Informatics Policy. Information Governance. and Internet Use and Monitoring Policy

Transcription

1 Informatics Policy Information Governance Document Control Document Title Author/Contact Document Reference 3539 Version 6 Pauline Nordoff-Tate, Information Assurance Manager Status Approved Publication Date 28/01/2013 Review Date 27/01/2015 Approved by James Norman, Director of IM&T 28/01/2013 Ratified by Information Governance Group 28/01/2013 Distribution: Royal Liverpool and Broadgreen University hospitals NHS Trust-intranet using Sharepoint which will maintain the policy document in conjunction with each document author. Please note that the Intranet version of this document is the only version that is maintained. Any printed copies should therefore be viewed as uncontrolled and as such, may not necessarily contain the latest updates and amendments.

2 Heading Table of Contents Page Number 1.0 Introduction Objective Scope of Policy Policy Legal implications Internet Access General Principles Internet Access Inappropriate Content Blocked Sites Media Statements Security Software Monitoring of Internet Activity Pro-Active Monitoring Use of General Principles Access Confidentiality NHSmail Inappropriate Content Filtering Software Etiquette Retention of s Monitoring of Activity Access Roles and Responsibilities Managers Staff Associated documentation and references Training & Resources Monitoring and Audit Recording and Monitoring Equality and Diversity Recording and Monitoring of Equality & Diversity 12 Appendix 1 Glossary of Terms 14 Appendix 2 Supporting Legislation and Guidance 15 Appendix 3 Etiquette 16 Appendix 4 Document History and Version Control 18

3 1.0 Introduction The Trust recognises that the use of Internet and is a valuable resource, and encourages the use of these facilities to develop the skills and knowledge of staff. The wide variety and nature of information available on the Internet and via raise concerns about security, confidentiality and proper conduct. This policy provides clarification on the acceptable use of the Internet and in order to protect the Trust and its staff. This policy is not a definitive statement of the purposes for which the Trust facilities must not be used. The onus is placed upon both the management to ensure the policy and suitable training is available and the user of the Trusts systems to conduct themselves at all times in a trustworthy and appropriate manner so as not to discredit or harm the Trust or its staff. This policy should be read in conjunction with other Informatics Policies and the Staff Code of Conduct. This policy is to be treated as a term of the employment contract. 2.0 Objective This document details the requirements that must be adhered to when using the Trust s Internet and resources. 3.0 Scope of Policy This policy covers the appropriate use of Internet and any sent from a Trust address and applies to all employees, volunteers and agents working on behalf of the Trust. The provision of Internet and access relates primarily to use for the Trust s business. Personal use is also permitted as a benefit to staff, provided this does not interfere with the work of the user, their colleagues or the interests of the Trust. Use of the Internet/ system for personal reasons must be agreed with the department Line Manager prior to doing so. This document is intended to cover Internet and access from both within the Trust and remotely (in conjunction with the Trust Portable Device, Removable Media and Remote Access Policy) from any other location. All usage of the Trusts Internet and resources will be governed by the guidance detailed within this document. 4.0 Policy 4.1 Legal implications Misuse of the Internet or can result in legal liability for the Trust and, in some cases, the individual user and their managers. and Internet are forms of publication and inappropriate use may lead to liability under the Defamation Act Both words and pictures can be held to be defamatory if they are untrue, ridicule a person or cause damage to their reputation. A person includes a company or an organisation. Inappropriate use could give rise to liability for negligent virus transmission, copyright infringement, and breach of confidence, 1

