUST REF: B41/2007 APPROVED BY: Policy and Guideline Committee VERSION NUMBER: 1 DATE OF APPROVAL: 12 th November 2007 AUTHOR: DIRECTORATE: REVIEW DATE: Gareth Lawrence Corporate and Legal Affairs 2 years Page 1 of 5

2 Index 1. Introduction Relevant legislation Routine audit reports Requests for information on staff usage Documentation Retention Awareness of this guideline Contact Relevant Information Policies... 5 Version Date Author Change Change Control Page 2 of 5

3 1. Introduction This guideline is intended for use by computer systems managers who have the ability to produce audit trails of staff computer activity. This would normally be carried out as a result of routine audit reports or as a request for information on staff system usage, usually when concerns arise over the appropriateness of employees use of the computer system. The principles which underpin this have already been incorporated into the IM&T Procedure for the Monitoring of Internet Access. However, the Trust has many systems with audit trail capabilities and a number of staff within and outside of IM&T who manage systems. This guideline stating the principles to apply will be applicable to systems managers who may be asked to report on the activity of staff members. This guideline does not cover the situation where patients or staff may wish to identify who has accessed their electronic information. In this situation seek advice from the Information Governance Manager. 2. Relevant legislation There are a number of laws and guidelines which govern how this type of activity is conducted. Regulation of Investigatory Powers Act 2000 (RIPA) Telecommunications (Lawful Business Practice Interception of Communications) Regulations 2000 The Human Rights Act 1988 Employment Practices Data Protection Code Part 3, Monitoring at Work (Information Commissioner) This guideline conforms to the legislation and has been agreed with Staff Side Representatives. In summary, the position is: The Trust can not conduct surveillance of staff unless sanctioned by an external body such as the Counter Fraud Service. This guideline does not consider surveillance; The Trust is entitled to, and does, examine it s records to satisfy itself that Trust policies are being adhered to; Staff should be aware that this is the case. 3. Routine audit reports Page 3 of 5

4 Trust computer systems will typically record activity of staff logging onto the system, creation, update, deletion and viewing of records. Systems managers will define audit reports to monitor system usage as they consider appropriate. This may include excessive and unusual use such as outside of normal hours, repeat enquires on same person and excessive failed login in attempts. If at any point it is considered that disciplinary action may arise, Human Resources should be informed. Systems managers are able to investigate abnormal activity and this may result in temporary suspension of the account until the investigation is complete. A record of any investigatory activity should be kept. Documentation supporting the investigation should be held securely on the system and should be accessible only to staff with Systems Administrator access. 4. Requests for information on staff usage This would occur if a request was received from management to report staff member activity in order to determine if the Trust member was in breach of staff policies. The overriding concern in such requests is that staff members are treated fairly and it is recommended that the best way to ensure that requests are legitimate is to only process requests received through Human Resources who are experienced in dealing with such matters in accordance with Trust Policy. As above, a record of any investigatory activity should be kept. Documentation supporting the investigation should be held securely on the system and should be accessible only to staff with Systems Administrator access. 5. Documentation Retention Documentation should be retained by systems managers for a maximum of 6 months after which it should be securely destroyed. Any documentation which is used in a staff disciplinary will be held a part of the disciplinary process documentation. Audit trail reports produced on a staff members activity would be disclosable to the staff member should the staff member request the information. 6. Awareness of this guideline Users of systems will be authorised by line managers to access systems. The authorisation form should alert the user to the prospect of monitoring. In addition to Insite, this guideline will be issued to managers of key computer systems within the Trust and through Human Resources. Page 4 of 5

5 7. Contact Should you require any further details regarding interpretation of this guideline please contact your Human Resources advisor or the Information Governance Manager on x Relevant Information Policies and internet access and monitoring policy Information Security Policy How we monitor UHL Internet Access Page 5 of 5