Mobile Devices and Remote Working Policy

Transcription

1 Mobile Devices and Remote Working Policy Document Reference Information Version 1.0 Status Final Author/Lead Risk and IG Manager Date Effective February 2015 Date of Next Formal Review January 2017 Version Control Record Date Version Action Amendments January First version Adoption of previous NWL CSU Mobile Working policy To be read in conjunction with Information Security Policy Information Governance Policy Disciplinary Policy Registration Authority Policy Policy The CCG incorporates and supports the Equality Act 2010 and the human rights of the individual as set out in the European Convention on Human Rights and the Human Rights Act 1998 Page 1 of 10

2 Contents Section Number Paragraph Heading Page Number Document Reference Information 1 Version Control Record 1 1 Introduction 3 2 Objective 3 3 Definitions 3 4 Scope 4 5 Connection to Non-NHS Networks 4 6 Information Held on CCG mobile devices 4 7 Information Held on Personal Mobile Devices 4 8 Mobile Devices Security 5 9 General Security Principals and Guidelines 5 10 Display Screens 7 11 Making an Application for Home Working 7 12 Monitoring and Review 8 13 Policy Breach 8 14 Staff Leavers 8 Page 2 of 10

3 1. Introduction 1.1 Current working practice within the CCG is such that individuals might not have a static work base or will need to work from home either occasionally or for periods of time. In the course of their work such individuals may need to access the NWL (North West London) network or take information away from their base. The CCG operates a remote working facility and it is possible to process or view information on various types of portable/mobile electronic devices. It is important that information, whether stored on mobile devices or accessed or worked on remotely, is protected by proper security processes. 2. Objective 2.1 The purpose of this policy is to protect CCG information that is accessed remotely or is stored on mobile devices. It forms part of an overall set of information governance policies and should be read in conjunction with the Information Security Policy. 3. Definitions 3.1. Data devices this includes any device that can store information required for the CCG s operational business. Typically these are portable computers, laptops/notebooks, smart phones such as blackberries, mobile phones, digital cameras and although not currently supported by the NWL ICT Helpdesk, it may also cover other devices such as personal digital assistants (PDAs), and any other mobile devices which process information Media Any physical item that can store information and requires another device to access it. For example: CD, DVD, Floppy disc, tape, digital storage device (flash memory cards, USB disc keys, portable hard drives) Patient Identifiable Data - Person identifiable information can include one or more of the following: Surname Forename Address/Postcode Telephone Number Occupation Gender Date of Birth Ethnic Group NHS Number NI Number 3.4 CCG Devices - All data devices connecting directly to the NWL network (that is, connected to a network point on NHS premises) must be protected by up to date anti-virus software. Where the device does not update automatically, it is the responsibility of the user to ensure that the anti-virus software is up to date or report it immediately to the NWL ICT Service Desk. 3.5 Personal Devices - That is, devices that are not provided by your employer for use in your work such as home personal computers and laptops, must not be connected directly to the NWL ICT network wired or wireless without ICT authorisation. 3.6 Direct Connection to the NWL ICT Network - It is accepted that from time-to-time, external contractors or visitors will require the use of the Local Area Network (LAN) in order to give presentations or gain access to the Internet. A secure Guest facility has been configured on the network. If a non-nwl computer requires access, an authorised CCG manager may request a temporary Guest logon from the NWL ICT Service Desk. Page 3 of 10