4 inadvertently entering into contracts, harassment and discrimination and breaches under the Data Protection Act Staff may potentially use the Internet or inappropriately, or without understanding the full implications of what they are doing. Several factors combine to make a particularly important issue where data protection, freedom of information and the management of personal information is concerned. For example, messages: May carry additional personal information, in the form of facts, intentions or opinions about individuals. [ content is searchable by individuals and therefore falls within the Data Protection and the Freedom of Information Acts; therefore the contents of s, (memos and other communications) may be required to be disclosed as part of a Freedom of Information request or as part of Corporate Disclosure]. Carry the same legal status as written documents and should be used with the same care; Are regularly sent without any supervisor checking their content; Can be readily retransmitted to others and can be distributed or broadcast to a very large population with relative ease and at minimal cost; Cannot generally be cancelled once sent; Can be printed with ease and redistributed manually; Can be amended with ease; Can reveal personal data belonging to the sender and recipient; The user of the facilities therefore has a responsibility to ensure appropriate caution is exercised. 4.2 Internet Access General Principles Internet Access Staff are allowed to use the internet for personal use at the discretion of their line manager, who must give consent in advance. Any personal access must only occur on unpaid breaks and lunches and should not be accessed in areas that are in view of patients or members of the public. Personal use of the Internet and must not adversely impact the work required of the user. Excessive and inappropriate use of the Internet and is monitored and may result in disciplinary action being taken. Access to the Internet is logged on a per user basis. Details such as the date and time of access and the site visited, is recorded and the information is retained for 90 days. Reports using this information will 2

5 be provided to a user s line manager or superior, on receipt of a request via or in writing to the Data Protection/Information Security team Inappropriate Content Staff must not access, download or distribute any material/media, which is unlawful, or participate in any chat room or Internet community whose subject matter is unlawful, objectionable or liable to cause offence. Examples of such material is anything that is libellous or pornographic or which includes offensive material relating to gender, race, sexual orientation, religious or political convictions, or disability. This also includes incitement of hatred and violence or any activity that contravenes any Trust policies concerning conduct. In addition, some categories of site are blocked so as to prevent accidental access. Please keep in mind the material seen as humorous to one person may be seen as offensive by someone else. If an employee accidentally accesses material of the type identified in the previous paragraph or other material which they feel may be considered of an offensive nature, they should note the time and web site address, exit from the site and then inform the Information Security Officer. Social networking sites such as Twitter, Facebook, Linked in, Flickr and Yammer are tools which the Trust is using to assist communications with the general public. Staff should not publish negative comments and/or upload pictures of the Trust or its staff to any social networking sites without permission. Any employee who does this without the prior consent of the person referred to, or permission from the Trust, and where subsequently these comments are deemed to cause offence, will be subject to disciplinary measures, even if the comments were added outside of working hours. Staff are reminded that and internet communications are forms of publication and inappropriate use may give rise to a civil liability. Both words and pictures can be held to be defamatory if they represent an untruth, ridicule a person or cause damage to their reputation. A person in this context includes an organisation. If an employee is in doubt about whether it is appropriate for them to access a site, they should obtain the approval of their line manager or Information Security Officer before doing so on ext Blocked Sites The Trust has taken the decision to block a number of sites, as they are seen as being inappropriate for the work place. Sites relating to: 3

6 Adult/Sexually Explicit Content Alcohol & Tobacco Chat Sites Criminal Activity Downloading Gambling Online Gaming Hacking Hosting Sites Illegal Drugs Intimate Apparel & Swimwear Intolerance & Hate Peer-to-Peer Phishing & Fraud Proxies & Translators Ringtones/Mobile Phone Downloads Tasteless & Offensive Content Video Streaming Violence Weapons If staff are found to have accessed any website that falls under the above categories, then disciplinary action may be taken against the staff member. If a website is blocked but is needed for legitimate work related purposes then please contact the Trust s Information Security Officer on extension You will need to provide the website address Media Statements Only those staff who are specifically authorised to give media statements on behalf of the Trust, e.g. the Trust Communications Director, may write or present views, concerning the Trust and its business, on the Internet Security Internet users must be aware that the Internet is inherently insecure and confidential or proprietary information in relation to the business of the Trust and/or patient-identifiable information must never be disclosed, in line with current legislation and Caldicott Guidance. Although the Trust has anti-virus defences in place, great care should be taken when using the Internet. The IT Service Desk should be informed if any suspicion of virus infection arises; the incident will be dealt with in accordance with the normal operational procedures Software The downloading or distribution of copyrighted material, e.g. music/film files or games is prohibited; this applies equally to downloads for work or personal use. Furthermore installation of downloaded software on 4