4 3.7 Remote Connection to the NWL ICT Network - Connection to the NWL ICT network remotely (that is, via our VPN client or any web services) requires authorisation by the ICT Department and will be subject to authentication procedures specified by them. 4. Scope This policy covers: 4.1. Remote working, that is, working on CCG information or accessing the NWL ICT network in a place that is not your normal work base 4.2. The use of data devices 4.3. In particular, the policy covers: Connection to the NWL ICT network remotely and with mobile devices The processing of CCG information away from CCG or NWL premises The processing of CCG information on mobile devices The secure transfer of information The security of mobile devices and information The use of home computers and personal mobile devices 4.4. The policy also relates to any staff member, who at any time removes information in any form from the premises of the CCG where it is usually stored. 5. Connection to non-nhs Networks 5.1 CCG equipment must not be connected to the internet via a commercial internet service provider without prior authorisation by the NWL ICT Department because of the risk to the security of the information held on them and the risk of introducing viruses onto the NWL ICT network. 6. Information held on CCG mobile devices 6.1 Confidential CCG information may only be stored on mobile devices with the permission of your line manager and the CCG s Information Governance Manager. 6.2 Information must not be stored permanently on mobile devices. If it is necessary to work away from the CCG s premises, information should be transferred to the NWL ICT server and deleted from the device as soon as possible. 6.3 Unauthorised software must not be installed onto CCG mobile devices. 6.4 Information must be virus checked before transferring onto NWL computers. This will be done automatically for non-confidential information that is sent via . (Confidential information must not be sent via unless it is part of an agreed and authorised process 7. Information held on Personal mobile devices 7.1 CCG information must not be stored on non-ccg equipment, for example, home personal computers, laptops and PDAs unless it is part of an agreed process, authorised by the CCG s Information Governance Manager and Caldicott Guardian. An exception is the synchronisation of your calendar, task list and address book with non-nwl ICT issued PDAs, which is permitted, but not they cannot be synchronised via a CCG data device, as they are unsupported and untested devices. Page 4 of 10

5 8. Mobile Devices Security 8.1 Information stored on any mobile device must be protected by adequate security including encryption, regular back up procedures, and up to date anti-virus software. In particular, memory sticks must be encrypted and issued by the NWL ICT Department and have password protection. Advice can be sought from the Service Desk. 9. General Security Principals and Guidance 9.1 The security issues in this policy relate to and include physical security of computer equipment, confidentiality of manual and electronic data, and implications for the security of the NWL ICT systems and network. The security of mobile devices and information 9.2 Mobile devices and confidential information, whether manual or electronic, must be protected by adequate security, for example, they must be: Kept out of sight, for example, in the locked boot of the car, when transported Not left unattended, for example, not left in the car boot overnight Locked away when not being used Kept secure and guarded from theft, unauthorised access and adverse environmental events particularly when taken home Password protected 9.3 CCG issued equipment must be returned to the NWL ICT Department for a health check at regular intervals as specified by the Department, or at their specific request. 9.4 Remote access to the NWL ICT server will require the use of security procedures. These must not be divulged under any circumstances to anyone and users will be expected to make whatever arrangements are necessary, at the home address or wherever else access is established, to ensure that these procedures are safeguarded. Usage in any public accessible area 9.5 The use of information in these areas should be kept to an absolute minimum, due to the threats of overlooking and theft. Any member of staff choosing to use information and/or devices in these areas that results in any related incident will be required to state why the usage was required in that situation and the efforts they made to protect the information and any equipment. Equipment in use will not be left unattended at any time. 9.6 Usage in areas not generally accessible to the public (other CCG premises). Staff are responsible for ensuring that unauthorised individuals are not able to see information or access systems. If equipment is being used outside of its normal location and might be left unattended, the user will secure it by other means (e.g. Kensington Lock Security Cable). Home Usage 9.7 Only authorised members of staff are allowed access to information being used at home in any form, on any media. No family members are allowed access to the equipment or data. Use of any information at home must be for work purposes only. 9.8 Staff must ensure the security of information within their home from theft as well as ensuring that unauthorised individuals are not able to see information or access systems. Where possible it should be stored in a locked container (filing cabinet, lockable briefcase). If this is not possible, when not in use it should be neatly filed and stored away out of sight and out of reach of small children. Page 5 of 10