7 Trust computers, including laptops, is not permitted unless the Director of Information Management and Technology or a designated deputy gives prior written permission. Downloaded material for personal use must not be stored on the Trust Network, or any other Trust owned device. The use of peer-to-peer systems to download software or multimedia content is prohibited, as is the installation of any such system on Trust network services. The use of Instant Messaging applications is prohibited within the Trust; this includes all web-based interfaces for Instant Messaging applications Monitoring of Internet Activity The Trust reserves the right to carry out the following monitoring activities for legitimate business purposes to comply with this policy. The Trust uses automated mechanisms, both passive (e.g. logging) and active (e.g. blocking access to certain categories of web site), to ensure compliance with this policy. Where the Trust has reason to believe that inappropriate use of the Internet or facilities is, or has been occurring, the Trust retains the right to carry out monitoring activities, for justifiable purposes, to comply with this policy following the Trust information security procedures Pro-Active Monitoring The IT Department will pro-actively monitor the Internet use of staff within the Trust and identify suspected areas of concern. These areas will be identified, and where necessary, the appropriate Line Manager will be advised accordingly. Activity may be monitored with the use of software tools, spot check or manual investigations. 4.3 Use of General Principles Copyright in all documents created via during the course of employment will be vested in the Trust and not the individual user Access The amount of time and the times of day that staff may use for reasonable personal access during working hours, must be agreed with their line manager first, and should not adversely impact the work required of the user. Managers may choose to allow access only outside of working hours (i.e. before or after work or during breaks) Use of the system is monitored and disciplinary action may be taken if misuse of the resource is identified Confidentiality Any sent by an employee is Trust property and, unless marked Personal or Private in the Subject Field may be opened by the Trust. The subject field can be found at the top of the screen under the To and CC headings. By marking the in such a way, 5

8 the sender is exempt from having the examined under the Domestic Purposes Exemption of the Data Protection Act (1998) and may not be accessed under a Freedom of Information request. It must be noted, however, that any marked Personal may be opened if inappropriate activity is identified. Under no circumstances is patient/personal identifiable data to be sent outside of the Trust unless in an encrypted form or via NHSmail (see below). When sending internally, the minimum data (but adequate for the purpose) required should be sent. Please contact the Information Security Officer or Data Protection Officer for guidance on sending patient identifiable data on extension 3671 or Users should exercise caution when disclosing their address to commercial organisations unless specific information/goods are requested, as this information may be passed to other organisations generating Spam mail. Users must not auto forward outside of the Trust since received may contain person-identifiable data and the Internet is not secure NHSmail NHS mail is a secure and encrypted service provided by Connecting for Health which is approved for use by this Trust. Access to the NHS mail service in this Trust is provided on a case-bycase basis, as it is to be used to provide a secure method of ing person identifiable data and Trust information to other NHS organisations. This runs alongside the existing Trust service but does not replace it. For s that do not contain any form of person identifiable data you must continue to use your existing Trust account. Anyone requiring an NHSmail account associated with this Trust will need to: Log a call with the IT Service Desk Get their Manager to complete an NHS mail account application form, which is available on the data protection intranet page or sent from the data protection team following the allocation of the logged call Be supplied with an NHS mail account Inappropriate Content Staff must not distribute any material/media which contain: non-work related attachments information an employer would not reasonably expect to tolerate Or is 6

9 Unlawful, e.g. libellous, pornographic (or other inappropriate naked images), contains inappropriate content relating to gender, race, sexual orientation, religious or political convictions, or disability. This also includes incitement to commit a crime, incitement of hatred and violence or any activity that contravenes any of the Trust s Policies including Equality and Diversity in Employment Policy. Objectionable or causes offence. This also includes material that could be classed as abusive, indecent, obscene, menacing; or in breach of confidence, copyright, privacy or any other rights. should not contain any form of profanity or offensive language. Sending any material in this category as a humorous will not be tolerated or taken as a defence. Distribution of such material may result in legal action in addition to Trust disciplinary procedures. Staff must not initiate or forward electronic chain letters (e.g. any personal s that could be sent to multiple users and subsequently forwarded to more users). These mails often contain moving images and pictures, and it costs the Trust hours in lost productivity. Staff must not forge or anonymously send or make any attempt to infect other systems with computer viruses. If staff receive such and have concerns over the content, they should contact the Service Desk. The incident will then be dealt with in accordance with the Information Security procedure. Chain letters sometimes contain warnings about supposed virus outbreaks; these are often hoaxes and should not be forwarded without contacting Service Desk/Information Security Officer for advice. Staff who receive containing any inappropriate material should inform their Line Manager or the Information Security Officer. Any employee persistently receiving s of this nature should refer the s to the Information Security Officer; the incident will be dealt with in accordance with the Information Security procedure. Staff who receive attachments, which they have any doubt about the origin and/or content of, should contact the IT Service Desk for advice. Many viruses are spread through and opening suspect attachments can result in the spreading of infections both within the organisation and beyond. Staff who receive personal from outside the Trust are asked to communicate to friends that attachments and inappropriate material should not be sent to Trust accounts Filtering Software Incoming and Outgoing s: 7

10 filtering software is currently in place that monitors all incoming and outgoing for inappropriate content (as detailed in section 4.3.4). If the filter finds any inappropriate content in an , then the is quarantined by IT and this is held for 30 days before being permanently removed from the quarantine folder Etiquette Guidance on etiquette is given in Appendix Retention of s All staff must ensure that the number of s in an folder (e.g. Inbox) are kept to a minimum and s are regularly reviewed, destroyed or alternatively filed. Please see the Trust Corporate Records Management Policy for retention and destruction advice. 4.4 Monitoring of Activity The Trust reserves the right to carry out the following monitoring activities to comply with this policy Access The Trust currently retains a copy of all s that are sent or received by a Trust account unless actively deleted by a member of staff from within the Outlook client. The Trust will not use the facility to open employees without due cause. Copies of all s sent and received are stored in backup files for a maximum period of 12 months. may be opened under the following conditions: A report is made raising concern about the contents of an ; A concern is raised by a line manager about inappropriate personal use of Trust ; Routine monitoring identifies potential inappropriate use. This list is not exhaustive. The Trust reserves the right to carry out detailed inspection of any IT equipment without notice, where inappropriate activity is suspected. More detailed investigation could involve further monitoring and examination of stored data (including employee deleted data) held on servers, disks, drives or other historical/archived material/media. IT Support staff will be responsible for username and password management, virus control and the management of security and the Internet connections. Users must not share their password nor leave their computers unattended whilst logged on, as they will be held responsible for any activity which takes place using their account. Unauthorised use of someone else s identity to access the Internet or send is strictly prohibited and will result in disciplinary action. 8

11 All users need to be aware that the service is within the ownership of the Trust and therefore the Trust can access any mailbox if there is a valid reason for doing so. Other than for the monitoring purposes already referred to, temporary access to the content of any staff member s mailbox in their absence will only be granted in justifiable circumstances e.g. with consent of the user or submission of a written request from their Line Manager, the Freedom of Information Office or from the Trust s Counter Fraud Specialist under the NHS Counter Fraud Strategy, to the information Security Officer. This request must identify the business need for the access requested and indicate the mail message/s to be examined. Where such a request is granted, access will be by the Information Security Officer or a representative only, who will provide the required information/ s to the requester. In most cases the Information Security Manager or a representative will notify the user of the mailbox about the access, at the earliest possible opportunity. Discussion between line managers and their staff may take place at any stage to agree access permission for s to assist in the action of corporate s, with the user voluntarily granting permissions to a line manager or colleague to deal with incoming . In the event that a user will be absent for an extended period of time, then temporary access to their entire mailbox may be granted to their line manager. Managers should discuss continued access or the disabling of access with the user upon their return to work. It is accepted that a limited amount of personal messages will be sent using the Trusts system. These messages must be marked as Personal in the Subject field of the . The Trust systems should not be utilised to conduct personal conversations that are nonwork related. This kind of repeated Personal is classed as abuse of the system. Under the Freedom of Information Act (2000), any (memo or other communications, unless marked personal) may be accessed under the provisions detailed in the legislation. 5.0 Roles and Responsibilities The is responsible for this policy. 5.1 Managers The Department Head is locally responsible for the provision of staff training. All staff must be fully aware of the Internet/ policy guidance, its requirements and implementation. All staff should have an understanding of the responsibilities and risks associated with their use. Managers are responsible for ensuring that discussion for continued access to accounts takes place when temporary permission has been granted in an employee s absence. 9