6 Supplied equipment 9.9 Where the NWL ICT Department has supplied any form of data device only the member of staff themselves is authorised to have access to it. Any member of staff allowing access to an unauthorised person, deliberately or inadvertently may be subject to disciplinary proceedings You may not connect any NWL ICT supplied device to any phone line or internet connection or other computer, other than where you have been given authority and access to the NWL ICT network via a secure remote link Head of IT Operations is responsible for ensuring that access to supplied equipment requires a username and password and that anti-virus software is installed For supplied equipment that is not classed as portable (i.e. a supplied desktop PC), the IT department are responsible for ensuring anti-virus software is regularly updated. In some cases, this may require the return of for updating and checks by the ICT Department when requested If you have been supplied with IT portable equipment (i.e. a laptop or similar device), you are responsible for ensuring that it is regularly connected to the NWL ICT network on-site for upgrade of anti-virus software All NWL IT portable equipment (e.g. laptops, Tablets) should be encrypted before any information is stored. Person Identifiable Data files should have additional protection against unauthorised access (for example an additional password). When equipment is returned or the data is no longer needed the data must be removed. This is the users responsibility The NWL ICT Department is responsible for the safety testing of supplied equipment and annual electrical appliance testing of this equipment. Staff that use the equipment are responsible for ensuring that these checks are undertaken All new requests for Laptops, Notebooks, PC Tablets, Blackberry Phones and other mobile computing devices must be authorised by a director. Remote Access must also be granted by a director. Staff owned equipment 9.16 The use and storage of person identifiable or confidential data on staff owned equipment is strictly forbidden. Staff may only use a NWL ICT supplied encrypted USB data key for this purpose. If files from your personal home computer are transferred to the office environment this should be using for non-confidential data or a NWL ICT issued USB data key for confidential data. Floppy disks or other removal media should not be used Any Staff that are defined as a Home worker are responsible for ensuring that their work conditions at home comply with health and safety regulations, policies and procedures. Working with sensitive Information 9.18 All staff working with Person Identifiable or Organisationally Sensitive Data on a NWL ICT issued data device must abide by the CCGs policies around confidentiality and information security. Sending an from home 9.19 Electronic mail containing person-identifiable and confidential information may not be sent to or from home unless using an encrypted service such as NHSmail. Non personidentifiable/confidential information may be sent via . Connection to the network 9.20 Staff may connect to the NWL ICT network via the secure VPN method following a process of authorisation by the ICT Department Page 6 of 10

7 Transport/Storage 9.21 When you remove equipment, files and data from the CCG premises you are responsible for ensuring its safe transport and storage. Equipment should be encrypted and password protected whenever possible and not left unattended e.g. in vehicles. Equipment must be transported in a secure, clean environment. Passwords must not be written down and included with the equipment. Appropriate packaging should be used to prevent physical damage (sealed envelopes etc). Where a courier service is used to transport packages containing sensitive information tamper proof packaging should be used. It is best practice to contact the reciepient to ensure that the information or equipment has been appropriately received in good working order and without any obvious signs of tampering or unauthorised access. Disaster Recovery / Major Incidents 9.21 In the event of a major incident or disaster, the organisation may recall all equipment on loan to provide core services. Please see Business Continuity Policy for further guidance Equipment Safety 9.22 NWL ICT equipment used by home-workers must be safe to use and not give rise to any risks to health and safety. It should be maintained in efficient working order and in good repair, and should only be used in accordance with the CCGs policies, procedures and practices applicable to information technology and communication systems, i.e. the and Internet Policy The CCG will maintain its own equipment, but will not be responsible for maintaining staff members own computers and equipment e.g. electrical sockets and other parts of the home worker s domestic electrical system are their own responsibility. Should a problem arise with personal or NWL ICT loaned equipment, staff will be supplied with a replacement PC or laptop, either temporarily or on loan, as required. Further Help 9.24 For further advice and assistance on any of these aspects you can contact the IT Service Desk on or service.desk@nw.london.nhs.uk 10. Display screens 10.1 Legislation concerning the use of display screen equipment (The Health and Safety (Display Screen Equipment) Regulations 1992) also applies to home-workers. Please visit website below for further details: Making an application for home working 11.1 All applications for home working should be submitted to the NWL ICT Helpdesk at service.desk@nw.london.nhs.uk 11.2 Under the new AFC contract, staff members are entitled to apply for combinations of flexible working options. Please consult the HR department for further details The authorisation procedure only relates to staff that need to use mobile computing facilities, either on or off-site (including staff homes), or transfer information between computer systems via physical media. The authorisation procedure is not required for the transfer or offsite usage of paper records. Page 7 of 10