12 5.2 Staff All Staff must adhere to and abide by this policy. All staff must not attempt to access information on the Internet that is classified as inappropriate content. All Staff must ensure that their default address book is set to All Users, not to Global. For further advice please contact the IT Service Desk. All staff must ensure that subject headers adequately describe the message, as you may be required to search for a retained message under the Freedom of Information Act. All staff must be aware that memos or other communications can be disclosed under the Freedom of Information Act. All staff will ensure that personal communication is marked as such in the subject header. All staff should ensure that access permissions are disabled or continued access is agreed, following discussion with their line manager when temporary access has been granted during an absence from work. The Trust will not tolerate misuse of its systems and will take disciplinary action; this may include further action by the police which may result in fines, a criminal records or custodial sentence. The Data Protection Act protects the rights of individuals regarding the processing of their personal data to ensure that it is not used inappropriately. Personal data includes information such as their name, address, date of birth, employment details etc. Users who have access to such personal data must ensure that it is treated as confidential information and that it is only used in connection with the Information Assurance Policy. 6.0 Associated documentation and references This policy should be read in conjunction with all Informatics policies found on the Intranet Policy website including. Information Assurance Policy Confidentiality Code of Practice Personal Information and Confidentiality Policy Information Access Policy This list is a representative sample and all Trust Information Governance policies must be adhered to whilst operating these devices. 10

13 Failure to adhere to the required policies may result in disciplinary action being taken. Legislation requiring disclosure of personal identifiable information: Police and Criminal Evidence Act 1984 NHS Security Operating Procedure (SyOp) 7.14 The Use of Portable Devices within an NHSnet Connected Environment NHS Security Operating Procedure (SyOp) 9.2 Portable Computer Policy ISO27001 The Code of Practice for Information Security Management Data Protection Act 1998 Computer Misuse Act 2000 Copyright, Designs and Patents 7.0 Training & Resources The IT Training Department will undertake training on the use of the and Internet system where requested, and will raise awareness of this policy and related issues through staff induction, staff handbooks and s to staff. The Data Protection Office will also raise awareness through induction programmes and follow-up training. This policy is also available from the policy area on the Trust intranet. 8.0 Monitoring and Audit The Information Governance Group is a sub-group of the Trust Board with responsibility for the ratification of Information Governance policies and approval of work programmes. This group has senior level representation, chaired by the Caldicott guardian, and supported from all appropriate areas to ensure the Trust steers this agenda appropriately. It receives regular reports from the Information Assurance Manager and responsible staff dealing with all aspects of the agenda as outlined above, and approves central returns required by the Information Governance Toolkit(IGT) to NHS Connecting for Health. 8.1 Recording and Monitoring The IGT will be used by the Trust to conduct baseline audit and construct action plans for future compliance with this agenda. The work programs in the individual areas will be created by adherence to the IGT standards and to the national standards appropriate to the individual field of activity. Minimum requirement to be monitored Process for monitoring, e.g audit Responsible individual / group/ committee Frequency of monitoring Responsible individual / group / committee for Responsible individual / group/ committee for development of Responsible individual / group / committee for monitoring of action plan and 11

14 Relevance of policy to Trust needs Audit / Review review of results action plan implementation IGG Annually IGG IGG IGG 9.0 Equality and Diversity The Trust is committed to an environment that promotes equality and embraces diversity in its performance as an employer and service provider. It will adhere to legal and performance requirements and will mainstream equality and diversity principles through its policies, procedures and processes. This policy should be implemented with due regard to this commitment. To ensure that the implementation of this policy does not have an adverse impact in response to the requirements of the Equality Act 2010 this policy has been screened for relevance during the policy development process and a full Equality Impact Analysis conducted where necessary prior to consultation. The Trust will take remedial action when necessary to address any unexpected or unwarranted disparities and monitor practice to ensure that this policy is fairly implemented. This policy and procedure can be made available in alternative formats on request including large print, Braille, moon, audio, and different languages. To arrange this please refer to the Trust translation and interpretation policy in the first instance. The Trust will endeavour to make reasonable adjustments to accommodate any employee/patient with particular equality and diversity requirements in implementing this policy and procedure. This may include accessibility of meeting/appointment venues, providing translation, arranging an interpreter to attend appointments/meetings, extending policy timeframes to enable translation to be undertaken, or assistance with formulating any written statements. 9.1 Recording and Monitoring of Equality & Diversity The Trust understands the business case for equality and diversity and will make sure that this is translated into practice. Accordingly, all policies and procedures will be monitored to ensure their effectiveness. Monitoring information will be collated, analysed and published on an annual basis as part of Equality Delivery System. The monitoring will cover all strands of equality legislation and will meet statutory employment duties under the Equality Act Where adverse impact is identified through the monitoring process the Trust will investigate and take corrective action to mitigate and prevent any negative impact. 12

15 The information collected for monitoring and reporting purposes will be treated as confidential and it will not be used for any other purpose. 13

16 Appendix 1 Glossary of Terms DPA - Data Protection Act IT - Information Technology 14

17 Appendix 2 Supporting Legislation and Guidance The Data Protection Act 1998 Seventh Principle states: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data 15

18 Appendix 3 Etiquette The following should be adhered to: Ensure your address book defaults to all users not global and select your recipients with care. If confidential information is disclosed inappropriately by the selection of the wrong address disciplinary action may be taken. The subject field should always be used to add a short description of the contents of the . This will assist the recipient in prioritising opening of and aids future retrieval of opened messages. Ensure that personal is marked as such in the subject header. Ensure that corporate s do not contain information of a personal nature. Care should be taken with content. Nothing should be written in an , memo or other communication that would not be written in a letter or said to someone face to face. All corporate correspondence should be reflecting a professional approach. Remember s could be subject to public disclosure under the Freedom of Information Act. The same conventions should be used as when sending a letter by post, e.g. using the same style of greeting. Corporate Document Standards should be observed when sending reports etc. messages should not be written in all CAPITAL letters as this is considered to be aggressive. When you are sending messages or responding to messages sent by other users, your recipient might have different views, opinions and cultures. Without vocal inflection and body language; sarcasm, facetiousness and otherwise innocent fun can easily be misinterpreted as being rude or abusive. Internal s must be signed off with the name, title and contact details of the sender. This can be added to a signature file so that it appears automatically by following the steps outlined below: o select the Tools menu from the menu bar in your Inbox o then select Options o then select the Mail Format tab o add a signature file by using Signature Picker. External s can be signed off with name or role title. All s should have an appropriate notice at the foot of the message. A sample footer is included below: 16

19 Any views or opinions presented are solely those of the author and do not necessarily represent those of the Royal Liverpool and Broadgreen University Hospitals (NHS) Trust. This may contain confidential and/or proprietary Trust information some or all of which may be legally privileged. It is for the intended recipient only. If any addressing or transmission error has misdirected this , please notify the author by replying to this and destroy any copies. If you are not the intended recipient you must not use, disclose, distribute, copy, print, or rely on this . The information contained in this may be subject to public disclosure under the NHS Code of Openness or the Freedom of Information Act Unless the information is legally exempt from disclosure, the confidentiality of this and your reply cannot be guaranteed. The Trust may monitor outgoing and incoming s and other telecommunications on its and telecommunications systems. By replying to this you give your consent to such monitoring. 17

20 Appendix 4 Document History and Version Control Document History Version Date Comments Author 1 30/03/05 N Morgan 2 30/03/06 N Morgan /03/07 Reformatted and Revised A Penketh N Morgan 3 11/07/2007 Revised A Penketh 4 30/04/2009 Revised M Haynes /06/2010 Revised Information 5 28/10/2011 Revised and updated, removal of acceptance form appendix C 6 28/01/2013 Amendments in Sections and and reformatted Review Process Prior to Ratification: Assurance Manager PNordoff-Tate PNordoff-Tate Name of Group/Department/Committee Date Information Governance Group 10 th April 2007 Information Governance Group 20 th September 2009 Information Governance Group (virtual meeting) 28/10/2011 Information Governance Group 28/01/