8 11.4 The staff members line manager needs to initially authorised any request for remote access followed by the relevant Director approval. However, it is the line manager who is responsible for identifying the individual requirements of those eligible for the remote access support set out in this policy and will monitor the usage and the costs incurred Staff designated as 'home workers' are automatically eligible for equipment loans Other members of staff and, exceptionally, others working in an advisory or project capacity for the CCG may be eligible for equipment loan at the discretion of their line manager with joint authorisation from their director Access to this remote access support should be regularly reviewed by each directorate The NWL ICT Department/CCG does not reimburse costs or support the following: Broadband internet connection / line rental installed at a domestic address, for Internet access related to CCG business and access to the NWL ICT servers for home users, unless exceptional circumstances The NWL ICT Department will supply and support a portable computer, on loan at the home address and in some cases a printer and fax machine, if they are required. Additionally, where required the NWL ICT Department will provide a router to enable VPN connection if the user does not own a suitable device already. 12. Monitoring and Review 12.1 The usage of this procedure, and the results of any applications made will be monitored and evaluated. The results of the monitoring and evaluations (excluding reasons for application) will be published in annual equality reports This policy will be reviewed by the CCG IG lead and the relevant CCG IT staff subject to any identified trends in incidents and/or to reflect any organisational changes that may occur prior to the next formal review. 13. Policy Breach 13.1 Any breach of this policy may lead to disciplinary action following HR policy and procedures. 14. Staff Leavers 14.1 On leaving the employment of the organisation, all equipment, software, information and data must be returned. The CCG will take the necessary action to reclaim all equipment, software, information and data that has not been returned by the member of staff (e.g. by collection or means of final salary payment) Page 8 of 10

9 DOCUMENT AUTHOR: Risk and IG Manager APPENDIX _ - Equality Impact Assessment Tool DIRECTORATE: Quality and Safety NAME OF DOCUMENT/POLICY/STRATEGY/PROCEDURE Mobile Working and Remote Devices Policy NEW X EXISTING DATE January 26 th 2015 Aim/Status [a] What is the aim/purpose of the policy/strategy/procedure? To outline the organisation s procedures with regards to the use of mobile devices and remote working. [b] Who is intended to benefit from this policy/strategy/procedure and in what way? All staff as they will be provided with specific guidance and instructions.. [c] How have they been involved in the development of this policy/strategy/procedure? [d] How does it fit into the broader corporate aims? By setting out clear guidelines for acceptable and non-accepted used [e] What outcomes are intended from this policy/strategy/procedure? [f] What resource implications are linked to this policy/strategy/procedure? Impacts [a] what is the likely impact [whether intended or unintended, positive or negative] of the initiative on individual users or on the public at large? Greater clarity for staff on the expectations. Increased information security [b] Is there likely to be differential impact on any group? If yes, please state if this impact may be adverse and give further details [e.g. which specific groups are affected, in what way, and why you believe this to be the case] No. The policy is an inclusive policy that does not seek to advantage or disadvantage any particular staffing group based on age, sex, gender or on the grounds of religious belief or sexual orientation. If the policy is unlawfully discriminatory it must go to a full impact assessment (please Contact the Equality, Diversity & Human Rights Advisor Human Resources Directorate) Persons conducting EqIA Jason Clarke Signed Date: 26 th January 2015 Page 9 of 10

10 Page 10 of 10